
How to remove HubSpot from your domain's SPF and DKIM

HubSpot publishes authentication via an SPF include, two DKIM CNAMEs that point back to HubSpot-hosted keys, and a sending subdomain CNAME. The selector names include your HubSpot portal ID, which trips up the well-known-selector probe.

When you'd want to do this

  • Migrated marketing automation off HubSpot (to Marketo, Customer.io, ActiveCampaign).
  • Inherited a HubSpot trial that was never converted to paid, but the DNS records were published.
  • Downsized HubSpot subscription and dropped the email module.
  • Decoupling marketing-mail authority from your primary domain (good practice: marketing on a subdomain).

What HubSpot adds to your DNS

You need to remove every record below for the de-authorization to be complete. Removing only the SPF include: token but leaving the DKIM keys published is still a partial authorization - the vendor can sign mail as your domain even without SPF alignment if the recipient has a permissive DMARC policy.

| Type | Host | Look for | Notes |
|---|---|---|---|
| TXT | apex (example.com) | include:_hubspotemail.net or include:mail.hubspotemail.net | The HubSpot SPF include. Older accounts published the bare hubspot include; newer ones use a mail.hubspotemail.net variant. |
| CNAME | hs1-<portal-id>._domainkey.example.com | hubspot.com | First HubSpot DKIM selector CNAME. The portal-id is your HubSpot account number; selector name is unique to you. |
| CNAME | hs2-<portal-id>._domainkey.example.com | hubspot.com | Second DKIM CNAME for key rotation. Remove both. |
| CNAME | <custom>.example.com (e.g. emails.acme.com) | sendinghub.com or t.hsms06.com | Sending subdomain CNAME. HubSpot calls this "email sending domain" - it is the host the visible From: address uses. |

Step-by-step

  1. Stop sending through HubSpot first. Check every app, webhook, and automation that hits the vendor's API or SMTP. Pause those before touching DNS - if you flip the DNS first you'll just spend a week chasing bounces from a vendor that's still wired up on your application side.
  2. Remove the DKIM record(s) at the hosts listed above. Removing DKIM first means any mail still queued from HubSpot fails alignment, which is the safer failure mode - the receiver quarantines or rejects rather than silently delivering signed-as-you mail from a vendor you no longer control.
  3. Remove the SPF include. Open your SPF TXT record at the apex. Look for the exact include: entry shown above. Remove the entire token (including the include: prefix). Leave the rest of the record untouched. Verify the byte-count of the record is now under 450.
  4. Remove the CNAMEs, if any. CNAMEs for tracking domains and return-paths are dead weight once the vendor is gone; some DNS UIs surface them as "orphan records" later if you forget.
  5. Wait for propagation. 1-4 hours for most providers. The old SPF entry stays cached at receivers for the TTL you published (often 5 min - 1 hour).

Verify it's gone

Run a vendor-consolidation report on your domain. HubSpot should be gone from the vendor list. If it's still showing under SPF or DKIM, the DNS edit either didn't save or hasn't propagated yet - re-check in 30 minutes.

You can also do a manual spot-check with dig TXT example.com (replace with your domain). The output should no longer show the HubSpot include.
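The dig spot-check above covers only the SPF record; the added example below (not wiredepth or HubSpot tooling) extends it to all four record types this guide lists, taking the portal ID as an argument because the DKIM selector names depend on it. The function names lookup and hubspot_residue and the script name are assumptions made for this example.

```sh
#!/bin/sh
# Added example (not wiredepth or HubSpot tooling). Usage:
#   sh hubspot_residue.sh example.com <portal-id> [sending-host]

# lookup TYPE HOST: thin wrapper around dig, kept separate so canned
# answers can be substituted when testing offline.
lookup() { dig +short "$1" "$2"; }

# hubspot_residue DOMAIN PORTAL_ID [SENDING_HOST]
# Prints one line per record that still authorizes HubSpot; nothing when clean.
hubspot_residue() {
  local domain="$1" portal="$2" sending="${3:-}" spf sel target
  # SPF: join multi-string TXT chunks, then keep only the v=spf1 record.
  spf=$(lookup TXT "$domain" | sed -e 's/" "//g' -e 's/"//g' | grep -i '^v=spf1' || true)
  case "$spf" in
    *include:*hubspotemail.net*) echo "SPF $domain still includes hubspotemail.net" ;;
  esac
  # Step 3 of the guide: the edited record should be under 450 bytes.
  if [ "${#spf}" -ge 450 ]; then
    echo "SPF $domain is ${#spf} bytes, expected under 450"
  fi
  # DKIM: both portal-specific selectors must be gone, not just one.
  for sel in hs1 hs2; do
    target=$(lookup CNAME "$sel-$portal._domainkey.$domain")
    if [ -n "$target" ]; then
      echo "DKIM $sel-$portal._domainkey.$domain -> $target"
    fi
  done
  # Sending subdomain: only checkable when you know the custom host name.
  if [ -n "$sending" ]; then
    target=$(lookup CNAME "$sending")
    case "$target" in
      *sendinghub.com|*sendinghub.com.|*hsms06.com|*hsms06.com.)
        echo "CNAME $sending -> $target" ;;
    esac
  fi
  return 0
}

# Run only when arguments are given, so sourcing the file just defines the functions.
if [ "$#" -ge 2 ]; then hubspot_residue "$@"; fi
```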

What you'll lose

HubSpot email campaigns + workflow emails stop being able to send as your domain. They'll either fail-out at the send step in HubSpot or send from hs<portal>.hubspotemail.net instead, which lands in spam.

CRM sequence emails (one-to-one sales mail HubSpot ghost-writes for reps via the Chrome extension) also break - they share the same sending domain.

Common gotchas

HubSpot tracking-subdomain CNAME outlives DKIM. Even after you remove the DKIM CNAMEs, the tracking subdomain (e.g. emails.acme.com → HubSpot) still exists in DNS. Any old marketing email with a HubSpot-tracked link continues to work because the recipient's click hits your subdomain, which still resolves to HubSpot, which still has the campaign data. Remove the CNAME if you want the old links to break.

Multiple connected domains. HubSpot supports authenticating multiple domains per portal. If your portal also authenticates a sister domain or a sandbox, those have their own DNS records. Check the HubSpot "Connected domains" page.

Just want to rotate keys instead?

If you're keeping HubSpot but want to rotate credentials (a stronger move than just changing the API key - it forces all old DKIM signatures invalid), do it from the vendor side first: HubSpot console →

While you're here: audit the rest

The median domain we've analyzed has 6 vendors authorized in DNS and 3 of them can send mail as you. If you just removed one, see who else is on the list.
