DMARC for Freshdesk/Freshworks Email

Set up DKIM in the Freshworks admin, configure SPF for Freshdesk outbound email, and verify DMARC alignment for your support replies.

Freshdesk (part of the Freshworks suite) is a popular helpdesk for small and mid-sized businesses. A single Freshdesk instance can easily send thousands of customer replies per month from addresses like [email protected]. That means it's a first-class outbound sender in your email stack, and if it's not authenticated correctly, your support replies can silently land in spam. This guide walks through DKIM, SPF and DMARC setup for Freshdesk specifically.

How Freshdesk sends email

Freshdesk has two modes for outbound email:

ModeHow it sendsDMARC implication
Default Freshdesk mailboxVia Freshdesk's SMTP, signed by freshdesk.comFails alignment with your domain
Forwarded via your own SMTPThrough your Google Workspace / M365 serverPasses alignment easily
Custom mailbox + DKIMFreshdesk with custom signingPasses alignment once configured

Most teams end up on mode 1 or 3. Mode 2 (forwarding outbound replies through your own mailbox) is the simplest for DMARC but has downsides — it ties your helpdesk availability to your mail server and adds latency.

Step 1: Decide where DKIM should come from

If you route Freshdesk replies through your own mail server, your server's existing DKIM signature covers everything. No Freshdesk-specific DKIM setup is needed.

If Freshdesk sends directly from its own SMTP, you need to enable custom DKIM in the Freshworks admin so the signature uses your domain.

Step 2: Enable DKIM for your support mailbox

In Freshdesk, go to Admin → Email → Mailboxes → (your support mailbox) → DKIM. Freshdesk generates a TXT record for DKIM like:

freshdesk._domainkey.yourdomain.com   TXT   "v=DKIM1; k=rsa; p=MIGfMA0..."

The selector name (freshdesk in the example) may differ between accounts. Publish the TXT record at your DNS provider exactly as shown.

Step 3: Add Freshdesk to your SPF record

Freshdesk will also suggest an SPF include:

v=spf1 include:_spf.google.com include:email.freshdesk.com ~all

Add it to your existing SPF record. As always, watch the 10-lookup limit — if you're close, prioritise DKIM over SPF.

Step 4: Verify in Freshworks

Return to the Freshdesk admin and click Verify DKIM. Freshdesk queries DNS and checks the record matches the one it generated. On success, the mailbox shows as authenticated.

Step 5: Send a test and confirm alignment

Reply to a test ticket from Freshdesk and inspect the raw headers of the reply. You want to see:

dkim=pass header.d=yourdomain.com
dmarc=pass header.from=yourdomain.com

If header.d still shows freshdesk.com, the custom DKIM isn't active yet. Wait for DNS propagation and retry.

Step 6: Validate your DMARC record

Confirm your DMARC record is well-formed using the free DMARC record checker. A reasonable record for a helpdesk-heavy organisation:

v=DMARC1; p=quarantine; rua=mailto:[email protected]; adkim=r; aspf=r

Relaxed alignment is important here because Freshdesk may sign on support.yourdomain.com if you use a subdomain mailbox. If you need to build a new record from scratch, dmarccreator.com will generate one.

Common Freshdesk DMARC issues

IssueCauseFix
Replies go to customer spamDefault Freshdesk signingEnable custom DKIM
DKIM verify failsTXT record truncatedEnsure full key is published
Only some replies failMultiple mailboxes, only one configuredConfigure DKIM per mailbox
Automations don't alignUsing different senderAuthenticate automation sender

Multiple product lines and mailboxes

Many Freshdesk accounts have several mailboxes: support@, sales@, billing@, sometimes one per product line. Each mailbox is configured independently in Freshdesk, and each needs DKIM verified separately. A partially configured account will have some mailboxes passing DMARC and others failing — which is harder to debug than a blanket failure.

Freshsales and other Freshworks apps

If you also use Freshsales CRM or Freshservice, they send mail through the same Freshworks infrastructure but with different DKIM selectors. Each app's admin has its own email authentication section. Authenticate each one separately using the records it provides.

Keeping it working

Helpdesks are mission-critical. A silent DKIM failure means customers stop getting replies, tickets pile up, and your CSAT tanks before anyone notices. deliverabilitychecker.com monitors authentication for every sending domain continuously so a helpdesk regression doesn't become a customer service crisis.

Don't let support replies disappear

Monitor DKIM, SPF and DMARC for every Freshdesk mailbox and catch authentication breakage instantly.

Start Monitoring