If Zendesk cannot confirm that an email was sent from the address that appears in the From line (known as “spoofing”), it will be noted by adding the tag POTENTIAL_MESSAGE_SPOOFING to the comment, and the flag “This message may not have been sent by <email address>”.
This article contains the following topics:
Related articles:
How spoofed emails are identified
To determine whether an email has been spoofed, we look at the following indicators:
- The path the email has taken before reaching us.
- Whether the email was sent from an authorized location. See Setting up SPF for Zendesk to send email on behalf of your email domain for more information.
- Whether there is evidence of tampering. See Digitally signing your email with DKIM or DMARC for more information.
Flagged comments appear with a warning icon (
). Click the icon to display the warning message:
If you enable the Sender Authentication feature and you have integrations between your Zendesk instance and external tools (e.g. Salesforce), you will want to ensure you have SPF and DKIM correctly set up. Otherwise it may result in those automated emails getting suspended or rejected and your integrations will break. See Setting up SPF for Zendesk to send email on behalf of your email domain for more information.
Causes for ticket suspension
Email Authentication Failed
Description: This indicates that the email is spoofed. The email appears to have originated from someone or somewhere other than the actual source. This can also occur when the sender of the email is an agent and the sender or forwarding domain fails DMARC.
Solution: The sender of this email must be permitted to send mail from your domain. Consider configuring SPF and DKIM for this sending source, or disabling Sender Authentication in email channel settings. Please contact Zendesk Customer Support for further assistance.