Welcome to the Authenticated SMTP Connector EAP

The Authenticated SMTP Connector in Zendesk will exist in two different versions. It is not possible to use a combination of these two different workflows for the same domain, you must use either one or the other:

• One version allows an account to create a secure and authenticated two-way inbound/outbound connection with your email domain or service and Zendesk's inbound/outbound servers (ideal for On-Premise servers, or domains that are leveraging additional layers of security on inbound/outbound traffic, like Mimecast). This setup requires more setup and configuration with your domain or email service but offers two-way authentication.
• Another version allows accounts to use a standard auto-forward for inbound email traffic to Zendesk, but allows for an authenticated outbound connection with your email domain only so that all outbound sending for the connected addresses will occur through your domain or email service (ideal for cloud-based email services that do not offer authenticated outbound relays to other systems, like Office365 cloud). 

This feature ensures outbound TLS encryption (inbound also with the two-way version); allows for authoritative sending and delivery tracking from your domain; more easily satisfies information handling, redaction, and compliance requirements or policies; and provides actionable visibility into unauthenticated email ticket creation/update events. This feature is platform-agnostic and relies on well established protocols that already exist within most email services. 

We are targeting an EAP release-date of July 1st. If you would like to participate please fill out the EAP Form to get started. 

As a participant in the EAP, we kindly ask for your active engagement. This may include responding to surveys, providing feedback on your experience, and reporting any issues or unexpected behavior you encounter. We also want to give you an opportunity to make feature requests for future iterations. Your insights and suggestions will be invaluable in helping us refine our products and ensure they meet the needs of our customers.

Because this connection replaces the support addresses that might already exist in your account we recommend that you first test in a sandbox account. We also recommend that when you are ready to implement this feature within your production account that you coordinate making these changes with your email domain admin or IT team, as they will likely provide the credentials that allow you to make the outbound connection from Zendesk to your organization's domain, and you will want to provide them with the inbound credentials we present to you during setup. 

There may be a brief window of down-time while you make the transition to an authenticated connection in your production account, which requires deleting any addresses currently associated with the domain you wish to use. We recommend you set up this integration during slow traffic times, and use the API for bulk address deletion actions, if needed. Each address must be re-added manually within the Zendesk Admin page. 

If you have any questions or need further clarification, please either open a support ticket or ask questions and add comments in the article's comments section. We greatly value your input and look forward to your participation in our Early Access Program.

Getting Started

Once you receive the confirmation email that your account has been enabled follow the steps below to add your domain and addresses to Zendesk (first version). 

To create an authenticated two-way inbound/outbound connection with Zendesk (Click here for more detailed setup instructions on this version):

1. Log into your sandbox or production account instance
2. Navigate to Admin Center > Channels > Email (you may need to refresh the page)
   • Go to the Authenticated SMTP Connectors section
3. To add a new domain for inbound traffic, click “Add Domain”
   • Follow the instructions on the screen to create a new inbound connection
   • It is very important that you copy and paste the credentials securely, as these will need to be added at the forwarding email domain. 
4. You will need to obtain credentials (host, username, and password) from your domain admin before proceeding to the next step
5. To add support addresses for the outbound connection
   • Navigate to the Brand that you wish to add an address
   • Click on the Add address dropdown menu associated with that Brand
   • Select Connect External address
   • From the SMTP section choose the domain associated with the address you wish to add (the outbound domain used in a connected address must match the inbound domain)
   • Follow the instructions on the screen to complete the process, adding the username and credentials provided to you by your domain administrator or IT team
6. Once you have successfully added your inbound domain and for every outbound support address we will send two verification emails that will help us verify that you have successfully completed the connection. 
   • These verification emails must be received and forwarded successfully for the integration to function
   • If you see any warnings then the connection was likely not established and outbound traffic may be getting sent from a default support address 

To create a standard auto-forward in to Zendesk with an authenticated outbound connection (click here for more detailed setup instructions on this version: https://support.zendesk.com/hc/en-us/articles/8043218178842-Connecting-your-Outbound-Email-Server-to-Zendesk-using-the-Authenticated-SMTP-Connector-EAP):

1. Log into your sandbox or production account instance
2. Navigate to Admin Center > Channels > Email (you may need to refresh the page)
   • You will want to ensure that an auto-forward rule is already in place for the address you wish to use and that you have already obtained the credentials to allow Zendesk to make the authenticated outbound connection to your domain or mail service for that address
3. Add a support address by clicking on the “Add Address” dropdown
   • Choose Connect External Address
4. Next you will add the credentials (host, username, and password) from your domain admin before proceeding to the next step
5. Click the button to go to the next popup page 
   • We will attempt to use those credentials to send a test relay to your domain or email service
   • If it passes then you will see a green check mark, if it fails you may need to confirm with your domain admin that the credentials are valid and active
6. Once you have successfully added your support address(es) and the auto-forward for inbound is confirmed as well as the authenticated outbound connection you can start testing 
   • These verification checks must pass successfully for the integration to function
   • If you see any warnings then the connection was likely not established and outbound traffic may be getting sent from an unauthenticated default support address 

Product Functionality

With the Authenticated SMTP Connector businesses can:

• Relay authenticated and TLS-encrypted inbound email traffic to Zendesk (though the second version only support TLS encryption for inbound)
• Receive authenticated and TLS-encrypted outbound traffic from Zendesk to then send to the intended recipients (both versions)
• Sign your traffic with your DKIM key and send from your own SPF authority (both versions)
• Ability to test functionality in a sandbox environment before implementing in a production account (both versions)
• Conduct compliance protocols and produce deliverability reports (both versions)
• Surface information, and act upon, authentication within Tickets, Business Rules, and Views (two-way version only)

Product Limitations

• As an early access feature, there are some limitations to the Authenticated SMTP Connector. 
• It is important to remember that Zendesk is not responsible for the functionality and security of your external email service. 
• You can add 4 domains with up to 50 addresses each, for a total of 200 support addresses spread across 4 connected domains.
• Suspended Tickets - emails remain subject to the same suspension causes 
• During setup there may be a brief time before you add any support addresses for outbound traffic where email notifications might be sent from a default support address not associated with the SMTP Connector. 
• If you are using the two-way version, once you add a domain you will want to add a support address quickly to ensure inbound/outbound traffic is being handled by the feature. 
• Some system notifications will continue to be sent from our infrastructure. Ticket updates, Side Conversations, and others will be relayed through the Connector.
• Do not have Automatic Ticket Tagging enabled. We will be adding tags to tickets that should only be added when the authenticated connection is verified. 
• We’re working on prioritizing, developing, and releasing a series of follow-on features. We seek your feedback in understanding the relevance and priority to rank these iterative features 
• We have some ideas of what customers might need and want, though we will depend on your feedback to give those requests the appropriate context

Management, Access, and Feedback

• This feature can only be accessed by Admins within your account
• We highly recommend coordinating implementation with your domain admin, IT team, or email specialist within your organization
• Once you have been approved it can take up to 5 days to have your production account and sandbox added
• Please provide feedback in the comments section of this or the relevant article. If you feel that you have discovered unexpected behavior please open a support ticket with Zendesk

Ticket Tags (two-way version only)

• Tags - a tag will be added to each newly created authenticated email ticket, another will be added if an unauthenticated update appears in that ticket via email 
• Business Rules - you will be able to programmatically act on authenticated email tickets
• Absence of a Tag -  similarly to how you would act upon the presence of a tag you will also be able to act upon email ticket creation and update events in which a tag is absent
• Views - you can organize tickets by authenticated and unauthenticated to better understand and preserve the security of your workflows

Explore (two-way version only)

• Tags associated with Authentication can be reported on in Explore