Allowing Zendesk to send email on behalf of your email domain

Have more questions? Submit a request


  • Simon McAllister

    Yes, of course;  you will want your customers to continue to send to

    Ensure that the server that handles mail for your domain, is setup to forward those mails to your

    Also ensure that reply emails that are sent from Zendesk (from your support agents), send 'as'

    If your mail domain is protected against spoofing (where you authorise specific servers to send 'as' your domain) you will also have to update the protection to allow Zendesk servers.

    SPF is one type of protection that is discussed above.

    This is important because many (not all yet) customer email systems may perform checks as part of their anti-spam protection.  Those that do will more than likely not receive your support agents’ replies from Zendesk unless protection is updated correctly.

    My organisation has an on premise Exchange server that works with this scenario and is secured as much can be.  Thus the components of our Exchange server (receive connectors) required similar action (add Zendesk mail sending server IP’s) to authorise Zendesk’s emails, posing as our domain, to arrive in our own support agents or sales employees mailboxes.

    Bear in mind that if your mail server is inaccessible, it cannot receive or forward mails from your customers.  Zendesk itself is quite resilient, in many cases, more so than some of its customer’s mail platforms.  But it depends on each scenario.  Research, plan and test where you can.  Good luck.

  • Nicole - Community Manager

    Thanks for jumping in and helping out, Simon! Always great to see our Community Members helping one another out. 

    Support - I see that these are your first posts. Welcome to the Zendesk Community! I encourage you to head over to the Welcome Thread in The Lounge to introduce yourself.

    We look forward to seeing you around the Community. Happy Zendesking!

  • Michael Reinhart

    Just a quick note -- we were stuck in the weeds after migrating our email services to Amazon Web Services WorkMail...

    Route 53 DNS wants to create a DNS record type of SPF, which we faithfully used and to which we added This refused to be verified until we figured out that SPF is an outdated record type and we HAD to use a TXT record instead. Once we made that record, verification worked.

  • Nicole - Community Manager

    Thanks for sharing those details, Michael. I'm sure some others will benefit from it. 

  • Daria Nesterenko

    Hi There! I really need your help. We set up SPF for our domain. Zendesk tells that SPF record is valid


    When we send a letter with status Pending, the user got it, but when i put the status Solved.they dont get the reply. did i do something wrong? I need some additional settings? Views? Triggers? 

  • Jessie Schutz

    Hi Daria! Welcome to the Community!

    This is almost certainly a trigger thing. When you started your Zendesk there was a default trigger in place to do this called Notify requester of solved request. If at any point in time someone deactivated or alter that, it would potentially prevent those notifications from going out, depending on what changes you made.

    The good news is, it's easy to fix! If you still have that trigger active, you just need to check the conditions to make sure there's nothing preventing it from firing, and ensure that the action in the trigger is to email the requester. If the trigger has been deactivated, you can reactivate. Or, you can just build a new one from scratch. Here are a couple screenshots from my test account:

    Let us know if you have any other questions!

  • Simon McAllister

    Hi Zendesk support

    Are there any plans to modify your SPF infrastructure so customers can use '' (or similar) syntax?

    The reason I ask is that using the current method of adding '' to an existing SPF record may result with 'too many DNS lookups', if the SPF record already has other DNS includes

    This can be seen for the above scenario when using the SPF checker within

    It appears to be more of an issue for organisations that outsource and integrate many of their platforms to external providers.  Using _SPF syntax seems to resolve this.

    What think ye?

  • Henrik Schack

    It doesn't make any difference which name you give the label. Purely cosmetic.

    What would make a difference would be if Zendesk could start doing some proper bouncehandling, using a sender envelope pointing to their servers instead of the customers mailserver.

    If they could use a sender envelope of 

    instead of 

    the SPF record should be created on and you would never get any "too many DNS lookups" errors.



  • Simon McAllister

    Thanks Henrik

    In my experience and scenario, using _SPF syntax in place of a DNS address resolved the too many DNS lookups errors that mxtoolbox gave when testing my SPF record.  This was after integrating another external service.

    So, it doesn't appear to be cosmetic, which is why I asked the question.

  • Henrik Schack

    Well, it is, the underbar is just added to signal it isn't a normal hostname/subdomain

  • Simon McAllister

    Perhaps that is why it solved my issue then.
    Either way, It has a positive effect in my scenario and may help others too.
    I’m nterested to hear Zendesk’s response to my question.

  • Sean Cusick

    Hi Simon / Henrik,

    Our SPF record ( should only use a single DNS lookup. We have no plans to change that currently. 

    How we set the Return-Path: header value is determined by whether or not the account in question has a verified SPF record within Zendesk and if they have enabled DKIM. We set the Return-Path: value to the external domain when both protocols are being used, to achieve identifier alignment. If only SPF is used then the Return-Path: is set to the default native Zendesk address, to improve outbound deliverability.

    We apologize that right now bounce-back notifications are not processed to the suspended queue. Receiving them in the external domain's inbox is the best option. Or, if an account is using the Gmail Connector and the "Send Email via Gmail" feature then they would naturally arrive in that account's inbox. 

    If you have any further questions feel free to open a support ticket at 

  • Clay Swartz

    We recently set up our own external mail address. Everything works except sending emails from zendesk as our domain into our exchange server on premise. We've tried every derivation of receive connectors but we still get a 550 5.7.1 Client does not have permissions to send as this sender.


    Any thoughts?

  • Sergei Dudko

    Hi Clay,


    Good question. I would suggest to check any other authorisation methods that could be present on your Exchange server. Error message hints at it.

    An example would be this option 'Receive Connector' - requires additional setup in order to send tickets from your subdomain. All that has to be done is: adjust settings to accept emails that were sent from Zendesk using your domain name (whitelist it, in other words). 

    Feel free to open a ticket with if you need further assistance with Forwarding. 

  • Rossana Oyola

    Hi Max,

    What about if we never set up SPF records and used the option of creating a contact in Exchange and forwarding our internal email to that contact. Do we still need to create SPF records with the new changes? I can see the "SPF does not include Zendesk Support Retry" Message in the Email section of the Amin console

    Let me know.


  • Colin Guthrie


    I'm curious about the CNAME change and the new email sending structure. I appreciate that I can add a CNAME to my domain and doing a TXT lookup on that domain via dig can give additional answers and ultimately return the TXT records for the target name too (albeit I presume this might require multiple internal lookups in the resolver), but it's not really clear to me how this helps.

    So you will presumably have a server in AWS pumping out email. Will it start talking to other SMTP servers and announcing itself (HELO/EHLO) as ""? When the "Mail From" bit is handled how does SPF kick in?

    From what I can tell, suggests you check the HELO/EHLO identity but it also states that Mail From must also be checked. So presumably the SPF record of the is still processed? That being the case, how does it pass the SPF check?

    I appreciate this is a technical question and I'm sure I'm mistaken above! I'm just curious as to how the whole process works! :-)

  • Ariel

    Hello Guys,

    When trying to add the CNAME.
    It says "The Host must end with "".

    Then it is not possible to add as you say: "zendesk1".

    What should I write to make it work ?
    Host = ""



    Host = ""

    and as Alias the value:


    Kind Regards,




  • Sean Cusick

    Hi Indira, It is difficult to know with certainty how to respond to your question, but you would not actually add the actual text "" to your CNAME record, but that would be replaced by your own parent domain. For example, if I had a domain named "" then that is what I would use for that record. is like "" for whatever your domain is. If you have any further questions please open a ticket with us at, so that we can take a closer look. The likelihood is that you will need to contact your domain admin or provider for any assistance with editing your domain's DNS records. Please let us know. 

  • Ariel

    Hi Sean,

    I know that "MyDomain" is an example.

    I wrote it thinking you'd assume it would be my domain.

    I have written it as well as a generic not to make public my domain.

    In my question where I write "mydomain" I refer to my real domain.



  • Sean Cusick

    Hi Indira, You would need to check with your provider, but the parent domain should be implicit when you add the record, though you may need to specify. You would either add "zendesk1" or "" depending on how your provider requires the record to be added. I will let our documentation team know that this article might need further clarification, though ultimately each provider may have slightly differing requirements, and they should always be consulted for the specifics of their service.

  • Matt Savage

    We've noticed substantial increase in rejected emails coming on behalf of Zendesk.  Have any changes related to this announcement been enabled that may have affected it?

  • Sean Cusick

    Hi Matt, Could you open a ticket with us at and provide some of those non-delivery notices so that we can inspect them more closely? 


  • Michael H

    @Nicole et al: I'm a little disappointed in how the changeover to a CNAME requirement has been handled.

    I've only stumbled across these changes today whilst doing some admin work on my instance, and noticed an alert next to our configured email addresses, which I dug into.

    In summary, Zendesk could have done better with communicating this change to customers, so they could make these changes before they were migrated (or before they were needed), to ensure a smooth transition process.

    Please take the time to pass this feedback along to the relevant product/program manager for this change, and product/program managers generally. There should be a consistent and repeatable method for communicating out key product and configuration changes that require action - and relying solely on an updated document within the support site as has happened here isn't anywhere near sufficient for the level of communication needed for such high impact activities that can break configurations or change intended behaviours.

  • Kristal Lam

    Hi Michael, 

    Totally understand that reading the documentation is not enough. Our team is actually working on sending customer communication to everyone who needs to make this change. The communication will be sent out end of October. The timeline to when the change needs to be done has been extended and we will be changing that on the docs. 

    Thanks again for the feedback! 

  • Neal Price

    We have also had a sudden influx of Requesters saying they are not receiving our communication via tickets. We have applied the recommended settings and one of our agents is reporting 25% of her recipients are not receiving the communication. 

  • Michael H

    @Neal: Has there been any analysis of a sample set of the customers tickets, and specifically the events tab, to determine if the email has been sent?

    And if Zendesk is saying they have been sent, have there been bounce messages; and if so where are the bounce messages going, and have they been included in the analysis?

  • Dan Cooper


    Is a communication still planned to go out for this for the end of this month?  Do we know the scope of who is going to get it and how those messages will be sent? 

  • Kristal Lam

    @Daniel - it is currently in the works. We are working on getting the communication translated. It will be around 2nd week of November. We have a full list of customers. 

  • Dan Cooper

    @Kristal, thanks for confirming! Our team is keeping an eye out for it. 

  • Jonathan March

    Hello Kristal and team,

    > To authorize Zendesk to deliver your email using CNAME records, edit your domain's DNS settings and add each of these CNAME records:

    Type    Name/Host/Domain   Value/Target/Destination      TTL
    CNAME     zendesk1         3600 or use default
    CNAME     zendesk2         3600 or use default
    CNAME     zendesk3         3600 or use default
    CNAME     zendesk4         3600 or use default


    > Once you add the CNAME records to your DNS server, you’ll be ready, but you’ll continue to use your SPF record until your account’s email sending methods have changed. Don’t remove the old SPF record from your DNS server yet.

    1) Is there any way that we can we check in advance that these CNAME additions are correctly done?

    2) We have multiple support addresses. Does anything additional need to be done to prepare?

    Looking forward to receiving the relevant communication in the next week or so. Please announce here when it goes out, so we can be sure not to miss it in the flood of emails.



Please sign in to leave a comment.

Powered by Zendesk