What issues occur when adding a DKIM record to DNS via CNAME with Cloudflare?
Summary
What email marketers say (9 marketer opinions)
Email marketer from Reddit shares that enabling Cloudflare's proxy (orange cloud) for DKIM CNAME records can interfere with proper DNS resolution, preventing email servers from validating the DKIM signature. They suggest bypassing the proxy for DKIM records.
Email marketer from AuthSMTP explains, as part of email marketing best practices, that if a domain or subdomain is used with a CNAME, there may be DNS policies that interfere with the DKIM lookup.
Email marketer from StackOverflow explains that pointing the DKIM CNAME record to an incorrect target (e.g., an outdated or non-existent domain) is a common issue. They recommend verifying the correct target provided by the email service provider and ensuring there are no typos.
Email marketer from SparkPost shares that some DKIM CNAME records include a selector which isn't properly set up with a matching TXT record, which will prevent validation.
Marketer from Email Geeks suggests ensuring no proxy with the orange cloud is active when adding a DKIM record to the DNS via CNAME with Cloudflare.
Email marketer from DNS Made Easy Blog explains that CNAME flattening, which is automatically implemented by Cloudflare, can cause issues with DKIM records if not properly configured. CNAME flattening can mask the underlying DKIM record, making it appear as if it's not properly set up.
Marketer from Email Geeks identifies that the missing activation piece is likely the issue when adding a DKIM record to the DNS via CNAME with Cloudflare.
Email marketer from MXToolbox shares that their tool checks DNS records for issues such as propagation, errors and incorrect entries, and is particularly useful for validating the CNAME record.
Email marketer from Cloudflare Community points out that DNS propagation delays after adding or modifying the DKIM CNAME record can lead to temporary validation failures. They advise waiting for the propagation to complete before troubleshooting further.
What the experts say (2 expert opinions)
Expert from Word to the Wise shares that those using shared hosting providers can experience delays or difficulties when updating DNS records, including CNAME records for DKIM. These providers often have slower update cycles and might not provide immediate propagation.
Expert from Word to the Wise highlights that incorrect or incomplete CNAME setup can cause problems. If the CNAME record isn't pointing to the correct DKIM key provided by your email service provider, or if any part of the CNAME is missing (like the trailing dot in some cases), it will fail to validate.
What the documentation says (4 technical articles)
Documentation from Google Admin states that the DKIM key needs to be long enough (2048-bit), otherwise it will be rejected by mail systems, and the DKIM CNAME record will therefore not validate the DKIM signature.
Documentation from EasyDMARC explains that misconfigured DNSSEC settings on a domain can interfere with DKIM validation, even if the DKIM CNAME record is correctly set up in Cloudflare. It can cause DNS lookups to fail or return incorrect results.
Documentation from Cloudflare explains that exceeding the DNS record limit for a Cloudflare plan can prevent the addition of a DKIM CNAME record. This requires upgrading the plan or removing existing records.
Documentation from RFC Editor explains that CNAME records cannot coexist with other record types (e.g., TXT) for the same name. If other records exist, the DKIM CNAME record will conflict.
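Several of the issues above (proxied or flattened records, a wrong CNAME target, a selector with no matching TXT record, and a CNAME coexisting with a TXT record) can be told apart from the DNS answers alone. The following is an added example, not code from any of the sources quoted on this page: it classifies answers that have already been collected, for instance with dig. The function name, record layout, and all hostnames and key values are constructed for illustration.

```python
# Added example: diagnose a DKIM CNAME setup from DNS answers collected earlier.
# Every name and record value below is constructed sample data.

def diagnose_dkim_cname(name, expected_target, records):
    """records maps (owner name without trailing dot, rtype) -> list of rdata."""
    norm = lambda n: n.rstrip(".").lower()  # trailing dot and case are not significant
    get = lambda owner, rtype: records.get((norm(owner), rtype), [])
    findings = []

    cname = get(name, "CNAME")
    if not cname:
        # A proxied (orange cloud) or flattened record is answered with
        # addresses instead of the CNAME the email provider asked for.
        if get(name, "A") or get(name, "AAAA"):
            findings.append("only addresses returned: record is proxied or flattened")
        else:
            findings.append("no CNAME at selector name: missing or not yet propagated")
        return findings

    # A CNAME must be the only record type at its owner name.
    if get(name, "TXT"):
        findings.append("CNAME coexists with TXT at the same name")

    target = norm(cname[0])
    if target != norm(expected_target):
        findings.append(f"CNAME points to {target}, expected {norm(expected_target)}")

    # The key itself lives in a TXT record at the CNAME target.
    txt = get(target, "TXT")
    if not txt:
        findings.append("CNAME target has no TXT record holding the DKIM key")
    else:
        joined = "".join(txt)  # long keys are split into several strings
        tags = dict(p.strip().split("=", 1) for p in joined.split(";") if "=" in p)
        if not tags.get("p"):
            findings.append("TXT at target has an empty or missing p= tag")
    return findings


SELECTOR = "s1._domainkey.example.com"   # constructed
ESP_TARGET = "s1.dkim.esp.example."      # constructed
GOOD = {
    (SELECTOR, "CNAME"): [ESP_TARGET],
    ("s1.dkim.esp.example", "TXT"): ["v=DKIM1; k=rsa; p=CONSTRUCTEDKEY"],
}
PROXIED = {(SELECTOR, "A"): ["192.0.2.10"]}  # documentation address range

if __name__ == "__main__":
    print(diagnose_dkim_cname(SELECTOR, ESP_TARGET, GOOD))
    print(diagnose_dkim_cname(SELECTOR, ESP_TARGET, PROXIED))
```

An empty result means none of these four conditions was found; it does not check key length, DNSSEC, or propagation state across resolvers.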