Home/Knowledge Hub/HubSpot: What Your TechSpy Scan is Telling You
← Back to Knowledge Hub

HubSpot: What Your TechSpy Scan is Telling You

DNS & NetworkEmailDeliverability·June 5, 2026·6 min read

HubSpot is the CRM and marketing platform that sends emails from your domain. Here's why it needs your SPF, DKIM, and CNAME — and how to set them up so your …

What Is HubSpot?

You just got a note from your marketing lead: “We signed up for HubSpot. IT needs to add some DNS records — can you forward this?” You open the email. It’s a list of technical terms with cryptic values. You have no idea what HubSpot even is, or why it needs access to your domain.

HubSpot is an all-in-one platform that helps businesses manage customer relationships, run email campaigns, track sales, and automate follow-ups. If someone at your company says “we’re using HubSpot,” they’re probably talking about the software that sends your monthly newsletter or the tool that tracks which leads opened which emails.

But here’s the catch: to send an email that looks like it comes from your company (e.g., ), HubSpot needs your permission. It can’t just forge your sending address. That permission lives in your domain’s DNS — which is why HubSpot shows up in your TechSpy scan as a set of hubspot.com scripts, CNAME records, and SPF includes.

Real-World Analogy

Think of your domain like a company building. Anyone can walk up and claim they work there. But you’ve given HubSpot an official badge, a designated parking spot, and a key to the mailroom. Those are the DNS records TechSpy detected.

How HubSpot Works

When you send a marketing email from HubSpot, the message actually comes from HubSpot’s servers, not from your company’s email provider. But the “From” address still shows your domain. For a receiving mail server to accept that, it needs to see two things: a written guest list that says HubSpot is allowed to send on your behalf, and a unique signature that proves the email hasn’t been tampered with on the way.

Here’s the sequence: your marketing user creates a campaign in HubSpot and hits Send. HubSpot’s system picks up the email, stamps it with a secret digital signature that only it could create (because it holds a private key), and then delivers the message. When the recipient’s server gets it, it looks at your domain’s public guest list — a line in your DNS that says “HubSpot is an authorized sender.” It also checks the signature against a public key you’ve published. If both checks pass, the email gets delivered to the inbox. If either one fails, the email might go to spam or be rejected.

There’s also a branding piece: when HubSpot tracks clicks, it rewrites links in your emails. Without extra setup, those links show a hubspot.com domain. But you can make them show your own domain — like — by adding a CNAME record. That same CNAME can be used for landing pages hosted by HubSpot, which TechSpy catches if you’ve set it up.

Technical Details
SPF (Sender Policy Framework): a TXT record at your root domain that lists authorized senders. For HubSpot, you typically add — but the exact value comes from your HubSpot account. If you already have an SPF record, you merge HubSpot’s include with your existing one.
DKIM (DomainKeys Identified Mail): a TXT record at a subdomain like . It contains a public key that receiving servers use to verify the digital signature HubSpot adds to your emails. HubSpot provides the full record value.
CNAME for click tracking: a record like pointing to (the exact target is unique to your account). This lets HubSpot-branded links show your domain instead of hubspot.com. The same principle applies to landing pages via CNAME targets.
No MX records are involved — HubSpot doesn’t handle incoming email; it only sends outgoing marketing emails.

Why It Matters for Your Business

When these records are set up right, your email deliverability stays high. Messages go to the inbox, not spam. Customers, leads, and partners see a clean, consistent sender address — which means they’re more likely to trust and open your mail. For your sales and marketing teams, that’s the difference between a campaign that converts and one that doesn’t.

If they’re wrong, things break silently. Emails land in spam or get rejected outright. HubSpot’s dashboard might show “delivered” but recipients never see them. Worse, a misconfigured or abandoned setting can open the door for someone else to impersonate your domain using HubSpot — if an old HubSpot account you don’t know about still has an SPF include, a bad actor could abuse it.

This isn’t just an IT concern. Marketing teams who see low open rates, sales teams wondering why their sequences get no replies, and founders who worry about domain reputation all need to understand this. A clean HubSpot setup is a business continuity issue, not a technical footnote.

Common Issues and Warning Signs

Problems usually show up as business symptoms first: a campaign’s open rate is half what you expected, or a customer reports that your email went to spam. When you dig in, you often find a DNS piece that was never finished or got broken during a domain migration.

Common Issues

Your newsletter or sales emails consistently land in spam tests (Possible cause: missing or misaligned SPF/DKIM for HubSpot)
Click-through rates drop suddenly — but you recently changed your domain’s DNS provider (Cause: lost CNAME for click tracking, links now default to hubspot.com, which some spam filters flag)
HubSpot’s email-health tool reports authentication failures (Cause: SPF include typed wrong or DKIM public key stale)
TechSpy shows an SPF include for HubSpot you don’t recognize (Cause: someone set up a trial or another team created an account using your domain without coordination)
Your landing pages show a security warning or the wrong URL (Cause: CNAME for HubSpot pages not properly pointing to your domain)

How to Fix or Improve HubSpot

The fix is straightforward, but it requires either DNS access or a chat with whoever manages your DNS. The first step is always: log into your HubSpot account and go to the domain settings area, where it will list the exact records you need. You can’t guess them.

A correctly configured HubSpot integration won’t just improve deliverability — it also removes the security risk of unauthorized HubSpot instances using your domain. Once you’ve tidied that up, your TechSpy scan will show exactly what you expect, and your marketing team can work with confidence.

<!-- self-check: layer1_readable=true | fix_doable=true | no_padding=true | jargon_expanded=true -->

1In HubSpot, navigate to Settings > Website > Domains & URLs. Find your connected domain and click “Actions” > “Check DNS settings.” You’ll see a list of records that need to be added or updated.
2If you manage your own DNS: log into your DNS provider (where you bought the domain or where your nameservers point). For the SPF record, you’ll either add a new TXT record or merge the include with your existing one. For DKIM, add the TXT record at the subdomain HubSpot specifies. For click tracking, add the CNAME it shows. Apply changes.
3If someone else manages DNS (your IT team, a marketing agency, your hosting provider): forward them the full record details from HubSpot’s screen. Ask them to implement them exactly as shown and confirm back to you.
4After records are live, run a fresh TechSpy scan. It will re-check for HubSpot’s records and flag any remaining misconfigurations. You want to see green checks next to SPF, DKIM, and CNAME.
5Wait up to 24 hours for DNS propagation, then send a test email from HubSpot and verify it lands in the inbox.

See how your domain's configuration stacks up.

Get a free scan — no sign-up, no credit card.

Scan Your Domain Free →