HubSpot SPF & DKIM Setup

To connect a domain go to:
Settings (Gear Icon) -> Content -> Domains & URLS -> Email Sending -> Connect Sending Domain
HubSpot will then generate the specific DNS records you need to add to your DNS provider.

Setup SPF

Hubspot will generate a unique SPF include statement for your policy that looks similar to: include:123456.spf03.hubspotemail.net.
It's very important to make sure you don't add a new SPF policy if you already have one. To verify if you have an existing SPF record, you can use the Domain Check tool:
Domain Check Tool
If you do not have an existing SPF record, you need to create a new TXT record with your DNS provider. Remember to replace 123456 with your actual HubSpot HubID.
Record Type
TXT
Host/Name
@ (or blank)
Value

v=spf1 include:123456.spf03.hubspotemail.net ~all

TTL
3600 seconds (1 hour)

Setup DKIM

HubSpot uses two CNAME records for DKIM setup. This setup relies on two separate keys to allow HubSpot to sign your branding domain keys safely. Copy the unique hosts and values provided in your HubSpot connection window - they will look similar to this:
Record Type
CNAME
Host/Name
hs1-123456._domainkey.yourdomain.com
Value
hs1-123456.dkim.hubspotemail.net
TTL
3600 seconds (1 hour)
Record Type
CNAME
Host/Name
hs2-123456._domainkey.yourdomain.com
Value
hs2-123456.dkim.hubspotemail.net
TTL
3600 seconds (1 hour)

Verification

After adding these DNS records, go back to your HubSpot tab and click Verify or Verify connection. Note that it can take up to 24 hours for DNS changes to propagate globally.
Once setup, you can verify your records are configured correctly using our domain check tool:
Verify DNS records

Setup DMARC

Lastly we can setup DMARC. Again, verify you don't already have DMARC setup.
With basic monitoring, you will receive XML reports to the email address specified which will tell you how email is passing/failing authentication. These are very useful for debugging when email isn't being delivered.
Record Type
TXT
Host/Name
_dmarc.yourdomain.com
Value

v=DMARC1; p=none; rua=mailto:you@yourdomain.com

TTL
3600 seconds (1 hour)

Reference