Cloudflare does not recognize DKIM record (DMARC Mgmt)

I’m using Mailerlite and I’ve added SPF and DKIM records a while ago.
In my Mailerlite dashboard I can see that my domain is correctly authenticated.
I returned to Cloudflare to add a DMARC record.
When doing so I enabled DMARC Management and I noticed that the DMARC dashboard of Cloudflare does not recognize my DKIM record (it says there’s none).
(the DKIM record of Cloudflare does not start with “v=” but with “k=rsa”)
I wonder if this can cause any problems when using DMARC or when delivering mails in general.

If you can share the domain name and the specific record’s name, we can take a look at the record.

Alternatively, a screenshot of the record.

However, -

Given this, I would try adding "v=DKIM1; " in front of it, to see if that solves the problem.



I’m starting to see the first results in my DMARC mgmt portal and they show DMARC pass, SPF aligned and DKIM aligned so I suppose all is OK.


Yep, according to that screenshot, the email authentication part looks OK.

100% DMARC pass, 100% DKIM alignment, 100% SPF alignment. 🙂

That said, -

  1. If the DKIM alignment stays on 100% going forward, I would change your DMARC policy to “p=reject;”.

  2. You should move that “?all” SPF policy to “-all”.

  3. You should also sanitize your SPF record as much as possible, and e.g. remove useless stuff from it.
    “a”: Remove this one from your SPF; Cloudflare’s HTTP reverse proxies NEVER send messages from your domain.


I now start to see a small number of fails. (pass rate is above 99%).
Looking at the details for the mails I send through mailerlite I see that the envelope is sometimes empty, sometimes gmail(dot)com, and in 1 case a completely different domain (dekielectronics(dot)com). I suppose these are instances where they indeed try to fraudulently use your domain and those are thus correctly flagged as failed?

There’s 1 source that shows a 100% fail rate. That is my hosting provider and looking at the IP this seems to be the mails that I sent from my personal address.

Mails from our personal account have an envelope wapititravel(dot)com and are sent through relay(dot)mailprotect(dot)be host.
Mails from mailerlite have an envelope emails(dot)wapititravel(dot)com and are sent through mlsend(dot)com.

There’s an SPF record for the latter, not for the first.
I read you can only have one SPF record per domain.

I’m not sure how to continue from here. I cannot combine the two into one SPF record as one uses the root and the other the emails subdomain but I cannot create multiple SPF records…

In the context of SPF records, a subdomain is considered as a separate domain and needs its own SPF record.


Thanks for this info. If I understand correctly I can add a second SPF DNS entry. Where the existing one has emails as name and is dedicated to the respective subdomain I can add one with @ as name for the root domain?


Yes. Entering @ will indeed create the SPF record used by the apex or root domain.

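
The checks raised across this thread, collected into a small TXT-record linter as an added example (not code from any poster, Mailerlite or Cloudflare). The zone data is constructed with placeholder example.com names and a truncated filler key; `lint` and `parse_tags` are hypothetical helper names.

```python
# Added example: lints a constructed zone; names and key below are placeholders.
from collections import defaultdict

def parse_tags(txt):
    """Split a DKIM/DMARC 'tag=value; tag=value' list, keeping tag order."""
    pairs = (p.split("=", 1) for p in txt.split(";") if "=" in p)
    return {k.strip(): v.strip() for k, v in pairs}

def lint(records, envelope_domains):
    """records: (name, txt) pairs; returns a list of (name, finding) tuples."""
    findings, spf = [], defaultdict(list)
    for name, txt in records:
        if txt.lower().split()[:1] == ["v=spf1"]:
            spf[name].append(txt.lower().split()[1:])
        elif "._domainkey." in name:
            tags = parse_tags(txt)
            if not tags.get("p"):
                findings.append((name, "DKIM: missing or empty p= (no usable key)"))
            if "v" not in tags:  # RFC 6376: v= is optional and defaults to DKIM1
                findings.append((name, "DKIM: v= omitted (optional, defaults to DKIM1)"))
            elif list(tags)[0] != "v" or tags["v"] != "DKIM1":
                findings.append((name, "DKIM: v= must be the first tag and equal DKIM1"))
        elif name.startswith("_dmarc."):
            policy = parse_tags(txt).get("p")
            if policy != "reject":
                findings.append((name, f"DMARC: p={policy}, not yet p=reject"))
    for name, recs in spf.items():
        if len(recs) > 1:  # RFC 7208: more than one SPF record is a permerror
            findings.append((name, "SPF: multiple records on one name (permerror)"))
        for terms in recs:
            alls = [t for t in terms if t.lstrip("+-~?") == "all"]
            if not alls or not alls[-1].startswith("-"):
                findings.append((name, "SPF: does not end in -all"))
            if any(t.lstrip("+-~?") == "a" for t in terms):
                findings.append((name, "SPF: bare 'a' authorizes the domain's A/AAAA addresses"))
    for dom in envelope_domains:  # SPF is looked up on the exact envelope domain
        if dom not in spf:
            findings.append((dom, "SPF: no record for this envelope domain"))
    return findings

# Constructed sample zone: SPF only on the subdomain, DKIM without v=, p=none.
SAMPLE = [
    ("emails.example.com", "v=spf1 a include:_spf.example.net ?all"),
    ("ml._domainkey.example.com", "k=rsa; p=MIGfMA0GCSqGSIb3DQEB"),
    ("_dmarc.example.com", "v=DMARC1; p=none; rua=mailto:dmarc@example.com"),
]
if __name__ == "__main__":
    for name, finding in lint(SAMPLE, ["example.com", "emails.example.com"]):
        print(f"{name}: {finding}")
```

The second argument lists the envelope domains actually seen in the DMARC reports, which is how the missing apex record shows up even though the subdomain has one.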