It’s easy for some people to spoof email — that is, send email that pretends to be from somebody else. To combat spoofing, you can digitally sign outbound email from Zendesk to prove that an email actually came from somebody in your organization and not somebody pretending to be from your organization.

Digitally signing outbound email is supported only if you use an external email domain for your Zendesk email, as described in Forwarding incoming email to Zendesk Support and Setting up SPF for Zendesk to send email on behalf of your email domain.

Zendesk Support allows DKIM (DomainKeys Identified Mail) and DMARC (Domain-based Message Authentication, Reporting & Conformance) authentication. Email service providers that support DKIM or DMARC, such as Gmail and Yahoo!, check inbound email to see whether an organization that claimed to have signed a message actually did. The signature is associated with the organization’s registered domain name. If the message is properly signed, the email service provider delivers the message normally. If the message is not signed or is improperly signed, the email service provider may deliver it with a caution to the user, or discard it.

Note: Third parties are not permitted to send email on behalf of any Zendesk subdomain. You’ll still be able to forward messages to your external support address. However, you cannot send emails from [email protected]. Email recipients will reject any email with a Zendesk subdomain that was not sent from one of Zendesk’s servers.

You need to perform the following configuration steps to digitally sign your email:

Updating your DNS records to use the Zendesk domain key

Before you can digitally sign your outbound email from Zendesk, you must update the Domain Name System (DNS) records of your domain so that the Zendesk domain key can be located and used for verifying signatures. The DNS update creates a redirect to the domain key on the Zendesk domain. When an email service provider receives an email with your domain name, the provider looks up the Zendesk domain key to verify the signature of the email.

As an added security measure, Zendesk rotates its DKIM encryption keys every quarter. As long as you use the method described below to add domain keys to your DNS record, you won’t have to make any changes when the keys are updated. The lookup will automatically locate the current Zendesk domain keys.

Note: Working with domain names can be confusing because it’s something most of us rarely do. Consult your system administrator, if you have one, before proceeding.

The UI and terminology may vary depending on your registrar, but the concepts are the same.

To add the domain key to your DNS records

  1. Log in to your domain registrar’s control panel. Use the login name and password that you created when you registered the domain name.
  2. Look for the option to change DNS records. The option might be called something like DNS Management, Name Server Management, or Advanced Settings.
  3. Locate the CNAME records for your domain. A CNAME record, or Canonical Name record, is a type of alias used by the Domain Name System (DNS). CNAME records let you point to the Zendesk domain to use its domain key.
  4. Look for an option to add a CNAME record.
  5. Create a CNAME record with the following values:
    • In the Host Record field (or equivalent), enter: zendesk1._domainkey.your_email_domain.com, where your_email_domain.com is the external email domain you use for your Zendesk email. Example: “mondocam.com”. The domain can have a different top-level domain, such as .net, .org, or .ca. Example host record value: zendesk1._domainkey.mondocam.com
    • In the Points To field (or equivalent), enter: zendesk1._domainkey.zendesk.com
  6. Create a second CNAME record with the following values:
    • In the Host Record field, enter: zendesk2._domainkey.your_email_domain.com, where your_email_domain.com is the external email domain you use for your Zendesk email. Example host record value: zendesk2._domainkey.mondocam.com
    • In the Points To field, enter: zendesk2._domainkey.zendesk.com

Note: It takes time for changes to the DNS system to be implemented. Typically, it can take anywhere from a few hours to a day, depending on your Time To Live (TTL) settings in the registrar’s control panel.
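
One way to check both CNAME records before enabling signing, as an added example that is not Zendesk's own tooling: it reads a zone export in standard `name TTL IN TYPE target` form and reports a missing selector, a wrong target, or a key published as TXT instead of the CNAME alias. The function names and the sample zone text are constructed for illustration; only the selector names, the targets and the mondocam.com example come from the steps above.

```python
SELECTORS = ("zendesk1", "zendesk2")  # the two selectors named in the steps above


def norm(name):
    """DNS names are case-insensitive; a trailing dot marks a fully qualified name."""
    return name.strip().rstrip(".").lower()


def parse_records(zone_text):
    """Return {owner: (record_type, target)} for lines like 'name 3600 IN CNAME target'."""
    records = {}
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()  # drop zone-file comments
        if len(fields) >= 5 and fields[2].upper() == "IN":
            records[norm(fields[0])] = (fields[3].upper(), norm(fields[4]))
    return records


def check_dkim_cnames(zone_text, email_domain):
    """Return a list of problems; an empty list means both records are correct."""
    records = parse_records(zone_text)
    problems = []
    for sel in SELECTORS:
        owner = f"{sel}._domainkey.{norm(email_domain)}"
        expected = f"{sel}._domainkey.zendesk.com"
        if owner not in records:
            problems.append(f"{owner}: no record found")
            continue
        rtype, target = records[owner]
        # A copied TXT key would go stale at the next quarterly rotation.
        if rtype != "CNAME":
            problems.append(f"{owner}: is {rtype}, expected CNAME")
        elif target != expected:
            problems.append(f"{owner}: points to {target}, expected {expected}")
    return problems


# Constructed sample zone export for the page's example domain, mondocam.com.
GOOD_ZONE = """
zendesk1._domainkey.mondocam.com. 3600 IN CNAME zendesk1._domainkey.zendesk.com.
zendesk2._domainkey.mondocam.com. 3600 IN CNAME zendesk2._domainkey.zendesk.com.
"""
# Constructed faulty export: domain appended twice, and selector 2 aimed at selector 1.
BAD_ZONE = """
zendesk1._domainkey.mondocam.com.mondocam.com. 3600 IN CNAME zendesk1._domainkey.zendesk.com.
zendesk2._domainkey.mondocam.com. 3600 IN CNAME zendesk1._domainkey.zendesk.com.
"""

if __name__ == "__main__":
    print(check_dkim_cnames(BAD_ZONE, "mondocam.com"))
```
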

Enabling digital signatures in Zendesk

  1. In Admin Center, click the Channels icon in the sidebar, then select Talk and email > Email.
  2. In the Custom Domain for DKIM section, select Enable.
  3. Click Save.

You can use third party validation tools to confirm that DKIM is enabled and running properly. See How do I know if my DKIM records are configured correctly? for more information.