Cloudflare Stripping Down CNAME Records for DKIM

Hi. I’m trying to add a CNAME record for dkim.ipzmarketing .com (without the space). In the first field, Cloudflare strips out the mydomain.com part of the ipz._domainkey.mydomain.com field. It also strips out the trailing period I was told to add to dkim.ipzmarketing .com. Nothing is recognizing the DKIM. It’s configured wrong. The TXT record with the public key seems to be recognized by various DKIM testing websites.

Another thing that’s not clear is whether to make the cloud orange or gray when creating the record(s). In my case, neither works. MailChimp directs its customers to make it gray. I’m using MailRelay, which is similar to MailChimp. Their selector is ipz rather than k1 or whatever MailChimp’s is.

It’s supposed to strip out the domain, just as it does for your ‘www’ entry. And it should be set to :grey:

What’s the domain?

OK. It’s still not working. It strips out the period, too.

It’s not showing up for me either for the ipzmarketing domain. Can you post a screenshot of that DNS record?

You can ignore the missing period too, assuming this is a CNAME (or SRV, but SRV doesn’t make sense here).

Cloudflare implicitly adds a trailing period to target records, and your domain to the record label on the backend (and as a result the UI removes them).

Set the records then post back, we can review.

I’m not completely sure what the dkim. record would be though. _dmarc or _adsp or similar maybe? If it’s _adsp skip it as that’s deprecated but still in some documentation.

1 Like

Here is one screenshot. I’ll post another in a second reply.

Here’s the CNAME for MailRelay and MailChimp.

… And the domain is deepermeditation.net.

DKIM for ipz is valid:

Those CNAMEs look somewhat valid, but your mail services should know for sure. Do they have diagnostics for all of this? Below is my CNAME setup for Sendgrid.

All they did is send me this: Mailrelay v3 Configuring SPF, custom domain and DKIM - Mailrelay

It says to first create the subdomain. They don’t say how, but other sources say that this process is the same one as creating the CNAME record. I even tried creating the subdomain in Hostgator, it says it’s invalid.

When I try to go to that subdomain, it gives me this:

"# Error 1014 Ray ID: 4f59e6284edbd35a • 2019-07-13 08:31:10 UTC

## CNAME Cross-User Banned

## What happened?

You’ve requested a page on a website that is part of the Cloudflare network. The host is configured as a CNAME across accounts on Cloudflare, which is prohibited by security policy.

## What can I do?

If you are interested in learning more about Cloudflare, please visit our website.

Cloudflare Ray ID: 4f59e6284edbd35a • Your IP: 24.119.149.214 • Performance & security by Cloudflare"

Dude! This is almost as hard as voting in the USA as a natural born citizen while living in the wrong neighborhood! Holy ■■■■!

That error isn’t a problem. For DKIM, email software only uses the TXT records. _domainkeys subdomains don’t need to have A or AAAA records at all; if they exist, it doesn’t matter if they run a working website or not.

2 Likes

I believe those _domainkey CNAMEs are just for reference during mail delivery. That error looks like a violation of cross-account CNAMEs which is a Business or Enterprise plan feature and requires a special setup…but only looks like an issue if you actually try to visit that URL…which really isn’t a website.

That looks poorly worded. There’s no need to create a subdomain at your host, and then turn it into a CNAME. A CNAME isn’t even hosted by you. It’s just a DNS record.

That MailRelay blog entry talks about testing by sending yourself a message. If you can, use this to test your message delivery. It’s easier.
https://www.mail-tester.com

Here’s a screenshot of mail-tester. I also checked the email header in Gmail. No mention of DKIM in the header. SPF passes. About MailRelay’s blog: They’re from Spain, and there’s usually a language barrier to some degree.

Now wait a minute. What does this mean? Do I need to do all this in Hostgator?

Adding DNS records
When you first add a domain to Cloudflare, a scan of common DNS records is performed in an attempt to automatically add all of the domain’s DNS records to the Cloudflare DNS app. If you need to add records manually for a domain, follow the procedure below:

If your domain is added to Cloudflare via one of our hosting partners, manage your DNS records via the hosting partner. In this case, the Cloudflare DNS app informs customers to manage DNS outside of Cloudflare.

  1. Log in to the Cloudflare dashboard.

  2. Click the appropriate Cloudflare account for the domain where you will add records.

  3. Ensure the proper domain is selected.

  4. Click the DNS app.

  5. The UI interface for adding DNS records appears under DNS Records:

Not signed with DKIM? The mail host needs to insert DKIM into a mail header as your message goes out.

Do DMARC record? DMARC is another DNS record that tells the world how strict to spam-test your mail.
I have a couple of DMARC records. One is for regular email from my regular domain, such as [email protected]. The other is from a newsletter that goes out through Sendgrid with a return address of [email protected] (Sendgrid handles all newsletter and reply mail for my list.example.com domain).

For more help with DNS records and spam, Google around a bit, but dmarcian.com has a quick overview of these records in the footer of their website.

DKIM has to be configured first. Apparently, it’s not. DMARC depends entirely on DKIM and SPF, so those need to come first before adding DMARC records from what I understand.

1 Like

I just sent a test to mail-tester from Gmail (not MailRelay), and DKIM is valid:

Your DKIM signature is valid
DomainKeys Identified Mail (DKIM) is a method for associating a domain name to an email message, thereby allowing a person, role, or organization to claim some responsibility for the message.

The DKIM signature of your message is:

v=1;
a=rsa-sha256;
c=relaxed/relaxed;
d=deepermeditation-net.20150623.gappssmtp.com;
s=20150623;
h=mime-version:from:date:message-id:subject:to;
bh=xcag5XMOesjfWZ7MzNS9n5DacyAidguw3DDUiVVUfWM=;
b=rNdFDQxzvesnCY6s61ymmdEPA48nyE6WCLcD6MEUMORpQ2SOngPcdXXGvhwAmVNSkwGnXV6LVVykP/LB2rCzFmkBaDNpE7YDGkM1+P3RK/k8eEHF+rFiNx0phV9HP8mYjchHKFbwvd12VYMrzl11Yid9xi73X531ekuvSlHIODT/+I4tNMG/aTPK52zOEemcTk1BVw3a/xWobbgoNrSm2V0Jm2nHfLIFEgMBt1Ekp/tZo140j5awITZDZ/PdhzEQISJ9nxJZlQZ5t37vBmmbBanL6hmGwCacQcxXCz4FRF36MPwea+nKZo/emT1ipemOj/XwCx2ybsvbQP6Pfh389g==

Your public key is:

“v=DKIM1;
k=rsa;
p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2UMfREvlgajdSp3jv1tJ9nLpi/mRYnGyKC3inEQ9a7zqUjLq/yXukgpXs9AEHlvBvioxlgAVCPQQsuc1xp9+KXQGgJ8jTsn5OtKm8u+YBCt6OfvpeCpvt0l9JXMMHBNYV4c0XiPE5RHX2ltI0Av20CfEy+vMecpFtVDg4rMngjLws/ro6qT63S20A4zyVs/V19WW5F2Lulgv+l+EJzz9XummIJHOlU5n5ChcWU3Rw5RVGTtNjTZnFUaNXly3fW0ahKcG5Qc3e0Rhztp57JJQTl3OmHiMR5cHsCnrl1VnBi3kaOoQBYsSuBm+KRhMIw/X9wkLY67VLdkrwlX3xxsp6wIDAQAB”

Key length: 2048bits

1 Like
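An added example, not part of the thread and not Cloudflare's or MailRelay's code: it expands a record name the way the zone editor described above stores it, derives the DNS name a verifier queries from a signature's `s=` and `d=` tags, and checks relaxed DMARC alignment for the Gmail signature quoted above. Assumptions: the From: domain is deepermeditation.net, the organizational domain is taken as the last two labels (real verifiers use the Public Suffix List), and the `bh=`/`b=` values are placeholders.

```python
import re

# Constructed input: the d=, s= and h= values are the ones quoted in the thread;
# bh= and b= are placeholders because they are not needed here.
GMAIL_SIG = ("v=1; a=rsa-sha256; c=relaxed/relaxed;\r\n"
             "\td=deepermeditation-net.20150623.gappssmtp.com; s=20150623;\r\n"
             "\th=mime-version:from:date:message-id:subject:to;\r\n"
             "\tbh=PLACEHOLDER; b=PLACEHOLDER")
ZONE = "deepermeditation.net"  # zone named in the thread


def parse_tags(value):
    """Parse a DKIM tag=value list (header unfolded, whitespace in values dropped)."""
    tags = {}
    for part in re.sub(r"\r?\n[ \t]+", " ", value).split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags


def record_name(label, zone=ZONE):
    """Absolute owner name for a label as typed into (or shown by) a zone editor."""
    label, zone = label.strip().rstrip(".").lower(), zone.rstrip(".").lower()
    if label in ("@", zone):
        return zone + "."
    if label.endswith("." + zone):
        return label + "."          # full name typed: zone is not appended twice
    return f"{label}.{zone}."       # short label: zone is appended


def key_query_name(sig_tags):
    """DNS name a verifier looks up for the public key: <s>._domainkey.<d>."""
    return f"{sig_tags['s']}._domainkey.{sig_tags['d']}.".lower()


def org_domain(domain):
    """Assumption: last two labels; real code uses the Public Suffix List."""
    return ".".join(domain.rstrip(".").lower().split(".")[-2:])


def dmarc_aligned(sig_tags, from_domain):
    """Relaxed DKIM alignment: d= and the From: domain share an organizational domain."""
    return org_domain(sig_tags["d"]) == org_domain(from_domain)


if __name__ == "__main__":
    gmail = parse_tags(GMAIL_SIG)
    print(key_query_name(gmail), dmarc_aligned(gmail, ZONE))
    print(record_name("ipz._domainkey"), record_name("ipz._domainkey." + ZONE))
```

The Gmail signature verifies as DKIM, but its `d=` is under gappssmtp.com, so it does not align with a From: address at deepermeditation.net; a signature with `s=ipz` and `d=deepermeditation.net` would be looked up at the same name the short `ipz._domainkey` label expands to.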
