It's easy for some people to spoof email -- that is, send email that pretends to be from somebody else. To combat spoofing, you can digitally sign outbound email from Zendesk to prove that an email actually came from somebody in your organization and not somebody pretending to be from your organization.
Digitally signing outbound email is supported only if you use an external email domain for your Zendesk email, as described in Forwarding incoming email to Zendesk Support and Setting up SPF for Zendesk to send email on behalf of your email domain.
Zendesk Support allows DKIM (DomainKeys Identified Mail) and DMARC (Domain-based Message Authentication, Reporting & Conformance) authentication. Email service providers that support DKIM or DMARC, such as Gmail and Yahoo!, check inbound email to see whether an organization that claimed to have signed a message actually did. The signature is associated with the organization's registered domain name. If the message is properly signed, the email service provider delivers the message normally. If the message is not signed or is improperly signed, the email service provider may deliver it with a caution to the user, or discard it.
You need to perform the following configuration steps to digitally sign your email:
Updating your DNS records to use the Zendesk domain key
Before you can digitally sign your outbound email from Zendesk, you must update the Domain Name System (DNS) records of your domain so that the Zendesk domain key can be located and used for verifying signatures. The DNS update creates a redirect to the domain key on the Zendesk domain. When an email service provider receives an email with your domain name, the provider looks up the Zendesk domain key to verify the signature of the email.
As an added security measure, Zendesk rotates its DKIM encryption keys every quarter. As long as you use the method described below to add domain keys to your DNS record, you won't have to make any changes when the keys are updated. The lookup will automatically locate the current Zendesk domain keys.
The UI and terminology may vary depending on your registrar, but the concepts are the same.
To add the domain key to your DNS records
- Log in to your domain registrar's control panel.
Use the login name and password that you created when you registered the domain name.
- Look for the option to change DNS records.
The option might be called something like DNS Management, Name Server Management, or Advanced Settings.
- Locate the CNAME records for your domain.
A CNAME record, or Canonical Name record, is a type of alias used by the Domain Name System (DNS). CNAME records let you point to the Zendesk domain to use its domain key.
- Look for an option to add a CNAME record.
- Create a CNAME record with the following values:
  - In the Host Record field (or equivalent), enter:
    zendesk1._domainkey.your_email_domain.com
    where your_email_domain.com is the external email domain you use for your Zendesk email. Example: "mondocam.com". The domain can have a different top-level domain, such as .net, .org, or .ca.
    Example host record value:
    zendesk1._domainkey.mondocam.com
  - In the Points To field (or equivalent), enter:
    zendesk1._domainkey.zendesk.com
- Create a second CNAME record with the following values:
  - In the Host Record field, enter:
    zendesk2._domainkey.your_email_domain.com
    where your_email_domain.com is the external email domain you use for your Zendesk email.
    Example host record value:
    zendesk2._domainkey.mondocam.com
  - In the Points To field, enter:
    zendesk2._domainkey.zendesk.com
Enabling digital signatures in Zendesk
- In Zendesk, click Manage and select Email from the Channels category.
- Scroll down to Custom Domain for DKIM and select the Enable option.
- Click Save.
You can use third party validation tools to confirm that DKIM is enabled and running properly. See How do I know if my DKIM records are configured correctly? for more information.
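The two CNAME records above can also be checked locally before they are saved, which catches a doubled domain in the host name or a target that lost its trailing dot. This is an added example, not Zendesk's code: it assumes the DNS panel treats a name without a trailing dot as relative to the zone (the zone-file rule), and `expand`, `lint` and the sample records are constructed for illustration.

```python
# Added example: lint the two DKIM CNAME records before saving them.
# Assumption: the DNS panel applies the zone-file rule (RFC 1035): a name
# without a trailing dot is relative, so the zone name is appended to it.

SELECTORS = ("zendesk1", "zendesk2")  # selectors given in the article


def expand(name, zone):
    """Fully qualified lower-case name, final dot removed."""
    name = name.strip().lower()
    if name.endswith("."):
        return name[:-1]          # absolute: used as typed
    return f"{name}.{zone}"       # relative: zone is appended


def lint(records, zone):
    """records: (host, points_to) pairs as typed. Returns {selector: verdict}."""
    zone = zone.lower().rstrip(".")
    published = {expand(h, zone): expand(t, zone) for h, t in records}
    report = {}
    for sel in SELECTORS:
        want_host = f"{sel}._domainkey.{zone}"
        want_target = f"{sel}._domainkey.zendesk.com"
        target = published.get(want_host)
        if target is None:
            stray = [h for h in published if h.startswith(sel + ".")]
            hint = f"; found {stray[0]}" if stray else ""
            report[sel] = f"no record at {want_host}{hint}"
        elif target != want_target:
            report[sel] = f"wrong target {target}"
        else:
            report[sel] = "ok"
    return report


# Constructed sample input for mondocam.com (the article's example domain).
SAMPLE = [
    ("zendesk1._domainkey.mondocam.com", "zendesk1._domainkey.zendesk.com."),
    ("zendesk2._domainkey", "zendesk2._domainkey.zendesk.com"),
]

if __name__ == "__main__":
    for selector, verdict in lint(SAMPLE, "mondocam.com").items():
        print(selector, "->", verdict)
```

If a panel expands names differently, compare what it displays after saving against the `want_host` and `want_target` values instead.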
60 Comments
+1 on making DKIM available to all levels. Although, I suppose this is similar to us having to pay extra to have SSL encryption for a custom domain. :-P
We are definitely planning on making DKIM available on all plans. Originally the feature was plan limited for exactly the reason Bryan mentions: we wanted to create consistency. I don't agree with that decision in this case however. DKIM and DMARC are becoming necessities in the world of email. I can't be specific about the timeline yet, but this change will come soon.
Thanks for the update, Max!
Awesome, great to hear!
+1 on making DKIM available on all plans. We're in the same boat as Bruce and we've started looking at alternatives. Security is important for everyone.
Hey, all: DKIM is now available on all plans. We need to update some documentation, but the change has been made in your accounts!
Awesome news. Thanks Max!
Thanks for getting this implemented so quickly, Max! Please pass my thanks along to the team!
Thank you so much for enabling DKIM support for all accounts! It's an awesome feature and the emails are received even faster now in Gmail.
Just to confirm, the CNAME should be added with a trailing dot on the end, like this:
zendesk2._domainkey.zendesk.com.
Thanks goes to Pete Walker for confirming this.
The instructions refer to adding the CNAME record to the default support address. Is it safe to assume that we should add this to our other support addresses as well, or is there an issue with that not addressed by this article? Thanks!
@Vladimir - no, the trailing dot is correct. See http://www.dns-sd.org/trailingdotsindomainnames.html
@Pete - You are right! I have used the trailing dot on the CNAME and it works great. Thank you for the reply!
I will edit the previous comment if I can, so it doesn't cause any confusion.
@David - once your CNAME record has been updated to include Zendesk, all support addresses using the same domain should be all set. If you use other domains, you'd need to go through the same steps to add Zendesk to their CNAME records.
Help please, I can't figure how to add these in CPANEL, what am I doing wrong?
and with the trailing dot:
Instructions taken from https://help.instapage.com/hc/en-us/articles/206028397-How-do-I-add-a-CNAME-with-a-cPanel
For cPanel:
lander.mydomain.com as your custom domain, enter lander here. Or, if you're using a root domain such as www.mydomain.com then you'll want to enter www here. cPanel automatically fills in the rest of your URL.
pageserver.instapage.com.
----------
Looks like you should have zendesk1._domainkey in the Name field without the .yourdomain.com.
Thanks again, Zendesk, for implementing this for everyone!
Hi,
It looks like I've successfully added the CNAME records in GoDaddy (the registrar accepted the records).
The weird thing is that in both the host records I had to truncate my root domain to enter the values: because my root domain is procosmet-italy.com, according to the article I should have inserted in the host records zendesk1._domainkey.procosmet-italy.com and zendesk2._domainkey.procosmet-ital.com
Instead after different attempts, GoDaddy accepted the host record truncating the last part of the root domain in this way:
zendesk1._domainkey.procosme
zendesk2._domainkey.procosme
Do you think it will work?
Hi Guido Dati,
It's good that you've managed to add the DKIM to GoDaddy registrar. But, I'm not sure that it will work properly if the name gets truncated.
You might want to see if you can add it with quotes, like this:
"zendesk1._domainkey.procosmet-italy.com"
and see if GoDaddy shows it properly.
If you have any additional questions, please feel free to contact me.
Best regards,
Vladimir Kochkovski
Hi Vladimir,
I followed your advice but it doesn't work as you can see from the screenshot. (It's in Italian and it asks to insert the host name as a subdomain)
Instead, if I insert the complete text without "..." GoDaddy now allows me to insert the text and accepts it but it doesn't show the root domain.
I sent some test e-mail using this last setting
Is it correct that it is mailed-by procosmet.zendesk.com considering that is an e-mail forwarding? Can you confirm this?
Cheers,
Guido
Thank you for the screenshots, Guido.
In your case, you only need to add this without the domain and without the quotes:
zendesk1._domainkey
You can use this video as guideline:
https://youtu.be/YMm7EQ3AmWw
If you have any additional questions, please feel free to contact me.
Best regards,
Vladimir Kochkovski
Hello, I can't do all that about DKIM, can you help me?
My domain ends in .com.mx but my GoDaddy server erases it if I add .mx
I tried with "...." at the beginning and the end but it doesn't work.
Please help me.
Thanks
Hi Oscar,
Try adding only "zendesk1._domainkey" without the domain name afterwards.
If that doesn't work, you might want to contact the domain registrar support and ask them if they can set it up for you. You can point them to this topic as reference.
If you have any additional questions, please feel free to contact me.
Best regards,
Vladimir Kochkovski
Hi Vladimir.
I already could, it works like you said, zendesk1._domainkey.
Thanks and regards.
As it seems, I am unable to add this CNAME record within PLESK.
I tried various ideas taken from the above comments, for example extra dot at the end, quote marks ("). Any help would be really appreciated.
Hi Charalampos,
Does it work if you enter only zendesk1.domainkey.zendesk.com (without the _) ?
If yes, then you will need to contact your domain DNS provider to remove restrictions in the "Canonical name" field.
Alternatively, you can use another DNS for your domain, such as NameCheap or CloudDNS.
You can use the guide in this video on how to change the DNS and setup DKIM:
https://www.youtube.com/watch?v=YMm7EQ3AmWw
If you have any additional questions, please feel free to contact me.
Best regards,
Vladimir Kochkovski
Thanks for jumping in, Vladimir!
Welcome to the Zendesk Community, Charalampos! Let us know if that answers your question. :)
I'm also getting an error when trying to add the record. It says 'Invalid CNAME record destination. It must be validate hostname.' It works if I take out the '_' for the destination. My DNS is with Doteasy, and I was told that is an unsupported character by the system.
Hi Shawn Yu,
Thank you for your comment. If the '_' is not supported, you will either need to ask your host if they can implement it for you from their side, or just use an alternative DNS service.
If you use an alternative DNS service, your host, website and domain will all remain the same, but you would be able to setup more advanced options.
You can use the guide in this video on how to change the DNS and setup DKIM:
https://www.youtube.com/watch?v=YMm7EQ3AmWw
If you have any additional questions, please feel free to contact me.
Best regards,
Vladimir Kochkovski
Hi Vladimir, does that mean I have to move all my DNS records from current service to the new one?
Shawn
Hi Shawn,
Yes, exactly. If your current host doesn't offer those DNS capabilities, you will need to move all of your DNS entries to the new service.
Make sure to test the MX records for the email and the A and CNAME for your domain.
If you have any additional questions, please feel free to contact me.
Best regards,
Vladimir Kochkovski
I signed up for Zendesk Inbox directly
...without a Zendesk support/agent account.
I have forwarded email, and made the DNS entries, but I am not seeing a way to Enable Digital Signatures in my Zendesk Inbox UI.
Am I missing something?