DKIM for Zendesk: Email Authentication Setup Guide
How to set up DKIM for Zendesk. Step-by-step guide covering SPF and DKIM DNS records for Zendesk Support email authentication.
Last updated: 2026-04-14
This guide is part of our Support Platforms series.
When customers receive a support email from your Zendesk helpdesk, their email provider checks whether the message is actually from you. Without DKIM, those emails can look suspicious, land in spam, or get rejected entirely. For a support team that depends on reliable communication, that is a serious problem.
DKIM (DomainKeys Identified Mail) adds a cryptographic signature to your outgoing emails. It proves to receiving mail servers that the message came from an authorized sender and was not tampered with in transit.
Why Zendesk Support Emails Need DKIM
Zendesk sends emails on behalf of your support domain. Every ticket reply, automated notification, and satisfaction survey goes out through Zendesk's infrastructure using your company's email address. Without proper authentication, receiving mail servers have no way to verify that Zendesk is authorized to send on your behalf.
Here is what happens without DKIM:
- Support replies land in your customers' spam folders
- Ticket notifications get silently dropped by strict email providers
- Automated workflows like satisfaction surveys never reach recipients
- Your domain reputation degrades over time as unauthenticated messages accumulate
- DMARC policies on your domain may cause outright rejections
If you are already seeing delivery issues with Zendesk emails, missing DKIM is the most likely culprit. Gmail, Yahoo, and Microsoft now enforce stricter authentication requirements, making DKIM configuration essential rather than optional.
What You Need Before Starting
Before configuring DKIM in Zendesk, make sure you have:
- Admin access to Zendesk - You need permissions in Zendesk Admin Center to manage email channels
- Access to your domain's DNS settings - You will add CNAME and TXT records through your domain registrar or DNS provider
- A custom support email address already configured - Zendesk should already be sending from your domain (e.g., [email protected])
If you are still using a default Zendesk email address (e.g., [email protected]), you need to set up a custom support address first. DKIM only applies to emails sent from your own domain.
Setting Up DKIM for Zendesk
Open Zendesk Admin Center
Log in to your Zendesk account and navigate to Admin Center. Go to Channels > Talk and email > Email. Scroll down to the section that lists your support addresses.
Enable DKIM for your domain
Under your custom support email address, look for the DKIM authentication settings. Zendesk will display the CNAME records you need to add to your DNS. There are typically two CNAME records - copy both of them exactly as shown.
Add CNAME records to your DNS
Log in to your domain registrar or DNS provider. Create the two CNAME records provided by Zendesk. The records point specific subdomains (under _domainkey) to Zendesk's signing servers, allowing Zendesk to sign emails with a key that maps back to your domain.
Configure SPF for Zendesk
While you are editing DNS, update your SPF record to include Zendesk. Add include:mail.zendesk.com to your existing SPF TXT record. If your current record looks like v=spf1 include:_spf.google.com ~all, update it to v=spf1 include:_spf.google.com include:mail.zendesk.com ~all.
Wait for DNS propagation
DNS changes can take anywhere from a few minutes to 48 hours to propagate. Most providers update within 1-4 hours.
Verify in Zendesk
Return to Zendesk Admin Center and click the verification button next to your DKIM settings. Zendesk will check your DNS records and confirm whether DKIM is active. Once verified, all outgoing support emails will be signed.
Need to generate DKIM keys?
Use DKIM Creator to generate and validate DKIM records for your domain. Helpful for verifying your Zendesk configuration.
DNS Records at a Glance
Here is a summary of the DNS records you will add for Zendesk email authentication:
| Record Type | Purpose | Example Value |
|---|---|---|
| CNAME | DKIM key 1 | `zendesk1._domainkey` → provided by Zendesk |
| CNAME | DKIM key 2 | `zendesk2._domainkey` → provided by Zendesk |
| TXT (SPF) | Authorize Zendesk to send | `v=spf1 ... include:mail.zendesk.com ~all` |
Do not remove your existing SPF includes when adding Zendesk. Your SPF record should list every service authorized to send email for your domain. Removing other entries will break email from those services.
Troubleshooting Common Issues
Zendesk says verification failed DNS propagation may not be complete. Wait a few hours and try again. Double-check that you copied the CNAME records exactly - even a trailing period or extra space can cause a mismatch.
Emails still landing in spam after enabling DKIM
Check that your SPF record is also correct. DKIM and SPF work together. If one passes but the other fails, some providers will still flag the message. See our common DKIM errors guide for more troubleshooting tips. Also verify you do not have a strict DMARC policy (p=reject) without alignment - this can cause issues during the transition.
Multiple support addresses on different domains You need to configure DKIM separately for each domain you use in Zendesk. Each domain requires its own pair of CNAME records and its own SPF update.
SPF record exceeds the DNS lookup limit SPF records are limited to 10 DNS lookups. If adding Zendesk pushes you over this limit, you may need to consolidate or flatten your SPF record. This is a common issue for businesses using many third-party email services.
Verifying Everything Works
After Zendesk confirms your DKIM records are active, send a test email from Zendesk to a Gmail account. Open the message in Gmail, click the three-dot menu, and select Show original. Look for these lines in the headers:
dkim=pass- Your DKIM signature is validspf=pass- Zendesk is authorized via SPF
If both show pass, your Zendesk email authentication is fully configured. You can also use DKIM Creator to look up and validate your published DKIM records.
DKIM and DMARC Together
Once DKIM and SPF are in place, consider adding a DMARC record if you do not already have one. DMARC ties DKIM and SPF together with a policy that tells receiving servers what to do when authentication fails. Start with a monitoring policy (p=none) to collect reports before enforcing stricter rules.
Related Articles
References
- RFC 6376 — DomainKeys Identified Mail (DKIM) Signatures
- Zendesk official documentation — Email authentication and DKIM setup
Using Zendesk for customer support? Make sure every email you send is authenticated and trusted.
Verify your Zendesk DKIM setup
Use DKIM Creator to check your domain's DKIM records and confirm Zendesk emails are properly signed.
Check DKIM Records