The Authenticated SMTP Connector allows you to connect a non-Zendesk email server to your Zendesk Support instance for the outbound sending of email traffic. It is specifically designed for organizations that prefer to use their own email servers for outbound sending, or those that cannot use third-party email servers due to internal corporate policies, data regulations, or specialized encryption needs.
By establishing a secure connection using authenticated and TLS-encrypted SMTP for outbound traffic (using your own domain credentials), the connector allows you to run your business in ways that meet both your internal and external security and regulatory requirements. It also gives you more visibility into the flow of your email traffic. This flexibility is essential for industries like healthcare, financial services, and government agencies, which often must adhere to strict security protocols.
This article includes the following topics:
- About the outbound Authenticated SMTP Connector
- Considerations
- Configuring the Authenticated SMTP Connector
- Signing your outbound email traffic with your DKIM signature
- Important information about email headers
- Rotating or changing credentials
- Disconnecting the Authenticated SMTP Connector
About the outbound Authenticated SMTP Connector
SMTP is not new to Zendesk; Zendesk currently uses SMTP relays for almost all inbound and outbound emails.
The outbound Authenticated SMTP Connector functions like the current SMTP process for email traffic, except that it relays email from Zendesk to your company’s mail server and passes/receives secure credentials (username and password) as part of that outbound relay. The inbound portion of forwarding remains the same. This lets services such as the Office365 cloud use standard auto-forwarding in to Zendesk (they don't support outbound authentication; see our setup recommendations), while we pass the authenticated outbound traffic over to those services, which then send it to the intended recipients.
Email flow with Auto-Forwarding and the Authenticated SMTP Connector:
The main advantage of this solution is that it allows you to send email traffic to your customers using your domain’s email services, taking advantage of all those sending and security features, while also ensuring encrypted and secure relays from Zendesk.
Once configured, here’s how the Authenticated SMTP Connector works in a typical email workflow:
- User submits support request: When an end user or agent emails a support request to your domain’s support address, that email will be forwarded to Zendesk using a standard email auto-forward.
- Ticket created: The email is received, and a ticket is created in Zendesk.
- Ticket notifications: Notifications are sent back to your email domain/service using your designated and authenticated SMTP-ready support address for outbound sending to the intended recipients from your email service.
Considerations
- Because the Authenticated SMTP Connector feature relies on outbound authenticated relays, we recommend testing this feature in your Zendesk sandbox environment before using it in production. This gives your domain admin, IT team, or email provider time to fully understand the workflow and the relationship between the two resources.
- Do not add the same support address in your sandbox and production accounts. This may result in inconsistent behavior, either with Zendesk or your email server. It is recommended that you use your sandbox environment to test, then delete all the test domains and support addresses before adding them to your production account.
- During initial setup there may be some traffic leaving from the default address for that account or brand. Adding a support address for outbound sending is what completes the integration and allows us to send through the authenticated address/domain.
- Up to fifty support addresses can be added to Zendesk for outbound sending through a single SMTP domain. You can add up to four domains, for a total of 200 addresses, but only fifty support addresses can be added for each domain.
- Adding unique credentials is recommended for each address or brand so you can track traffic with greater specificity. This can be helpful in rotating credentials or in mitigating a possible security issue in which a set of credentials may have become compromised.
- We advise against graylisting this traffic, particularly the verification emails: those emails completing the outbound relay is what allows the feature to function and confirms to us that traffic is flowing successfully.
- You should allowlist the Zendesk hosts/IPs to ensure a robust connection.
- If you disable the support addresses that use the feature but continue to forward traffic to us, tickets will still be created and updated, but updates for those tickets will not use an authenticated outbound connection. Those notifications will be sent from our servers.
Configuring the Authenticated SMTP Connector
Share these configuration steps with your domain admin or IT team, as they involve obtaining and providing credentials that must be securely transferred and added to your business email servers and Zendesk account.
There are three steps to configuring the connector:
- Forwarding Email In To Zendesk
- Adding a support address for outbound sending
- Verifying the connection
Forwarding Email In To Zendesk
The forwarding portion of this feature, which occurs at your domain, is the same as the one that has existed for many years and is outlined in this article, though the steps for adding the new support address differ slightly when you use this feature.
To forward email in to Zendesk
Refer to your email provider's documentation for more information about forwarding email. Zendesk can't provide support for third-party products, such as email clients. Contact your email provider if you need assistance setting up automatic forwarding.
The steps to add a forwarding address:
- Navigate to your Admin>>Email page
- Select "Connect External Address"
- From the drop-down menu choose Email Forwarding/Authenticated SMTP Connector and enter the support address.
- You will need the secure credentials for your domain (host, username, and password), obtained from your domain administrator, IT team, or service provider to complete this step. This is what allows us to relay outbound traffic to your domain for sending outbound traffic to your users and ensures outbound TLS-encryption.
- The next popup modal will instruct you to set up auto-forwarding. Ideally this would have already been done.
- Once you have confirmed that and clicked "Next", we will send a test verification email, which may take a few minutes to complete its round trip.
- If all goes well the next screen you should see will be this.
- If there were any problems with the test verification email for auto-forwarding, you may see this screen. If so, you may need to contact your email admin or provider to ensure that you have set up auto-forwarding correctly.
If you have confirmed with your provider that forwarding is functioning as expected then you may need to open a ticket with Zendesk support. Please keep in mind that we have limitations as to how much we can troubleshoot your email configurations and performance.
Verifying the connection
After you have successfully added your support address, you must verify the outbound SMTP configuration. This will send a verification email that verifies that you have successfully completed the connection. This verification email must be received and should be forwarded successfully back to Zendesk for the integration to function.
Signing your outbound email traffic with your DKIM signature
As described in Digitally signing your email with DKIM, Zendesk Support allows DKIM authentication. DKIM provides a way to authenticate that an email was indeed sent from the domain it claims to be from. This is done by attaching a digital signature to the outgoing emails, which can be verified against a public cryptographic key published in the domain's DNS records.
When using the Authenticated SMTP Connector, Zendesk will not sign outbound traffic with our d=zendesk.com DKIM tag within the header. If you have enabled digital signatures in Zendesk after adding the required CNAME records at your domain, we will sign the outbound traffic on your behalf and add the d=yourdomain.com DKIM tag to the outbound header.
Your domain can re-sign with your DKIM signature, if you choose. If you opt not to do this, test and ensure you’re not inadvertently overwriting the signature we’ve added for your domain before sending outbound production traffic.
Your domain may need to ignore SPF authority when we relay outbound traffic from Zendesk to your email service, as we will be creating a “trusted sender” relationship with your email service and you will be doing the final authoritative outbound sending (SPF and/or DKIM) to your users.
We strongly recommend testing in a sandbox environment with test end-users to validate that the SPF/DKIM/DMARC checks are all passing.
Important information about email headers
Email headers (such as To, From, CC, and Reply-To) contain important data and metadata about an email message. Your administrator might want to change or manipulate headers for several reasons. However, some header fields should never be altered, because they are critical to correct delivery and to the integrity of the message. Changing standard headers at the account's email domain before outbound sending is not a currently supported aspect of this feature. Any issues that emerge as a result of this should be investigated and corrected at the external domain.
Changing your email header fields doesn’t change how Zendesk works; it only changes how you do your outbound sending and how you might receive responses. The relationships between requester, agents and CCs in the email and subsequent ticket should not change.
This feature does not give you the ability to send email on behalf of your Zendesk system support addresses (example: support@subdomain.zendesk.com).
The below headers should persist throughout the outbound relay process:
Auto-Submitted: auto-generated
X-Auto-Response-Suppress: All
X-Mailer: Zendesk Mailer
X-Zendesk-From-Account-Id: ******
X-Zendesk-Email-Id: ************************
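A check covering both the DKIM signing notes and the header list above, as an added example that is not Zendesk's code: it compares a notification captured where your mail server receives it from Zendesk with the copy delivered to a test recipient. The capture point, the function names, the `sel-a`/`sel-b` selectors and the sample messages are assumptions constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Headers the article lists as needing to persist through the outbound relay.
PERSISTENT = ("Auto-Submitted", "X-Auto-Response-Suppress", "X-Mailer",
              "X-Zendesk-From-Account-Id", "X-Zendesk-Email-Id")

def dkim_signers(msg):
    """Return the set of (d=, s=) pairs across all DKIM-Signature headers."""
    signers = set()
    for sig in msg.get_all("DKIM-Signature", []):
        tags = {}
        for part in str(sig).split(";"):
            name, sep, value = part.partition("=")
            if sep:  # strip folding whitespace from tag name and value
                tags[name.strip().lower()] = "".join(value.split()).lower()
        signers.add((tags.get("d", ""), tags.get("s", "")))
    return signers

def check_relay(ingress_raw, delivered_raw):
    """Compare the copy received from Zendesk with the copy finally delivered."""
    before = message_from_string(ingress_raw)
    after = message_from_string(delivered_raw)
    findings = []
    for name in PERSISTENT:
        if after[name] is None:
            findings.append(f"missing header: {name}")
        elif after[name].split() != (before[name] or "").split():
            findings.append(f"altered header: {name}")
    # A signature aligned with the From domain must be present on delivery.
    from_domain = parseaddr(after["From"] or "")[1].rpartition("@")[2].lower()
    signers = dkim_signers(after)
    if not any(d == from_domain for d, _ in signers):
        findings.append(f"no DKIM signature with d={from_domain}")
    # Signatures present at ingress but gone on delivery were removed or replaced.
    for d, s in sorted(dkim_signers(before) - signers):
        findings.append(f"signature removed in relay: d={d} s={s}")
    return findings

# Constructed sample: the ingress copy, and a delivered copy in which the relay
# dropped X-Mailer and replaced the original signature (selector sel-a -> sel-b).
INGRESS = ("From: Support <support@example.com>\n"
           "Auto-Submitted: auto-generated\n"
           "X-Auto-Response-Suppress: All\n"
           "X-Mailer: Zendesk Mailer\n"
           "X-Zendesk-From-Account-Id: 000000\n"
           "X-Zendesk-Email-Id: CONSTRUCTEDSAMPLEID\n"
           "DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel-a; b=AAAA\n"
           "\nTicket update body\n")
DELIVERED = INGRESS.replace("X-Mailer: Zendesk Mailer\n", "").replace("s=sel-a", "s=sel-b")
```

An empty result from `check_relay` means the listed headers and the ingress signatures all survived; it does not verify the signatures cryptographically, so the SPF/DKIM/DMARC results reported by the receiving mailbox still need to be checked.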
Rotating or changing credentials
- If it becomes necessary to change the credentials associated with one or many support addresses, you will need to edit or delete the address or addresses and update or re-add them with the new credentials entered.
- If there was no change to your auto-forwarding rules, this transition should be relatively simple and painless, as you should only need to add the new credentials.
Disconnecting the Authenticated SMTP Connector
- The process - If you wish to discontinue use of the feature, consider doing so during a low-traffic time. The process will take a few minutes, and you may need to coordinate with your Zendesk team to hold off on making any ticket updates until the feature has been disabled and the support addresses have been re-added, to maintain the use of your branded addresses.
- The API - Depending on how many connected support addresses you have, you may want to leverage the API’s support addresses endpoint for faster results. Only one address can be deleted at a time, but once you have the list of SMTP Connected address IDs, the calls can be made in very rapid sequence. It is worth noting that Authenticated SMTP Connector support addresses cannot be added via the API at this time, as credentials must be added within the UI to create the necessary connection.