Setting up SPF for Zendesk to send email on behalf of your email domain Follow

all plans

You can set up an SPF (Sender Policy Framework) record to verify that Zendesk can send outgoing email on behalf of your email server. An SPF record is a tool you can use to authorize Zendesk to send email on your behalf.

For example, if you receive email from your customers at help@acme.com, and you've set up an automatic redirection to forward all email received there to your Zendesk, you can authorize Zendesk to send out notifications as if it originated from your own email address (for example: help@acme.com). That way you can preserve your branding throughout the entire process

Setting up a SPF record is optional, but recommended if you've set up forwarding to an external email address.

Understanding how it works

An SPF record is a single line of text that declares which SMTP servers, other than your own, are allowed to send email as if it originated from your domain.

This is accomplished by adding a DNS (Domain Name Servers) text record. (Think of DNS as a publicly accessible record for the internet.) This record enables you to state publicly that Zendesk is an authorized sender for your email domain.

When an email client receives a message, it usually performs an SPF check to verify that the email came from who it says it did. If there isn't a valid SPF record identifying the IP address which sent the email as a sender, some receivers might consider that email spam or a phishing attempt, and flag it as untrustworthy or not display it to your customers at all.

Zendesk avoids this by sending email using our own domain when we're not authorized to use your domain, and by using your domain only when you authorize Zendesk with a proper SPF record. Either way, email sent from Zendesk should never be marked as spam.

If you're curious, you can read more about SPF records at www.openspf.org.

Deciding whether you really need to do this

So, do you have to set up an SPF record? The short answer is: No. The slightly longer answer is: Only if you really don't want your customers to see the Zendesk name on their messages.

When Zendesk sends an email message using your email address (which what happens if you've set up a support address with forwarding) the message identifies the sender as Zendesk to avoid getting rejected. However, if you create a valid SPF record, Zendesk will stop sending messages as Zendesk, and send them on behalf of your email server, completely preserving your branding.

If you don't set up an SPF record, your customers might see something like this:

If you add an SPF record, however, that "via" statement is removed.

Setting up an SPF record

Ideally, this is a task you'd get help with or have your system administrator take care of, if you can.

The process of setting up an SPF record is different for different domain registrars. For example, here are the instructions for GoDaddy, Namecheap, 1&1, Network Solutions, and Google Domains.

If you've already set up an SPF record for another purpose, you can simply add a reference to Zendesk to it. The SPF specification requires that you only have one SPF record on your domain, if you have multiple records, it may cause issues, and cause rejections of your email.

For example, instead of having two separate records, such as v=spf1 include:_spf.google.com ~all and v=spf1 include:mail.zendesk.com ~all, you can combine them into one, like this: v=spf1 include:_spf.google.com include:mail.zendesk.com ~all.

To create or edit an SPF record to reference Zendesk
  • Edit your domain's DNS settings to add a TXT record. The steps vary depending on your domain registrar.

    Zendesk recommends using the following SPF record:

    v=spf1 include:mail.zendesk.com ?all
Note: While we recommend using ?all because it's the least intrusive qualifier, you can use use whichever qualifier you are comfortable with.
Tip: Consider making an additional update to digitally sign outbound email from Zendesk to prevent your customers' email clients from blocking email. Digitally signing email proves that an email actually came from your organization and not somebody pretending to be your organization. For instructions, see Digitally signing your email with DKIM or DMARC.
Important: In the past, Zendesk suggested alternate formulations for SPF records, including include:smtp.zendesk.com and include:support.zendesk.com. These are both outdated SPF records. While they might still work, they're not the best option. If you're still using them, you'll see a warning flag indicating you've set up an outdated record.
Have more questions? Submit a request

Comments

  • 0

    1) Does Zendesk have a DKIM option?
    2) how long does it take for the TXT record to update and be effective?

  • 0

    1) Yes! https://support.zendesk.com/hc/en-us/articles/203663326
    2) It should be based on the "TTL" or time to live of your record. If you don't see it in a day or so (keep using the retry link to update), let our support team know.

  • 0

    I added the record, it says SPF record is valid in the admin panel but users still get via Zendesk in their reply emails.

    Anything I can do to troubleshoot it?

  • 0

    Hi Eugene!

    Where in the email is it saying this? I need to know what part of the communication we're dealing with in order to be able to answer your question.

  • 0

    (Guessing..) I think what Eugene is seeing is a "via ... zendesk.com" to the right of the From address, at least Google displays the From address in that manner if the From address differs from the Sender envelope address.

  • 0

    Once you create the SPF record what changes do you make in Zendesk to trigger your emails to be send via your domain?

  • 0

    Hey Isaac,

    As long as you have your Support Addresses set up, you won't need to do anything else!

  • 0

    Perhaps this article could be updated…  Whilst adding Zendesk to your SPF will ensure that your customers receive Zendesk emails posing as your domain, employees of your domain may not receive these type of emails from Zendesk until you have authorised your mail server to accept them.  This is because SPF may not the only method of authorisation required e.g. our Exchange mail server required an additional 'Receive Connector' to be setup to accept emails that were sent from Zendesk using our domain name.  Without this step in place tickets were shown in a suspended state with error:  “550 5.7.1 Client does not have permissions to send as this sender”

  • 0

    If you already have a SPF record for your domain, you should not create a new record for Zendesk because multiple SPF records are not allowed. Instead, add 'include:mail.zendesk.com' to your existing SPF record.

  • 1

    The article recommends using '?all', but that makes SPF almost useless.

  • 1

    You should not rely on SPF or DKIM alone for email authentication.

    Deploy DMARC and then -all ~all or ?all doesn't really matter, as only a SPF PASS makes the email pass DMARC.

     

  • 2

    Hi Chris - the ?all portion is up to you, as long as you have the proper entry for Zendesk it will work in regards to our system. I think we recommend ?all because it is the least intrusive, but you are free to use your preference.

  • 0

    v=spf1 include:_spf.google.com include:mail.zendesk.com ~all

     

    I have updated the mentioned SPF Records. I am still being warned to verify the SPF records.

  • 0

    Hey Neeraj!

    If you're still getting the warning message, most likely the settings aren't quite right in your DNS settings. The right way to do this is going to vary depending on what service you're using...have you checked any support documentation your DNS provider has?

  • 0

    I am using Office 365 and Godaddy.  I have added

    v=spf1 include:spf.protection.outlook.com include:mail.zendesk.com -all

    Office 365 shows all good, but I can't verify the spf record in Zendesk

  • 0

    Hi Jonathan - I'll make a ticket for you and we can troubleshoot there. Please keep an eye out for my notification in your inbox.

Please sign in to leave a comment.

Powered by Zendesk