Unfortunately, it's less a Zendesk thing and more of the end user deciding to turn off the security features to make it easier for their users to use. SPF/DKIM signing happens on all outbound mail I get from Zendesk. On the inbound email, SPF/DKIM/ARC verification is on by default but people keep turning it off. That's before weak spots like chat come in where the customers turn off captcha and just let any email get entered in.

Unfortunately, too many company admins keep saying "we don't want our customers to have to be configured correctly, we might miss a message from them" and disable all the built in protections. Hopefully the option to disable protections will go away soon.