How to Create an SPF Record for Zendesk
Learn how to create an SPF record for Zendesk. Step-by-step guide with the correct include, common combinations, and verification tips.
Zendesk is a customer support platform that sends email on your behalf every time an agent replies to a support ticket. Those replies go out as your domain -- [email protected] or whatever address you've configured -- which means receiving mail servers check your domain's SPF record to verify the email is legitimate. If Zendesk isn't listed in your SPF record, your support ticket replies may fail authentication, landing in spam or getting blocked entirely.
This is one of the most commonly overlooked SPF entries. Businesses set up SPF for their primary email provider and forget that Zendesk also sends email as their domain. This guide walks you through adding Zendesk to your SPF record, combining it with other services, and making sure your support emails authenticate properly.
The SPF Include for Zendesk
Per Zendesk's SPF configuration guide, the SPF include mechanism for Zendesk is:
include:mail.zendesk.com
This covers all email sent through Zendesk's platform, including ticket replies from agents, automated notifications, triggers, and any other email Zendesk sends on behalf of your domain.
A basic SPF record for Zendesk looks like this:
v=spf1 include:mail.zendesk.com -all
In reality, no business uses Zendesk as its only email sender. You have a primary email provider (Google Workspace, Microsoft 365, etc.) and likely marketing or transactional email services too. Zendesk is always used alongside other services, so you need to include all of them in a single SPF record. The free SPF record generator makes this easy.
Zendesk is the service most commonly left out of SPF records. Because it's a support tool rather than an "email service," businesses don't think of it as an email sender. But every ticket reply Zendesk sends goes out as your domain -- and needs to be in your SPF record.
Step-by-Step: Creating Your SPF Record for Zendesk
Check for an existing SPF record
Your domain almost certainly has an SPF record already if you're using Google Workspace, Microsoft 365, or another email provider. Go to SPF Record Check and enter your domain to see what's currently published. You'll be editing this record, not creating a new one.
Identify all your email sending services
List every service that sends email as your domain. This typically includes your primary email provider, Zendesk, and possibly marketing platforms (Mailchimp, Constant Contact), transactional email services (SendGrid, Postmark), or other tools.
Build or update your SPF record
If you're adding Zendesk to an existing record, you just need to insert include:mail.zendesk.com before the -all at the end. If you're creating a new record from scratch, use the SPF Creator tool to assemble all your includes.
Edit the TXT record in your DNS provider
Log in to your DNS provider and find the existing TXT record that starts with v=spf1. Click edit and add the Zendesk include. Do not create a second TXT record with v=spf1 -- a domain can only have one SPF record.
Save and wait for propagation
Save your changes. DNS propagation usually takes a few minutes to a few hours. Providers like Cloudflare propagate in seconds, while others may take longer.
Verify the record
Check your updated record at SPF Record Check. Confirm that include:mail.zendesk.com appears in the record, the syntax is valid, and you haven't exceeded the 10 DNS lookup limit specified in RFC 7208.
Common SPF Record Combinations With Zendesk
Zendesk is always used alongside other email services. Here are the combinations you're most likely to need:
| Setup | SPF Record |
|---|---|
| Zendesk only | v=spf1 include:mail.zendesk.com -all |
| Zendesk + Google Workspace | v=spf1 include:mail.zendesk.com include:_spf.google.com -all |
| Zendesk + Microsoft 365 | v=spf1 include:mail.zendesk.com include:spf.protection.outlook.com -all |
| Zendesk + Google Workspace + Mailchimp | v=spf1 include:mail.zendesk.com include:_spf.google.com include:servers.mcsv.net -all |
| Zendesk + Google Workspace + SendGrid | v=spf1 include:mail.zendesk.com include:_spf.google.com include:sendgrid.net -all |
| Zendesk + Microsoft 365 + Klaviyo | v=spf1 include:mail.zendesk.com include:spf.protection.outlook.com include:spf.klaviyo.com -all |
The most typical setup is Zendesk paired with Google Workspace or Microsoft 365, often with a marketing email platform added as well. If you run an e-commerce business, you might have Zendesk for customer support alongside Shopify and Klaviyo -- that's four services all needing includes in a single SPF record.
When counting your services, think about every system that sends email appearing to come from your domain. Zendesk ticket replies, marketing campaigns, transactional emails, invoicing tools, and CRM notifications can all be separate senders that need SPF authorization.
Monitor your email authentication
Support emails are critical. Get daily monitoring on your SPF, DKIM, and DMARC records so authentication issues never affect your customer communication.
Verifying Your SPF Record
After updating your DNS, verify that the changes are live and correct.
Go to SPF Record Check and enter your domain. The tool displays your published SPF record, validates the syntax, counts DNS lookups, and flags any problems. Confirm that include:mail.zendesk.com is present alongside your other includes.
To test end-to-end, have a Zendesk agent send a reply to a test ticket. On the receiving end, check the email headers for Authentication-Results: spf=pass. If you see spf=fail, the Zendesk include may be missing from your record, or there could be a syntax error.
You can also check authentication from within Zendesk. Go to Admin Center > Channels > Email and review your domain's authentication status. Zendesk will flag issues if it detects that SPF isn't properly configured.
Common Mistakes With Zendesk SPF Records
Forgetting to Add Zendesk Entirely
This is by far the most common issue. A business sets up SPF for Google Workspace or Microsoft 365 and considers email authentication done. Months later, they notice support ticket replies are landing in customers' spam folders. The cause is almost always a missing Zendesk include in the SPF record. If Zendesk sends email as your domain, it needs to be in your SPF record.
Creating a Second SPF Record
When adding Zendesk, don't create a new TXT record starting with v=spf1. If your domain already has an SPF record, edit it and add the Zendesk include. Two SPF records on the same domain cause a permerror per RFC 7208 that breaks authentication for every email from your domain -- not just Zendesk.
Using the Wrong Include Value
The correct include is mail.zendesk.com -- not zendesk.com or support.zendesk.com. Using the wrong value means Zendesk's sending servers won't be authorized, and your ticket replies will fail SPF checks.
Not Updating SPF When Setting Up a Custom Email Domain in Zendesk
When you first set up Zendesk, you might use a default Zendesk email address. Later, when you configure a custom support email (like [email protected]), you need to add Zendesk to your SPF record at that point. Many businesses miss this step because SPF wasn't needed when they were using the default Zendesk address.
Complete Your Email Authentication
SPF is essential for Zendesk, but for full protection you need all three email authentication protocols:
- SPF authorizes which servers can send email for your domain (what you just configured)
- DKIM adds a cryptographic signature to outgoing emails, verifying they haven't been altered. Use DKIM Creator to generate your DKIM records
- DMARC ties SPF and DKIM together and tells receiving servers what to do when authentication fails. Use DMARC Creator to create your DMARC policy
Zendesk supports DKIM signing -- you can enable it in the Admin Center under email settings. With all three protocols in place, your support ticket replies are authenticated, your domain is protected from spoofing, and your customers are more likely to see your responses in their inbox rather than their spam folder.
Related Articles
Monitor Your SPF Record
Your Zendesk SPF setup is complete -- but DNS records can change without warning. A domain migration, a well-meaning colleague, or a registrar transfer can remove your SPF record. When that happens, your support emails start failing authentication, and customers stop receiving your ticket replies. Daily monitoring catches these problems before they impact your customer support.
Never miss an SPF issue
Monitor your SPF, DKIM, DMARC and MX records daily. Get alerts when something breaks.
Start Monitoring