BetaSPFWise is in beta, and every feature is free until it ends. More information after you sign up.

Email Authentication Report for hubspot.com

A live look at how hubspot.com configures SPF, DKIM, DMARC, and transport security, with the grade explained.

A+

hubspot.com

100 out of 100

Scanned: Jul 6, 2026, 1:24 PM

Why this score

The score starts at 100. Every issue below subtracts points based on how much it hurts your deliverability or lets someone spoof you.

Nothing is lowering your score. Every live check passed cleanly.
  • SPF

    Pass
    • Ends with -all (hardfail).

      A hardfail tells receivers to reject any sender that is not listed. This is the strongest and recommended setting.

    • SPF is present and correctly configured.

      A single SPF record was found, it stays within the DNS lookup limit, and it ends with a strong all qualifier.

    DNS lookups4 / 10
    v=spf1 redirect=_hspf.hubspot.com
    allQualifier
    -
  • DKIM

    Pass
    • DKIM is set up (6 valid selector(s) found).

      At least one valid signing key was found, so your outgoing mail can be signed and verified by receivers.

    selectors
    google, s1, s2, mandrill, hs1, hs2
    keyType
    rsa
    keyBits
    2048
  • DMARC

    Pass
    • Policy is p=reject (strongest).

      Reject tells receivers to refuse any mail that fails authentication, the strongest protection against spoofing.

    • Aggregate reporting is enabled.

      A rua address is set, so you receive daily reports showing every source that sends as your domain.

    • DMARC is present and enforced.

      A valid DMARC record was found with an enforcing policy, so receivers act on mail that fails authentication.

    v=DMARC1;p=reject;pct=100;rua=mailto:bdlk5ayo@ag.dmarcian.com;ruf=mailto:bdlk5ayo@fr.dmarcian.com
    policy
    reject
    subdomainPolicy
    reject
    pct
    100
    rua
    mailto:bdlk5ayo@ag.dmarcian.com
    adkim
    r
    aspf
    r
  • MX

    Pass
    • MX is configured (1 mail server(s)).

      Your domain has MX records and every listed mail server resolves to an IP address, so it can receive mail.

    mxHosts
    smtp.google.com (1)
    mxCount
    1
  • Blacklist

    Pass
    • Not on any checked blocklist.

      Your mail server IPs were not found on the public blocklists we checked. Reputation can change, so it is worth monitoring over time.

    ipsChecked
    142.250.147.27, 142.250.147.26, 142.251.9.27
    blocklists
    bl.spamcop.net, dnsbl.sorbs.net

Optional enhancements

Advanced, nice-to-have features. Setting these up (or not) does not change your grade.

  • DNSSEC

    Pass
    • DNSSEC is enabled.

      Your zone is signed and the parent publishes a DS record, so resolvers can verify your DNS answers were not tampered with on the way to them.

    algorithm
    ECDSAP256SHA256
    signatureExpiry
    2026-08-14T22:17:49Z
  • MTA-STS

    Optional
    • MTA-STS is not set up.

      MTA-STS is optional but recommended. It tells sending servers to require TLS when delivering mail to you, which blocks downgrade and man-in-the-middle attacks on your inbound mail.

      How to fix: Publish a _mta-sts TXT record and host a policy at https://mta-sts.<yourdomain>/.well-known/mta-sts.txt with mode enforce.

    Read the MTA-STS guide
  • TLS-RPT

    Optional
    • TLS reporting (TLS-RPT) is not set up.

      TLS-RPT is optional. It asks receivers to send you reports when TLS fails while delivering your mail, which is how you catch MTA-STS or certificate problems before they hurt delivery.

      How to fix: Publish a _smtp._tls TXT record with v=TLSRPTv1 and a rua address, for example rua=mailto:tlsrpt@yourdomain.

    Read the TLS-RPT guide
  • BIMI

    Pass
    • BIMI is set up.

      Your BIMI record is valid, DMARC is enforced, and a Verified Mark Certificate is present, so supporting inboxes can show your logo.

    v=BIMI1; l=https://www.hubspot.com/hubfs/hubspot_inc_1435039322.svg; a=https://www.hubspot.com/hubfs/hubspot_inc_1435039322.pem;
    logo
    https://www.hubspot.com/hubfs/hubspot_inc_1435039322.svg
    vmc
    https://www.hubspot.com/hubfs/hubspot_inc_1435039322.pem

This report looks at the email authentication posture of hubspot.com as it appears in public DNS today. Software platforms send a constant stream of transactional mail, so the records that prove those messages are genuine directly affect whether customers receive them.

How to read the grade

Everything above is computed live from the records hubspot.com publishes right now. A strong result means SPF authorizes the correct senders, DKIM signs outgoing mail with a valid key, and DMARC sets a policy that instructs receivers on how to handle failures. Where a check is weak, the report shows the exact record involved so the gap is easy to understand.

About this report

This report is generated from publicly available DNS records for hubspot.com and is provided for informational and educational purposes only. SPFWise is not affiliated with, endorsed by, or connected to the owner of hubspot.com. The records shown are the same ones any mail server can query, and the grade updates automatically as they change.

Want the same breakdown for your own domain? Run a free scan to get an identical grade along with the exact records to fix anything that is weak.

Check your own domain

Run a free scan and get your grade with the exact records to fix.

Scan a domain

Guides to fix common issues