
I need to create an RBL exception for hubspot, but they suggest using a DNS which resolves to a TXT record. Can I whitelist based on a TXT DNS?

shared.hubspot.com resolves as:

 

v=spf1 include:shared1.hubspot.com ip4:52.5.15.199 ip4:52.55.8.97 ip4:54.174.52.224/30 ip4:54.174.52.92/31 ip4:54.174.52.8/31 ip4:54.174.52.64/31 ip4:54.174.52.84/31 ip4:54.174.52.88/31 ip4:54.174.52.96/31 ip4:54.174.52.128/31 ip4:54.174.52.216/31 ip4:54.174.52.220/31 ip4:54.174.52.172/31 ip4:54.174.52.180/31 ip4:54.174.52.184/31 ip4:54.174.52.176/31 ip4:54.174.52.132/31 ip4:52.203.58.221 ip4:52.54.88.164 -all

 

Is it possible to create an RBL exception for these sources using the DNS lookup?

 



  • What do you mean by an RBL exception, Jason - do you mean that Hubspot will be sending marketing emails for you using your domain name?  If you have an SPF record in DNS, just add include:shared.hubspot.com to it.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • No.   Incoming email.  They seem to be on RBL often and I need to create an RBL exception so their emails to our marketing people don't get randomly dropped.    They suggested I exclude their source server IPs from RBL checks, which is like 100 different IPs in that SPF record (shared.hubspot.com).   I guess I could manually put every IP into the UTM, but this wouldn't be dynamic as they may change their IP ranges.  

  • If these are all emails from their domain, just make an RBL Exception for *@hubspot.com - any luck with that?

    Cheers - Bob

     
  • So they are routinely blacklisted as spammers, but your organization wants to put your own reputation in their hands by using them to send email on your behalf?  Not my recommendation.

    RBL lists are implemented using DNS, so in theory you could create an override in your DNS system, and then point UTM to that override.   I don't think UTM does TXT records.   And if you make a mistake you might let in real spam.

    The problem with sender domain exceptions is that it applies to both the domain and any fraudulent mail asserting the same identity.   IP exceptions are safer.  On the other hand, you have to consider that an IP whitelist allows anything sent from those servers for any domain, and perhaps some of that mail is more worrisome than mail falsely claiming to be from hotspot.com

  • Yes, not my recommendation either, but such is IT.    I've settled on BAlfson's recommendation of just an RBL exception for senders as *@*.shared.hubspot.com which will allow my marketing people who use the hubspot servers to at least receive emails when the random server they use for delivery is on an RBL.  I'm only keeping 30 days of logs, but I'm seeing 6% of the delivery attempts hubspot is making come up as dropped due to RBL in the last 30 days. 

    Why do cloud companies use tens or even hundreds of different IPs to deliver mail for single domains?

  • I bet that information might make hubspot change suppliers.  I bet their customers would not like knowing that 6% of the emails they pay for are blocked by blacklists.

    Jason, I don't think *@*.shared.hubspot.com will work with that second * in there.

    Cheers - Bob

     
  • Using many servers will distribute the workload geographically, providing resilience against network bottlenecks.

    Web search results say that they are a Customer Relationship Management system for inbound marketing.   So it is odd that they have a problem with outbound mail.  

    They may be getting into trouble by sending mail on their clients' behalf without coordinating to ensure that the client SPF, DKIM, and DMARC policies permit them to do so.   This is an easy mistake to avoid and would be odd for a tech marketing company.  But I have seen it occur before with business partners that should have known better.

    It is also easy to monitor RBLs to see if you have been blacklisted.   If a particular client mail creates problems, they should be able to detect it quickly and fail over to a different server, and/or separate clients between servers.

    It is absolutely the sender's job to avoid blacklisting to ensure that their email goes through.   If a tech marketing company cannot do this, they have a big problem.
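
Added example (not posted by anyone in the thread, and not Sophos or HubSpot code): one way to keep an IP-based exception list in step with the sender's published SPF record, by expanding the `ip4:`/`ip6:` and `include:` terms of shared.hubspot.com into networks and testing a connecting address against them. The `lookup_txt` helper is a hypothetical stand-in for a live DNS TXT query, and the shared1.hubspot.com record is constructed from a documentation range because its content is not shown in the thread. As noted above, such a list admits anything those servers send, for any domain.

```python
import ipaddress

# TXT data keyed by name so the example runs offline. The first record is the
# one quoted in this thread; the second is CONSTRUCTED (documentation range),
# because the content of shared1.hubspot.com is not shown on the page.
TXT = {
    "shared.hubspot.com": (
        "v=spf1 include:shared1.hubspot.com ip4:52.5.15.199 ip4:52.55.8.97 "
        "ip4:54.174.52.224/30 ip4:54.174.52.92/31 ip4:54.174.52.8/31 "
        "ip4:54.174.52.64/31 ip4:54.174.52.84/31 ip4:54.174.52.88/31 "
        "ip4:54.174.52.96/31 ip4:54.174.52.128/31 ip4:54.174.52.216/31 "
        "ip4:54.174.52.220/31 ip4:54.174.52.172/31 ip4:54.174.52.180/31 "
        "ip4:54.174.52.184/31 ip4:54.174.52.176/31 ip4:54.174.52.132/31 "
        "ip4:52.203.58.221 ip4:52.54.88.164 -all"
    ),
    "shared1.hubspot.com": "v=spf1 ip4:192.0.2.0/28 -all",
}

def lookup_txt(name):
    """Hypothetical stand-in for a live DNS TXT query."""
    return TXT.get(name.lower(), "")

def spf_networks(name, lookup=lookup_txt, seen=None, max_lookups=10):
    """Expand ip4/ip6 and include terms of an SPF record into networks."""
    seen = set() if seen is None else seen
    if name in seen:                 # include loop: already expanded
        return []
    if len(seen) >= max_lookups:     # guard modelled on SPF's 10-lookup limit
        raise ValueError("too many SPF lookups")
    seen.add(name)
    record = lookup(name)
    if not record.lower().startswith("v=spf1"):
        return []
    nets = []
    for term in record.split()[1:]:
        term = term.lower().lstrip("+")      # only pass-qualified terms count
        if term.startswith(("ip4:", "ip6:")):
            nets.append(ipaddress.ip_network(term[4:], strict=False))
        elif term.startswith("include:"):
            nets.extend(spf_networks(term[8:], lookup, seen, max_lookups))
    return nets

def in_exception_list(ip, nets):
    """True if the connecting IP falls inside any expanded network."""
    addr = ipaddress.ip_address(ip)
    return any(addr.version == n.version and addr in n for n in nets)

if __name__ == "__main__":
    for net in spf_networks("shared.hubspot.com"):
        print(net)
```

Run on a schedule against live DNS, the printed networks can be compared with the previous run to show when the sender's ranges change.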