SPF and DKIM are fundamental components of email authentication and help protect email senders and receivers from spam, phishing, and spoofing. If your business uses a custom email domain, it is recommended that you add email domain authentication to prove to your recipients that your communications are coming from a legitimate source and improve their deliverability.
By default, the emails that you send via the Freshservice Mail Server are SPF and DKIM compliant and are digitally signed by Freshservice. When they reach a recipient, they go via the security processes and protocols they have in place to prevent malicious emails from reaching their inbox. By setting up authentication for your email domain, your communications will get signed by your domain name instead of Freshservice and so, to the recipients, they will appear to come from you which would improve trust, help the recipient validate that the email is actually being sent by you, and prevent it from being marked as spam. This will also remove the "via freshservice.com" path that may appear next to your emails in the inbox of some ISPs.
Your organization can also add a DMARC policy after completing this setup to further ensure the integrity of emails coming from your domain.
How can you set this up in Freshservice?
Before we start, please ensure that it is an email domain that your organization owns and controls. Public email domains such as google.com cannot be authenticated by this mechanism.
1. Log in to your Freshservice account as an admin.
2. Go to Admin > Channels > Email Settings and Mailboxes > Set up SPF and DKIM email authentication. If your account has more than one workspace, navigate to Admin > Global Settings > Channels > Email Settings and Mailboxes > Set up SPF and DKIM email authentication
3. If you've set up an email address that uses a custom domain name and choose to send emails via Freshservice Mail Server, the domain name will appear on this page automatically if the email address is verified. You cannot add or update the domain name here.
4. Click on "Get Started" for the email domain(s) present on this page.
5. Copy the 4 CNAME records one by one to add them to your DNS server/domain provider’s account. This is a one-time configuration step per domain name.
6. To update your DNS records in your domain registrar:
Login to your domain registrar’s control panel with the credentials used to register your domain name.
To change the DNS records, locate and click on the option called 'Manage DNS', 'Name Server Management', 'DNS Management', or 'Advanced Settings'.
Look for an option to create a CNAME record.
Add the values copied from your service desk into the new CNAME record and save it.
- By doing this, the recipient will be able to verify the signature in your email by performing a lookup in your DNS records.
Note: Each selector key ('fs', 'fs1', etc) in your DNS settings has to be unique so that the recipient is able to identify the right records.
7. Once you have completed adding the records, you need to return to Freshservice and verify your domain. Expand the domain settings on the same page and click on 'Verify'. If the DNS settings are published correctly, it will show the status as "Verified". The status of each record will also be reflected by a tick/cross.
After Verification in Freshservice
An email is sent to the account and super admins when the verification is complete. One email is sent for each domain name you have configured and verified.
To remove your DKIM settings, click on 'Remove Records' after expanding your domain's settings.
Common Problems and How to Troubleshoot them
I cannot paste the generated records because I have common selectors in my DNS records
To solve this, you can remove the records and repeat the same process to generate a new set of records and obtain different selector keys. However, the keys for the fourth record will not change despite re-generation.
I have set up email authentication for this domain in a different Freshservice account already
You will have to set up email authentication again as we associate your authentication settings with the account they are set up in. Since you will not be able to add the records generated in the second account as they most likely have the same selectors as the first one, you will have to remove these records first and repeat the process to re-generate records. These records will have a new set of selector keys.
If the second Freshservice account is in the same organization (aka Freshworks Neo Admin Center) as the first one, you can copy the first two records only and verify the domain by returning to Freshservice. If the second account is not in the same organization, you can copy the first three records and verify the domain. The keys for the fourth record will not change on regeneration but that will not impact domain verification.
My CNAME record isn't updating correctly
Depending on the domain provider you are using, you may require to modify your "Host Value". For example, if you add “fs1._domainkey.acme.com” and it auto-changes to “fs1._domainkey.acme.com.acme.com” on creation, modify your CNAME record to only “fs1._domainkey”.
My domain name is not verifying even after adding all the records in my DNS settings
Please ensure that you've copied the records correctly and that there are no omissions made by mistake. If you're still unable to authenticate your records, please wait for some time (up to 48 hours) because servers can take some time to recognize any changes.
If you continue to experience issues, please reach out to your domain provider's support team to help you with troubleshooting this problem.
If you still have any questions about adding email authentication, please feel free to reach out to firstname.lastname@example.org and we'll be happy to assist you.