Allowing Zendesk to send email on behalf of your email domain

Will Gates

You can set up your custom email domain to verify that Zendesk can send email on behalf of your email server.

For example, if you receive email from your customers at help@mycompany.com, and you’ve set up an automatic redirect to forward all email received there to Support, you can authorize Zendesk to send out notifications as if it originated from your own email address (for example: help@mycompany.com).

Setting up records for your domain can be confusing because it’s something most of us rarely do. Consult your system administrator, if you have one, before proceeding.

You don’t have to configure your email domain this way, but it’s recommended if you use your own custom email domain and have set up forwarding to an external email address. If you use a non-custom domain, such as addresses ending in @gmail.com or @yahoo.com, you can’t use this feature, as you won’t have access to the account DNS settings.

The advantages of this configuration

When Zendesk sends an email message using your email address (which is what happens if you’ve set up a support address with forwarding) the message identifies the sender as zendesk.com to avoid getting rejected. However, if you allow Zendesk to send email on behalf of your email domain, Zendesk stops sending messages from zendesk.com, and sends them from your domain, preserving your branding.

If you don’t complete the tasks described in this article, your customers might see something like this:

Email via Zendesk

The following warning will also appear in the agent interface next to your external support addresses:

SPF warning

Setting up records for your domain

You will need to set up an SPF record and several CNAME records. Make sure you do both.

Setting up an SPF record

If this is the first time doing this task, keep in mind that you should also set up your CNAME records when you’re done.

The process of setting up an SPF record is different for different domain registrars. For example, here are the instructions for GoDaddy, Namecheap, 1&1, Network Solutions, and Google Domains.

Don’t forget to set up your CNAME records when you’re done.

To create or edit an SPF record to reference Zendesk

  • Edit your domain’s DNS settings to add a TXT record. The steps vary depending on your domain registrar. A TXT record is required for your SPF record to be validated.

Zendesk recommends using the following SPF record:

v=spf1 include:mail.zendesk.com ?all

While we recommend using ?all because it’s the least intrusive qualifier, you can use whichever qualifier you are comfortable with.

If you’ve already set up an SPF record for another purpose, you can simply add a reference to Zendesk to it. The SPF specification requires that you have only one SPF record on your domain. Multiple records may cause issues, including rejection of your email.

For example, instead of having two separate records, such as v=spf1 include:_spf.google.com ~all and v=spf1 include:mail.zendesk.com ~all, you can combine them into one, like this:

v=spf1 include:_spf.google.com include:mail.zendesk.com ~all

In the past, Zendesk suggested alternate formulations for SPF records, including include:smtp.zendesk.com and include:support.zendesk.com. These are both outdated SPF records. While they might still work, they’re not the best option. If you’re still using them, you’ll see a warning flag indicating you’ve set up an outdated record.
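The checks described in this section, written as an added example (not Zendesk's own code): it takes the TXT values published for a domain, flags multiple SPF records, outdated Zendesk includes and a missing mail.zendesk.com reference, and builds one combined record. The function names, the sample TXT values, and the choice to keep the strictest "all" qualifier when records disagree are assumptions of this example; redirect= modifiers are not handled.

```python
ZENDESK = "include:mail.zendesk.com"
OUTDATED = {"include:smtp.zendesk.com", "include:support.zendesk.com"}
STRICTNESS = "+?~-"  # "all" qualifiers, most permissive first


def spf_records(txt_values):
    """Keep only the TXT values that are SPF records (they start with v=spf1)."""
    return [v.strip() for v in txt_values if v.strip().lower().split()[:1] == ["v=spf1"]]


def combine(records):
    """Merge SPF records into one that references mail.zendesk.com exactly once."""
    kept, qualifier = [], None
    for record in records:
        for term in record.split()[1:]:
            low = term.lower()
            if low.lstrip(STRICTNESS) == "all":
                q = low[0] if low[0] in STRICTNESS else "+"  # bare "all" means "+all"
                # Assumption of this example: when records disagree, keep the strictest.
                if qualifier is None or STRICTNESS.index(q) > STRICTNESS.index(qualifier):
                    qualifier = q
            elif low not in OUTDATED and low not in (k.lower() for k in kept):
                kept.append(term)  # drop outdated includes and duplicates
    if ZENDESK not in (k.lower() for k in kept):
        kept.append(ZENDESK)
    # With no "all" term anywhere, fall back to the ?all the article recommends.
    return " ".join(["v=spf1", *kept, (qualifier or "?") + "all"])


def audit(txt_values):
    """Return (findings, suggested_record) for one domain's TXT values."""
    spf = spf_records(txt_values)
    terms = {t.lower() for r in spf for t in r.split()[1:]}
    findings = []
    if len(spf) > 1:
        findings.append("multiple SPF records: publish a single combined record")
    if terms & OUTDATED:
        findings.append("outdated Zendesk include: replace with mail.zendesk.com")
    if ZENDESK not in terms:
        findings.append("mail.zendesk.com is not referenced")
    return findings, combine(spf)


# Constructed sample: TXT values as a DNS lookup for the domain might return them.
SAMPLE = [
    "unrelated-verification=constructed-value",
    "v=spf1 include:_spf.google.com ~all",
    "v=spf1 include:smtp.zendesk.com ?all",
]

if __name__ == "__main__":
    found, suggested = audit(SAMPLE)
    print("\n".join(found + [suggested]))
```

To audit a live domain, pass in the TXT values returned by your DNS lookup tool of choice in place of SAMPLE.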

Setting up CNAME records

In order for Zendesk to send email on your behalf, you must add four CNAME (Canonical Name) records to your DNS server that give Zendesk domain-level email authorization.

The CNAME records redirect SPF checks to mail*.zendesk.com, which is a Zendesk server that includes an SPF record that is maintained by Zendesk. This SPF record is used for mail sent from zendesk*.customer.com. This means that Zendesk maintains SPF records for a subset of mail delivered from your domain, and ensures they are always up-to-date.

To authorize Zendesk to deliver your email using CNAME records

  • Edit your domain’s DNS settings and add each of these CNAME records:

    Type   Name/Host/Domain  Value/Target/Destination  TTL
    CNAME  zendesk1          mail1.zendesk.com         3600 or use default
    CNAME  zendesk2          mail2.zendesk.com         3600 or use default
    CNAME  zendesk3          mail3.zendesk.com         3600 or use default
    CNAME  zendesk4          mail4.zendesk.com         3600 or use default

If you’re unsure about any of the above, consult with your DNS provider.

Consider making an additional update to digitally sign outbound email from Zendesk to prevent your customers’ email clients from blocking email. Digitally signing email proves that an email actually came from your organization and not from someone pretending to be your organization. For instructions, see Digitally signing your email with DKIM or DMARC.

Verifying your domain

In order for Zendesk Support to send emails on your behalf, you must verify that you own the domain that you want Support to use. This is done by adding a TXT record (a domain verification record) to your DNS server that Support will check. The domain verification record is unique for each Support account and domain combination.

If you don’t add the domain verification record, Support sends emails from a Zendesk-provided email address. If you want to give your customers a white label experience, hiding all Zendesk branding, you must add this record.

To verify that a domain belongs to you

  1. After you have finished setting up your CNAME records, go to Support and click the Admin icon (Settings icon) in the sidebar, and then navigate to Channels > Email.
  2. Locate the DNS records (located outside of Zendesk) for your Support address, then click See details to see the domain verification value.

    If you are an agent with permissions to manage support addresses, you can use the Support Addresses API endpoint to find the domain verification code for your support address instead, if you prefer. Look for the domain_verification_code value.

  3. Edit your domain’s DNS settings and add this TXT record:

    Type Name/Host/Domain Value TTL
    TXT zendeskverification   3600 or use default

    You can find the value next to the Domain verification TXT record check. In this example, the value is abcdef123456:

    domain_verification

  4. After you add the TXT record, click the Verify DNS records button to confirm that all of your records are now valid. If they are, the red error messages will be gone.

    After your domain is verified, leave the domain verification record in-place.

If you decide to change your Support subdomain or host mapping later, you don’t need to update your domain verification records.

Understanding SPF checks

Sender Policy Framework (SPF) is a domain-level email authorization protocol that allows you to declare which IP addresses are allowed to send email as if it originated from your domain.

This is accomplished by adding Domain Name System (DNS) records, either TXT or CNAME. Think of DNS as a publicly accessible record for the internet. These records enable you to state publicly that Zendesk is an authorized sender for your domain.

When an email client receives a message, it performs an SPF check on the sending domain to verify that the email came from who it says it did. If this check fails, or there isn’t a DNS record that says that Zendesk is a permitted sender, some receivers might consider that email spam or a phishing attempt, and flag it as untrustworthy or not display it to your customers at all.

Zendesk avoids this by sending email using our own domain when we’re not authorized to use your domain, and by using your domain only when you authorize Zendesk with a proper SPF record. Either way, email sent from Zendesk should never be marked as spam.


Comments

3 comments

  • Comment author
    Daniel Redmond

    Our emails have stopped sending without notice but the configuration looks fine. We tried to disable send via gmail but that didn't help. Any other suggestions??

    0
  • Comment author
    Daniel Redmond

    I've fixed the triggers and the emails are working now. Thank you!

    0
  • Comment author
    Vera Yang

    Can you confirm that your default triggers are still enabled under Admin>Business Rules>Triggers? More information here: About the Support default triggers

    Are emails still generating tickets in your account? Or is the issue that your agent responses are not making it back to customers?

    Any additional information can help us point you in the right direction :) 

    0
