Recently, Google and Yahoo set new DMARC requirements for email senders to try to cut down on the number of unsolicited emails that users receive daily. These requirements are making it so that HubSpot users who send emails to contacts on these email platforms need to make updates to their email authentication settings. Otherwise, their messages will be flagged as spam.
What are the new requirements? How can you update your email authentication settings to comply with them? Why should you make these updates as soon as possible?
Important Terms to Know for HubSpot Email Authentication Updates
Here are a few key terms that you’ll see referenced in materials covering these new email platform updates:
- An acronym for Domain Name System. This is the system that takes the “human readable” domain name of a website or email address and converts it into an IP address that web browsers can use to access (or deliver) internet-based resources.
- A portmanteau of “canonical name.” a CNAME record “maps an alias name to a true or canonical domain name.” It is useful for mapping a subdomain to the domain hosting that subdomain. For example, if Bluleadz.com is the hosting domain, www.bluleadz.com would be mapped to the Bluleadz.com domain by a CNAME record.
- An acronym for Sender Policy Framework. This is an email authentication standard that is meant to protect email recipients and senders alike from common nuisances like spam, phishing, and email spoofing. It entails creating a public list of senders who are approved to send emails from your domain.
- An acronym for DomainKeys Identified Mail. This protocol signs emails in a way that allows them to be verified by mailbox providers.
- An acronym for Domain-based Message Authentication, Reporting & Conformance. It builds off of the SPF and DKIM protocols to link to an email author’s “From” domain name, published policies for recipient handling of authentication failures, and reporting from receivers to senders. This helps improve monitoring for emails to prevent fraud.
- DNS PTR. PTR is an abbreviation of Pointer Record, making DNS PTR an acronym for Domain Name System Pointer Record. These are used in reverse DNS lookups where the query starts with the IP address to look up the domain name (as opposed to using the domain name to look up the IP address).
- An acronym for Authenticated Received Chain. This is used to verify the identity of intermediaries that forward emails between a sender and a receiver.
- ARC Header. A header that contains information about the email. There can be an authentication results header that provides information about authentication (like SPF, DKIM, and/or DMARC), a message signature header, or a seal header (which includes both signature and authentication results header information).
- An acronym for Transport Layer Security. This is a security protocol that is used to encrypt emails to prevent them from being read if they’re intercepted by a third party during transmission.
- RFC 5321. Also known as the “Simple Mail Transfer Protocol,” RFC 5321 is “a specification of the basic protocol for Internet electronic mail transport.” It’s meant to ensure the efficient and consistent transfer of mail over the internet.
- RFC 5322. Also known as the “Internet Message Format,” RFC 5322 is “a syntax for text messages that are sent between computer users.” It specifies line length limits, header field formats and specifications, and body content limitations.
- RFC 8058. Also known as “Signaling One-Click Functionality for List Email Headers.” RFC 8058 specifies a method for “signaling a one-click function for the List-Unsubscribe email header field.” It is meant to address an issue where email systems would accidentally trigger unsubscriptions from emails when some anti-spam software would try to fetch all resources from an email’s header field (which might include the List-Unsubscribe header field) without the intervention or intent of the email recipient.
- An acronym for Simple Mail Transfer Protocol. i.e., it’s another name for RFC 5321.
If you want to learn more about any of these terms, please check out the links in the descriptions.
What Are the New Standards?
As of February 2024, Google is now requiring that “bulk senders” (entities that send more than 5,000 emails in a day) meet three specific requirements. Bulk email senders must:
- Authenticate Their Email. Following Google’s best practices. This includes having a DMARC pass, valid forward and reverse DNS PTR records, adherence to RFC 5321 and 5322 standards, TLS for inbound emails, ARC headers for forwarded emails, and segregation of email class types by domain.
- Enable Easy Unsubscription. Emails sent to or through Gmail must be easy to unsubscribe from using a single click. In short, the “unsubscribe now” link or button in your email should be a single click to unsubscribe rather than taking users to a different page.
- Ensure They’re Sending Wanted Emails. Google is revising its spam rate threshold. So moving forward, HubSpot users will need to make sure that they’re even more careful about managing their HubSpot lists and how they segment their email sends to keep them as relevant and meaningful as possible to each recipient.
The Yahoo! sender requirements are largely similar to the ones now being enforced by Google, with a few minor differences like:
- Not requiring TLS for inbound emails.
- Not requiring ARC for forwarded emails.
- Allowing email class types to be segregated by IP or domain rather than just domain.
How to Update Your HubSpot Email Authentication Settings
Here’s the good news: a lot of what Yahoo! and Google are updating their email requirements to be were already best practices recommended by HubSpot—such as making it easy to unsubscribe, keeping emails relevant to recipients, and more. So the impact of these changes should be minimal for many users.
However, if you got that message about authenticating your email domains like the “John Doe” from our story and are having difficulty, here’s a quick how-to to help you! This authentication process is available to any HubSpot user on the Marketing, Sales, Service, or CMS Hub at a Starter, Professional, or Enterprise level.
For Existing Sending Domains in Your HubSpot Account: Update Your DNS Records and Verify in HubSpot
The first step is to update your DNS records—you will need to have up-to-date login details for your DNS provider and access to any associated DNS records.
Note: This process will differ from one DNS provider to the next. If you haven’t checked your DNS records and updated your recovery email or other DNS provider account settings in a while, please contact your provider for help with this.
It can take up to 80 minutes for HubSpot to verify that DNS records are set up correctly. You can review your DNS record authentication in your HubSpot portal by going to Settings (gear icon) and clicking on Domains & URLs under the “Website” dropdown under the “Tools” header in the left menu bar. The “Email sending domains” section of the “Domains” tab will show you the status of your authentication for all email sending domains you’re using. The three statuses are:
- Not Authenticated. The email sending domain hasn’t verified that any of the authentication checks for DKIM, SPF, or DMARC have been fully set up with your DNS provider.
- Partially Authenticated. DKIM has been set up and verified, but either SPF or DMARC needs to be verified.
- All necessary protocols have been set up and verified with your DNS provider.
If you see that your email domains are not fully authenticated, you can click on the “Continue domain setup” button to start the authorization process. You will need to sign in with your DNS provider to authorize your email.
Once you have logged into your DNS provider, you can click on the “Authorize with [DNS Provider] button in the setup wizard or click on the “No, I’ll set it up manually” link.
If setting up manually, you’ll need to:
- Locate your DNS record settings by logging into your DNS domain provider—if you have difficulty locating them, please contact your domain provider’s support team or refer to their support resources for assistance, as the location of this information may vary from one provider to the next.
- Update your DNS records by copying the required HubSpot codes for DKIM, DMARC, and SPF into the DNS record—you can find buttons for copying the code in the manual updating tool.
- When finished, return to the HubSpot tab and click “Verify.”
Please note that it can take up to 80 minutes for HubSpot to verify that your email sending domain’s DNS records have been updated and reflect that in your email sending domain status.
Setting up a New Email Sending Domain in HubSpot
If you’re a new HubSpot customer and want to connect an email sending domain to your HubSpot account, here’s how you can do that:
In the Settings menu, go to the “Domains & URLs” option under the “Website” dropdown below the “Tools” heading.
In the “Domains” tab, click on the “Connect a Domain” button.
In the dialog box that appears, click on the “Email Sending” option and click the “Connect” button.
In the new window, enter the name of an email address that you use to send marketing emails.
If you do not have an email for this yet, click on the “Don’t have a domain yet? find one now” link. A pop-up will appear when you click on it informing you that the “Find a domain” tool is powered by GoDaddy.
This will take you to GoDaddy’s “Domain Connect” tool, where you can type in a bit of text to start searching for an available domain you can purchase.
After you finish typing in your email address that you use for marketing emails, click “Next” in the bottom-right of the screen.
You will see a verification screen showing that your emails will be sent from a domain using the <name>@<domain> format.
Click Next to continue.
HubSpot will autodetect which DNS provider hosts the domain in question. Click on the “Authorize with <DNS Provider>” button to start the setup process. This will require you to log into your DNS provider’s website in a separate tab.
How to Edit DNS Records for Different DNS Providers
Alright, so, how can you edit your DNS records? The thing is that the process might be a bit different depending on which DNS provider your sending domain is hosted on. HubSpot has a handy guide that provides instructions on how to change DNS records for a dozen different DNS providers.
These guides show step-by-step processes for updating your CNAME records in each DNS provider. We’ll cover just a few of the bigger DNS providers here:
Updating CNAME Records in GoDaddy
Since HubSpot’s “find a domain” tool uses GoDaddy to help HubSpot customers find new email sending domains, let’s start with this leading DNS provider.
- Log into your GoDaddy account and locate the existing CNAME record for your subdomain or create a new subdomain.
- In the Host field, enter the subdomain that you’re connecting.
- In the Points to field, copy the value from the HubSpot setup wizard. It should look like [your Hub ID]groupXsites.hubspot.net.
- Click Save to finish and wait for the DNS provisioning to complete.
Updating CNAME Records in Cloudflare
- Log into your Cloudflare account and select the website you want to update.
- At the top of the page, select DNS.
- Click + Add record to add a new CNAME record, then enter the subdomain information.
- In the Type dropdown, select CNAME.
- In the Name field, enter the subdomain.
- In the Target field, enter HubSpot’s CNAME address, copied from the Value column in your HubSpot account.
- Under Proxy status, click the orange Cloudflare logo so that it’s set to grey. This is important for HubSpot to recognize the record.
- Click Save to finish.
Updating CNAME Records in AWS (Route 53)
- Log into your AWS dashboard
- click on the Hosted zones option in the left menu
- In the list of domains, select the domain that you want to edit
- If you haven’t created your subdomain yet, click the “Create Record Set” option. Otherwise, select the CNAME record that you want to edit.
- In the right panel, ent the subdomain into the Name field.
- In the Type dropdown menu, select CNAME.
- Next to Alias, select “No.”
- in the Value field, enter the value provided by HubSpot.
- The routing policy should be set to “Simple” by default—in most cases, you won’t need to change this.
- Click “Create” or “Save Record Set” (the option varies depending on if you’re making a new record or modifying an existing one).
Need Help Managing Your DNS and HubSpot Integration?
Setting up and maintaining your HubSpot account’s connections with your DNS provider can be a hassle. If you need help managing your HubSpot portal, setting up emails to follow email best practices, or any other bit of HubSpot troubleshooting, help is just a call away.
Book a meeting with our team to discuss your needs and how you can make the most of your HubSpot tools as soon as possible!
Douglas Phillips
Former military brat, graduated from Leilehua High School in Wahiawa, Hawaii in 2001. After earning my Bachelor's in English/Professional Writing, took on a job as a writer here at Bluleadz.