How to Set Up DMARC for Freshdesk: Configuration and Alignment Guide

Freshdesk is a popular helpdesk and customer support platform from Freshworks, used by thousands of businesses to manage support tickets via email. When Freshdesk sends ticket replies on behalf of your domain, those emails need to pass DMARC authentication. Without proper configuration, your support replies can land in spam folders or get rejected entirely — a terrible experience for customers who are already waiting for help.

This guide walks through DMARC configuration specifically for Freshdesk users, covering custom mailbox setup, SPF and DKIM alignment, and the troubleshooting steps that keep your support emails flowing.

How Freshdesk Handles Outbound Email

When a support agent replies to a ticket in Freshdesk, the platform sends that reply from your support email address (like support@yourdomain.com). Behind the scenes, Freshdesk's mail servers are the ones actually transmitting the message. This means the From address shows your domain, but the sending infrastructure belongs to Freshdesk.

This gap between the visible sender and the actual sender is exactly what DMARC is designed to detect. Without SPF and DKIM set up to authorize Freshdesk, your DMARC policy will treat those replies as unauthorized and potentially block them.

Custom Mailbox Configuration

Freshdesk allows you to configure custom mailboxes so ticket replies go out as your domain rather than a generic Freshdesk address. To set this up, navigate to Admin → Channels → Email → Advanced Settings in your Freshdesk dashboard. Here you can add your custom support email and configure the sender domain.

Custom mailbox setup is a prerequisite for DMARC alignment. If you are still using the default yourcompany.freshdesk.com address, Freshdesk emails will not align with your domain and DMARC will not apply to them. Configure your custom domain first before proceeding.

SPF and DKIM Alignment with Freshdesk

DMARC requires at least one of SPF or DKIM to "align" with your From domain. Alignment means the domain verified by SPF or DKIM matches (or shares a root with) the domain in the visible From header. For a deeper comparison of these protocols, see SPF vs DKIM vs DMARC.

SPF Alignment

SPF checks whether the sending server's IP address is authorized to send on behalf of the envelope sender domain. To authorize Freshdesk, you need to include their SPF mechanism in your domain's SPF record.

Add the following to your SPF record:

include:email.freshdesk.com

A complete SPF record might look like:

v=spf1 include:_spf.google.com include:email.freshdesk.com ~all

Under relaxed SPF alignment (the default DMARC setting), the envelope sender domain needs to share the same root domain as your From address. Freshdesk may use a subdomain or their own infrastructure as the envelope sender, which can cause SPF alignment to fail even when the SPF check itself passes. This is why DKIM alignment is the more reliable path for Freshdesk.

Build your SPF record at spfcreator.com to make sure all your sending services are included without exceeding the 10-lookup limit. Freshdesk plus your primary email provider plus any marketing tools adds up quickly.

DKIM Alignment

DKIM signs outgoing messages with a cryptographic key tied to your domain. When the receiving server verifies the signature, it confirms the message was authorized and unaltered. Freshdesk supports custom DKIM signing through CNAME records that you add to your DNS.

To enable DKIM for Freshdesk:

In your Freshdesk dashboard, go to Admin → Channels → Email → Advanced Settings.
Locate the DKIM configuration section for your custom domain.
Freshdesk will provide CNAME records that you need to publish in your DNS.
Add these CNAME records at your DNS provider.
Return to Freshdesk and verify the records.

Once verified, Freshdesk signs outgoing messages with DKIM using your domain. Since the DKIM signing domain matches your From domain, DKIM alignment passes. This is the most dependable alignment method for Freshdesk users because DKIM signatures survive email forwarding — something SPF cannot do.

Use dkimcreator.com to understand and generate DKIM records. If Freshdesk provides specific CNAME values, those take priority — but the tool helps you verify everything is in place.

Setting Up Your DMARC Record

With SPF and DKIM configured for Freshdesk, you are ready to publish a DMARC record for your domain.

Verify Freshdesk email authentication is complete

In your Freshdesk dashboard, confirm that your custom mailbox is set up under Admin → Channels → Email → Advanced Settings. Verify that your DKIM CNAME records are published and validated, and that your SPF record includes include:email.freshdesk.com.

Generate your DMARC record

Start with a monitoring-only policy: v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com; pct=100;. This tells receiving servers to send you reports without blocking any email, so you can verify alignment before enforcing.

Add the DMARC record to your DNS

Log in to your DNS provider and create a new TXT record. Set the name (host) to _dmarc and the value to your DMARC record string. The full record will resolve at _dmarc.yourdomain.com.

Wait for DNS propagation

Save the record and allow time for propagation. This typically takes a few minutes but can take up to a couple of hours depending on your DNS provider and TTL settings.

Verify the record is live

Check your record at dmarcrecordchecker.com. Confirm that the policy, reporting address, and alignment settings are correct.

Create your DMARC record

Use our free DMARC generator to build a valid record for your domain.

Generate DMARC Record

Recommended DMARC Record for Freshdesk Users

For most teams using Freshdesk, start with this record:

v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com; adkim=r; aspf=r; pct=100;

The adkim=r and aspf=r tags explicitly set relaxed alignment for DKIM and SPF. Relaxed mode is the default, but including these tags removes ambiguity about your intent.

Monitor your DMARC aggregate reports for at least two weeks with p=none. Once you confirm that Freshdesk and all other legitimate senders are passing, move toward enforcement:

Soft enforcement: v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@yourdomain.com; pct=25;

Full enforcement: v=DMARC1; p=reject; rua=mailto:dmarc-reports@yourdomain.com; pct=100;

Increase the pct value gradually during the quarantine phase to catch issues before they affect all your email.

Troubleshooting Freshdesk DMARC Failures

DKIM Alignment Failing

If DMARC reports show DKIM failures for Freshdesk messages, check:

CNAME records are published and verified. Log into your DNS provider and confirm the CNAME records Freshdesk provided are present. Then verify them in the Freshdesk dashboard.
Your From address matches the authenticated domain. If you authenticated yourdomain.com but send from a different domain, DKIM alignment will fail.
DNS changes have not removed the records. Migrations between DNS providers or zone file imports can silently drop CNAME records. Verify after any DNS change.

SPF Alignment Failing

SPF alignment issues with Freshdesk typically come from:

Missing SPF include. Confirm your SPF record contains include:email.freshdesk.com. An SPF lookup tool or spfcreator.com can verify this.
Too many DNS lookups. SPF has a 10-lookup limit. If your record includes many services, you may be exceeding this limit, which causes SPF to fail entirely. Consolidate or remove unused includes.
Strict alignment mode. If your DMARC record uses aspf=s (strict), the envelope sender must exactly match your From domain. Freshdesk's envelope sender may use a subdomain that will not pass strict alignment. Use aspf=r instead.

Multiple Sending Services

Most businesses using Freshdesk also send email through other services — a primary email provider like Google Workspace or Microsoft 365, marketing platforms, transactional email APIs, and possibly other helpdesk tools. Each service needs its own SPF and DKIM authentication.

Review your DMARC aggregate reports to identify every source sending as your domain. Fix authentication for each one before tightening your DMARC policy.

Do not move to p=reject until every legitimate sending source passes DMARC. For support teams using Freshdesk alongside other platforms, a premature reject policy can block customer-facing ticket replies — exactly the emails you cannot afford to lose.

Freshdesk-Specific Best Practices

Always configure a custom sender domain. Sending from the default Freshdesk address means your domain's DMARC policy does not apply and customers see a generic address. A custom domain improves trust and enables DMARC protection.

Set up both SPF and DKIM. While DMARC only requires one to align, configuring both provides redundancy. If DKIM fails for any reason, SPF alignment can still save the message — and vice versa.

Test with a real ticket. After configuring everything, send a test email to your Freshdesk support address, then reply from Freshdesk. Check the received email's headers to confirm SPF, DKIM, and DMARC all pass. Look for dmarc=pass in the Authentication-Results header.

Coordinate with your Freshworks account. If you use other Freshworks products (Freshsales, Freshmarketer) that send email as your domain, each one needs its own authentication setup. Review the documentation for each product and ensure all are covered.

Complete your authentication stack

DMARC depends on SPF and DKIM working together. Build a valid SPF record at spfcreator.com, verify your DKIM setup at dkimcreator.com, and check your full DMARC configuration at dmarcrecordchecker.com.

Monitor Your DMARC Record

You've created your DMARC record — now make sure it keeps working. The Email Deliverability Suite watches your SPF, DKIM, DMARC, and MX records daily and alerts you when something breaks.

Never miss a DMARC issue

Monitor your SPF, DKIM, DMARC and MX records daily. Get alerts when something breaks.

Start Monitoring