If you want to use your own email address to receive support requests, and you've added your email address as a support address in Zendesk, then you can set up your custom email domain to verify that Zendesk can send email on behalf of your email server.
For example, if you receive email from your customers at help@acme.com, and you've set up an automatic redirect to forward all email received there to Support, you can authorize Zendesk to send out notifications as if it originated from your own email address (for example: help@acme.com). That way you can preserve your branding throughout the entire process.
You don’t have to configure your email domain this way, but it’s recommended if you use your own custom email domain and have set up forwarding to an external email address. If you use a non-custom domain, such as addresses ending in @gmail.com or @yahoo.com, you can't use this feature, as you won't have access to the account DNS settings.
The advantages of this configuration
So, do you have to allow Zendesk to send email on behalf of your email domain? The short answer is: No. The slightly longer answer is: Only if you really don't want your customers to see the Zendesk name on their messages.
When Zendesk sends an email message using your email address (which is what happens if you've set up a support address with forwarding) the message identifies the sender as zendesk.com to avoid getting rejected. However, if you allow Zendesk to send email on behalf of your email domain, Zendesk stops sending messages from zendesk.com, and sends them from your domain, completely preserving your branding.
If you don't complete the tasks described in this article, your customers might see something like this:
The following warning will also appear in the agent interface next to your external support addresses:
However, if you complete the tasks described in this article, the via statement and warning don’t appear.
Setting up records for your domain
Ideally, the task in this section is something you’d get help with, if you can, or that you’d ask your system administrator to do for you. You will need to set up an SPF record and a separate DNS TXT record (as described in Verifying your domain). Make sure you do both.
The process of setting up an SPF record is different for different domain registrars. For example, here are the instructions for GoDaddy, Namecheap, 1&1, Network Solutions, and Google Domains.
To create or edit an SPF record to reference Zendesk
- Edit your domain's DNS settings to add a TXT record. The steps vary depending on your domain registrar. A TXT record is required for your SPF record to be validated.
Zendesk recommends using the following SPF record:
v=spf1 include:mail.zendesk.com ?all?all because it's the least intrusive qualifier, you can use whichever qualifier you are comfortable with.If you've already set up an SPF record for another purpose, you can simply add a reference to Zendesk to it. The SPF specification requires that you only have one SPF record on your domain. If you have multiple records, it may cause issues, and cause rejections of your email.
For example, instead of having two separate records, such as v=spf1 include:_spf.google.com ~all and v=spf1 include:mail.zendesk.com ~all, you can combine them into one, like this:
v=spf1 include:_spf.google.com include:mail.zendesk.com ~allIn the past, Zendesk suggested alternate formulations for SPF records, including include:smtp.zendesk.com and include:support.zendesk.com. These are both outdated SPF records. While they might still work, they're not the best option. If you're still using them, you'll see a warning flag indicating you've set up an outdated record.
Verifying your domain
In order for Zendesk Support to send emails on your behalf, you must verify that you own the domain that you want Support to use. This is done by adding a TXT record (a domain verification record) to your DNS server that Support will check. The domain verification record is unique for each Support account and domain combination.
If you don’t add the domain verification record, Support sends emails from a Zendesk-provided email address. If you want to give your customers a white label experience, hiding all Zendesk branding, you must add this record.
To verify that a domain belongs to you
- After you have finished setting up your SPF record, go to Support and click the Admin icon (
) in the sidebar, and then navigate to Channels > Email.
- Locate the DNS records (located outside of Zendesk) for your Support address, then click See details to see the domain verification value. See the illustration below for an example.
Note: If you are an agent with permissions to manage support addresses, you can use the Support Addresses API endpoint to find the domain verification code for your support address instead, if you prefer. Look for the domain_verification_code value. For more information, see the developer documentation about Support Addresses.
- Edit your domain's DNS settings and add this TXT record:
Type Name Value TTL TXT zendeskverification <your unique value found in Support> 3600 or use default You can find the value next to the Domain verification TXT record check. In this example, the value is abcdef123456:
- After you add the TXT record, click the Verify DNS records button to confirm that all of your records are now valid.
If they are, the red error messages will be gone. If you're having trouble setting up your DNS record correctly, see Why do I receive the error "DNS records are not set up correctly" when verifying my DNS records.
After your domain is verified, leave the domain verification record in-place.
If you decide to change your Support subdomain or host mapping later, you don’t need to update your domain verification records.
Understanding SPF checks
Sender Policy Framework (SPF) is a domain level email authorization protocol that allows you to declare which IP addresses are allowed to send email as if it originated from your domain.
This is accomplished by adding Domain Name System (DNS) TXT record. Think of DNS as a publicly accessible record for the internet. This record enables you to state publicly that Zendesk is an authorized sender for your domain.
When an email client receives a message, it performs an SPF check on the sending domain to verify that the email came from who it says it did. If this check fails, or there isn't a DNS record that says that Zendesk is a permitted sender, some receivers might consider that email spam or a phishing attempt, and flag it as untrustworthy or not display it to your customers at all.
Zendesk avoids this by sending email using our own domain when we're not authorized to use your domain, and by using your domain only when you authorize Zendesk with a proper SPF record. Either way, email sent from Zendesk should never be marked as spam.
If you're curious, you can read more about SPF at www.openspf.org. If you're having trouble verifying your SPF record, see Why is my SPF record not validating?
152 Comments
We are one of those zendesk-users who are seriously affected by this action. We are currently a service provider responsible for about 40 brands.Brands with different e-mail domains for which the SPF record is already a problem to keep them under 10 lookups So please, reverse this action or make sure that the mail.zendesk.com include is limited to one DNS lookup action. Stef Roelofs ServiceHouse B.V.
Hello Henrik and Stef, We apologize that you are experiencing this. Our Dev and Product teams are currently looking into this issue.
Hello,
What is the deadline for the change? And how do we know that we are already migrated so that if i complete the change i am sure that all the settings are correct?
Kind Regards,
Pierre
Hello all, The SPF record for mail.zendesk.com has been corrected. It is now a single lookup.
Pierre, We do not currently have a deadline for account migration. The process for verifying that your DNS records are correct, which should be done in advance of account migration, is described in the article. The in-app verification for each address can be found in Admin>>Channels>>Email>>Support Addresses.
I find this article a bit hard to read. To sum it up, the complete process as of February 2019 should be:
it seems we need a way for Zendesk to ping us individually and let us know if you changed the configurations correctly.
Hi Bjørn, You still need an SPF record until we migrate accounts to using Amazon SES services. That hasn't happened yet. We are hoping that will be soon.
Dolev, the verification check in the user interface is how you can know if the records are set up correctly. If you have any specific questions about your records then it is best to open a ticket at support@zendesk.com.
Please help,
I don't see Verfications in my agent interface. In the section titled "To verify that a domain belongs to you", I am supposed to navigate to Admin > Channels > Email and then get the "domain verification value" under "Verifications" for my Support address.
The problem is, I don't see that anywhere.
> Find the domain verification value under Verifications for your Support address.
Hi Donald, You're not using an external support address - you are only using the native Zendesk support addresses. No action is required.
Hello Sean,
When I click on "Add address" > "Connect external address" and then type in the external address that I am trying to set this up with, it says "This address is already used by Support."
I get the same message when I try "Connect other".
Hi Donald, You can not add an address as a support address that is associated with a user profile in your account. Use the magnifying glass to search that user and then decide how best to proceed based on their profile - you can either change the address associated with them or delete the profile.
Ah.... Thank you!
I have a similar question as Donald above. I also cannot find the "domain verification value". I do however have an error that my DNS records are not set up correctly and received the email saying I needed to make an adjustment. Are you saying that I don't need to make changes to the DNS records?
Hi,
I did this setup back in january 2019 and I see all green ticks under Channel->Email->Support addresses, so I think our setup and all is good.
However today I received an e-mail from Zendesk, saying
"If you’re receiving this message, your account has been identified as one that needs to make this adjustment. This article explains those changes and what action you should take in preparation."
So the question is:
is our account setup correctly and this is a generic re-send of the e-mail or is there a problem with our account? as we cannot tell.
Hi Tony, Since this might require looking at the specifics of your account and domain it might be best if you open a ticket with us at support@zendesk.com.
Hi Sean,
Thanks ticket #4381458 logged.
Same question as Tony,
I guess we're asking what prompted this week's email as oppose to the email regarding the January change. should Zendesk customers who made the necessary arrangements for January be now concerned by this?
Same question as Tony & Dolev.
We completed the set up in January and have green ticks when looking in the channel/emails.
As such want to be sure what exactly is required as, as far as I can tell we can completed all the steps
Hi All,
I did log a ticket, I will update once I get a reply from support.
This email was general reminder to all accounts that had an external email address added. If you are seeing green check marks for all CNAMEs and TXT records, then you are good to go! Tony, you should have received an email response. I noted your ticket - 4381458 - had been updated.
Glad I checked here, thanks @Sean Cusick. We did the changes a while back too, so this weeks e-mail confused me too. But we're all green, so all good.
Thanks @Sean Cusick,
Did not receive an update to my ticket but thats ok.
Thank you for confirming, however a badly worded e-mail.
Suggestion may be to put something in there along the lines of "if its all green - then your setup is complete".
Thanks
Hey Renee Morgan!
I've created ticket #4387667 to review this with you. I look forward to working with you there!
Hi All,
do you know if can we keep SPF records also after migration to AWS?
We use the corporate domain for the email support so for us it is very critical to keep SPF.
Anynone is experiencing issue using corporate domain for email support?
Thanks
Donato
Hi Donato, You can keep your SPF TXT record, though there should be no reason to do so. SPF will be established differently - through the use of the CNAME records and as part of the MailFrom exchange - once we migrate to sending from Amazon SES. The SPF TXT record should be redundant at that point.
I am not able to find the domain_verification_code under channel -->email as there is no verifications menu there. Can anyone help
me too, not able to find the domain verification code
Dilip & Jalis,
I had the same question and they opened a ticket. I think these are just poorly written instructions. The response was that my IT should create a TXT record to match the code zendesk gives in box 5. The domain verification value is the value in box 5. There is not a separate menu.
AWS Route53 has an SPF Record and
is not valid. What needs to do for this case?
Just want to confirm. If we have the "Send email via gmail" option enabled, we are using the google connector, so we are not affected by this. Correct?
Please sign in to leave a comment.