SPF for Zendesk: Setup Guide and Troubleshooting
Set up SPF for Zendesk Support emails. Covers the correct include value, adding to existing records, fixing errors, and verification.
Last updated: 2026-05-03
If you use Zendesk Support to handle customer emails, those messages need to authenticate properly. Without SPF configured for Zendesk, your support replies can end up in spam folders or get rejected entirely — not a great look when a customer is waiting for help.
For a comprehensive overview of SPF, see our complete SPF guide. This guide walks you through setting up SPF for Zendesk, adding it to your existing DNS records, and fixing the most common issue people run into.
Why Zendesk Needs SPF
When a customer emails your support address and you reply through Zendesk, the reply is sent from Zendesk's mail servers — not your own. The receiving email server sees the message coming from a Zendesk IP address, but the "From" address shows your company's domain.
Without SPF, the receiving server has no way to know that Zendesk is allowed to send on your behalf. SPF solves this by publishing a list of authorized senders in your DNS. When Zendesk is included in that list, receiving servers can verify the email is legitimate.
Setting up SPF is one part of a complete email authentication strategy. For the strongest protection, you should also configure DKIM and DMARC for your domain.
The Correct Zendesk SPF Include
Zendesk's SPF include value is (Zendesk Support):
include:mail.zendesk.com
This single include authorizes all of Zendesk's sending infrastructure to deliver email on behalf of your domain. You do not need to add individual IP addresses — the include handles everything.
Setting Up SPF for Zendesk
Before making any changes, check whether your domain already has an SPF record. You can only have one SPF record per domain, so you need to know if you are creating a new record or editing an existing one.
Find your SPF include in Zendesk
In your Zendesk Admin Center, go to Channels > Email. Under the support addresses section, look for your custom email domain. Zendesk will show you the DNS records you need to add, including the SPF include value (include:mail.zendesk.com).
Check for an existing SPF record
Use the checker tool above to see if your domain already has an SPF record. If it does, you will edit it. If it does not, you will create a new one.
Log into your DNS provider
Go to the website where your domain's DNS is managed — see our guides for Cloudflare, GoDaddy, or Namecheap. Look for a DNS management or DNS records section.
Add or edit your SPF record
If you do not have an existing SPF record, create a new TXT record with this value:
v=spf1 include:mail.zendesk.com ~all
If you already have an SPF record, add the Zendesk include to it. For example, if your current record is v=spf1 include:_spf.google.com ~all, change it to:
v=spf1 include:_spf.google.com include:mail.zendesk.com ~all
Set the Name/Host field to @ (or leave it blank, depending on your provider) and keep the TTL at the default value.
Enable SPF verification in Zendesk
Back in Zendesk Admin Center under Channels > Email, make sure your custom domain is verified. Zendesk will check your DNS records and confirm they are configured correctly. This can take a few minutes to several hours depending on DNS propagation.
Verify the change
After DNS propagation (typically 1-4 hours, though it can take up to 48 hours), use the checker tool above to confirm that include:mail.zendesk.com appears in your SPF record and that the record is valid.
Never create a second SPF record
Your domain must have exactly one SPF record. If you already have one, do not create a new TXT record — edit the existing one and add Zendesk's include to it. Having two SPF records causes a PermError, which is worse than having no SPF at all.
Fixing "SPF Does Not Include Zendesk Support"
This is the most common Zendesk SPF error, and it means exactly what it says: your domain's SPF record does not authorize Zendesk's mail servers.
Why it happens:
- Your domain has no SPF record at all
- Your SPF record exists but is missing the
include:mail.zendesk.comentry - You recently set up a custom email domain in Zendesk but have not updated your DNS yet
- A typo in the include value (for example,
mail.zenddesk.cominstead ofmail.zendesk.com)
How to fix it:
Check your current SPF record with the tool above. If the Zendesk include is missing, add it following the steps in the previous section. If you do not have an SPF record at all, create one. If you are not sure what other services to include, SPF Creator can help you build the complete record. For guidance on managing multiple providers, see SPF for multiple ESPs.
Zendesk with Other Email Services
Most businesses use Zendesk alongside a primary email provider and possibly other tools. Combine all authorized senders in a single SPF record.
Zendesk + Google Workspace:
v=spf1 include:_spf.google.com include:mail.zendesk.com ~all
Zendesk + Microsoft 365:
v=spf1 include:spf.protection.outlook.com include:mail.zendesk.com ~all
Zendesk + Google Workspace + Mailchimp:
v=spf1 include:_spf.google.com include:mail.zendesk.com include:servers.mcsv.net ~all
Each include statement adds DNS lookups toward the 10 DNS lookup limit. If you are using many services, check your total lookup count with the tool above. If you are approaching the limit, SPF flattening can help reduce lookup counts.
Setting Up DKIM for Zendesk
SPF alone is not enough for reliable email delivery. Zendesk also supports DKIM signing, which you should enable alongside SPF. In Zendesk Admin Center under Channels > Email, you will find DKIM configuration options including CNAME records to add to your DNS.
With both SPF and DKIM in place, set up a DMARC record to tell receiving servers how to handle emails that fail authentication. This three-layer approach — SPF, DKIM, and DMARC — gives your support emails the best chance of reaching your customers' inboxes.
Verifying Your Setup
After configuring SPF, confirm everything works:
1. Check your SPF record with the tool above. Confirm the record is valid, includes mail.zendesk.com, and stays within the 10 DNS lookup limit.
2. Check Zendesk verification status. In Zendesk Admin Center, your custom domain should show as verified.
3. Send a test email. Reply to a test support ticket from Zendesk. If the recipient uses Gmail, they can open the message, click the three dots, and select "Show original." Look for spf=pass in the authentication results.
If SPF is passing but emails still land in spam, check your DKIM and DMARC configuration. You can run a full check on all your email authentication records with the Email Deliverability Suite.
References
- RFC 7208: Sender Policy Framework (SPF) — The current SPF specification
- Zendesk: Setting up SPF for email — Official Zendesk SPF documentation
Never miss an SPF issue
Monitor your SPF, DKIM, DMARC and MX records daily. Get alerts when something breaks.
Start Monitoring