It's easy for some people to spoof email -- that is, send email that pretends to be from somebody else. To combat spoofing, you can digitally sign outbound email from Zendesk to prove that an email actually came from somebody in your organization and not somebody pretending to be from your organization.
Digitally signing outbound email is supported only if you use an external email domain for your Zendesk email, as described in Forwarding incoming email to Zendesk Support and Setting up SPF for Zendesk to send email on behalf of your email domain.
Zendesk Support allows DKIM (DomainKeys Identified Mail) and DMARC (Domain-based Message Authentication, Reporting & Conformance) authentication. Email service providers that support DKIM or DMARC, such as Gmail and Yahoo!, check inbound email to see whether an organization that claimed to have signed a message actually did. The signature is associated with the organization's registered domain name. If the message is properly signed, the email service provider delivers the message normally. If the message is not signed or is improperly signed, the email service provider may deliver it with a caution to the user, or discard it.
You need to perform the following configuration steps to digitally sign your email:
Updating your DNS records to use the Zendesk domain key
Before you can digitally sign your outbound email from Zendesk, you must update the Domain Name System (DNS) records of your domain so that the Zendesk domain key can be located and used for verifying signatures. The DNS update creates a redirect to the domain key on the Zendesk domain. When an email service provider receives an email with your domain name, the provider looks up the Zendesk domain key to verify the signature of the email.
As an added security measure, Zendesk rotates its DKIM signing keys every quarter. As long as you use the method described below to add domain keys to your DNS record, you won't have to make any changes when the keys are updated. The lookup will automatically locate the current Zendesk domain keys.
The UI and terminology may vary depending on your registrar, but the concepts are the same.
To add the domain key to your DNS records
- Log in to your domain registrar's control panel.
Use the login name and password that you created when you registered the domain name.
- Look for the option to change DNS records.
The option might be called something like DNS Management, Name Server Management, or Advanced Settings.
- Locate the CNAME records for your domain.
A CNAME record, or Canonical Name record, is a type of alias used by the Domain Name System (DNS). CNAME records let you point to the Zendesk domain to use its domain key.
- Look for an option to add a CNAME record.
- Create a CNAME record with the following values:
- In the Host Record field (or equivalent), enter:
zendesk1._domainkey.your_email_domain.com
where your_email_domain.com is the external email domain you use for your Zendesk email. Example: "mondocam.com". The domain can have a different top-level domain, such as .net, .org, or .ca.
Example host record value:
zendesk1._domainkey.mondocam.com
- In the Points To field (or equivalent), enter:
zendesk1._domainkey.zendesk.com
- Create a second CNAME record with the following values:
- In the Host Record field, enter:
zendesk2._domainkey.your_email_domain.com
where your_email_domain.com is the external email domain you use for your Zendesk email.
Example host record value:
zendesk2._domainkey.mondocam.com
- In the Points To field, enter:
zendesk2._domainkey.zendesk.com
Enabling digital signatures in Zendesk
- In Zendesk, click Manage and select Email from the Channels category.
- Scroll down to Custom Domain for DKIM and select the Enable option.
- Click Save.
You can use third party validation tools to confirm that DKIM is enabled and running properly. See How do I know if my DKIM records are configured correctly? for more information.
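A scripted version of that check, added here as an example (not Zendesk's own tooling): it looks up both CNAME records and flags the case where a registrar has appended the zone name to a host that was already fully qualified. The function names, the `resolve` parameter and the sample zone are assumptions of this example; the default resolver shells out to `dig`.

```python
import subprocess

SELECTORS = ("zendesk1", "zendesk2")
TARGET_ZONE = "_domainkey.zendesk.com"

def dig_cname(name):
    """Return the CNAME target for name, or None (requires the dig tool)."""
    out = subprocess.run(["dig", "+short", "CNAME", name],
                         capture_output=True, text=True, timeout=10).stdout
    lines = out.split()
    return lines[0] if lines else None

def norm(host):
    """Lower-case a host name and drop the trailing root dot."""
    return host.rstrip(".").lower() if host else None

def check_dkim_cnames(domain, resolve=dig_cname):
    """Map each selector to 'ok' or a description of the problem."""
    domain = norm(domain)
    report = {}
    for sel in SELECTORS:
        name = f"{sel}._domainkey.{domain}"
        want = f"{sel}.{TARGET_ZONE}"
        got = norm(resolve(name))
        if got == want:
            report[sel] = "ok"
        elif got is not None:
            report[sel] = f"wrong target: {got}"
        elif norm(resolve(f"{name}.{domain}")) == want:
            # The registrar appended the zone to a fully qualified host name.
            report[sel] = f"published as {name}.{domain}; enter only {sel}._domainkey"
        else:
            report[sel] = "missing"
    return report

# Constructed sample zone: zendesk1 is correct, zendesk2 was doubled.
SAMPLE = {
    "zendesk1._domainkey.mondocam.com": "zendesk1._domainkey.zendesk.com.",
    "zendesk2._domainkey.mondocam.com.mondocam.com": "zendesk2._domainkey.zendesk.com.",
}

if __name__ == "__main__":
    for sel, status in check_dkim_cnames("mondocam.com", SAMPLE.get).items():
        print(sel, status)
```

Call `check_dkim_cnames("your_email_domain.com")` without a second argument to query live DNS through `dig`.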
60 Comments
Hi Nikolai!
Inbox is a stand-alone product, different from Support, so the functionality will be different. To the best of my knowledge, it's not possible to set up DKIM or DMARC in Inbox...I'd recommend checking out the documentation in our Inbox Help Center for more information!
Hi Nikolai,
Unfortunately we do not have DKIM as a feature of Inbox (It is only available on Support at this time -- our paid offering). You may find success in setting up an SPF record to remove that reference, as Inbox does use the same mail servers as Support, but nothing in this regard is mentioned (or directly supported) within the Inbox product.
Here is our article on SPF records:
Setting up SPF for Zendesk to send email on behalf of your email domain
Outside of the above (and if that does not deem the results you're looking for), the only other option at this time would be to switch over to a support account at this time for those features (as they just aren't available within the Beta at this time).
Excellent! The paid offering is totally an option. Thank you.
Before we pull the trigger, can we confirm a couple things?
1. I tried creating a Support account for the same team-name we used when creating the Inbox acct. It said that name is not available.
Is there a way to expand the offerings for an existing account?
Or do we need to start with a new Support acct and then add Inbox to that?
2. Once we have a Support account created and SPF records in place, are you saying that those settings will come into play for the Inbox service?
Hey Nikolai,
Glad to cover these questions as well:
You would have to use a separate subdomain for the support account -- If you write into support [at] zendesk.com though (from the listed owner account of your inbox email) we could rename your inbox account to something else, which would then allow you to use that on your Support account. This is necessary due to both products using the same format for login (subdomain.zendesk.com)
The SPF record would only show as validated on the Support account, as Inbox doesn't make reference to the specification itself. That being said, Inbox mail servers use the same servers/processors that Support does, so if an SPF record is in place for mail.zendesk.com your customers' email clients should recognize the sending server as authorized, regardless of product.
Hope that clears things up! If you have any questions about product features, feel free to email us as well!
I've done all the steps, but I think Zendesk is still using their default DKIM signature on my emails... (please note that it's only been 16 hours since I did it).
How can I test this to be sure it's working? What will my new DKIM signature look like?
Hi Kendall,
Thank you for the question and the details.
The email that you use for testing seems like the sign-in email sent from Zendesk. This usually is not the best way to test the DKIM setup.
You can use a service like this to check if the key is set up correctly on your domain:
https://dkimcore.org/tools/keycheck.html
Enter "zendesk1" in the selection field and your domain "employeereferrals.com" in the domain field. It does seem like you've set up everything correctly.
To test the actual email, please request a ticket from an email address that's not associated with your Zendesk account in any way. The response should come with the proper DKIM key.
If you have any additional questions, please feel free to contact me.
Best regards,
Vladimir Kochkovski
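An added example, not part of the comment above or of Zendesk's tooling: one way to inspect the raw source of a received reply and see whether its DKIM-Signature header names your own domain (`d=`) with a `zendesk1` or `zendesk2` selector (`s=`). The function names and both sample messages are constructed for illustration, and `d=zendesk.com` in the second sample is only a stand-in for a signature from some other domain.

```python
from email import message_from_string

ZENDESK_SELECTORS = {"zendesk1", "zendesk2"}

def dkim_tags(header_value):
    """Parse a DKIM-Signature tag list (tag=value; ...) into a dict."""
    tags = {}
    # Folded headers contain line breaks and tabs; drop all whitespace first.
    for part in "".join(header_value.split()).split(";"):
        if "=" in part:
            key, value = part.split("=", 1)  # base64 values may contain '='
            tags[key] = value
    return tags

def signed_by_custom_domain(raw_message, domain):
    """True if any DKIM-Signature has d=<domain> and a zendesk selector."""
    msg = message_from_string(raw_message)
    for value in msg.get_all("DKIM-Signature", []):
        tags = dkim_tags(value)
        if (tags.get("d", "").lower() == domain.lower()
                and tags.get("s") in ZENDESK_SELECTORS):
            return True
    return False

# Constructed sample: a reply signed for the customer's own domain.
CUSTOM_SIGNED = (
    "DKIM-Signature: v=1; a=rsa-sha256; d=mondocam.com;\n"
    "\ts=zendesk1; h=from:subject; bh=PLACEHOLDER; b=PLACEHOLDER\n"
    "From: support@mondocam.com\nSubject: Re: test\n\nbody\n"
)
# Constructed sample: the same message signed for a different domain.
OTHER_SIGNED = CUSTOM_SIGNED.replace("d=mondocam.com", "d=zendesk.com")

if __name__ == "__main__":
    print(signed_by_custom_domain(CUSTOM_SIGNED, "mondocam.com"))
    print(signed_by_custom_domain(OTHER_SIGNED, "mondocam.com"))
```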
Thank you so much Vlad, I appreciate the help!
Thank you, Kendall! Glad if it's useful.
Did you manage to get everything working well?
Thanks for helping out, Vladimir!
Thank you, Jessie! Glad if I could help
How do I add a DKIM record in Cloudflare DNS? With type CNAME, in the first field, which is labelled Name, I write zendesk1._domainkey.mydomain.com, and in the second field, which is labelled Domain Name, I write zendesk1._domainkey.zendesk.com. When I click Add Record, an error appears which says "Invalid hostname: Use '@' to represent the root domain" below the field where I write zendesk1.domainkey.zendesk.com.
Hi Fahad,
It's been a while since I set up CloudFlare, but do try this:
In Name add only "zendesk1._domainkey" without your domain.
In Domain add "zendesk1._domainkey.zendesk.com" and check if that works.
If not, there is a workaround, but it's a bit more complicated. You will need to:
1. Disable CloudFlare DNS and use your original domain registrar DNS
2. Set up everything on the original domain DNS as shown in the DKIM tutorial
3. Enable CloudFlare DNS again and import all the DNS settings.
This will usually set up everything correctly in CloudFlare, even some settings that you can't normally add manually.
If you have any additional questions, please feel free to contact me.
Best regards,
Vladimir Kochkovski
Hi all,

I have this all setup.
The issue I want to know if there is a way to resolve. We send fraud check requests from Zendesk to customers.
I have removed footer - so it appears just from our company.. but when the customer replies to the email, it goes to:
support+id28881@[COMPANY].zendesk.com
Is there any way to change this?
Any help - greatly appreciated.
Many thanks
Hi Conza,
Thank you for your question!
Something seems to be missing. How are the tickets initiated?
Usually, a customer first needs to send an email to your address that's connected with Zendesk (ex. support@youremail.com) and then the ticket reply is sent from that same address. In this case, the reply-to should be the same address (ex. support@youremail.com) as well.
If you are forwarding emails from another address not connected to Zendesk, and use Zendesk only for initializing outgoing emails, you might have issues.
If you have any additional questions, please feel free to contact me.
Best regards,
Vladimir Kochkovski
Hi,
We use Office 365 to handle our mail services and I have two basic questions;
1. Would this cause any kind of conflict if I add the DKIM records in our DNS host management?
2. Will we have to do anything on the O365 side also?
Best regards,
Óðinn Thor
Hi Óðinn,
I haven't used Office 365 with Zendesk myself, but if the setup is similar to G Suite, you might need to make some adjustments on it.
This info might help to set it up:
https://docs.microsoft.com/en-us/office365/securitycompliance/use-dkim-to-validate-outbound-email
If you have any additional questions, please feel free to contact me.
Best regards,
Vladimir Kochkovski
any help to do it on BlueHost ?
is it supposed to replace the CNAME records "zendesk1 points to
and zendesk2 points to
or it's a whole new brand records ?!
ERROR:
Failed to validate args in method GAP::Dns::record_update
any ideas ?
Hey Osama!
I believe you would replace the CNAME record rather than creating a new one, but set up varies from provider to provider. I would recommend checking BlueHost's documentation to make sure!
We have the Zendesk Support, but I'm unable to find the DKIM setting that is mentioned in this article - did you change the interface?
Hey Jesper -- It looks like your save button is missing -- Try logging out and logging back in/ Clearing your cache and cookies, and it should show up! If it doesn't, you will want to open up a ticket with our support team to take a look.
Thanks!
Hey Ryan,
I have tried over weeks, and even changed my computer recently, but the fields have now magically appeared 👍
Thank you for the help.
I suppose I have the same problem as Jesper. The "Save" button is visible, but the "Custom Domain for DKIM" settings are not present. Tried a different computer, tried to clear cookies and cache. Any solutions? Also opened a ticket two days ago, no reply so far.
Hi Daniil,
I was able to track down the ticket you referenced and it looks like it's currently assigned to one of our Customer Advocates. I've bumped the priority of this ticket so that should help get eyes on it faster :)
Our team will follow-up with you once we have more information to provide.
Cheers!
Do you have instructions for setting up DKIM signing for Zendesk with Google Domains and G-Suite as the mail provider?
When I enter the CNAMEs, the host changes - and verification is not successful.
SPF and DNS settings and mail forwarding are all setup and functioning. Google documentation mentions that it's not possible to have two DKIM and that I would need to regenerate another one but can only use 1 signature?
Any help would be great, and I'm sure there is more like me out there who could use the setup info.
As of 2020/12/01 GoDaddy still appends domain names onto the end of CNAME records.

Assuming your domain is contoso.com the instructions will walk you through entering the following record:
Name: zendesk1._domainkey.contoso.com
Value: zendesk1._domainkey.zendesk.com
and repeated for zendesk2.
If you do this with GoDaddy the record will get published with a name of zendesk1._domainkey.contoso.com.contoso.com
To get around this, when setting up your CNAME record, enter "zendesk1_domainkey" for the NAME field. GoDaddy will append your domain with a leading period.
Hi, this is the error I met, please kindly help. The operation document does not work, I can barely understand it.
And how to get this below page to appear once again:
Look forward to your reply.
This seems to be a global feature in Zendesk. We have multiple email sending domains. We're about to set up our first with DKIM in its DNS records. If we flip this global switch in Zendesk, will this negatively impact the other domains' ability to have Zendesk send email on their behalf? I.e. is it either DKIM for all or none or can we set it up for select domains?