Infrastructure assessment of hubspot.com identified 4 core issues backed by 17 diagnostic evidence items.
| Severity | Root Issue | Evidence Items |
|---|---|---|
| HIGH | Multiple MX IPs on Reputation Blocklists (10 hits) | 10 |
| MEDIUM | MTA-STS Not Deployed for hubspot.com | 1 |
| MEDIUM | Multiple DKIM Selectors Below 2048-bit (5 selectors) | 5 |
| LOW | TLS-RPT Not Deployed for hubspot.com | 1 |

| Infrastructure | Provider |
|---|---|
| Mail Platforms | Google Workspace |
| DNS Providers | Cloudflare |
| ESPs | HubSpot |

MX host IP 74.125.200.26 is listed on Invaluement ivmSIP (sip.invaluement.com). Certain receiving systems consuming this reputation source may reject or filter mail originating from listed infrastructure.
74.125.200.26 on sip.invaluement.com; 74.125.200.26 on sip24.invaluement.com; 74.125.200.27 on sip.invaluement.com; 74.125.200.27 on sip24.invaluement.com; 172.253.118.27 on sip.invaluement.com; 172.253.118.27 on sip24.invaluement.com; 64.233.170.26 on sip.invaluement.com; 64.233.170.26 on sip24.invaluement.com; 64.233.170.27 on sip.invaluement.com; 64.233.170.27 on sip24.invaluement.com
Business Impact: Certain receiving systems may reject or filter messages originating from listed infrastructure. Potential deliverability degradation for receivers consuming this reputation feed.
Remediation: Identify and resolve the root cause of the listing. Submit an official delisting request to Invaluement ivmSIP.
Ref: Threat Intelligence Integration
No MTA-STS TXT record was found. MTA-STS prevents downgrade attacks and STARTTLS stripping on inbound mail delivery.
hubspot.com | _mta-sts.hubspot.com | NOANSWER | 2026-06-11T15:20:18.822178+00:00
Business Impact: Inbound mail is vulnerable to opportunistic TLS downgrade attacks. An attacker with network access can force plaintext delivery.
Remediation: 1. Create a TXT record at _mta-sts.{domain}: v=STSv1; id=
DKIM selector 'google' uses a 1024-bit RSA key. RFC 8301 recommends a minimum of 2048 bits for new deployments.
google (1024-bit); hs1 (1024-bit); hs2 (1024-bit); m1 (1024-bit); s1 (1024-bit)
Business Impact: The configuration does not align with modern cryptographic recommendations and may become incompatible with future policy requirements.
Remediation: Rotate to a 2048-bit RSA key during next maintenance window.
Ref: RFC 8301
No TLS-RPT record was found. TLS-RPT enables reporting of TLS negotiation failures from remote MTA connections.
hubspot.com | _smtp._tls.hubspot.com | 2026-06-11T15:20:18.893623+00:00
Business Impact: TLS delivery failures are not reported and cannot be detected.
Remediation: Add a TXT record at _smtp._tls.{domain}: v=TLSRPTv1; rua=mailto:tls-reports@{domain}
Ref: RFC 8460
MX record analysis identified Google Workspace as the mail platform for hubspot.com. This establishes the primary mail infrastructure context.
Google Workspace | MX | smtp.google.com | [{'exchange': 'smtp.google.com', 'priority': 1}] | 2026-06-11T15:20:14.408284+00:00
Business Impact: Mail platform identification is required to determine expected authentication configuration (DKIM selectors, SPF mechanisms, DMARC policy alignment).
Remediation: No remediation required. This is an infrastructure observation.
NS record analysis identified Cloudflare as the DNS provider for hubspot.com.
Cloudflare | NS | jerry.ns.cloudflare.com | ['jerry.ns.cloudflare.com', 'yolanda.ns.cloudflare.com'] | 2026-06-11T15:20:13.841099+00:00
Business Impact: DNS provider identification is relevant to change management, DNS propagation timing, and DNSSEC capability assessment.
Remediation: No remediation required. This is an infrastructure observation.
HubSpot was identified as an authorised sending platform via SPF include analysis for hubspot.com.
HubSpot | SPF_INCLUDE | _hspf.hubspot.com | v=spf1 redirect=_hspf.hubspot.com | 2026-06-11T15:20:17.745149+00:00
Business Impact: Third-party sending platforms affect SPF lookup depth, DKIM alignment, and DMARC pass rates. Each additional sending platform increases infrastructure complexity.
Remediation: No remediation required. This is an infrastructure observation. If this vendor is no longer in use, remove it from SPF to reduce lookup depth.
The subdomain links.hubspot.com resolves and is likely used for email tracking, link wrapping, or sending purposes.
links.hubspot.com | hubspot.com | DNS_CNAME_A_PROBE | 2026-06-11T15:20:18.116043+00:00
Business Impact: Tracking subdomains may carry separate sender reputation. Authentication configuration on these subdomains should be consistent with the root domain policy.
Remediation: No remediation required. This is an infrastructure observation. Ensure DMARC subdomain policy is intentionally configured.
The subdomain track.hubspot.com resolves and is likely used for email tracking, link wrapping, or sending purposes.
track.hubspot.com | hubspot.com | DNS_CNAME_A_PROBE | 2026-06-11T15:20:18.116043+00:00
Business Impact: Tracking subdomains may carry separate sender reputation. Authentication configuration on these subdomains should be consistent with the root domain policy.
Remediation: No remediation required. This is an infrastructure observation. Ensure DMARC subdomain policy is intentionally configured.
The subdomain go.hubspot.com resolves and is likely used for email tracking, link wrapping, or sending purposes.
go.hubspot.com | hubspot.com | DNS_CNAME_A_PROBE | 2026-06-11T15:20:18.116043+00:00
Business Impact: Tracking subdomains may carry separate sender reputation. Authentication configuration on these subdomains should be consistent with the root domain policy.
Remediation: No remediation required. This is an infrastructure observation. Ensure DMARC subdomain policy is intentionally configured.
The subdomain mail.hubspot.com resolves and is likely used for email tracking, link wrapping, or sending purposes.
mail.hubspot.com | hubspot.com | DNS_CNAME_A_PROBE | 2026-06-11T15:20:18.116043+00:00
Business Impact: Tracking subdomains may carry separate sender reputation. Authentication configuration on these subdomains should be consistent with the root domain policy.
Remediation: No remediation required. This is an infrastructure observation. Ensure DMARC subdomain policy is intentionally configured.
DMARC policy is p=reject. All unauthenticated mail is rejected.
v=DMARC1;p=reject;pct=100;rua=mailto:bdlk5ayo@ag.dmarcian.com;ruf=mailto:bdlk5ayo@fr.dmarcian.com | reject | 100
Business Impact: Maximum anti-spoofing protection is in place.
Remediation: No remediation required.
Ref: RFC 7489
Both DS and DNSKEY records are present, indicating DNSSEC is deployed.
[{'key_tag': 2371, 'algorithm': 13, 'digest_type': 2}] | [{'algorithm': 13}, {'algorithm': 13}]
Business Impact: DNS responses for this domain are cryptographically authenticated.
Remediation: No remediation required.
Ref: RFC 4033
BIMI is deployed. Brand logo will display in supporting mail clients.
v=BIMI1; l=https://www.hubspot.com/hubfs/hubspot_inc_1435039322.svg; a=https://www.hubspot.com/hubfs/hubspot_inc_1435039322.pem; | https://www.hubspot.com/hubfs/hubspot_inc_1435039322.svg | True
Business Impact: Brand visibility enhanced in BIMI-supporting mail clients.
Remediation: No remediation required.
SPF evaluation requires 4 DNS lookups, within the RFC limit.
4 | v=spf1 redirect=_hspf.hubspot.com
Business Impact: SPF lookup depth is within acceptable limits.
Remediation: No remediation required.
A valid SPF record is configured for hubspot.com.
v=spf1 redirect=_hspf.hubspot.com | 4 | None
Business Impact: Sender authorisation is declared. Authentication analysis can proceed.
Remediation: No remediation required. This is an informational observation.
Ref: RFC 7208
Reverse DNS for 64.233.170.26 resolves to sg-in-f26.1e100.net and forward-confirms.
64.233.170.26 -> sg-in-f26.1e100.net; 64.233.170.27 -> sg-in-f27.1e100.net; 172.253.118.27 -> sl-in-f27.1e100.net; 74.125.200.27 -> sa-in-f27.1e100.net; 74.125.200.26 -> sa-in-f26.1e100.net
Business Impact: FCrDNS passes. Basic PTR reputation check satisfied.
Remediation: No remediation required.
| Category | Level |
|---|---|
| SECURITY | HIGH |
| DELIVERABILITY | MEDIUM |
| OPERATIONAL | HIGH |
| BUSINESS_CONTINUITY | MEDIUM |