If you want to use your own email address to receive support requests, and you've added your email address as a support address in Zendesk, then you can set up your custom email domain to verify that Zendesk can send email on behalf of your email server.
For example, if you receive email from your customers at firstname.lastname@example.org, and you've set up an automatic redirect to forward all email received there to Support, you can authorize Zendesk to send out notifications as if it originated from your own email address (for example: email@example.com). That way you can preserve your branding throughout the entire process.
You don’t have to configure your email domain this way, but it’s recommended if you use your own custom email domain and have set up forwarding to an external email address. If you use a non-custom domain, such as addresses ending in @gmail.com or @yahoo.com, you can't use this feature, as you won't have access to the account DNS settings.
The advantages of this configuration
So, do you have to allow Zendesk to send email on behalf of your email domain? The short answer is: No. The slightly longer answer is: Only if you really don't want your customers to see the Zendesk name on their messages.
When Zendesk sends an email message using your email address (which is what happens if you've set up a support address with forwarding) the message identifies the sender as zendesk.com to avoid getting rejected. However, if you allow Zendesk to send email on behalf of your email domain, Zendesk stops sending messages from zendesk.com, and sends them from your domain, completely preserving your branding.
If you don't complete the tasks described in this article, your customers might see something like this:
The following warning will also appear in the agent interface next to your external support addresses:
However, if you complete the tasks described in this article, the via statement and warning don’t appear.
Setting up records for your domain
The process of setting up an SPF record is different for different domain registrars. For example, here are the instructions for GoDaddy, Namecheap, 1&1, Network Solutions, and Google Domains.
To create or edit an SPF record to reference Zendesk
- Edit your domain's DNS settings to add a TXT record. The steps vary depending on your domain registrar. A TXT record is required for your SPF record to be validated.
Zendesk recommends using the following SPF record:
v=spf1 include:mail.zendesk.com ?all
?allbecause it's the least intrusive qualifier, you can use whichever qualifier you are comfortable with.
If you've already set up an SPF record for another purpose, add a reference to Zendesk to it. The SPF specification requires that you only have one SPF record on your domain. If you have multiple records, it may cause issues, and cause rejections of your email.
For example, instead of having two separate records, such as
v=spf1 include:_spf.google.com ~all and
v=spf1 include:mail.zendesk.com ~all,
combine them into one, like this:
v=spf1 include:_spf.google.com include:mail.zendesk.com ~all
In the past, Zendesk suggested alternate formulations for SPF records,
include:support.zendesk.com. These are both
outdated SPF records. While they might still work, they're not the
best option. If you're still using them, you'll see a warning flag
indicating you've set up an outdated record.
Verifying your domain
In order for Zendesk Support to send emails on your behalf, you must verify that you own the domain that you want Support to use. This is done by adding a TXT record (a domain verification record) to your DNS server that Support will check. The domain verification record is unique for each Support account and domain combination.
If you don’t add the domain verification record, Support sends emails from a Zendesk-provided email address. If you want to give your customers a white label experience, hiding all Zendesk branding, you must add this record.
To verify that a domain belongs to you
- Make sure you have finished setting up your SPF record.
In Admin Center, click
Channels in the sidebar, then select Talk and email > Email.
You should see a verification check for your DNS records.
- Click See details to see the domain verification value.
You can find the value next to the Domain verification TXT record check. In this example, the value is abcdef123456:Note: If you are an agent with permissions to manage support addresses, you can use the Support Addresses API endpoint to find the domain verification code for your support address instead, if you prefer. Look for the domain_verification_code value. For more information, see the developer documentation about Support Addresses.
- Edit your domain's DNS settings and add this TXT record:
Type Name Value TTL TXT zendeskverification <your unique value found in Support> 3600 or use defaultNote: Your domain will be automatically appended to zendeskverification. If your domain is used in more than one Zendesk account, your TXT record can include all of the verification codes, separated by a space, up to 255 characters.
- After you add the TXT record, click the Verify DNS
records button to confirm that all of your
records are now valid.
If they are, the red error messages will be gone. If you're having trouble setting up your DNS record correctly, see Why do I receive the error "DNS records are not set up correctly" when verifying my DNS records.
After your domain is verified, leave the domain verification record in-place.
If you decide to change your Support subdomain or host mapping later, you don’t need to update your domain verification records.
Understanding SPF checks
Sender Policy Framework (SPF) is a domain level email authorization protocol that allows you to declare which IP addresses are allowed to send email as if it originated from your domain.
This is accomplished by adding Domain Name System (DNS) TXT record. Think of DNS as a publicly accessible record for the internet. This record enables you to state publicly that Zendesk is an authorized sender for your domain.
When an email client receives a message, it performs an SPF check on the sending domain to verify that the email came from who it says it did. If this check fails, or there isn't a DNS record that says that Zendesk is a permitted sender, some receivers might consider that email spam or a phishing attempt, and flag it as untrustworthy or not display it to your customers at all.
Zendesk avoids this by sending email using our own domain when we're not authorized to use your domain, and by using your domain only when you authorize Zendesk with a proper SPF record. Generally, this helps to prevent emails from your Zendesk account to your customers from being incorrectly marked as spam. However, if you are having this problem, see How can I stop my emails from going into my customer's spam folder?
If you're curious, you can read more about SPF at www.openspf.org. If you're having trouble verifying your SPF record, see Why is my SPF record not validating?
I'm going quietly nuts trying to do the Zen verification.
The instructions in this article don't appear to be correct or I'm missing something.
I've set up mail mail redirections and they work but the replies come back from ourdomain.zendesk.com. We want them to come back from ourdomain.com.
I've also set up the SPF record and it appears to be OK.
The trouble is that I can't find the domain verification value and I get stopped here
Where do I find the "see details" part ?
"See details" button can be seen on a screenshot for step #3. It is located in Email menu, for each private support email address added.
I will duplicate it here, just in case:
This should reveal verification number required to finish setting up SPF.
Thanks Sergei for your answer.
I'm just making deductions here but maybe you can confirm.
We haven't added an email address for support. Our email is firstname.lastname@example.org.
I can't add our support address because it's been used as the admin email address.
So if I change that and add our support address (as I believe I should), will I then get the "see details" dropdown ?
That is correct. You cannot add agent's email address as your support address and vice versa.
After you will add required address in Email menu, you will see options to confirm forwarding (if applicable) and DNS setup button, as shown on my last screenshot.
See this article on how to add private support addresses, in case this will come handy.
It works ! :)
My SPF record will not verify. If I understand this article correctly we should add the following as a value in a TXT record:
What should the name of that TXT record be? Also, if the name should just be our base domain or "@" but we already have records with those names, what should we do?
For reference we are using AWS Route 53 to manage our DNS.
Email sending stopped working without notice and all configuration look fine. Disable send via gmail didnt help. What to do aaaaa!
Can you confirm that your default triggers are still enabled under Admin>Business Rules>Triggers? More information here: About the Support default triggers
Are emails still generating tickets in your account? Or is the issue that your agent responses are not making it back to customers?
Any additional information can help us point you in the right direction :)
@... I am working with a Zendesk setup, and following these instructions: https://support.zendesk.com/hc/en-us/articles/203663336-Adding-support-addresses-for-users-to-submit-tickets
we have it set up so that the support address is email@example.com .
This works fine, and the e-mails generated by Zendesk have:
From: mysetup <firstname.lastname@example.org>
Reply-To: mysetup <email@example.com>
The e-mails are being sent out properly, but some of our customers are finding these e-mails in the SPAM folder.
I analyzed the e-mails in my customer's SPAM folder and see:
DMARC is failing because DKIM/SPF is not aligned with the Reply-To: address.
When sending e-mails, is it possible to get Zendesk to sign the e-mails with DKIM/SPF for mydomain.com instead of zendesk.com?
When my customer's e-mail system sees SPF signed for one domain (zendesk.com), but From: and Reply-To: contains another domain (mydomain.com), then this fails DMARC and gets flagged as spam.
Thanks for reaching out to Zendesk Support, I hope you are doing well!
I'm sorry to hear that you are seeing an issue where some of your end-users are seeing your responses from your Agents arrive into their spam folder. I would like to create a ticket on your behalf so we can explore this a little more in depth. Please keep an eye out for the ticket and speak soon!
When trying to verify forwarding our support mail address, the forwarded mail is not accepted by our Zendesk domain support mail. The message comes back saying:
Delivery has failed to these recipients or groups:
"Our sending/forwarding email address here."
Your message wasn't delivered because the recipient's email provider rejected it.
Diagnostic information for administrators:
Generating server: AM0PR0302MB3316.eurprd03.prod.outlook.com
"Our sending/forwarding email address here."
Remote Server returned '550 5.7.520 Access denied, Your organization does not allow external forwarding. Please contact your administrator for further assistance. AS(7555)'
"Your organization does now allow external forwarding."
Is that our organization in Zendesk? If so, have I missed to make some setting right for this to work?
Support address works, SPF works, the DNS settings work, all verified.
Thanks in advance.
Best regards, Sten
Hi Sten, you must address this issue with your domain admin or provider. This is a restriction at your end. We do not have any inbound acceptance restrictions and we did not respond with this message:
All the best,
Hi Sean, Erwin,
Problem solved at our end, it was the Outlook 365 server who did not approve forwarding of e-mails outside our domain.
Thank you very much for your help.
Have a nice day.
Best regards, Sten
Hello, I am running into a strange error of "Forwarding Check failed" for our support email address.
Please see attached photo
SPF record and DNS record are fine.
If I try to re-verify forwarding, the same error just keeps repeating itself.
This issue is only happening when I set Barracuda ESS as the outbound smarthost in our gmail settings.
As soon as I remove Barracuda as outbound smarthost, I will get the green "Forwarding verified" message again
Any suggestion on what might be causing the issue here?
Thank you for reaching out to us.
Based on the information you have provided - it seems there is a tight security with Barracuda that blocks forwarding. The forwarding verification is failing might be because of authentication on the smart host and doesn't allow it to forward emails to Zendesk.
I would highly suggest reaching out to them.
These instructions seem mangled?
"Locate the DNS records (located outside of Zendesk) for your Support address, then click See details to see the domain verification value. See the illustration below for an example."
There's no illustration below this step, and I assume you're not talking about inside the DNS records that there would be a "see details". This appears to be separate steps that are not related smushed together, and there's no action listed for this step.
I need help with email configuration. We have very unique requirements. Can someone reach out to me around email options?
Hi Nick. You can contact Zendesk Customer Support for help on issues specific to your account.
- An email is sent from our customer to Support@OLDComanyDomain.com
- This email address forwards to Support@NEWCompanyDomain.com (forwarding is configured with our email server).
- Support@NEWCompanyDomain.com is a configured as one of our Zendesk support addresses, but not the default. Forwarding is verified, SPF record is valid, DNS records set up correctly.
- Support@OLDComanyDomain.com is not configured as one of our Zendesk support addresses, as we want to phase out this email address and discourage use.
-The ticket is created in Zendesk VIA our default support address and not via Support@NEWCompanyDomain.com
- The email address Support@OLDCompanyDomain.com is added to the ticket on CC
QUESTION: Why isn't this ticket being created via Support@NEWCompanyDomain.com even though the emails forward to this mailbox? This is how it worked for us for two years prior to January 2022.
Is there something we have to change in our Zendesk settings? We have not made any changes to our email forwarding setup in years. We've had a ticket open with Zendesk Customer Support for almost 2 months and they can't give us an explanation or solution, so I'm seeking help from other sources. Thanks!
Hi, I have setup my spf record, however I don't see a domain verification check for firstname.lastname@example.org. If I try to add our support email, I get a message, that "This address is already used by Support." I'm looking in Channels->Text&Email -> Email.
Hi Mark! You won't see a domain verification record in the user interface until the support email is actually added. The This address is already used by Support error means that the email address you are trying to add is already in use as an end-user or agent in your Zendesk account.
You will need to search for the email address in your Zendesk and edit the email address value. For example, you can modify the email address of the user to email@example.com. After you make this change, you can add the support email to your Zendesk Email Settings page.
If DNS records are verified, is it necessary to add SPF record to avoid emails sent using external address ending up on spam folder?
Hi Jen! It is highly recommended that you add the Zendesk entry of include:mail.zendesk.com to the SPF record for your external email domains. SPF impacts the outbound email deliverability of your outbound Zendesk notifications considerably more than the DNS records verification setting.
My IT depertmant created a dedicated sub domain name zendesk.ourcompanyname.com , and we want to use that subdomain for sending emails from the Zendesk application.
We appear to be having some difficulty however when in verifying the SPF though the DNS records are verified.
For any unexpected behavior within our product, it will be better to contact support for one of our Advocate to investigate further.
Having the same problem Derek mentioned here in the comments, which got no response
What record name should the txt record be?
I have a TXT record under the record name @.domain.com
which contained already one spf value, and added
as in the tutorial.
but i cannot find it in dns lookups (when using lookup to domain.com it indeed resolves to the value I expect, which is defined in another TXT record with the name domain.com)
When it comes to the name, normally it's just @ or domain.com. However, it can change depending on the DNS host. You can coordinate with your DNS host to determine what is the name they are using for the TXT. We can only provide you with the actual value of the TXT record which you are already aware of.
how do i stop an email forwarding into zendesk
You will need to log into your email provider and remove the forwarding rule from there so emails are no longer being sent to Zendesk. The location of this setting will depend on what email provider you use. If you're using Outlook, you can use these instructions for example: Turn on or off automatic forwarding in Outlook.com
I hope this helps!
Please sign in to leave a comment.