Zendesk is a customer service platform that sends a high volume of email on behalf of your domain — ticket notifications, agent replies, satisfaction surveys, and automated triggers. Since these emails go directly to your customers, authentication failures can significantly impact customer experience.
SPF Configuration
Zendesk provides an SPF include for their sending infrastructure.
DNS Record:
Type: TXT
Host: @
Value: v=spf1 include:mail.zendesk.com ~all
Combined with other services:
v=spf1 include:spf.protection.outlook.com include:mail.zendesk.com ~all
Verify your total lookup count with the SenderClarity SPF Checker.
DKIM Configuration
Zendesk supports custom DKIM signing for your domain.
- In Zendesk, go to Admin Center → Channels → Talk and email → Email.
- Find your support address and look for the DKIM or Domain authentication option.
- Zendesk will provide CNAME records for DKIM:
Type: CNAME
Host: zendesk1._domainkey
Value: zendesk1._domainkey.yourdomain.zendesk.com
Type: CNAME
Host: zendesk2._domainkey
Value: zendesk2._domainkey.yourdomain.zendesk.com
The exact values will be shown in your Zendesk admin panel.
- Add both CNAME records to your DNS.
- Return to Zendesk and enable DKIM signing.
Zendesk uses two selectors for key rotation.
DMARC Configuration
Start with monitoring mode:
Type: TXT
Host: _dmarc
Value: v=DMARC1; p=none; rua=mailto:your-address@reports.senderclarity.com; fo=1
Progress to enforcement:
p=quarantine; pct=25p=quarantine; pct=100p=reject
DMARC Considerations for Zendesk
Support ticket replies are your most sensitive email flow: When a customer emails your support address and an agent replies through Zendesk, that reply must pass DMARC — otherwise it may land in the customer's spam. Unlike marketing email where a delay is tolerable, a missing support reply erodes customer trust directly. Prioritize Zendesk DKIM authentication before rolling out DMARC enforcement.
Automated triggers and macros multiply your sending sources: Zendesk's automation features (triggers, automations, satisfaction surveys) all send email as your domain. These automated messages use the same infrastructure as agent replies, so a single DKIM configuration covers them all. However, any Zendesk Marketplace apps that send email may use separate infrastructure — verify in your DMARC reports.
Multi-brand Zendesk instances need per-brand authentication: If you've configured multiple brands in Zendesk, each brand's support domain needs its own DKIM records. A common mistake is authenticating your primary brand and forgetting secondary brands — which then fail DMARC silently until a customer complains about missing emails.
Verification
- Check your SPF record →
- Submit a test ticket and check the email headers on the notification
- Confirm
dkim=passis aligned with your domain - Monitor DMARC reports in SenderClarity
Common Issues
Ticket replies going to spam: This is usually caused by missing DKIM configuration. Without custom DKIM, Zendesk signs messages with its own domain, which won't align with your DMARC policy. Enabling DKIM is the single most impactful fix for Zendesk deliverability.
SPF alignment: Zendesk's return-path may not align with your domain by default. DKIM alignment is the more reliable path to DMARC compliance for Zendesk.
Multiple Zendesk instances: If your organization runs multiple Zendesk accounts (e.g., separate brands), each may need its own DKIM configuration. The SPF include only needs to appear once.
Zendesk Chat and Talk: These products may send email notifications separately. Verify that all Zendesk products sending email are covered by checking your DMARC reports for any unauthorized sources.
SPF Lookup Impact
| Include | Estimated Lookups |
|---|---|
mail.zendesk.com |
1–2 |