Support & Helpdesk

Freshdesk SPF, DKIM & DMARC Setup Guide

Set up email authentication for Freshdesk. SPF include: email.freshdesk.com. Uses 1 DNS lookup. Step-by-step DKIM and DMARC configuration.

Last updated Feb 27, 2026

SPF Configuration

include:email.freshdesk.com
DNS Lookup Budget: 1 / 10

Each include, a, mx, and redirect costs a DNS lookup. SPF allows a maximum of 10.

This provider uses 1 of your 10 DNS lookups.

DKIM Configuration

Selector(s): fs, fs1 (and additional numbered selectors)
Key Type: CNAME-delegated (4 CNAME records)
Setup: Admin > Channels > Email > Advanced Settings > Configure DKIM > Publish 4 CNAME records

Setup steps may change — refer to Freshdesk's current documentation for the latest instructions.

DMARC Alignment

Alignment Mode: relaxed
Notes: Freshdesk handles alignment through CNAME-delegated DKIM. Domain verification includes DMARC compliance.

Common Issues

  • DKIM verification failing — CNAME records not propagated (allow 24 hours)

  • SPF PermError — too many lookups with Freshdesk + primary email + other senders


Overview

Freshdesk (by Freshworks) is a customer support platform used for ticket management, agent communication, and automated customer responses. Freshworks Freshdesk is particularly popular among mid-market organizations that use other Freshworks products like Freshservice and Freshsales. Its SPF record uses include:email.freshdesk.com, costing 1 DNS lookup. Freshdesk sends email on behalf of your domain for ticket notifications, agent replies, satisfaction surveys, and workflow automations.

DKIM Setup (4 CNAME Records)

DKIM configuration in Freshdesk requires publishing 4 CNAME records — more than most providers. The selectors use an fs-prefixed naming convention (fs, fs1, and additional numbered selectors). All 4 records must be published and propagated before clicking Verify in the Freshdesk admin panel. Partial publication will cause verification to fail. Allow up to 24 hours for DNS propagation before retrying verification, though most DNS providers propagate CNAME records within 1-4 hours.

Shared DKIM Across Freshworks Products

The DKIM infrastructure is shared across Freshworks products. If you also use Freshservice (IT service management) or other Freshworks tools that send email from your domain, they use the same DKIM configuration — you do not need separate DKIM records for each Freshworks product. The CNAME delegation model allows Freshworks to manage key rotation behind the records without requiring DNS changes after initial setup.

DMARC Alignment

DMARC alignment works through the CNAME-delegated DKIM signing. With include:email.freshdesk.com in your SPF record and DKIM properly configured, both alignment mechanisms are available for DMARC evaluation under relaxed alignment. For organizations enforcing strict DMARC policies (p=reject), ensure both SPF and DKIM are fully configured before policy enforcement — Freshdesk emails will be rejected outright if neither mechanism passes.

Troubleshooting

DKIM Verification Fails After Publishing Records

Freshdesk requires all 4 CNAME records to be present and resolvable before verification succeeds. If verification fails, check each record individually using a DNS lookup tool. Common causes: one of the four records has a typo in the CNAME target, the DNS provider auto-appended the domain to the hostname (creating a doubled domain like fs._domainkey.example.com.example.com), or one record was published on the wrong zone (root domain vs. subdomain). Fix the offending record, wait for propagation, and retry verification.
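
The three causes above can be checked against a zone export before retrying verification. This is an added example, not Freshdesk's or this guide's own tooling; the CNAME targets are placeholders, and only the fs and fs1 hostnames are shown because the remaining two must be copied from the Freshdesk admin panel.

```python
# Constructed sample data. Targets are placeholders, not real Freshdesk values.
EXPECTED = {
    "fs._domainkey.example.com": "dkim-target-1.placeholder.example",
    "fs1._domainkey.example.com": "dkim-target-2.placeholder.example",
}
# Zone export in which the provider auto-appended the domain to one record.
ZONE_EXPORT = {
    "fs._domainkey.example.com.example.com.": "dkim-target-1.placeholder.example.",
    "fs1._domainkey.example.com.": "dkim-target-2.placeholder.example.",
}

def norm(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.lower().rstrip(".")

def audit_dkim_cnames(domain, expected, zone):
    """Classify each expected DKIM CNAME against an exported zone.

    expected: {hostname: target} as shown in the Freshdesk admin panel.
    zone:     {owner name: CNAME target} exported from the DNS provider.
    """
    domain = norm(domain)
    zone = {norm(k): norm(v) for k, v in zone.items()}
    report = {}
    for host, target in expected.items():
        fqdn = norm(host)
        # "<selector>._domainkey", used to spot the record under another parent
        prefix = fqdn[: fqdn.index("._domainkey") + len("._domainkey")]
        strays = [o for o in zone if o.startswith(prefix + ".") and o != fqdn]
        if fqdn in zone:
            ok = zone[fqdn] == norm(target)
            report[fqdn] = "ok" if ok else "wrong target: " + zone[fqdn]
        elif fqdn + "." + domain in zone:
            report[fqdn] = "doubled domain: " + fqdn + "." + domain
        elif strays:
            report[fqdn] = "wrong zone: found at " + strays[0]
        else:
            report[fqdn] = "missing"
    return report

def ready_to_verify(report):
    """Verification only succeeds when every expected record is correct."""
    return all(status == "ok" for status in report.values())
```
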

Freshdesk Still Sending From Shared Domain

If outbound messages show a Freshworks domain in the return-path or DKIM signature instead of your domain, the domain verification process is incomplete. Go to Admin > Channels > Email and check the status of your custom support email address. Freshdesk requires both domain ownership verification and DKIM setup before it sends fully authenticated mail from your domain. Simply adding your email address is not enough — the DKIM CNAME records must be verified and the domain must show "Verified" status.

Ticket Emails Quarantined After DMARC Enforcement

Organizations that tighten their DMARC policy from p=none to p=quarantine or p=reject frequently discover that Freshdesk was never fully authenticated. The symptoms: customer-facing ticket replies start landing in spam or being rejected entirely. To diagnose, pull a recent Freshdesk-sent message and inspect the Authentication-Results header. If DKIM shows fail or none, the CNAME records are either missing, incorrect, or DKIM signing was never enabled in the admin panel. If SPF shows fail, the include:email.freshdesk.com is missing from your domain's SPF record.
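
The header inspection described above can be scripted. This is an added example, not code from Freshdesk or this guide: it parses one Authentication-Results value, applies relaxed alignment against the From domain, and maps each failing result to the causes listed in this section. The sample header and all domains are constructed, and the organizational domain is assumed to be the last two labels.

```python
import re

# Constructed header value in the RFC 8601 format; every host and domain
# here is a placeholder, not taken from real Freshdesk mail.
SAMPLE_HEADER = (
    "mx.receiver.example; spf=pass smtp.mailfrom=bounces@shared-sender.example; "
    "dkim=pass (2048-bit key) header.d=shared-sender.example header.s=sel1; "
    "dmarc=fail header.from=example.com")

def org_domain(name):
    # Assumption: the organizational domain is the last two labels. Real
    # DMARC evaluators use the Public Suffix List (matters for co.uk etc.).
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def parse_auth_results(value):
    """Return [(method, result, props)] from one Authentication-Results value."""
    value = re.sub(r"\([^)]*\)", " ", value)      # drop (comments)
    parsed = []
    for part in value.split(";")[1:]:             # part 0 is the authserv-id
        pairs = re.findall(r"([\w.-]+)=([^\s;]+)", part)
        if pairs:
            (method, result), props = pairs[0], dict(pairs[1:])
            parsed.append((method.lower(), result.lower(), props))
    return parsed

def diagnose(value, from_domain):
    """Relaxed-alignment check plus the likely cause for each failing result."""
    want, aligned, findings = org_domain(from_domain), False, []
    for method, result, props in parse_auth_results(value):
        if method == "dkim":
            signer = props.get("header.d", "")
            fix = "check the DKIM CNAME records and that signing is enabled"
        elif method == "spf":
            signer = props.get("smtp.mailfrom", "").rpartition("@")[2]
            fix = "add include:email.freshdesk.com to the SPF record"
        else:
            continue                              # dmarc= is the verdict, not an input
        if result != "pass":
            findings.append(f"{method}={result}: {fix}")
        elif org_domain(signer) != want:
            findings.append(f"{method}=pass for {signer}, not aligned with "
                            f"{from_domain}: domain verification incomplete")
        else:
            aligned = True
    return {"dmarc_aligned": aligned, "findings": findings}
```

A pass that is not aligned, as in the sample, is the shared-domain case from the previous section: both checks succeed for the sending platform's domain, so DMARC for your domain still fails.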

Notification Emails vs. Agent Replies

Freshdesk sends two categories of email: system notifications (ticket created, status changed, SLA breach) and agent replies (the actual response to the customer). Both go through the same authentication infrastructure, but notification emails sometimes use a different From address than agent replies. Verify that all sending addresses configured in Freshdesk — including notification-only addresses — are on your authenticated domain to prevent alignment failures on a subset of messages.

Additional Setup Notes

Why Support Desks Get Configured Last

Support desk email is frequently the last sender configured during email authentication rollout. Organizations prioritize their primary email platform and marketing tools, leaving Freshdesk sending unauthenticated messages. Without completed DKIM setup, Freshdesk sends using shared infrastructure that fails DMARC alignment checks — customer support replies get filtered or quarantined at the recipient's mail server.

Lookup Budget with Freshdesk Stacks

When adding Freshdesk to an existing SPF record alongside a primary email provider and other senders, the lookup from include:email.freshdesk.com counts toward the 10-lookup limit. Organizations running Freshdesk alongside Google Workspace, a marketing platform, and a transactional sender are already at 4 lookups before adding email security gateways. A common Freshworks-heavy stack — Zoho Mail or Google Workspace, Freshdesk, Freshsales (outbound email), and a marketing platform — can consume 4-5 lookups before adding any email filtering service like Mimecast or MailRoute.
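
A lookup count for a whole stack can be computed before publishing the record. This is an added example, not this guide's tooling: it walks an SPF record and counts every DNS-querying term, including those nested inside other senders' includes, which also count toward the limit under RFC 7208. The TXT records are constructed stand-ins for live DNS answers, and macros are not handled.

```python
# Constructed TXT records standing in for live DNS answers; none of these
# values are real published records, and real includes may nest further.
SAMPLE_TXT = {
    "example.com": "v=spf1 include:email.freshdesk.com "
                   "include:_spf.mailhost.example mx -all",
    "email.freshdesk.com": "v=spf1 ip4:192.0.2.0/24 -all",
    "_spf.mailhost.example": "v=spf1 include:_a.mailhost.example "
                             "include:_b.mailhost.example ~all",
    "_a.mailhost.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_b.mailhost.example": "v=spf1 ip4:203.0.113.0/24 ~all",
}

# Terms that trigger a DNS query during SPF evaluation (RFC 7208, 4.6.4).
QUERYING = ("include", "a", "mx", "exists", "ptr")

def count_lookups(domain, txt, path=()):
    """Count DNS-querying terms in domain's SPF record, nested ones included."""
    if domain in path:
        raise ValueError("include loop via " + domain)
    record = txt.get(domain, "")
    if not record.lower().startswith("v=spf1"):
        raise ValueError("no SPF record for " + domain)
    total = 0
    for term in record.split()[1:]:
        term = term.lstrip("+-~?").lower()       # strip the qualifier
        if term.startswith("redirect="):
            total += 1 + count_lookups(term[9:], txt, path + (domain,))
            continue
        name, _, arg = term.partition(":")       # mechanism:domain-spec
        if name.split("/")[0] in QUERYING:       # "a/24" is still an "a" lookup
            total += 1
            if name == "include":
                total += count_lookups(arg, txt, path + (domain,))
    return total

def spf_budget(domain, txt, limit=10):
    """Return (lookups_used, within_limit); over the limit means PermError."""
    used = count_lookups(domain, txt)
    return used, used <= limit
```
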

Migrating Between Support Platforms

When moving to Freshdesk from Zendesk, Intercom, or another help desk, add include:email.freshdesk.com to your SPF record and publish the 4 DKIM CNAME records before migrating any support traffic. Run both providers' SPF includes in parallel during migration. After confirming all email is flowing through Freshdesk, remove the old provider's include. When migrating away from Freshdesk, remove the SPF include and DKIM CNAME records only after confirming no traffic remains on the platform.

Custom Mailbox and Forwarding Configurations

Freshdesk supports custom mailbox configurations where support email is forwarded from your mail server to Freshdesk. In this setup, the forwarding chain can break SPF because the forwarding server's IP is not in Freshdesk's SPF include. DKIM survives forwarding intact (signatures are header-based), so organizations using mail forwarding to Freshdesk should ensure DKIM is properly configured — it becomes the primary DMARC alignment mechanism when SPF alignment fails due to the forwarding chain.

Managed SPF can flatten nested includes into direct IP references, freeing up lookup budget for additional providers.
