If your teams rely on HubSpot every day—whether for CRM data, private CMS pages, or shared internal files—you know how quickly an asset link can end up in the wrong hands. A sales rep forwards a pitch deck, a marketer shares a testing page, or an automation triggers access from an unintended region. Suddenly, your gated content or internal resources are exposed—and compliance risks follow right behind.
That’s why understanding and configuring HubSpot’s domain access settings isn’t just about best practices—it’s a core part of protecting your company’s content workflows. With the right controls in place, you can limit visibility by domain, maintain user access boundaries, and stay audit-ready.
This guide shows you exactly how to do that. You’ll learn where domain access lives in your settings, how to configure it based on your business needs, how to avoid missteps, and how to monitor usage so security never gets in your team’s way.
Configuring Team-Based Domain Permissions and Publishing Access
Domain access settings are HubSpot’s built-in way to restrict access to specific types of hosted content. Whether it’s an internal landing page, a sensitive file, or a knowledge article, these settings limit visibility based on domain—either by network (IP) or user email.
To get started, go to Settings > Website > Domains & URLs. This is where you’ll manage all domains associated with your HubSpot content. From there, you can choose whether each domain serves public pages or is locked to approved internal use.
Think of this as your gatekeeper setting. It empowers you to secure internal-only assets or restrict content by team or region without leaving HubSpot.
Domain access connects to multiple HubSpot areas, including:
- CMS tools, like blogs or landing pages, are segmented by domain
- File & Documents tool, where link access can be enforced
- User roles and Teams, to layer permissions for context-specific control
If you’re hosting private partner resources or internal HR portals inside HubSpot, domain settings are essential for keeping access tight and traceable.
How It Works Under the Hood
So how does HubSpot actually restrict access behind the scenes? It all starts with how your domain configuration interacts with user and network identification.
First, you define which domains are “connected” to your HubSpot portal—these serve as the base layer for assigning permissions. Then, you drill down further with domain access filters that use two primary inputs:
- Email domains (like @company.com)
- Network IPs used for access
When someone tries to load a page, HubSpot checks whether they’re logged in under an allowed domain or operating from an authorized network. If they don’t match the criteria? They’ll get a redirect or an access-denied message.
Here’s what you’ll configure:
- Your verified list of primary and subdomains
- Who’s allowed to access hosted files and internal URLs
- Asset-level visibility settings for private vs. public content
These controls create clear access boundaries. You’ll stop external parties from accidentally stumbling onto internal content—and give your teams confidence that what they’re building stays within the lines.
Additional options you can use:
- Enforce HTTPS via SSL for connected domains
- Mark content (e.g., blog posts, articles) as “Private—access by email domain only.”
- Set a default redirect destination for denied visitors, like a sign-in page
Main Uses Inside HubSpot
Restrict Internal Content from Public View
If your company hosts employee resources, onboarding pages, or team-specific updates in HubSpot, domain filtering lets you hide those from public search or accidental links.
For example, you might build a staff handbook on a subdomain like “internal.yourcompany.com” and allow access only to email addresses ending in @yourcompany.com. Any external user gets routed to a general homepage. It’s a simple safeguard, especially helpful for onboarding and internal wikis.
Control File Download Access
Files hosted in HubSpot’s file manager—whether case studies or sales templates—can be wide open unless you apply restrictions. Domain access settings help you prevent shareable links from being passed or indexed.
Use this if your files are sensitive and intended for internal or vetted partner use only. Authorized users with matching email domains can open or download, while everyone else hits a block or redirect.
Manage Multi-Domain Publishing Permissions
For companies with regional teams managing different brands or international domains, domain settings maintain clean lines between who can edit or publish where.
One team might manage “example.com,” while another runs “example.de.” When access is restricted by domain, each group focuses only on its assigned web properties—reducing risks of content collisions or compliance missteps across markets.
Common Setup Errors and Wrong Assumptions
- Misconfiguring the primary domain: HubSpot treats the primary domain as the default. Changing domain order or adding new domains without assigning secondary roles can unintentionally restrict or expose assets. Always double-check domain assignments after updates.
- Overlooking file-level access rules: Even if a page is protected by an email domain, any files linked to it remain public unless you apply file-specific privacy settings. You need to mark each sensitive file individually as private in the File Manager.
- Relying solely on redirects: A redirect might prevent someone from viewing a page, but it won’t stop them from loading or downloading a file directly. True security comes from access controls combined with redirects—not standalone routing.
- Confusing session-level access with link-restrictions: Users operating under a different email domain—say, a contractor with a partner login—won’t be able to access pages restricted to your internal domain. Make the conditions clear to collaborators so they know which account to use.
Step-by-Step Setup or Use Guide
Before updating your domain settings, make sure you:
- Have Super Admin privileges or Settings access
- Verified all connected domains via DNS
- Enabled SSL and ensured stable DNS records
Here’s how to set up domain access:
- Go to Settings.
In your HubSpot account, click the gear icon in the top-right corner to open Settings.
- Open Domains & URLs.
On the left menu, find Website > Domains & URLs. This is where your connected domains live.
- Add or verify new domains.
Click “Connect domain” to add any marketing or internal domains. You’ll need to finish DNS verification to confirm ownership.
- Enable domain restrictions.
For each connected domain, choose “Restrict access” to limit who can view hosted assets. You can choose email domain controls or login requirements.
- Enter allowed domains.
Enter your employees’ or partners’ email domains (e.g., “@company.com”) to restrict access accordingly.
- Configure privacy for sensitive files.
From the Files tool (Marketing > Files and Templates > Files), find any internal file, click “Details,” and set access to “Private – Requires login.”
- Test your setup.
Try accessing restricted pages from a browser or test account outside the approved domain. If everything is configured correctly, access will be denied or redirected.
- Set a redirect for blocked users.
Instead of a blank denial, route unauthorized visitors to a useful fallback page—like a company login or help center.
Measuring Results in HubSpot
Once access controls are live, you’ll want to monitor their behavior and confirm they’re functioning as intended—without getting in the way of your teams.
Use these analytics options:
- Watch for denied access events.
Create a report that tracks access errors or traffic redirected away from restricted assets. This tells you how often people try—and fail—to access protected pages. - Check by domain in web analytics.
Review page views filtered by traffic origin. If you’re seeing activity from unapproved domains, it’s time to revisit your restrictions. - Audit user login patterns.
Use user login history to identify logins by domain or IP. Spot anything unusual or unexpected before it becomes a larger compliance issue. - Monitor file downloads.
Count downloads from protected files and compare them against user email domains. Large spikes or out-of-pattern activity may indicate misconfigured settings. - Align CRM asset behavior.
Ensure gated forms or meeting links tied to restricted domains are receiving submissions only from your allowed internal addresses.
A monthly dashboard review can help you simplify trends, while a quarterly audit keeps your compliance and security aligned with system changes.
Short Example That Ties It Together
Let’s say your SaaS company just launched an internal enablement hub using HubSpot CMS. It holds key documents for onboarding, product training videos, and cross-functional playbooks.
You connect two domains in HubSpot:
- Public: maincompany.com
- Internal: internal.maincompany.com
Once connected and SSL is enabled, you restrict “internal.maincompany.com” to users with “@maincompany.com” email addresses. Any file under this domain is marked “Private.” Then you route unauthorized users to your homepage, preserving the UX if someone lands there by accident.
A week later, you see redirection reports triggering from a few unexpected IPs. No matching downloads show in private files. Analytics confirm the visitors were blocked, while internal staff continue to have access through SSO. The system works without a hitch—and your security holds firm.
How INSIDEA Helps
HubSpot is powerful—but configuring domain-level controls takes precision, especially across complex team structures or compliance needs. That’s where INSIDEA comes in.
Our HubSpot experts specialize in setting up secure, efficient portals tailored to how your company actually works. Whether you’re managing multiple regions, spinning up brand subdomains, or planning controlled rollouts, we help you avoid missteps.
Our services include:
- Domain and access architecture setup, designed for security and scale
- Clean onboarding for new portals or teams
- Workflow audits to spot inefficiencies and access leaks
- Cross-team automation buildouts aligned with business goals
- CRM and reporting integration to keep data centralized and clean
If your company needs real-world HubSpot support—without the guesswork—talk to an INSIDEA specialist or check out INSIDEA’s HubSpot consulting services.
