Customer service platform with support email ticketing and routing. This guide covers the complete email authentication stack for Zendesk: SPF, DKIM, and DMARC. Each section gives you the exact DNS records, step-by-step instructions, common pitfalls, and how to verify your setup.
Authorize Zendesk to send support emails on behalf of your domain by adding the correct SPF include.
TXT
@
v=spf1 include:mail.zendesk.com ~all
Add include:mail.zendesk.com to your existing SPF record.
Go to your Zendesk Admin Center.
Go to Channels > Email. Add or select your support email address.
Look up your current SPF record.
dig TXT yourdomain.com +short | grep spfAdd include:mail.zendesk.com to your existing SPF record.
v=spf1 include:mail.zendesk.com ~allSend a test support email from Zendesk and check the headers for SPF pass.
v=spf1 include:_spf.google.com ~allv=spf1 include:_spf.google.com include:mail.zendesk.com ~allAdd include:mail.zendesk.com to your SPF record. For example: v=spf1 include:mail.zendesk.com ~all.
SPF is not strictly required but strongly recommended. Without it, emails from Zendesk may be flagged as suspicious by recipient mail servers.
Yes. Combine both: v=spf1 include:_spf.google.com include:mail.zendesk.com ~all.
Enable DKIM signing for Zendesk support emails by publishing two CNAME records for Zendesk's DKIM selectors.
CNAME
zendesk1._domainkey
zendesk1._domainkey.zendesk.com
You need two CNAME records: zendesk1._domainkey and zendesk2._domainkey.
Go to your Zendesk Admin Center.
Go to Channels > Email. Find the DKIM or domain authentication section.
Zendesk will display two CNAME records you need to add to your DNS.
Create both CNAME records in your DNS provider.
zendesk1._domainkey.yourdomain.com CNAME zendesk1._domainkey.zendesk.com
zendesk2._domainkey.yourdomain.com CNAME zendesk2._domainkey.zendesk.comIn Zendesk Admin, toggle on "Enable digital signatures" once the CNAME records have propagated.
Zendesk uses zendesk1 and zendesk2 as DKIM selectors, published as CNAME records.
Yes. Since the records are CNAMEs pointing to Zendesk-managed DNS, keys can be rotated without DNS changes on your end.
Yes. If your support email uses a subdomain, add the DKIM CNAME records for that subdomain.
Publish a DMARC record to protect your domain when sending support email through Zendesk.
TXT
_dmarc
v=DMARC1; p=none; rua=mailto:[email protected]; ruf=mailto:[email protected]; fo=1
Ensure Zendesk SPF and DKIM are configured before enforcing DMARC.
Set up both SPF (include:mail.zendesk.com) and DKIM (zendesk1/zendesk2 CNAME records) before adding DMARC.
Send a test support email from Zendesk and check email headers for SPF and DKIM pass.
Add a TXT record at _dmarc.yourdomain.com.
v=DMARC1; p=none; rua=mailto:[email protected]; ruf=mailto:[email protected]; fo=1Review DMARC reports to verify Zendesk emails are passing. Look for any alignment issues.
Move from p=none to p=quarantine and finally p=reject.
Zendesk supports DKIM alignment through its CNAME-based DKIM setup. SPF alignment depends on your email configuration.
If SPF and DKIM are properly configured, no. But if either is missing, enforced DMARC may cause ticket emails to be rejected.
No. One DMARC record per domain covers all email, including Zendesk.
Once your SPF, DKIM, and DMARC records are in place, run a full domain scan to confirm everything is configured correctly. DNS changes typically propagate within minutes but can take up to 48 hours.