How to Set Up DMARC for Zendesk: Configuration and Alignment Guide

Zendesk is one of the most widely used customer support platforms, handling ticket notifications, agent replies, and automated messages on behalf of your domain. When Zendesk sends email as your company, those messages need to pass authentication checks — and that means setting up DMARC alongside SPF and DKIM. Without proper configuration, your support emails risk landing in spam folders or being rejected entirely.

This guide walks through DMARC configuration specifically for Zendesk, covering the alignment details that determine whether your support emails pass or fail authentication.

How Zendesk Handles Email Sending

Understanding how Zendesk sends email is important before configuring DMARC. When a customer submits a ticket or an agent replies, Zendesk sends the message from your support address (like support@yourdomain.com), but the actual sending infrastructure belongs to Zendesk.

The Envelope Sender

Zendesk uses its own subdomain for the envelope sender (Return-Path address). This means the Return-Path on outgoing messages points to a Zendesk-controlled domain rather than your own. This distinction matters for SPF alignment, as we will cover below.

Branded Email and Multiple Brands

Zendesk supports branded email addresses, allowing you to send from custom addresses tied to your domain. If your Zendesk instance manages multiple brands, each brand may use a different domain. Every domain that appears in the From header of your Zendesk emails needs its own SPF, DKIM, and DMARC configuration.

Understanding SPF and DKIM Alignment with Zendesk

DMARC requires at least one of SPF or DKIM to "align" with the From domain in your email. Alignment means the domain validated by SPF or DKIM matches the domain your recipients see in the From header. For a detailed comparison of these protocols, see SPF vs DKIM vs DMARC.

SPF Alignment

To authorize Zendesk's mail servers to send on your behalf, you add include:mail.zendesk.com to your domain's SPF record. This ensures that SPF checks pass when Zendesk's infrastructure delivers your messages.

However, SPF alignment for DMARC is evaluated against the envelope sender (Return-Path), not the From address. Since Zendesk uses its own subdomain as the envelope sender, the Return-Path domain will not match your From domain. Under relaxed alignment, the envelope sender and From domain must share the same organizational domain — and because Zendesk's Return-Path uses a Zendesk subdomain, relaxed SPF alignment will not pass either.

This means SPF alone is not enough for DMARC alignment with Zendesk. You need DKIM.

DKIM Alignment

DKIM alignment is the reliable path to DMARC compliance with Zendesk. When you enable custom DKIM signing in Zendesk, outgoing messages are signed with a DKIM key tied to your domain. If your From address is support@yourdomain.com and the DKIM signature uses yourdomain.com, DKIM alignment passes.

DKIM signatures also survive email forwarding, which is common in support workflows where customers forward ticket replies to colleagues. This makes DKIM the strongest alignment mechanism for helpdesk platforms like Zendesk.

Configuring SPF and DKIM for Zendesk

Before adding a DMARC record, you need to set up both SPF and DKIM for your Zendesk-sending domain.

Adding Zendesk to Your SPF Record

Even though SPF will not provide DMARC alignment with Zendesk, you should still include Zendesk in your SPF record. SPF authorization prevents Zendesk messages from failing SPF checks entirely, which some receiving servers factor into their filtering decisions.

Add include:mail.zendesk.com to your existing SPF record. For example:

v=spf1 include:_spf.google.com include:mail.zendesk.com ~all

If you do not yet have an SPF record, you can build one at spfcreator.com that includes Zendesk and all your other sending services.

Enabling DKIM Signing in Zendesk

Zendesk supports custom DKIM signing, which is essential for DMARC alignment. Here is how to set it up:

1. In your Zendesk Admin Center, navigate to Channels > Email.
2. Locate your support address and find the DKIM settings section.
3. Enable DKIM signing for your domain. Zendesk will provide two CNAME records that you need to add to your DNS.
4. Log in to your DNS provider and create the two CNAME records exactly as Zendesk specifies. These records point to Zendesk's DKIM key infrastructure and allow Zendesk to sign messages with your domain.
5. Return to Zendesk Admin Center and verify the DKIM records. Once DNS propagation completes, Zendesk will confirm the records are detected and begin signing outgoing email.

You can verify your DKIM setup is working correctly using dkimcreator.com.

Setting Up Your DMARC Record

With SPF and DKIM configured for Zendesk, you are ready to add your DMARC record.

Recommended DMARC Record for Zendesk Users

Since DKIM is your primary alignment mechanism with Zendesk, your DMARC record should use relaxed DKIM alignment:

v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com; adkim=r; aspf=r; pct=100;

Monitor with p=none for at least two to four weeks. Review your aggregate reports carefully to confirm Zendesk messages are consistently passing DKIM alignment. Also verify that any other services sending as your domain (your primary email provider, marketing tools, transactional email platforms) are passing as well.

Once everything looks clean, move toward enforcement:

Soft enforcement: v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@yourdomain.com; pct=25;

Full enforcement: v=DMARC1; p=reject; rua=mailto:dmarc-reports@yourdomain.com; pct=100;

For a deeper explanation of each policy level, see DMARC Policy Levels.

Troubleshooting Zendesk DMARC Failures

DKIM Alignment Failing

If your DMARC reports show DKIM failures for Zendesk messages, check the following:

• DKIM is enabled and verified in Zendesk. Go to Admin Center, Channels, Email and confirm DKIM status shows as active for your domain.
• CNAME records are still in your DNS. DNS provider migrations or accidental deletions can remove the records Zendesk needs. Verify both CNAME records are still published.
• The From address matches the DKIM-signed domain. If you enabled DKIM for yourdomain.com but a Zendesk brand sends from otherdomain.com, DKIM alignment will fail for that brand.

SPF Failing Entirely

While SPF will not provide DMARC alignment for Zendesk, a complete SPF failure can still hurt deliverability. If SPF is failing:

• Confirm include:mail.zendesk.com is in your SPF record. Check your domain's TXT records to verify.
• Check for SPF record errors. Multiple SPF records on the same domain, exceeding the 10-lookup limit, or syntax errors can invalidate your entire SPF record. Build a clean record at spfcreator.com.

Multiple Brands Not Authenticating

Each brand domain in your Zendesk instance needs its own set of DNS records. If you added a new brand or changed a brand's email domain, repeat the full SPF and DKIM setup process for that domain. Each domain also needs its own DMARC TXT record published at _dmarc.brandomain.com.

Zendesk-Specific Best Practices

Always enable DKIM signing. This is non-negotiable for DMARC compliance with Zendesk. Without custom DKIM, your Zendesk emails have no viable path to DMARC alignment.

Authenticate every brand domain. If you operate multiple Zendesk brands, treat each domain as a separate authentication project. Audit all brands periodically to ensure DNS records are intact.

Monitor aggregate reports closely during rollout. Zendesk sends a high volume of automated messages — ticket confirmations, satisfaction surveys, SLA notifications, and trigger-based emails. Any of these can reveal alignment issues in your reports.

Coordinate with other sending services. Most organizations using Zendesk also send email through a primary email provider, a marketing platform, and possibly other tools. Review your full sending landscape before tightening your DMARC policy. Our guide on how to set up DMARC covers multi-service environments in detail.

Monitor Your DMARC Record

You've created your DMARC record — now make sure it keeps working. The Email Deliverability Suite watches your SPF, DKIM, DMARC, and MX records daily and alerts you when something breaks.