It's easy for some people to spoof email -- that is, send email that pretends to be from somebody else. To combat spoofing, you can digitally sign outbound email from Zendesk to prove that an email actually came from somebody in your organization and not somebody pretending to be from your organization.
Digitally signing outbound email is supported only if you use an external email domain for your Zendesk email, as described in Forwarding incoming email from your existing email address to Zendesk Support and Allowing Zendesk to send email on behalf of your email domain.
Zendesk Support allows DKIM (DomainKeys Identified Mail) and DMARC (Domain-based Message Authentication, Reporting & Conformance) authentication. Email service providers that support DKIM or DMARC, such as Gmail and Yahoo!, check inbound email to see whether an organization that claimed to have signed a message actually did. The signature is associated with the organization's registered domain name. If the message is properly signed, the email service provider delivers the message normally. If the message is not signed or is improperly signed, the email service provider may deliver it with a caution to the user, or discard it.
You need to perform the following configuration steps to digitally sign your email:
Updating your DNS records to use the Zendesk domain key
Before you can digitally sign your outbound email from Zendesk, you must update the Domain Name System (DNS) records of each of the external domains you are using with Zendesk so that the Zendesk domain key can be located and used to verify signatures. The DNS update creates a redirect to the domain key on the Zendesk domain. When an email service provider receives an email with your domain name, the provider looks up the Zendesk domain key to verify the signature of the email.
As an added security measure, Zendesk rotates its DKIM encryption keys every quarter. As long as you use the method described below to add domain keys to your DNS record, you won't have to make any changes when the keys are updated. The lookup will automatically locate the current Zendesk domain keys.
The UI and terminology may vary depending on your registrar, but the concepts are the same.
To add the domain key to your DNS records
- Log in to your domain registrar's control panel.
  Use the login name and password that you created when you registered the domain name.
- Look for the option to change DNS records.
  The option might be called something like DNS Management, Name Server Management, or Advanced Settings.
- Locate the CNAME records for your domain.
  A CNAME record, or Canonical Name record, is a type of alias used by the Domain Name System (DNS). CNAME records let you point to the Zendesk domain to use its domain key.
- Look for an option to add a CNAME record.
- Create a CNAME record with the following values:
  - In the Host Record field (or equivalent), enter:
    zendesk1._domainkey.your_email_domain.com
    where your_email_domain.com is the external email domain you use for your Zendesk email. Example: "mondocam.com". The domain can have a different top-level domain, such as .net, .org, or .ca.
    Example host record value:
    zendesk1._domainkey.mondocam.com
  - In the Points To field (or equivalent), enter:
    zendesk1._domainkey.zendesk.com
- Create a second CNAME record with the following values:
  - In the Host Record field, enter:
    zendesk2._domainkey.your_email_domain.com
    where your_email_domain.com is the external email domain you use for your Zendesk email.
    Example host record value:
    zendesk2._domainkey.mondocam.com
  - In the Points To field, enter:
    zendesk2._domainkey.zendesk.com
Enabling digital signatures in Zendesk
- In Admin Center, click Channels in the sidebar, then select Talk and email > Email.
- In the Custom Domain for DKIM section, select Enable.
- Click Save.
You can use third-party validation tools to confirm that DKIM is enabled and running properly. See How do I know if my DKIM records are configured correctly? for more information.
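An added example (not part of the Zendesk article or its tooling): a Python check over a zone-file-style export that confirms both CNAME records from the steps above exist and point to the Zendesk selectors, and flags a host record that ends up with the domain appended twice. The function names and the sample zone are constructed for illustration, and the input is assumed to follow standard zone-file rules, where a name without a trailing dot is relative to the zone.

```python
import re

SELECTORS = ("zendesk1", "zendesk2")  # the two selectors named in the article

# Constructed sample for mondocam.com: the second host already contains the
# domain but has no trailing dot, so the zone origin is appended a second time.
SAMPLE_ZONE = """
; constructed zone snippet, not a real export
zendesk1._domainkey               3600 IN CNAME zendesk1._domainkey.zendesk.com.
zendesk2._domainkey.mondocam.com  3600 IN CNAME zendesk2._domainkey.zendesk.com.
"""

def expected_records(domain):
    """Return {owner FQDN: target FQDN} for the two CNAMEs the article asks for."""
    domain = domain.strip(".").lower()
    return {f"{s}._domainkey.{domain}.": f"{s}._domainkey.zendesk.com."
            for s in SELECTORS}

def parse_cnames(zone_text, origin):
    """Parse 'owner [ttl] [IN] CNAME target' lines into {owner: target} FQDNs."""
    origin = origin.strip(".").lower()
    def fqdn(name):  # relative names get the zone origin appended
        name = name.lower()
        return name if name.endswith(".") else f"{name}.{origin}."
    records = {}
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop zone-file comments
        m = re.match(r"(\S+)\s+(?:\d+\s+)?(?:IN\s+)?CNAME\s+(\S+)$", line, re.I)
        if m:
            records[fqdn(m.group(1))] = fqdn(m.group(2))
    return records

def check_dkim_cnames(zone_text, domain):
    """Return a list of problems; an empty list means both records are correct."""
    domain = domain.strip(".").lower()
    found = parse_cnames(zone_text, domain)
    problems = []
    for owner, target in expected_records(domain).items():
        doubled = f"{owner[:-1]}.{domain}."
        if owner in found:
            if found[owner] != target:
                problems.append(f"{owner} points to {found[owner]}, expected {target}")
        elif doubled in found:
            problems.append(f"{doubled} has the domain appended twice; "
                            "enter the host without the domain")
        else:
            problems.append(f"{owner} is missing")
    return problems
```

Calling `check_dkim_cnames(SAMPLE_ZONE, "mondocam.com")` reports the doubled zendesk2 host; for several branded domains, run the check once per domain against that domain's zone.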
10 comments
罗迪文
Hi, this is the error I met, please kindly help. The operation document does not work, I can barely understand it.
And how to get this below page to appear once again:
Look forward to your reply.
0
Ian Lotinsky
This seems to be a global feature in Zendesk. We have multiple email sending domains. We're about to set up our first with DKIM in its DNS records. If we flip this global switch in Zendesk, will this negatively impact the other domains' ability to have Zendesk send email on their behalf? I.e. is it either DKIM for all or none or can we set it up for select domains?
0
Juraj Jarmek
Hello @...,
I see that this question/request was already taken into a ticket with one of your admins and that they are working on it.
Have a great day and stay safe!
0
Jason Bennett
Does anybody know if it is possible to have custom DKIM keys? We have a large institution and do not want to globally enable DKIM for the domain. We can't use SPF.
0
Russell Chee
Hey Jason,
Thanks for reaching out on the community post, I hope you are doing well!
Unfortunately not, DKIM custom keys are not supported with Zendesk's workflow.
If you have any further questions around this, please reach out to us and we'd be more than glad to help!
Russell Chee | Senior Customer Advocacy Specialist | Melbourne, Australia
0
Chad Susa (Gravity CX - Zendesk Partner)
Hi
For multibrand do we just add each brand domain as per above?
Example for two brands:
zendesk1._domainkey.firstbrand.com > Points To > zendesk1._domainkey.zendesk.com
zendesk2._domainkey.firstbrand.com > Points To > zendesk2._domainkey.zendesk.com
zendesk1._domainkey.secondbrand.com > Points To > zendesk1._domainkey.zendesk.com
zendesk2._domainkey.secondbrand.com > Points To > zendesk2._domainkey.zendesk.com
And so on for each branded domain?
0
Ariya
zendesk1._domainkey.firstbrand.com
What does "domainkey" stand for? Do I just need to write "domainkey"?
And:
What if my email domain uses .go.id, for example mycompany.go.id?
Do I need to write it like this: zendesk1._domainkey.mycompany.go.id ?
1
Ariya
Chad Susa (Gravity CX - Zendesk Partner)
Russell Chee
Maybe you can help me to answer my question.
0
Chad Susa (Gravity CX - Zendesk Partner)
Hi @...
Below is our DKIM config in our DNS settings manager:
I had to attach a screengrab as this article editor is weird. I couldn't format text correctly.
1
Richard Penman
Note that Namecheap will automatically append the domain so you have to use the following for the CNAME DKIM hosts:
Found the solution here after wasting several hours.
Similarly for DMARC you have to use just _dmark as the host rather than _dmark.example.com.
1