Zendesk is changing the way we send outbound email from Zendesk Support. In the future, all outbound email from Support will be sent from Amazon SES servers. This change coincides with our migration to Amazon Web Services (AWS). If Zendesk sends email on behalf of your email domain, there are some important changes that you need to make to your DNS server because we will be using Amazon SES.
We are making this change because Amazon SES has proven benefits such as enhanced abuse protection, account segmentation based on reputation, and a more scalable framework to meet your demands. Using Amazon SES will improve the reliability of mail for our customers, and also allow us to build additional features such as providing feedback on deliveries, opens, clicks, and sends.
Zendesk uses dedicated IPs with Amazon, which are entirely exclusive to our organization and managed by Amazon. These are all included in the SPF record.
Only Support customers that use an external support address like support@yourdomain.com are affected by this change. If you use a native Zendesk address like support@yoursubdomain.zendesk.com, or you have linked your Gmail account to your Support account, then no action is needed.
This article is meant to help both you and your DNS provider understand what you need to do and in what order. It explains why this is happening, who is affected, and how to prepare. It also assumes that you have already reviewed the information in Allowing Zendesk to send email on behalf of your email domain about upcoming changes to the authorization process.
This article includes these sections:
- Preparing to use Amazon SES
- Adding CNAME records
- Using MX and TXT records instead of CNAME records
- Verifying your domain
- Verifying your domain when using Gmail Connector
- What to do with the verification email from Amazon
- Frequently asked questions
Preparing to use Amazon SES
If you have authorized Zendesk to send email on your behalf, there are three main things that you will need to do in order to avoid disruptions.
- Add new records to your DNS server.
We recommend that you add CNAME records, but if you can't for some reason, you can add MX and TXT records instead.
- Verify your domain for Zendesk Support.
Most customers will follow these instructions. However, if you are using Gmail Connector, see Verifying your domain when using Gmail Connector.
- Verify your email for AWS.
Later, when your account is transitioned to AWS, you will get an email notification from AWS. The verification link in it should be clicked for you automatically. If it is not, then you may need to click the link in the email to verify your email.
AWS requires verification before they will send email on behalf of another email domain and address.
Adding CNAME records
CNAME (Canonical Name) records allow you to delegate domain level email authorization to Zendesk. This means that Zendesk can maintain SPF records for a subset of email delivered from your domain, and ensure that they're always up-to-date.
With the new authorization process, the receiving email server will attempt to perform an SPF check, meaning the email server checks the SPF record on your DNS server by looking up the envelope-from address in the DNS.
We recommend that you complete this task before the change in the authorization process occurs.
To authorize Zendesk to deliver your email using CNAME records
- Edit your domain's DNS settings and add each of these CNAME records:
Type | Name / Host / Domain | Value / Target / Destination | TTL |
---|---|---|---|
CNAME | zendesk1 | mail1.zendesk.com | 3600 or use default |
CNAME | zendesk2 | mail2.zendesk.com | 3600 or use default |
CNAME | zendesk3 | mail3.zendesk.com | 3600 or use default |
CNAME | zendesk4 | mail4.zendesk.com | 3600 or use default |
If you're unsure about any of the above, consult with your DNS provider.
Using MX and TXT records instead of CNAME records
If you can’t add CNAME records to your DNS server for some reason, there’s an alternative. You can add four MX and four TXT records instead and they will serve the same purpose as the CNAME records. This workaround allows Amazon SES to send your outbound email from Support. See the tables below for information about how to set up these MX and TXT records.
We recommend that you use the CNAME method (above), if possible, to point to our securely managed subdomains because it simplifies the process for you. It reduces the number of records you need to maintain. See the tables below for information about which records are required for your circumstance.
If your support address is support@example.com (where example.com is your domain), then you would add these records:
Support address | Subdomain | DNS field | MX Record | TXT record |
---|---|---|---|---|
support@example.com | zendesk1.example.com | Priority | 10 | |
 | | Value | feedback-smtp.us-west-2.amazonses.com. | v=spf1 include:mail1.zendesk.com ~all |
 | zendesk2.example.com | Priority | 10 | |
 | | Value | feedback-smtp.us-east-1.amazonses.com. | v=spf1 include:mail2.zendesk.com ~all |
 | zendesk3.example.com | Priority | 10 | |
 | | Value | feedback-smtp.eu-west-1.amazonses.com. | v=spf1 include:mail3.zendesk.com ~all |
 | zendesk4.example.com | Priority | 10 | |
 | | Value | feedback-smtp.eu-central-1.amazonses.com. | v=spf1 include:mail4.zendesk.com ~all |
When using a subdomain (support@support.example.com) for email:
Support address | Subdomain | DNS field | MX Record | TXT record |
---|---|---|---|---|
support@support.example.com | zendesk1.support.example.com | Priority | 10 | |
 | | Value | feedback-smtp.us-west-2.amazonses.com. | v=spf1 include:mail1.zendesk.com ~all |
 | zendesk2.support.example.com | Priority | 10 | |
 | | Value | feedback-smtp.us-east-1.amazonses.com. | v=spf1 include:mail2.zendesk.com ~all |
 | zendesk3.support.example.com | Priority | 10 | |
 | | Value | feedback-smtp.eu-west-1.amazonses.com. | v=spf1 include:mail3.zendesk.com ~all |
 | zendesk4.support.example.com | Priority | 10 | |
 | | Value | feedback-smtp.eu-central-1.amazonses.com. | v=spf1 include:mail4.zendesk.com ~all |
With many domain admin panels, you would add the zendesk1.support portion (replace the word "support" with whatever your subdomain uses) to the Host field, and your domain (example.com) would then be appended automatically.
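A pre-flight audit of the two record sets described above, as an added example that is not Zendesk's own tooling. It runs over a constructed zone (`ZONE`, `audit` and `norm` are illustrative names, and mixing CNAME and MX/TXT hosts in one zone is only done here to show both forms) and flags the mistakes that break SPF evaluation, such as a truncated `~al` qualifier or a CNAME that shares its name with other records.

```python
REGIONS = {1: "us-west-2", 2: "us-east-1", 3: "eu-west-1", 4: "eu-central-1"}

def norm(name):
    """Lower-case and drop the trailing root dot so FQDN forms compare equal."""
    return name.strip().lower().rstrip(".")

def audit(zone, domain):
    """Return a list of problems; an empty list means all four hosts are set up."""
    problems = []
    for i, region in REGIONS.items():
        host = f"zendesk{i}.{domain}"
        rr = zone.get(host, {})
        if "CNAME" in rr:
            # A CNAME must be the only record at its name (RFC 1034).
            extra = sorted(set(rr) - {"CNAME"})
            if extra:
                problems.append(f"{host}: CNAME coexists with {extra}")
            if norm(rr["CNAME"]) != f"mail{i}.zendesk.com":
                problems.append(f"{host}: CNAME target is {rr['CNAME']!r}")
            continue
        want_mx = (10, f"feedback-smtp.{region}.amazonses.com")
        got_mx = [(prio, norm(target)) for prio, target in rr.get("MX", [])]
        if want_mx not in got_mx:
            problems.append(f"{host}: missing MX {want_mx}")
        want_spf = f"v=spf1 include:mail{i}.zendesk.com ~all"
        spf = [t for t in rr.get("TXT", []) if t.lower().startswith("v=spf1")]
        if len(spf) != 1:
            problems.append(f"{host}: expected exactly one SPF TXT, found {len(spf)}")
        elif " ".join(spf[0].split()) != want_spf:
            problems.append(f"{host}: SPF is {spf[0]!r}")
    return problems

# Constructed sample zone, not a live lookup.
ZONE = {
    "zendesk1.example.com": {"CNAME": "mail1.zendesk.com."},
    "zendesk2.example.com": {"MX": [(10, "feedback-smtp.us-east-1.amazonses.com.")],
                             "TXT": ["v=spf1 include:mail2.zendesk.com ~all"]},
    "zendesk3.example.com": {"MX": [(10, "feedback-smtp.eu-west-1.amazonses.com.")],
                             "TXT": ["v=spf1 include:mail3.zendesk.com ~al"]},  # typo
    # zendesk4.example.com is deliberately missing.
}

if __name__ == "__main__":
    for line in audit(ZONE, "example.com"):
        print(line)
```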
Verifying your domain
In order for Zendesk Support to send emails on your behalf, you must verify that you own the domain that you want Support to use. This is done by adding a TXT record (a domain verification record) to your DNS server that Support will check. The domain verification record is unique for each Support account and domain combination.
If you don't verify your domain
If you do not verify your domain and establish the necessary DNS records through either the CNAME or the MX/SPF option, then delivery will be done by a native Zendesk address like support@yourdomain.zendesk.com. For many large parent domain providers, like Gmail and others, this has the effect of displaying a "Delivered via zendesk.com" message in the email that is sent to your end-users. If you wish to preserve the white-labelled experience, you must add the DNS records.
If you don't make these changes, these things will happen:
- Without a Domain Verification record, we cannot send mail on behalf of a customer's subdomain, so any emails that your customers receive would show as being sent from *your_subdomain_here*.zendesk.com.
- Without a CNAME record, your customers will see sent via Zendesk on some email clients such as Gmail.
To verify that a domain belongs to you
- After you have finished setting up your CNAME records, go to Support and click the Admin icon in the sidebar, and then navigate to Channels > Email.
- Locate the DNS records for your Support address, then click See details to see the domain verification value. See the image below for an example.
Note: If you are an agent with permissions to manage support addresses, you can use the Support Addresses API endpoint to find the domain verification code for your support address instead, if you prefer. Look for the domain_verification_code value. For more information, see the developer documentation about Support Addresses.
- Edit your domain's DNS settings and add this TXT record:
Type | Name | Value | TTL |
---|---|---|---|
TXT | zendeskverification | <your unique value found in Support> | 3600 or use default |
You can find the value next to the Domain verification TXT record check. In this example, the value is abcdef123456.
- After you add the TXT record, click the Verify DNS records button to confirm that all of your records are now valid. If they are, the red error messages will be gone.
After your domain is verified, leave the domain verification record in place.
If you decide to change your Support subdomain or host mapping later, you don’t need to update your domain verification records.
Verifying your domain when using Gmail Connector
If your account's connection to the Gmail Connector is disrupted for any reason (rate limits being the most common issue), then Zendesk will begin sending from our servers, where your domain’s DNS records will come into play if you wish to maintain a branded experience for your customers.
What to do with the verification email from Amazon
Once you have added the CNAME records, and as your account is being transitioned over to sending from Amazon (SES), a verification email will be sent to each custom support address in use. These should be detected by Zendesk and the verification links clicked automatically by our inbound email processors, so that no action should be needed on your end.
If these emails are not detected by us, then it may become necessary for you to navigate into the inbox of the account in question and click the links manually. Alternatively, find the ticket in the Suspended ticket view that should have been created from the forwarded email in your Zendesk account and verify it by clicking the link.
Frequently asked questions
This section includes answers to frequently asked questions about using Amazon SES.
What is happening to the bounce notifications?
We are working towards greatly improving that process. Amazon will be collecting those so that we will eventually be able to add features like delivery verification within the user interface, as well as being able to recognize and manage undeliverable email addresses much better.
What about SPF?
We are not doing away with SPF, but rather establishing that same sending authority in a slightly different way than we had previously. When you add the four CNAME records to your DNS, they determine how Amazon begins the SMTP conversation and, in turn, constructs the mail envelope.
When sending on your account's behalf, Amazon will use a custom MAIL FROM in the SMTP handshake as well as a unique HELO/EHLO clause in the server greeting. A recipient server uses both of these to verify SPF authority.
The MAIL FROM argument is where the Return-Path: header value will be set to allow for DMARC identifier alignment - <tokenized@zendesk1.yourdomain.com>. The HELO/EHLO clause will likewise be initiated with the subdomain record you have created: zendesk1.yourdomain.com.
More information can be found in Amazon's article on this practice.
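The SPF lookup and DMARC alignment described in this answer, simulated from the receiving server's side as an added example (not Zendesk or Amazon code). The zone contents and `ip4` ranges are constructed documentation values rather than real sending ranges, the function names are illustrative, and the organizational domain is passed in where a real receiver would derive it from the Public Suffix List.

```python
import ipaddress

# Constructed records; 192.0.2.0/24 is a documentation range (RFC 5737).
ZONE = {
    "zendesk1.example.com": {"CNAME": "mail1.zendesk.com"},
    "mail1.zendesk.com": {"TXT": ["v=spf1 ip4:192.0.2.0/24 ~all"]},
}

def spf_record(zone, name, hops=5):
    """Follow CNAMEs (bounded) and return the single v=spf1 TXT, else None."""
    for _ in range(hops):
        rr = zone.get(name.lower().rstrip("."), {})
        if "CNAME" not in rr:
            spf = [t for t in rr.get("TXT", []) if t.startswith("v=spf1")]
            return spf[0] if len(spf) == 1 else None
        name = rr["CNAME"]
    return None

def spf_check(zone, mail_from, client_ip):
    """Evaluate only the ip4 and all mechanisms, which is all ZONE uses."""
    record = spf_record(zone, mail_from.rsplit("@", 1)[1])
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    results = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in results else "+"
        mech = term.lstrip("+-~?")
        if mech == "all":
            return results[qualifier]
        if mech.startswith("ip4:") and ip in ipaddress.ip_network(mech[4:]):
            return results[qualifier]
    return "neutral"

def dmarc_spf_aligned(header_from, mail_from, org_domain, strict=False):
    """Relaxed: both domains sit under org_domain. Strict (aspf=s): exact match."""
    f = header_from.rsplit("@", 1)[1].lower()
    m = mail_from.rsplit("@", 1)[1].lower()
    if strict:
        return f == m
    under = lambda d: d == org_domain or d.endswith("." + org_domain)
    return under(f) and under(m)

if __name__ == "__main__":
    env = "tokenized@zendesk1.example.com"
    print(spf_check(ZONE, env, "192.0.2.25"),
          dmarc_spf_aligned("support@example.com", env, "example.com"))
```

With strict SPF alignment (`aspf=s` in the DMARC record), the `zendesk1` subdomain in MAIL FROM no longer aligns with a From address at the parent domain, so DMARC then depends on DKIM.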
What about DKIM?
If you have the DKIM feature enabled in your Zendesk account then we will pass the email over to the AWS servers with your domain's signature already included. Amazon will then add another DKIM signature to any outbound email they are sending. Zendesk will sign outbound mail delivered via Amazon SES the same way as it currently does. No action is required here.
17 Comments
When setting this up I get a message from the 'Email' section on Zendesk asking for a 'TXT record'. Is it necessary with a 'TXT Record'?
zendesk1.mydomain.com
zendesk2.mydomain.com
zendesk3.mydomain.com
zendesk4.mydomain.com
zendesk_verification.mydomain.com
Set to
46a2c2d3502ea744
I am having the same exact issue.
Hello Jonas and DuBose!
Thanks for your inquiries.
The TXT record referenced for the both of you as missing for zendesk_verification.{domain}.com is a required component. Based on what you both have shown, your respective TXT records have not been published. You will want to contact your provider for assistance with this.
If, after you've done that, you have any followup questions, feel free to post back here and we'll be happy to help!
Jonas and DuBose,
Some DNS configuration tools do not want you to include your domain in the host field as your DNS service may be automatically completing the {your_domain}.com bit.
So with Zendesk suggesting you enter:
You could try instead entering in the "host" field just:
Then use the alphanumeric value as given by Zendesk in the TXT value field.
We were experiencing the same issues with the DNS TXT record, and the DKIM records and omitting the {your_domain}.com part of Zendesk's recommended settings has worked for us.
Cheers,
Jenna.
Thanks so much Jenna! We will give this a try!
Hi, why do you use zendesk_verification with the underscore? As far as I know, it's an invalid symbol for domain names. For example, I can't create this record, but it's OK if I use zendesk-verification
Hey D Mokrushin!
We actually have an alternative for domain providers which don't allow underscores. Please use zendeskverification in its place (altogether, no hyphen or underscore).
If that doesn't work, please let us know and we'd be glad to look into it.
Thanks so much Ryan!
zendeskverification has worked for me!
Thanks, Ryan. It works for me.
Thanks for this. I have been honestly working on this all day. It appears that the change over to Amazon is creating confusion. I look forward to a much more detailed walkthrough with a clear example about how to implement this process. I have tried the CNAME method outlined in previous articles, and this new one with MX and TXT records. I have not been successful getting the DNS record to work. Would Zendesk please publish a clear walkthrough? I am trying to piece together various articles with conflicting information....a bit frustrating.
Hi Jerod, we apologize this has been frustrating for you. Can you open a ticket with us at support@zendesk.com, so that we can get some specific information from you? The editing and publishing of DNS records happens entirely at your domain's admin control panel, but we are happy to verify whether the records are appearing as they should.
It's all good! I fully accept this process. I will open a ticket for some advice and will add snippets for clarity.
Cheers! :)
Jerod
hi Sean,
I see in your article the point "If you cannot add CNAME records to your DNS, don't panic",
if we have already added the CNAME entries in our DNS, and these are verified in Zendesk and been working ok for years, do we need to take any further action, i.e. add the MX and TXT entries for when Zendesk moves over the AWS?
or
Can we leave as is, will our email continue to work ok?
thank you, Mark
Hey Mark,
Your old CNAME entries should remain intact. However, you'll need to set up the new CNAME records listed in the following article as well: Allowing Zendesk to send email on behalf of your email domain. I've also copied the relevant information below:
To authorize Zendesk to deliver your email using CNAME records
If you've already set these CNAME records up then you should be all set on your end :)
Hi Mark (thanks Brett!), It sounds as if you might be referencing the CNAME records you set up for DKIM? If so, then what Brett has pointed out are the new records that you'll need to set up. If you have any more questions then please open a ticket at support@zendesk.com so that we can take a closer look and verify that all your records are as they should be.
When will the switch to Amazon's servers happen?
Hi Henrik,
We apologize for the misinformation that was provided in this comment thread. We do not have a date yet as to when we will be sending email from Amazon SES. The best thing to do is to follow the Zendesk Announcements page for that information: https://support.zendesk.com/hc/en-us/sections/200623776-Announcements.