Make Zendesk DMARC-compliant
How to authenticate Zendesk as a sender on your domain - so its mail passes SPF, DKIM and DMARC, and you can safely reach enforcement.
Three steps to authenticate Zendesk
Zendesk needs to pass SPF and DKIM, and align with your domain so DMARC passes. Here’s how – confirm the exact values against Zendesk’s current documentation as you go.
Add Zendesk to your SPF record
SPF lists the services allowed to send as your domain. Add Zendesk’s include to your existing SPF record – don’t create a second SPF record, merge it into the one you have.
Watch the 10-lookup limit: every include counts, and going over makes SPF fail silently. Hosted SPF keeps you safely under it automatically.
Add this mechanism to your SPF record
include:mail.zendesk.com
Turn on DKIM signing
DKIM cryptographically signs each message so receivers can prove it really came from you and wasn’t tampered with. In Zendesk Admin Center (Channels -> email), enable DKIM and publish the two CNAME records (zendesk1._domainkey and zendesk2._domainkey) - two exist because Zendesk rotates keys.
DKIM is what keeps you authenticated even when a message is forwarded – so it’s worth getting right. More on how DKIM works →
- Enable DKIM inside Zendesk
- Publish the DNS records it gives you
- Wait for it to verify, then send a test
Confirm alignment, then enforce
With SPF and DKIM set up, check that Zendesk aligns – that the authenticated domain matches your visible From address. Once every legitimate sender aligns, you can move DMARC to p=reject safely.
DMARCER’s enforcement journey shows you exactly when it’s safe to advance – no guesswork.
Good to know
Add your external support address in Zendesk first or SPF won't validate. Keep the include exactly as-is - don't run it through an SPF-flattening tool.
Check you got it right
Look up your records instantly, or run a full free check to confirm Zendesk passes SPF, DKIM and DMARC – and get your score out of 100.
Check SPF Full free check