D
DKIM Test

How to Set Up DKIM for Zendesk

Configure DKIM for Zendesk support emails. Step-by-step guide to authenticating your Zendesk domain with DKIM records.

Last updated: 2026-05-09

Zendesk sends support ticket replies, automated notifications, satisfaction surveys, and trigger-based emails from your domain every single day. If those messages fail DKIM (DomainKeys Identified Mail) authentication, your customers see spam warnings or never receive your responses at all. For a support platform, that is a direct hit to customer trust. Setting up DKIM for Zendesk ensures your support communications reach inboxes reliably and display your domain name cleanly without "via zendesk.com" warnings.

Why DKIM Matters for Zendesk

Your support team works hard to respond to customers quickly. But speed means nothing if the reply lands in a spam folder. Without DKIM, here is what can go wrong:

  • Ticket reply notifications get flagged as suspicious by Gmail, Outlook, and other providers
  • Automated responses from triggers and automations get silently dropped
  • Satisfaction survey emails never arrive, skewing your CSAT data
  • Email clients show "via zendesk.com" next to your From address, which looks unprofessional
  • Your domain reputation degrades over time from unauthenticated sends

DKIM solves these problems by cryptographically signing every outbound email so receiving servers can verify it genuinely came from your domain. Combined with SPF and DMARC, it forms the foundation of email authentication that major providers now require.

Before You Start

Make sure you have these three things ready:

  • Zendesk Admin access: You need access to the Zendesk Admin Center, not just agent access
  • DNS management access: You need to be able to add records in your domain's DNS provider (Cloudflare, GoDaddy, Namecheap, Route 53, etc.)
  • A custom domain already configured in Zendesk: Your support address should use your own domain (e.g., support@yourcompany.com), not a default Zendesk subdomain

Zendesk uses CNAME records for DKIM

Unlike some email services that provide TXT records with a public key, Zendesk uses CNAME records. These point to Zendesk's DNS infrastructure, where they host and automatically rotate the DKIM keys on your behalf. You will add two CNAME records to your DNS.

Setting Up DKIM in Zendesk

1

Open the Zendesk Admin Center

Log into your Zendesk account. Click the Admin Center icon (gear icon) in the sidebar, or navigate directly to yoursubdomain.zendesk.com/admin. In the left navigation, go to Channels then Talk and email then Email.

2

Locate the DKIM settings for your domain

Scroll down the email settings page until you find the DKIM section or Domain authentication area. If you have a custom support domain configured, you should see an option to enable or configure DKIM. Click into the DKIM configuration for the domain you want to authenticate.

3

Copy the CNAME records Zendesk provides

Zendesk will display two CNAME records. They typically look like this:

Record 1:

  • Host: zendesk1._domainkey
  • Points to: zendesk1._domainkey.zendesk.com

Record 2:

  • Host: zendesk2._domainkey
  • Points to: zendesk2._domainkey.zendesk.com

Copy both records exactly. The actual target values may differ slightly depending on your Zendesk account, so always use what Zendesk shows you rather than the examples above.

4

Add the first CNAME record to your DNS

Log into your DNS provider and create a new CNAME record. Set the Type to CNAME, the Host/Name to zendesk1._domainkey, and the Value/Points to field to the target Zendesk provided. If your DNS provider automatically appends your domain name, enter only zendesk1._domainkey without your domain suffix to avoid duplication.

5

Add the second CNAME record

Create a second CNAME record with the Host/Name set to zendesk2._domainkey and the Value/Points to field set to the second target from Zendesk. Save both records.

6

Wait for DNS propagation

DNS changes usually propagate within 15 to 30 minutes, though it can take up to 48 hours in edge cases. Give it at least 30 minutes before moving on.

7

Return to Zendesk and verify

Go back to the Zendesk Admin Center email settings and click Verify (or refresh the page). Zendesk will query your DNS for the CNAME records. Once both are detected, Zendesk enables DKIM signing for all outbound support emails from that domain.

Adding DNS Records: What to Watch For

Zendesk provides two CNAME records (zendesk1._domainkey and zendesk2._domainkey) because they use key rotation. When Zendesk rotates the signing key, it switches from one selector to the other seamlessly. You do not need to do anything when this happens, because the CNAME records point to Zendesk's infrastructure where the actual keys are managed.

Both records are required. Even if Zendesk only actively signs with one selector at any given time, both must be in DNS for rotation to work. Missing the second record means DKIM will break the next time Zendesk rotates keys.

Do not create TXT records. Zendesk requires CNAME records, not TXT. If you accidentally create TXT records with the Zendesk hostnames as their values, they will not work.

Test both selectors separately:

  • Selector zendesk1 with your domain
  • Selector zendesk2 with your domain

Both should resolve to valid DKIM records.

Testing Your Setup

After verification, send a test support ticket reply to an external email address (a personal Gmail or Outlook account works well). Open the received email and view the raw headers. Look for:

Authentication-Results: ... dkim=pass header.d=yourcompany.com header.s=zendesk1

A dkim=pass result confirms everything is working. If you see dkim=fail or dkim=none, the records may not have propagated yet, or there is a configuration issue.

Common Zendesk DKIM Issues

CNAME not resolving. Your DNS provider may have quirks with underscore characters in hostnames. Try adding the record without quotes around the target value, or check if your provider has a specific format for CNAME records. Some older providers do not support underscores at all. Consider switching to a modern DNS provider like Cloudflare.

Domain name duplication. If your DNS provider auto-appends your domain, entering zendesk1._domainkey.yourcompany.com creates a record at zendesk1._domainkey.yourcompany.com.yourcompany.com. Enter just zendesk1._domainkey instead.

Correct DNS EntryIncorrect DNS Entry
zendesk1._domainkey (host only)zendesk1._domainkey.yourcompany.com (full domain)
CNAME record typeTXT record type
zendesk1._domainkey.zendesk.com (as target)v=DKIM1; k=rsa; p=... (raw key as target)

Multiple domains in Zendesk. If you use multiple support addresses on different domains (e.g., support@brand1.com and help@brand2.com), you need to add CNAME records for each domain separately. Repeat the setup process for every custom domain.

Emails still show "via zendesk.com." The "via" label depends on both DKIM and SPF alignment. DKIM alone may not remove it. Make sure you have also added Zendesk's SPF include to your domain's SPF record.

SPF for Zendesk

DKIM is only one piece of the authentication puzzle. You also need to include Zendesk in your domain's SPF record so receiving servers recognize Zendesk's IP addresses as authorized senders for your domain. Zendesk's SPF include value is available in the same Admin Center email settings area where you found the DKIM records.

Check your current SPF record at spfrecordcheck.com to make sure Zendesk is included and your record is valid.

Complete Your Authentication

For the best deliverability on your Zendesk support emails, configure all three layers of email authentication:

  • SPF (Sender Policy Framework): Authorize Zendesk's servers to send on your behalf. Check at spfrecordcheck.com.
  • DKIM: Sign outbound emails with your domain's key (what you just set up).
  • DMARC (Domain-based Message Authentication, Reporting and Conformance): Tell receiving servers how to handle emails that fail SPF and DKIM. Check at dmarcrecordchecker.com.

If you need to generate a custom DKIM key for other services that do not provide their own, dkimcreator.com can create one with your chosen selector and key size.

Once everything is configured, set up ongoing monitoring with deliverabilitychecker.com to get daily checks and alerts if any record breaks.

Related Articles

Monitor Your DKIM Records

Checking once is good. Monitoring continuously is better. The Email Deliverability Suite watches your SPF, DKIM, DMARC, and MX records daily and alerts you when something breaks.

Never miss a DKIM issue

Monitor your SPF, DKIM, DMARC and MX records daily. Get alerts when something breaks.

Start Monitoring