.svg "Paula"){kind=small}
In the first quarter of 2025, nearly a third of all phishing attacks globally targeted payment and financial services companies — the highest concentration of any sector (APWG Q1 2025 Phishing Activity Trends Report). By Q2 2025, financial institutions were the single most-attacked sector (APWG Q2 2025).
What does this have to do with your HubSpot settings? Everything.
Because inbox providers know financial services is a prime target for impersonation, they treat emails from financial firms with extra scrutiny. And because recipients are primed to be suspicious of anything that looks even slightly off, every detail matters — the domain in your URL, the sender line in your email, the verification records behind your sending infrastructure.
If your landing pages carry an unfamiliar domain or your emails arrive with "via HubSpot" in the sender line, you're not just missing a best practice. You're triggering the exact signals that get legitimate emails filtered, ignored, or deleted.
These two HubSpot settings control whether your marketing looks like it's coming from your company — or from a stranger. Both involve DNS changes, so they're worth doing carefully. Neither requires custom code.
1. Connect Your Domain, or Subdomain
When someone clicks a link in one of your marketing emails or lands on a page you built in HubSpot, the URL they see in their browser should look like it belongs to you.
Without a connected domain, it doesn't. Instead of digital.yourcompany.com/offer, they see something like 12345678.hubspotpagebuilder.com/offer — a URL that looks unfamiliar, untrustworthy, and nothing like your brand.
Disconnected Domain:
Connected Domain
(Where the subdomain is set to "Digital")
For financial services firms, this is especially damaging. Your prospects are already cautious about clicking unfamiliar links. A URL that doesn't match your brand is exactly the kind of thing they've been trained to avoid.
Connecting a domain also has a less obvious benefit: HubSpot's own spam filters are more likely to flag form submissions from pages on unconnected domains. That means legitimate leads — people who actually filled out your form — can get filtered into spam before anyone on your team sees them.
Now, you might have noticed that the links above use two words before .ca (Digital + Paulainc), that's because those examples use subdomains (digital).
📖 What's a subdomain? A prefix added to your main domain. If your website is yourcompany.com, then info.yourcompany.com is a subdomain. You use one when you want to host content on a different platform from your main website. For example, our website paulainc.ca is hosted by Framer — but if we wanted to run a blog through HubSpot, we'd create blog.paulainc.ca and point it to HubSpot. Framer keeps serving the main site. HubSpot serves the blog. Same idea applies to landing pages, email preference pages, or any other content you build in HubSpot while your website lives somewhere else.
| 🪛 Setting it up: Step 1: Go to Settings > Content > Domains & URLs Step 2: Click "Connect a domain" and choose what you'll use it for (landing pages, blog, email, etc.) Step 3 * : Enter the subdomain you want to connect (e.g., info.yourcompany.com) Step 4: HubSpot generates DNS records. Add them to your DNS provider (GoDaddy, Cloudflare, etc.) Step 5: Click Verify. DNS changes can take 15–80 minutes to propagate. * Note: A common fear in Step 3 is that connecting a domain will redirect or break your existing website. It can if you don't set it up properly, but if you add a subdomain, it won't. In other words, the field highlighted in yellow below must be filled in, otherwise you'll redirect all traffic going to your website to HubSpot and they'll get an error (assuming your website is hosted somewhere else). |
📖 What are DNS records? DNS is like a phone book for the internet — it tells browsers where to find websites. When you "add a DNS record," you're telling the internet that a specific subdomain should point to HubSpot's servers. Your web host or domain registrar (GoDaddy, Namecheap, Cloudflare) is where you make these changes. If this sounds unfamiliar, your IT person or web developer will know exactly what to do.
Two things people miss:
1. DNS providers that auto-append your domain. GoDaddy, Network Solutions, and others sometimes add .yourcompany.com to the end of your entry automatically — turning the record into yourcompany.com.yourcompany.com, which breaks the connection. If domain verification fails, this is the first thing to check.
2. Add your domains to the form spam filter settings too. Even with the tracking code installed, forms on external domains can get flagged as spam if the domain isn't added under Settings > Marketing > Forms > Non-HubSpot Forms. This is a separate setting from domain connection — and it's frequently missed.
HubSpot Knowledge Base: Connect a Domain to HubSpot →
Related: Prevent Spam Form Submissions →
2. Authenticate Your Email Sending Domain
When you send a marketing email from HubSpot, the recipient's inbox provider (Gmail, Outlook, Yahoo) runs a background check. It asks: did this company actually authorize HubSpot to send this email on their behalf?
Email authentication is how you answer "yes." Without it, your emails look unverified — and inbox providers treat unverified emails the way you'd treat a letter with no return address. They might deliver it. They might not. They definitely don't trust it.
With authentication in place, your emails consistently reach inboxes. Your sender reputation builds over time instead of eroding. And your marketing emails stop showing "via HubSpot" next to your company name — a small detail that makes a noticeable difference in how professional your outreach looks.
Emails from unconfigured Email Sending Domain:
Emails from authenticated Email Sending Domain:
This matters even more in 2025. Gmail and Yahoo now require SPF, DKIM, and DMARC authentication for bulk senders. Without these records in place, your emails are increasingly likely to be filtered or rejected outright — not because of your content, but because your infrastructure doesn't pass the check.
And roughly 1 in 6 marketing emails never reaches the inbox at all. For a financial services firm sending drip campaigns, compliance updates, or event invitations, that's a significant number of touches that simply disappear.
You don't need to understand how SPF, DKIM, and DMARC work technically. You just need them in place. HubSpot tells you exactly what records to add — it's a copy-and-paste process in your DNS settings. But -- if you are curious -- simply put: SPF: who's allowed to send email for your domain; DKIM: proof the email wasn't tampered with; DMARC: what to do if either check fails.
| This matters even more in 2025. Gmail and Yahoo now require SPF, DKIM, and DMARC authentication for bulk senders. Without these records in place, your emails are increasingly likely to be filtered or rejected outright — not because of your content, but because your infrastructure doesn't pass the check. And roughly 1 in 6 marketing emails never reaches the inbox at all. For a financial services firm sending drip campaigns, compliance updates, or event invitations, that's a significant number of touches that simply disappear. You don't need to understand how SPF, DKIM, and DMARC work technically. You just need them in place. HubSpot tells you exactly what records to add — it's a copy-and-paste process in your DNS settings. But -- if you are curious -- simply put: SPF: who's allowed to send email for your domain; DKIM: proof the email wasn't tampered with; DMARC: what to do if either check fails. |
To be clear: this doesn't change your email address or how it appears to recipients. It adds verification behind the scenes so inbox providers trust that HubSpot is authorized to send on your behalf.
Separately, HubSpot also uses a subdomain for things like the web version of your emails, image hosting, and subscription preference pages — the links people see when they click "view in browser" or manage their preferences. That's configured through the Email content type domain (Item 1 in this article), not the email sending domain. They're related but separate settings.
Two things people miss:
1. Don't create a second SPF record. If your domain already has an SPF record (most do), add HubSpot's entry to the existing one — don't create a new record. Two SPF records on the same domain causes authentication failures across all your email, not just HubSpot. This is the single most common DNS mistake with email setup. To check: look at the TXT records in your DNS provider. If you see one that starts with v=spf1, that's your existing SPF record. Add HubSpot's include: value to that line. Don't create a new TXT record with another v=spf1.
2. New sending domains need a warmup period. A brand-new sending domain has zero reputation with inbox providers. If you switch domains and immediately blast your full list, deliverability will suffer. Start with your most engaged contacts and increase volume gradually over a few weeks.
HubSpot Knowledge Base: Manage Email Authentication in HubSpot →
The Takeaway
These two settings control whether your marketing looks like it's coming from your company or from a stranger. Without them, your landing page URLs carry someone else's domain and your emails arrive unverified — or don't arrive at all.
In an industry where nearly a third of all phishing attacks target financial firms, looking legitimate isn't a nice-to-have. It's the difference between your marketing reaching people and your marketing being treated like the threats they've been warned about.
Both settings involve DNS changes, so they're worth doing carefully. Neither requires custom code. And both should have been part of your HubSpot onboarding — but probably weren't.