DMARC for Freshdesk/Freshworks Email
Set up DKIM in the Freshworks admin, configure SPF for Freshdesk outbound email, and verify DMARC alignment for your support replies.
Freshdesk (part of the Freshworks suite) is a popular helpdesk for small and mid-sized businesses. A single Freshdesk instance can easily send thousands of customer replies per month from addresses like [email protected]. That means it's a first-class outbound sender in your email stack, and if it's not authenticated correctly, your support replies can silently land in spam. This guide walks through DKIM, SPF and DMARC setup for Freshdesk specifically.
How Freshdesk sends email
Freshdesk has two modes for outbound email:
| Mode | How it sends | DMARC implication |
|---|---|---|
| Default Freshdesk mailbox | Via Freshdesk's SMTP, signed by freshdesk.com | Fails alignment with your domain |
| Forwarded via your own SMTP | Through your Google Workspace / M365 server | Passes alignment easily |
| Custom mailbox + DKIM | Freshdesk with custom signing | Passes alignment once configured |
Most teams end up on mode 1 or 3. Mode 2 (forwarding outbound replies through your own mailbox) is the simplest for DMARC but has downsides — it ties your helpdesk availability to your mail server and adds latency.
Step 1: Decide where DKIM should come from
If you route Freshdesk replies through your own mail server, your server's existing DKIM signature covers everything. No Freshdesk-specific DKIM setup is needed.
If Freshdesk sends directly from its own SMTP, you need to enable custom DKIM in the Freshworks admin so the signature uses your domain.
Step 2: Enable DKIM for your support mailbox
In Freshdesk, go to Admin → Email → Mailboxes → (your support mailbox) → DKIM. Freshdesk generates a TXT record for DKIM like:
freshdesk._domainkey.yourdomain.com TXT "v=DKIM1; k=rsa; p=MIGfMA0..."
The selector name (freshdesk in the example) may differ between accounts. Publish the TXT record at your DNS provider exactly as shown.
Step 3: Add Freshdesk to your SPF record
Freshdesk will also suggest an SPF include:
v=spf1 include:_spf.google.com include:email.freshdesk.com ~all
Add it to your existing SPF record. As always, watch the 10-lookup limit — if you're close, prioritise DKIM over SPF.
Step 4: Verify in Freshworks
Return to the Freshdesk admin and click Verify DKIM. Freshdesk queries DNS and checks the record matches the one it generated. On success, the mailbox shows as authenticated.
Step 5: Send a test and confirm alignment
Reply to a test ticket from Freshdesk and inspect the raw headers of the reply. You want to see:
dkim=pass header.d=yourdomain.com
dmarc=pass header.from=yourdomain.com
If header.d still shows freshdesk.com, the custom DKIM isn't active yet. Wait for DNS propagation and retry.
Step 6: Validate your DMARC record
Confirm your DMARC record is well-formed using the free DMARC record checker. A reasonable record for a helpdesk-heavy organisation:
v=DMARC1; p=quarantine; rua=mailto:[email protected]; adkim=r; aspf=r
Relaxed alignment is important here because Freshdesk may sign on support.yourdomain.com if you use a subdomain mailbox. If you need to build a new record from scratch, dmarccreator.com will generate one.
Common Freshdesk DMARC issues
| Issue | Cause | Fix |
|---|---|---|
| Replies go to customer spam | Default Freshdesk signing | Enable custom DKIM |
| DKIM verify fails | TXT record truncated | Ensure full key is published |
| Only some replies fail | Multiple mailboxes, only one configured | Configure DKIM per mailbox |
| Automations don't align | Using different sender | Authenticate automation sender |
Multiple product lines and mailboxes
Many Freshdesk accounts have several mailboxes: support@, sales@, billing@, sometimes one per product line. Each mailbox is configured independently in Freshdesk, and each needs DKIM verified separately. A partially configured account will have some mailboxes passing DMARC and others failing — which is harder to debug than a blanket failure.
Freshsales and other Freshworks apps
If you also use Freshsales CRM or Freshservice, they send mail through the same Freshworks infrastructure but with different DKIM selectors. Each app's admin has its own email authentication section. Authenticate each one separately using the records it provides.
Keeping it working
Helpdesks are mission-critical. A silent DKIM failure means customers stop getting replies, tickets pile up, and your CSAT tanks before anyone notices. deliverabilitychecker.com monitors authentication for every sending domain continuously so a helpdesk regression doesn't become a customer service crisis.
Don't let support replies disappear
Monitor DKIM, SPF and DMARC for every Freshdesk mailbox and catch authentication breakage instantly.
Start Monitoring