What issues occur when adding DKIM record to DNS via CName with Cloudflare?

Summary

Adding a DKIM record via CNAME with Cloudflare can encounter various issues. Cloudflare's proxy may interfere with DNS resolution, and CNAME flattening can mask the DKIM record if not correctly configured. Incorrect CNAME targets or incomplete setups, DNS propagation delays, and missing activation steps also lead to validation failures. Exceeding DNS record limits, conflicts with other record types, misconfigured DNSSEC, and inadequate DKIM key length are further complications. Subdomain policies, incorrect selector names, and delays due to shared hosting providers can also impede proper DKIM setup.

Key findings

  • Proxy Interference: Cloudflare's proxy (orange cloud) can disrupt DNS resolution for DKIM CNAME records.
  • CNAME Flattening Issue: CNAME flattening can mask the DKIM record if not properly configured.
  • Incorrect CNAME Target: Pointing the CNAME to an incorrect or outdated target leads to validation failure.
  • DNS Propagation Delay: DNS propagation delays can cause temporary validation problems.
  • Record Limit Exceeded: Exceeding DNS record limits on the Cloudflare plan prevents DKIM record addition.
  • CNAME Conflict: CNAME records conflict with other record types sharing the same name.
  • DNSSEC Misconfiguration: Improperly configured DNSSEC settings interfere with DKIM validation.
  • Inadequate Key Length: DKIM keys with insufficient length (less than 2048-bit) are rejected by mail systems.
  • Missing Activation: Activation steps can be missed when two different third parties are involved and you do not have your own access, causing issues.
  • Selector Issue: DKIM CNAME records that include a selector which isn't properly set up with a matching TXT record will prevent validation.
  • Hosting Issues: Those using shared hosting providers can experience delays or difficulties when updating DNS records.
  • Incorrect CNAME Setup: Incorrect or incomplete CNAME records, including wrong DKIM keys or missing parts (e.g., trailing dots), cause validation failures.

Key considerations

  • Bypass the Proxy: Ensure Cloudflare's proxy is bypassed for DKIM-related DNS records.
  • Confirm CNAME Target: Double-check the CNAME target supplied by the email service provider.
  • Awaiting Propagation: Allow adequate time for DNS propagation after making changes.
  • Subdomain Policies: If using a domain or subdomain with CNAME, there may be DNS policies that interfere with the DKIM lookup.
  • Monitor DNS Settings: Keep an eye on DNS settings for any changes if using shared hosting.
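An added example, not from the page or any of the quoted sources, that applies the considerations above to a constructed zone snapshot: it follows the DKIM CNAME chain the way a verifying mail server would and reports a proxied (orange-cloud) record, a CNAME sharing its name with other records, a target missing its trailing dot, a selector with no TXT behind it, and a TXT that is not a usable DKIM record. The zone names (example.test, mailer.test), the `proxied` flag and the function name are assumptions; the p= values are stand-ins, not real keys.

```python
# Constructed zone snapshot (assumption, not real DNS): name -> [(rrtype, value, proxied)].
# "proxied" models Cloudflare's orange cloud, which answers with Cloudflare IPs and
# hides the CNAME, so a TXT query for the DKIM name returns nothing a verifier can use.
ZONE = {
    "s1._domainkey.example.test.": [("CNAME", "s1.dkim.mailer.test.", False)],   # correct
    "s1.dkim.mailer.test.": [("TXT", "v=DKIM1; k=rsa; p=QUJDREVG", False)],      # p= is a stand-in
    "s2._domainkey.example.test.": [("CNAME", "s2.dkim.mailer.test.", True)],    # proxied
    "s2.dkim.mailer.test.": [("TXT", "v=DKIM1; k=rsa; p=QUJDREVG", False)],
    "s3._domainkey.example.test.": [("CNAME", "s3.dkim.mailer.test", False)],    # no trailing dot
    "s3.dkim.mailer.test.": [("TXT", "v=DKIM1; k=rsa; p=QUJDREVG", False)],
    "s4._domainkey.example.test.": [("CNAME", "s4.dkim.mailer.test.", False),    # conflict
                                    ("TXT", "v=spf1 -all", False)],
    "s4.dkim.mailer.test.": [("TXT", "v=DKIM1; k=rsa; p=QUJDREVG", False)],
    "s5._domainkey.example.test.": [("CNAME", "s5.dkim.mailer.test.", False)],
    "s5.dkim.mailer.test.": [("TXT", "v=DKIM1; k=rsa; p=", False)],              # empty key
}

def check_dkim_cname(zone, selector, domain, max_hops=8):
    """Follow the DKIM CNAME chain as a verifying MTA would; return a list of
    problems found (an empty list means the record chain is usable)."""
    name, problems = f"{selector}._domainkey.{domain}.", []
    for _ in range(max_hops):
        rrs = zone.get(name, [])
        cname = next((r for r in rrs if r[0] == "CNAME"), None)
        if cname is None:
            break
        if len(rrs) > 1:
            problems.append(f"{name}: CNAME coexists with other record types")
        if cname[2]:
            problems.append(f"{name}: proxied CNAME is hidden from DNS; turn off the orange cloud")
            return problems
        target = cname[1]
        if not target.endswith("."):
            problems.append(f"{name}: target {target!r} has no trailing dot")
            target = f"{target}.{domain}."   # a zone file treats it as relative to the origin
        name = target
    txts = [r[1] for r in zone.get(name, []) if r[0] == "TXT"]
    if not txts:
        problems.append(f"{name}: no TXT record (wrong target, missing selector, or not propagated)")
        return problems
    tags = {k.strip(): v.strip() for k, v in
            (t.split("=", 1) for t in txts[0].split(";") if "=" in t)}
    if tags.get("v", "DKIM1") != "DKIM1" or not tags.get("p"):
        problems.append(f"{name}: TXT is not a usable DKIM record (v must be DKIM1, p= non-empty)")
    return problems
```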

What email marketers say
9 marketer opinions

When adding a DKIM record to DNS via CNAME with Cloudflare, several issues can arise. These include Cloudflare's proxy interfering with DNS resolution, missing activation steps, CNAME flattening masking the DKIM record, incorrect CNAME targets, DNS propagation delays, exceeding DNS record limits, conflicts with other record types, misconfigured DNSSEC settings, incorrect DKIM key length, domain/subdomain DNS policies, and incorrect selector names.

Key opinions

  • Proxy Interference: Cloudflare's proxy (orange cloud) can interfere with DNS resolution for DKIM CNAME records.
  • CNAME Flattening: CNAME flattening can mask the DKIM record if not configured properly.
  • Incorrect Target: Pointing the CNAME to an incorrect or outdated target will cause validation failure.
  • Propagation Delays: DNS propagation delays can lead to temporary validation issues.
  • Missing Activation: Activation steps can be missed when two different third parties are involved and you do not have your own access.
  • Selector Issues: DKIM CNAME records that include a selector which isn't properly set up with a matching TXT record will prevent validation.

Key considerations

  • Bypass Proxy: Ensure the Cloudflare proxy is bypassed for DKIM records.
  • Verify Target: Double-check the CNAME target provided by the email service provider.
  • Wait for Propagation: Allow sufficient time for DNS propagation after making changes.
  • Check DNS Policies: If using a domain or subdomain with CNAME, there may be DNS policies that interfere with the DKIM lookup.
Marketer view

Email marketer from Reddit shares that enabling Cloudflare's proxy (orange cloud) for DKIM CNAME records can interfere with proper DNS resolution, preventing email servers from validating the DKIM signature. They suggest bypassing the proxy for DKIM records.

April 2021 - Reddit
Marketer view

Email marketer from AuthSMTP explains, in the context of email marketing best practices, that if a domain or subdomain is used with a CNAME, there may be DNS policies that interfere with the DKIM lookup.

November 2024 - AuthSMTP
Marketer view

Email marketer from StackOverflow explains that pointing the DKIM CNAME record to an incorrect target (e.g., an outdated or non-existent domain) is a common issue. They recommend verifying the correct target provided by the email service provider and ensuring there are no typos.

October 2024 - StackOverflow
Marketer view

Email marketer from SparkPost shares that a DKIM CNAME record that includes a selector which isn't properly set up with a matching TXT record will prevent validation.

June 2024 - SparkPost
Marketer view

Marketer from Email Geeks suggests ensuring no proxy with the orange cloud is active when adding a DKIM record to the DNS via CNAME with Cloudflare.

July 2024 - Email Geeks
Marketer view

Email marketer from DNS Made Easy Blog explains that CNAME flattening, which is automatically implemented by Cloudflare, can cause issues with DKIM records if not properly configured. CNAME flattening can mask the underlying DKIM record, making it appear as if it's not properly set up.

September 2023 - DNS Made Easy Blog
Marketer view

Marketer from Email Geeks identifies that the missing activation piece is likely the issue when adding a DKIM record to the DNS via CNAME with Cloudflare.

April 2021 - Email Geeks
Marketer view

Email marketer from MXToolbox shares that their tool checks DNS records for issues such as propagation, errors and incorrect entries, and is particularly useful for validating the CNAME record.

July 2024 - MXToolbox
Marketer view

Email marketer from Cloudflare Community points out that DNS propagation delays after adding or modifying the DKIM CNAME record can lead to temporary validation failures. They advise waiting for the propagation to complete before troubleshooting further.

October 2021 - Cloudflare Community

What the experts say
2 expert opinions

When adding a DKIM record to DNS via CNAME with Cloudflare, issues can arise from incorrect or incomplete CNAME setup, such as pointing to the wrong DKIM key or omitting parts of the CNAME. Users on shared hosting providers might also experience delays or difficulties due to slower DNS update cycles.

Key opinions

  • Incorrect CNAME Setup: Incorrect or incomplete CNAME records, including wrong DKIM keys or missing parts (e.g., trailing dots), cause validation failures.
  • Shared Hosting Delays: Shared hosting providers may have slower DNS update cycles, leading to delays in DKIM validation.

Key considerations

  • Verify CNAME Details: Ensure the CNAME record accurately points to the DKIM key provided by your email service provider and includes all necessary parts.
  • Hosting Provider: Be aware of potential delays in DNS updates if using a shared hosting provider.
Expert view

Expert from Word to the Wise shares that those using shared hosting providers can experience delays or difficulties when updating DNS records, including CNAME records for DKIM. These providers often have slower update cycles and might not provide immediate propagation.

December 2022 - Word to the Wise
Expert view

Expert from Word to the Wise highlights that incorrect or incomplete CNAME setup can cause problems. If the CNAME record isn't pointing to the correct DKIM key provided by your email service provider, or if any part of the CNAME is missing (like the trailing dot in some cases), it will fail to validate.

March 2022 - Word to the Wise

What the documentation says
4 technical articles

When adding a DKIM record to DNS via CNAME with Cloudflare, issues can stem from exceeding DNS record limits, conflicts with other record types on the same name, misconfigured DNSSEC settings, or using an insufficient DKIM key length.

Key findings

  • DNS Record Limit: Exceeding the DNS record limit for a Cloudflare plan prevents adding the DKIM CNAME record.
  • CNAME Conflict: CNAME records cannot coexist with other record types for the same name, causing conflicts.
  • DNSSEC Misconfiguration: Misconfigured DNSSEC settings can interfere with DKIM validation.
  • DKIM Key Length: A DKIM key that is not long enough will be rejected by mail systems.

Key considerations

  • Check Record Limit: Ensure the Cloudflare plan allows sufficient DNS records.
  • Avoid Conflicts: Ensure no other record types exist for the same name as the DKIM CNAME.
  • Review DNSSEC: Verify that DNSSEC settings are correctly configured.
  • Valid DKIM Key: Ensure that the DKIM key is long enough (2048-bit).
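An added example, not from the page or the cited documentation, that reads the RSA key size out of a DKIM TXT record's p= value (a base64 SubjectPublicKeyInfo) with a minimal DER parser, so the 2048-bit consideration above can be checked on a record fetched from DNS. The sample records are constructed with synthetic 1024- and 2048-bit moduli (the DER encoder exists only to build them); the helper and function names are assumptions.

```python
import base64

def _der(tag, body):
    """Minimal DER TLV encoder, used only to build the constructed sample keys."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    length = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length)]) + length + body

def make_sample_spki(modulus, exponent=65537):
    """SubjectPublicKeyInfo DER for an RSA key, the encoding a DKIM p= carries.
    The modulus is synthetic: only its bit length matters for the size check."""
    def integer(v):   # DER INTEGER with a leading 0x00 when the top bit is set
        return _der(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))
    alg_id = _der(0x30, bytes.fromhex("06092a864886f70d010101") + b"\x05\x00")  # rsaEncryption, NULL
    rsa_key = _der(0x30, integer(modulus) + integer(exponent))
    return _der(0x30, alg_id + _der(0x03, b"\x00" + rsa_key))

def _tlv(buf, pos=0):
    """Decode one DER element at pos into (tag, body, end_offset)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        k = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(spki):
    """Read the RSA modulus size out of SPKI DER without a crypto library."""
    tag, outer, _ = _tlv(spki)
    if tag != 0x30:
        raise ValueError("p= is not a DER SEQUENCE")
    _, _, pos = _tlv(outer)                 # skip AlgorithmIdentifier
    _, bitstr, _ = _tlv(outer, pos)         # BIT STRING wrapping RSAPublicKey
    _, rsa_key, _ = _tlv(bitstr[1:])        # drop the unused-bits byte
    return int.from_bytes(_tlv(rsa_key)[1], "big").bit_length()

def dkim_key_bits(txt):
    """RSA key size advertised by a DKIM TXT record; 0 when p= is empty (revoked key)."""
    tags = {k.strip(): v.strip() for k, v in
            (t.split("=", 1) for t in txt.split(";") if "=" in t)}
    if tags.get("v", "DKIM1") != "DKIM1" or tags.get("k", "rsa") != "rsa":
        raise ValueError("not an RSA DKIM1 record")
    return rsa_modulus_bits(base64.b64decode(tags["p"])) if tags.get("p") else 0

# Constructed sample records (not real keys) with synthetic 1024- and 2048-bit moduli.
def _sample_txt(modulus):
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(make_sample_spki(modulus)).decode()
WEAK_TXT = _sample_txt((1 << 1023) | 0x1234567)
GOOD_TXT = _sample_txt((1 << 2047) | 0x1234567)
```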
Technical article

Documentation from Google Admin recommends that the DKIM key be long enough (2048-bit), otherwise it will be rejected by mail systems. Therefore, the DKIM CNAME record will not validate the DKIM signature.

April 2024 - Google Admin
Technical article

Documentation from EasyDMARC explains that misconfigured DNSSEC settings on a domain can interfere with DKIM validation, even if the DKIM CNAME record is correctly set up in Cloudflare. It can cause DNS lookups to fail or return incorrect results.

January 2023 - EasyDMARC
Technical article

Documentation from Cloudflare explains that exceeding the DNS record limit for a Cloudflare plan can prevent the addition of a DKIM CNAME record. This requires upgrading the plan or removing existing records.

August 2021 - Cloudflare
Technical article

Documentation from RFC Editor explains that CNAME records cannot coexist with other record types (e.g., TXT) for the same name. If other records exist, the DKIM CNAME record will conflict.

March 2021 - RFC Editor