Digitally signing your email with DKIM or DMARC Follow

all plans

It's easy for some people to spoof email -- that is, send email that pretends to be from somebody else. To combat spoofing, you can digitally sign outbound email from Zendesk to prove that an email actually came from somebody in your organization and not somebody pretending to be from your organization.

Digitally signing outbound email is supported only if you have set up an external email domain for your Zendesk email, as described in Using an external email domain.

Zendesk Support allows DKIM (Domain Keys Identified Mail) and DMARC (Domain-based Message Authentication, Reporting & Conformance) authentication. Email service providers that support DKIM or DMARC, such as Gmail and Yahoo!, check inbound email to see whether an organization that claimed to have signed a message actually did. The signature is associated with the organization's registered domain name. If the message is properly signed, the email service provider delivers the message normally. If the message is not signed or is improperly signed, the email service provider may deliver it with a caution to the user, or discard it.

You need to perform the following configuration steps to digitally sign your email:

Updating your DNS records to use the Zendesk domain key

Before you can digitally sign your outbound email from Zendesk, you must update the Domain Name System (DNS) records of your domain so that the Zendesk domain key can be located and used for verifying signatures. The DNS update creates a redirect to the domain key on the Zendesk domain. When an email service provider receives an email with your domain name, the provider looks up the Zendesk domain key to verify the signature of the email.

As an added security measure, Zendesk rotates its DKIM encryption keys every quarter. As long as you use the method described below to add domain keys to your DNS record, you won't have to make any changes when the keys are updated. The lookup will automatically locate the current Zendesk domain keys.

Note: Working with domain names can be confusing because it's something most of us rarely do. Consult your system administrator, if you have one, before proceeding.

The UI and terminology may vary depending on your registrar, but the concepts are the same.

To add the domain key to your DNS records

  1. Log in to your domain registrar's control panel.

    Use the login name and password that you created when you registered the domain name.

  2. Look for the option to change DNS records.

    The option might be called something like DNS Management, Name Server Management, or Advanced Settings.

  3. Locate the CNAME records for your domain.

    A CNAME record, or Canonical Name record, is a type of alias used by the Domain Name System (DNS). CNAME records let you point to the Zendesk domain to use its domain key.

  4. Look for an option to add a CNAME record.
  5. Create a CNAME record with the following values:
    • In the host record field, enter:

      where is any of your support addresses that you want to protect with DKIM.

      Note: Your address can have a different top-level domain, such as .net, .org, or .ca.

      For example:
    • In the points to field, enter:

  6. Create a second CNAME record with the following values:
    • In the host record field, enter:
    • In the "points to" field, enter:
Note: It takes time for changes to the DNS system to be implemented. Typically, it can take anywhere from a few hours to a day, depending on your Time To Live (TTL) settings in the registrar's control panel.

Enabling digital signatures in Zendesk

  1. In Zendesk, click Manage () and select Email from the Channels category.
  2. Scroll down to Custom Domain for DKIM and select the Enable option.
  3. Click Save.
Have more questions? Submit a request


  • 0

    +1 on making DKIM available to all levels. Although, I suppose this is similar to us having to pay extra to have SSL encryption for a custom domain. :-P

  • 0

    We are definitely planning on making DKIM available on all plans. Originally the feature was plan limited for exactly the reason Bryan mentions: we wanted to create consistency. I don't agree with that decision in this case however. DKIM and DMARC are becoming necessities in the world of email. I can't be specific about the timeline yet, but this change will come soon.

  • 0

    Thanks for the update, Max!

  • 0

    Awesome, great to hear!

  • 0

    +1 on making DKIM available on all plans. We're in the same boat as Bruce and we've starting looking at alternatives. Security is important for everyone.

  • 0

    Hey, all: DKIM is now available on all plans. We need to update some documentation, but the change has been made in your accounts!

  • 0

    Awesome news. Thanks Max!

  • 0

    Thanks for getting this implemented so quickly, Max! Please pass my thanks along to the team!

  • 0

    Thank you so much for enabling DKIM support for all accounts! It's an awesome feature and the emails are received even faster now in Gmail.

    Just to confirm, the CNAME should be added with a trailing dot on the end, like this:

    Thanks goes to Pete Walker for confirming this.

    Edited by Vladimir Kochkovski
  • 0

    The instructions refer to adding the CNAME record to the default support address. Is it safe to assume that we should add this to our other support addresses as well, or is there an issue with that not addressed by this article? Thanks!

  • 0

    @Vladimir - no, the trailing dot is correct. See

  • 0

    @Pete - You are right! I have used the trailing dot on the CNAME and it works great. Thank you for the reply!
    I will edit the previous comment if I can, so it doesn't cause any confusion.

  • 0

    @David - once your CNAME record has been updated to include Zendesk, all support addresses using the same domain should be all set. If you use other domains, you'd need to go through the same steps to add Zendesk to their CNAME records.

  • 0

    Help please, I can't figure how to add these in CPANEL, what am I doing wrong?

    and with the trailing dot:

    Edited by John B
  • 0

    Instructions taken from

    For cPanel:

    1. Log in to your account with your particular hosting provider.
    2. Find the window entitled 'Domains.'
    3. Click on 'Simple DNS Zone Editor' - This will take you to a control panel.
    4. In the control panel you will see a section titled 'Add a CNAME Record':
    5. In the 'Name' field of this section, type the name of your chosensubdomain.  For example, if you picked as your custom domain, enter lander here. Or, if you're using a root domain such as then you'll want to enter www here.  cPanel automatically fills in the rest of your URL.
    6. In the 'CNAME' field, type
    7. Click the 'Add CNAME Record' button at the bottom.



    Looks like you should have zendesk1._domainkey in the Name field without the

    Thanks again, Zendesk, for implementing this for everyone!

  • 0


    It looks like I've successfully added the CNAME records in GoDaddy (the registrar accepted the records).

    The weird thing is that in both the host records I had to truncate my root domain to enter the values: because my root domain is, according to the article I should have inserted in the host records and

    Instead after different attempts, GoDaddy accepted the host record truncating the last part of the root domain in this way:



    Do you think will it work?

  • 0

    Hi Guido Dati,

    It's good that you've managed to add the DKIM to GoDaddy registrar. But, I'm not sure that it will work properly if the name gets truncated.

    You might want to see if you can add it with quotes, like this:


    and see if GoDaddy shows it properly.


    If you have any additional questions, please feel free to contact me.


    Best regards,
    Vladimir Kochkovski

  • 0

    Hi Vladimir,

    I followed your advice but it doesn't work as you can see from the screenshot. (It's in Italian and it asks to insert the host name as a subdomain)

    Instead, if I insert the complete text without "..." GoDaddy now allows me to insert the text and accept it but it doesn't show the root domain.

    I sent some test e-mail using this last setting

    and the e-mail details say that it is signed by, which should be correct. Can you confirm this?

    Is it correct that it is mailed-by considering that is an e-mail forwarding? Can you confirm this?




    Edited by Guido Dati
  • 0

    Thank you for the screenshots, Guido.

    In your case, you only need to add this without the domain and without the quotes:

    You can use this video as guideline:

    If you have any additional questions, please feel free to contact me.

    Best regards,
    Vladimir Kochkovski

Please sign in to leave a comment.

Powered by Zendesk