Zendesk DKIM setup: digitally sign support emails
Set up Zendesk DKIM with two CNAME records, enable custom domain signing, avoid delivery failures, and verify DMARC alignment.
Zendesk DKIM lets Zendesk sign support emails with your domain instead of relying only on Zendesk’s own domain.
Zendesk’s DKIM documentation says the setup uses two CNAME records:
zendesk1._domainkey.your_email_domain.com -> zendesk1._domainkey.zendesk.com
zendesk2._domainkey.your_email_domain.com -> zendesk2._domainkey.zendesk.com
After the records are live, you enable Custom domain for DKIM in Zendesk.
Before you start
You need:
- Zendesk admin access.
- DNS access for the external support domain.
- A Zendesk support address using your own domain.
- SPF and DMARC reviewed for the same domain.
Zendesk says DKIM signing is supported for external email domains. It does not apply to sending as a Zendesk subdomain you do not own.
Step 1: publish the first CNAME
At your DNS provider, add:
| Type | Host | Points to |
|---|---|---|
| CNAME | zendesk1._domainkey |
zendesk1._domainkey.zendesk.com |
If your DNS provider requires full names, use:
zendesk1._domainkey.example.com
for the host, replacing example.com with your email domain.
Step 2: publish the second CNAME
Add the second record:
| Type | Host | Points to |
|---|---|---|
| CNAME | zendesk2._domainkey |
zendesk2._domainkey.zendesk.com |
Publish both records. The second selector supports key rotation and verification continuity.
Step 3: wait for DNS propagation
Zendesk says DNS changes can take from a few hours to a day, depending on TTL settings.
Use a DNS lookup tool to confirm:
zendesk1._domainkey.example.com
zendesk2._domainkey.example.com
both resolve as CNAME records pointing to Zendesk.
Step 4: enable DKIM in Zendesk
Only after DNS is correct, go to Zendesk Admin Center.
Open Channels > Talk and email > Email. In Email settings, select Custom domain for DKIM and save.
Zendesk warns that enabling digital signatures before adding the required CNAME records can cause delivery failures. Do DNS first, toggle second.
Step 5: verify real support email
Send a test support reply from Zendesk using your external support address.
Inspect the headers:
- DKIM passes.
- The DKIM
d=domain is your domain. - DMARC passes.
- SPF is valid and not duplicated.
Then use DMARCTrust to check public DNS and your DMARCTrust dashboard to confirm Zendesk appears as an authorized source.
Common mistakes
Enabling DKIM too early. Publish both CNAMEs first.
Only adding one selector. Zendesk documents two CNAME records.
Using full hostnames when DNS appends the domain. Check that you did not create zendesk1._domainkey.example.com.example.com.
Skipping SPF. Zendesk recommends SPF as well. Use include:mail.zendesk.com in your single SPF record.
SPF and DMARC
Set up Zendesk SPF too:
v=spf1 include:mail.zendesk.com ~all
If you already have SPF, merge Zendesk into the existing record.
Then publish or review DMARC:
v=DMARC1; p=none; rua=mailto:[email protected];
Monitor before moving to enforcement. Support email is too important to block accidentally.
FAQ
What are the Zendesk DKIM records?
Zendesk documents two CNAME records: zendesk1._domainkey and zendesk2._domainkey, both pointing to corresponding zendesk.com DKIM hosts.
When should I enable Custom domain for DKIM?
After both DNS CNAME records are published and resolving.
Does Zendesk DKIM help DMARC?
Yes. DKIM can give Zendesk mail an aligned authentication result for DMARC, assuming the support address uses your domain.
