What does the 'Mail From' mean in DMARC reports and how does it relate to SPF and DKIM for Zendesk?
Michael Ko
Co-founder & CEO, Suped
Published 25 Apr 2025
Updated 17 Aug 2025
When delving into DMARC reports, you might encounter a field labeled 'Mail From.' This field often causes confusion, especially when sending emails through third-party platforms like Zendesk. It is not the 'From' address that your recipients see in their email client, but rather a more technical identifier crucial for email authentication.
Understanding this distinction is vital for ensuring your emails are delivered correctly and don't end up in the spam folder. Misinterpreting this field can lead to DMARC authentication failures, affecting your domain's reputation and email deliverability. Let's unpack what 'Mail From' truly signifies within the context of SPF, DKIM, and DMARC, particularly when using a service like Zendesk.
The 'Mail From' address, also known as the Return-Path or Envelope From address, is the email address specified in the SMTP (Simple Mail Transfer Protocol) session. It is where bounce messages are sent if an email cannot be delivered. This is distinct from the 'From' header, which is the display address that recipients see in their inbox.
For Sender Policy Framework (SPF), the 'Mail From' domain is the one that gets checked against your SPF record. If the sending IP address is authorized by the SPF record associated with the 'Mail From' domain, then SPF passes. If it's not, SPF fails. This is a critical point of authentication.
Third-party sending services like Zendesk often use their own subdomain (e.g., subdomain.zendesk.com) for the 'Mail From' address. This allows them to handle bounces and maintain their sending reputation. While the 'From' header (the one your customers see) will display your domain, the underlying 'Mail From' might be zendesk.com or a similar variant. This is a common setup, and it has important implications for DMARC alignment.
A DMARC report showing subdomain.zendesk.com as the 'Mail From' means those emails were sent with Zendesk's return path. SPF is then evaluated against that Zendesk domain rather than yours, which explains why SPF can fail alignment with your domain.
Email header snippet:
Return-Path: <bounce-XXXXXXXXXX@subdomain.zendesk.com>
From: Your Company <support@yourcompany.com>
To: recipient@example.com
Subject: Your support ticket update
SPF, DKIM, and DMARC alignment
DMARC (Domain-based Message Authentication, Reporting & Conformance) relies on SPF and DKIM authentication, but it adds an extra layer: alignment. For DMARC to pass, either your SPF or DKIM checks must not only pass, but also align with the domain in the RFC5322.From header, which is the address your recipients actually see.
SPF alignment requires the 'Mail From' domain to match or be a subdomain of the RFC5322.From domain. If Zendesk uses subdomain.zendesk.com as the 'Mail From' for emails sent on behalf of yourdomain.com, then SPF alignment will fail because zendesk.com is not yourdomain.com. This is a common reason for DMARC failures, or why SPF shows as unaligned.
However, DKIM alignment is often the savior in these situations. DKIM verifies email authenticity using a digital signature. For DMARC alignment, the domain in the DKIM signature (the 'd=' tag) must match or be a subdomain of the RFC5322.From domain. If you've configured DKIM correctly for your domain within Zendesk, then DKIM should pass alignment, even if SPF does not.
The key takeaway is that DMARC only requires *one* of these, SPF or DKIM, to pass and align. So, if your SPF is failing alignment because of Zendesk's 'Mail From' domain, but your DKIM is correctly configured and aligning, your emails should still pass DMARC.
SPF alignment
Requirement: The 'Mail From' (Return-Path) domain must align with the RFC5322.From (Header From) domain.
Challenge: Zendesk often uses its own subdomain for 'Mail From', causing SPF to fail alignment with your primary domain.
DKIM alignment
Requirement: The domain in the DKIM signature ('d=' tag) must align with the RFC5322.From (Header From) domain.
Solution: Zendesk allows you to set up DKIM for your domain, which usually ensures DMARC passes even if SPF alignment fails.
Zendesk and DMARC reporting
For Zendesk, the optimal setup for DMARC compliance revolves around correctly configuring DKIM for your domain. As discussed, it's common for Zendesk to use subdomain.zendesk.com as the 'Mail From' address, which will lead to SPF misalignment with your primary domain.
This is where DKIM becomes crucial. Zendesk provides clear instructions on how to digitally sign your outbound emails with DKIM using your own domain. By following their guidance for setting up DKIM, you ensure that the DKIM signature on your emails uses your domain, allowing it to align with the RFC5322.From header.
Even if your DMARC report shows SPF failures for subdomain.zendesk.com, as long as your domain's DKIM is properly configured and aligning, your emails will pass DMARC checks. This means they are authenticated and less likely to be marked as spam or blocked (or blacklisted).
If you're seeing both SPF and DKIM failures in your DMARC reports for Zendesk emails, it indicates that your DKIM setup for Zendesk is likely incorrect or incomplete. This would be the primary area to troubleshoot.
Important: DKIM for Zendesk
Ensure you have correctly set up DKIM for your domain with Zendesk. This is the most crucial step for DMARC pass when using third-party senders that manage their own Return-Path. Zendesk's support documentation is the best resource for precise instructions.
Interpreting DMARC reports for Zendesk emails
DMARC aggregate reports provide an overview of your email traffic, showing how many emails passed or failed SPF and DKIM, and importantly, whether they achieved DMARC alignment. When analyzing reports for Zendesk traffic, you'll typically see a 'Mail From' domain that points to Zendesk's infrastructure.
Don't be alarmed if the SPF authentication shows a pass but an SPF alignment failure when the 'Mail From' is subdomain.zendesk.com. The SPF record of zendesk.com is likely valid and authorizes Zendesk's sending IPs, which results in an SPF pass. However, SPF alignment with your RFC5322.From domain will naturally fail because the 'Mail From' domain is zendesk.com, not your domain.
The crucial part is verifying that the DKIM authentication and alignment for your domain pass. If your DKIM is aligning, DMARC will pass for those emails. This is generally the intended behavior when using a shared platform like Zendesk. Interpreting DMARC reports means looking at the overall DMARC result, not just individual SPF or DKIM alignment columns in isolation.
If both SPF and DKIM fail authentication and alignment in the report, that's a red flag. It indicates an issue with your setup, most likely with your DKIM records for Zendesk. You'll need to re-check the DNS records provided by Zendesk for DKIM to ensure they are correctly published and propagated.
| Scenario | Mail From (Envelope From) | RFC5322.From (Header From) | SPF Result | DKIM Result | DMARC Outcome |
| --- | --- | --- | --- | --- | --- |
| Ideal setup | subdomain.zendesk.com | yourdomain.com | Pass (No alignment) | Pass (Aligned) | Pass |
| SPF & DKIM failure | subdomain.zendesk.com | yourdomain.com | Fail (No alignment) | Fail (No alignment) | Fail |
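The two scenarios above can be reproduced from the raw aggregate-report XML. The following Python is an added example, not code from Suped or Zendesk: it reads each record's SPF domain (the 'Mail From'), DKIM d= domain and header From, then separates authentication from alignment. The sample report, the `org_domain` shortcut (last two labels instead of the Public Suffix List) and all function names are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample in RFC 7489 aggregate-report form, trimmed to the fields used here.
SAMPLE = """<feedback>
<record>
  <identifiers><header_from>yourdomain.com</header_from></identifiers>
  <auth_results>
    <spf><domain>subdomain.zendesk.com</domain><result>pass</result></spf>
    <dkim><domain>yourdomain.com</domain><result>pass</result></dkim>
  </auth_results>
</record>
<record>
  <identifiers><header_from>yourdomain.com</header_from></identifiers>
  <auth_results>
    <spf><domain>subdomain.zendesk.com</domain><result>fail</result></spf>
    <dkim><domain>subdomain.zendesk.com</domain><result>fail</result></dkim>
  </auth_results>
</record>
</feedback>"""

def org_domain(domain):
    # Assumption: the last two labels approximate the organizational domain.
    # Real evaluators use the Public Suffix List (needed for e.g. co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, header_from, strict=False):
    # Strict mode needs an exact match; relaxed mode compares organizational domains.
    a, h = auth_domain.lower(), header_from.lower()
    return a == h if strict else org_domain(a) == org_domain(h)

def evaluate(report_xml, strict=False):
    rows = []
    for rec in ET.fromstring(report_xml).iter("record"):
        header_from = rec.findtext("identifiers/header_from")
        spf = rec.find("auth_results/spf")
        spf_auth = spf.findtext("result") == "pass"
        spf_ok = spf_auth and aligned(spf.findtext("domain"), header_from, strict)
        # A message may carry several DKIM signatures; any aligned pass suffices.
        dkim_ok = any(d.findtext("result") == "pass"
                      and aligned(d.findtext("domain"), header_from, strict)
                      for d in rec.iterfind("auth_results/dkim"))
        rows.append({"mail_from": spf.findtext("domain"), "spf_auth": spf_auth,
                     "spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
                     "dmarc": "pass" if spf_ok or dkim_ok else "fail"})
    return rows

if __name__ == "__main__":
    for row in evaluate(SAMPLE):
        print(row)
```

Aggregate reports arrive from external senders, so treat them as untrusted input: for real report files, parse with a hardened XML library such as defusedxml rather than the standard-library parser.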
Views from the trenches
Best practices
Ensure your DMARC DNS record is published correctly and monitored.
Always prioritize DKIM setup for third-party senders like Zendesk to achieve DMARC alignment.
Regularly review your DMARC reports to identify new sending sources or authentication issues.
Utilize subdomains for different sending purposes to better isolate reputation and simplify authentication.
Common pitfalls
Confusing 'Mail From' (Return-Path) with the 'From' header (RFC5322.From) in DMARC reports.
Failing to set up DKIM for your domain through third-party services like Zendesk, leading to DMARC failures.
Assuming an SPF pass means DMARC alignment, especially when using external senders.
Focus on DKIM alignment for third-party senders, as SPF alignment is often not achievable due to their Return-Path domains.
If DMARC reports show SPF and DKIM failures, the first step is to check your DKIM DNS records and Zendesk configuration.
Remember that DMARC only requires either SPF or DKIM to pass alignment, not both.
Forwarding can break SPF and DKIM, leading to DMARC failures, but DMARC reporting can help identify these cases.
Expert view
Expert from Email Geeks says the 'Mail From' in DMARC reports refers to the return-path, which is where SPF checks are performed.
2023-08-15 - Email Geeks
Expert view
Expert from Email Geeks says if emails are passing DKIM, then SPF alignment should not be a concern for DMARC compliance.
2023-09-20 - Email Geeks
Ensuring secure and reliable email delivery
The 'Mail From' address in your DMARC reports is a crucial element for understanding email authentication, particularly SPF. While it might show a third-party domain like Zendesk's, your primary focus for DMARC compliance should be on achieving DKIM alignment with your primary domain.
By ensuring that your DKIM records are correctly configured through Zendesk, you can guarantee that your emails pass DMARC, even if the 'Mail From' SPF alignment doesn't match. This approach ensures your legitimate emails reach their intended recipients while protecting your brand from spoofing and phishing attempts.