How do I sign DKIM on a sender domain that isn't the primary domain while using HubSpot?

Summary

To sign DKIM on a sender domain that isn't the primary domain while using HubSpot, you need to own the domain or have permission from the owner. First, set up the non-primary domain as an email sending domain within HubSpot by navigating to Settings > Domains & URLs > Connect a domain > Email Sending. HubSpot will then provide DKIM and SPF records. These records need to be added as TXT records to the DNS settings of the subdomain or sending domain at your domain host. This process verifies your ownership and authorizes HubSpot to send emails on behalf of that domain. For subdomains, you might need to delegate signing authority by creating a DKIM record on the subdomain itself. DKIM works by generating a public/private key pair; the private key is used to sign outgoing messages, while the public key is published in the DNS records. Receiving servers use the public key to verify the signature, confirming the email's authenticity, improving deliverability rates, and proving to ISPs that messages are legitimate.

Key findings

  • Domain Ownership/Permission: You must own the sender domain or have explicit permission to use it for DKIM signing.
  • HubSpot Configuration: Set up the non-primary domain as an email sending domain in HubSpot’s settings.
  • DNS Record Addition: Add DKIM and SPF records (provided by HubSpot) as TXT records to the DNS settings of the sender domain or subdomain.
  • Subdomain Delegation: For subdomains, delegation of signing authority may be required via a DKIM record.
  • DKIM Key Pair: DKIM utilizes a public/private key pair to sign outgoing emails and verify their authenticity.
  • Enhanced Deliverability: Proper DKIM setup enhances email deliverability and sender reputation.

Key considerations

  • DNS Access: Ensure you have access to modify DNS records for the sender domain.
  • HubSpot Specific Instructions: Follow HubSpot's specific instructions and guidelines for connecting email sending domains.
  • Record Propagation Time: DNS record changes may take some time to propagate, so allow sufficient time for verification.
  • Key Management: Securely manage the private DKIM key, as it's crucial for signing outgoing messages.
  • Accurate Record Entry: Ensure accurate entry of DKIM and SPF records to avoid authentication issues.

What email marketers say
8 Marketer opinions

To sign DKIM on a sender domain that isn't the primary domain while using HubSpot, the general process involves setting up the non-primary domain as an email sending domain within HubSpot. This requires accessing HubSpot's settings, connecting the domain, and selecting 'Email Sending'. HubSpot then provides DKIM and SPF records, which must be added as TXT records to the DNS settings of the subdomain at your domain host. This process verifies ownership and authorizes HubSpot to send emails on behalf of the non-primary domain. Correct DKIM configuration is crucial for improving email deliverability by authenticating emails and proving to ISPs that the messages are legitimate.

Key opinions

  • HubSpot Setup: Set up the sender domain (non-primary) as an email sending domain within HubSpot.
  • DNS Records: Add the DKIM and SPF records provided by HubSpot as TXT records to the DNS settings of the sender domain.
  • Authentication: This process authenticates emails sent from the sender domain via HubSpot.
  • Domain Verification: Adding DNS records also verifies ownership of the sending domain.
  • Domain Authentication: Authenticating your emails with DKIM assists in better deliverability rates.

Key considerations

  • Access to DNS: You need access to the DNS settings of your domain to add the required records.
  • Record Propagation: DNS record changes can take up to 24-48 hours to propagate, so verification might not be immediate.
  • HubSpot Instructions: Always follow HubSpot's specific instructions for setting up email sending domains to ensure correct configuration.
  • TXT Records: When connecting a subdomain, append _domainkey to the subdomain.
Marketer view

Email marketer from SendGrid shares the steps to configure DKIM. This generally involves generating a DKIM record in SendGrid, then adding that record as a TXT record to your DNS settings. They also provide instructions on how to verify DKIM is set up correctly.

May 2022 - SendGrid
Marketer view

Email marketer from EmailOctopus explains that configuring DKIM involves adding a TXT record to your DNS settings with the specific DKIM information provided by EmailOctopus. Once added, you can usually verify the DKIM setup in the EmailOctopus platform. The record confirms your authorization for EmailOctopus to send on your behalf.

January 2024 - EmailOctopus
Marketer view

Email marketer from Reddit says you need to add the DKIM and SPF records to the DNS settings of your subdomain. HubSpot provides these records when you set up the subdomain as an email sending domain within the platform. These records authorize HubSpot to send emails on behalf of that subdomain.

November 2024 - Reddit
Marketer view

Email marketer from Email Geeks shares the process for setting up an Email Sending Domain on HubSpot, highlighting the need for a list of owned Email Sending Domains and access to the Domain Host (or IT/Domain Administrator). Eoin refers to a HubSpot knowledge base article for detailed steps and provides a text version of the instructions:

To connect the domain to HubSpot, follow the steps:

  • Log in to your HubSpot account.
  • In the main navigation bar click on the *settings icon*.
  • Go to *Website > Domains & URLs* in the left sidebar menu.
  • Click on *Connect a domain*.
  • Select *Email Sending* and then click on *connect*, in the dialog box. This will direct you to the domain connection screen.

Selecting Domain

  • Enter the email address that is used to send emails from that domain on the domain connection screen, then click on *Next*.
  • Verify the email sending domain on the next screen and then click on *Next*.

Verifying URLs

This is the final step that requires you to log in to your DNS provider. Follow the steps below:

  • Log in to your DNS provider in a separate tab; after logging in, select the *I’m logged in* checkbox in HubSpot.
  • In the DNS provider, go to *DNS settings* and select the *I’m there* checkbox in HubSpot.
  • In HubSpot, go to the Update your DNS records section, click on *Copy* next to the value in the Host(name) column, and paste it in the respective field in the DNS provider.
  • Similarly, click on *Copy* next to the value in the Value column in HubSpot and paste it in the respective field at the DNS provider. *Note:* If a subdomain is being connected to HubSpot you will have to append *_domainkey*.
  • After updating the values in the DNS provider, select the *Done* checkbox in HubSpot.
  • You will see a *Verified* message if DNS records are set up correctly, which means your email sending domains are now verified. This may take 24 hours to take effect.
  • Click *Done* on the *verified* message.
  • If your DNS records are not set up or are still being processed, you will see a Record Invalid error displayed to the right of the record(s). Click on *Check them again* to check if the changes have been updated.

January 2025 - Email Geeks
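
A check for the record-entry step above, as an added example that is not part of the original post or HubSpot's own tooling: it derives the DNS name a receiver queries from a DKIM-Signature header's s= and d= tags and validates a published key record against the RFC 6376 tag rules. The selector sel1, the domain news.example.com and the key bytes are constructed placeholders.

```python
import base64
import re

# Constructed samples (not from the page): a DKIM-Signature header value and
# two TXT record values; the selector, domain and key bytes are placeholders.
SIG = "v=1; a=rsa-sha256; d=news.example.com; s=sel1; h=from:to:subject; bh=AAAA; b=BBBB"
GOOD_TXT = "v=DKIM1; k=rsa; p=Y29uc3RydWN0ZWQta2V5LWJ5dGVz"
TRUNCATED_TXT = "v=DKIM1; k=rsa; p=Y29uc3RydWN0ZWQta2V5LWJ5dGV"  # last char lost in copy/paste

def parse_tags(value):
    """Parse an RFC 6376 tag=value list into a dict, dropping folding whitespace."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags

def dkim_query_name(signature):
    """Name a receiver looks up for the key: <selector>._domainkey.<signing domain>."""
    tags = parse_tags(signature)
    return f"{tags['s']}._domainkey.{tags['d']}".lower()

def check_key_record(txt):
    """Return a list of problems in a published DKIM key record (empty list = OK)."""
    tags = parse_tags(txt)
    problems = []
    if "v" in tags and (tags["v"] != "DKIM1" or not txt.lstrip().startswith("v")):
        problems.append("v= must be DKIM1 and be the first tag")
    if tags.get("k", "rsa") not in ("rsa", "ed25519"):
        problems.append("unsupported key type in k=")
    p = tags.get("p")
    if p is None:
        problems.append("missing p= tag")
    elif p == "":
        problems.append("empty p= (key revoked)")
    else:
        try:
            base64.b64decode(p, validate=True)  # strict: rejects bad padding/characters
        except ValueError:
            problems.append("p= is not valid base64 (truncated or mangled)")
    return problems

if __name__ == "__main__":
    print(dkim_query_name(SIG))
    print(check_key_record(GOOD_TXT), check_key_record(TRUNCATED_TXT))
```

Comparing the derived name with the host actually entered at the DNS provider catches a record published without the _domainkey label, which is the case the note in the steps above warns about.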
Marketer view

Email marketer from MailerLite explains that setting up DKIM requires creating a DKIM record in your domain's DNS settings. This record contains a public key that email servers can use to verify that messages truly came from your domain. MailerLite's documentation usually provides the specific DKIM record to add for their users.

March 2023 - MailerLite
Marketer view

Email marketer from Gmass highlights that DKIM (DomainKeys Identified Mail) works by adding a digital signature to outgoing emails. This signature is verified using a public key stored in the domain's DNS records. If the signature checks out, receiving mail servers are more likely to trust the email and deliver it to the inbox.

November 2022 - Gmass
Marketer view

Email marketer from ওয়ার্ডপ্রেস ডটকম shares the process of authenticating email sending with DKIM in HubSpot. The steps involve setting up an email sending domain inside HubSpot, then adding provided DNS records (TXT records) to the domain’s DNS settings to verify ownership and enable DKIM signing.

April 2024 - ওয়ার্ডপ্রেস ডটকম
Marketer view

Email marketer from Mailjet shares the benefits of implementing DKIM. By authenticating emails with DKIM, you are more likely to achieve higher deliverability rates by proving to Internet Service Providers (ISPs) that the outgoing message is actually coming from a legitimate source.

September 2021 - Mailjet

What the experts say
3 Expert opinions

To sign DKIM on a sender domain that isn't the primary domain, you must own the domain or have the domain owner's permission. For subdomains, you need to delegate signing authority by creating a DKIM record on the subdomain, pointing to the signing domain. This involves generating a DKIM key pair; the private key signs outgoing messages, and the public key is published as a TXT record in the DNS of your sending domain or subdomain, allowing mail servers to verify the signature.

Key opinions

  • Ownership/Permission: You must own the sender domain or have permission from the owner to DKIM sign.
  • Subdomain Delegation: For subdomains, delegate signing authority by creating a DKIM record on the subdomain.
  • Key Pair Generation: DKIM involves generating a public/private key pair.
  • DNS Publication: Publish the public key as a TXT record in the DNS settings of the sender domain or subdomain.
  • Signature Verification: Mail servers use the public key in the DNS to verify the signature of outgoing emails.

Key considerations

  • Domain Control: Ensure you have control over the DNS settings of the sender domain or subdomain.
  • Key Security: Keep the private key secure as it's used to sign outgoing messages.
  • Record Accuracy: Ensure the DKIM record is accurately entered in the DNS settings to avoid verification failures.
Expert view

Expert from Spam Resource, Laura Atkins, explains that for subdomains, you'll need to delegate signing authority by creating a DKIM record on the subdomain itself, pointing to the signing domain. This allows the subdomain to use DKIM even though it's not the primary domain.

January 2025 - Spam Resource
Expert view

Expert from Email Geeks explains that you can only DKIM sign with domains you own or with the permission of the domain owner.

January 2025 - Email Geeks
Expert view

Expert from Word to the Wise explains that DKIM involves generating a key pair (public and private). The private key is used to sign outgoing messages, and the public key is published as a TXT record in the DNS of your sending domain or subdomain. Mail servers verify the signature using the public key.

November 2022 - Word to the Wise

What the documentation says
3 Technical articles

To sign DKIM on a non-primary sender domain using HubSpot, follow HubSpot's domain connection process: navigate to Settings > Domains & URLs > Connect a domain > Email Sending. You'll need to update DNS records with values HubSpot provides. DKIM involves generating a private/public key pair. The private key signs the email, while the public key is published in the domain's DNS records as a TXT record. Receiving servers use the public key to verify the signature, confirming the email's authenticity and domain authorization.

Key findings

  • HubSpot Connection: Use HubSpot's domain connection feature to add the non-primary sender domain.
  • DNS Update: Update DNS records with the specific values provided by HubSpot.
  • Key Pair: DKIM relies on a private/public key pair for signing and verification.
  • Public Key in DNS: Publish the public key as a TXT record in the domain's DNS settings.
  • Verification Process: Receiving servers use the public key to verify the DKIM signature.

Key considerations

  • HubSpot Specific Steps: Carefully follow HubSpot's instructions for connecting domains to ensure correct setup.
  • Accurate DNS Records: Ensure DNS records are accurately added to avoid verification failures.
  • Key Management: Properly manage and secure the private key.
Technical article

Documentation from EasyDMARC highlights that DKIM signing involves generating a private/public key pair. The private key is used to sign the email, and the public key is published in the domain's DNS records. The receiving server uses this public key to verify the signature, confirming the email's authenticity.

November 2023 - EasyDMARC
Technical article

Documentation from HubSpot explains how to connect your email sending domain in HubSpot. It involves navigating to Settings > Domains & URLs, selecting 'Connect a domain,' and choosing 'Email Sending.' The documentation details the steps for verifying the domain by updating DNS records with the values provided by HubSpot.

February 2024 - HubSpot
Technical article

Documentation from SparkPost explains that DKIM requires publishing a DKIM record, which contains your public key. You'll need to generate a DKIM key-pair, then add a TXT record to your DNS settings. This TXT record contains the public key which receiving mail servers use to verify that messages signed with the corresponding private key were authorized by the domain owner.

December 2023 - SparkPost