Cname records not propagating for Protonmail DKIM

Hey there, I’m sure that I’ve set this up correctly. Previously I had a TXT record for DKIM, but Protonmail recently changed it so that these are set up as three CNAME records with corresponding values.

I’ve added the CNAME records as follows and made sure they are not proxied.

CNAME protonmail._domainkey protonmail.domainkey.dvuip6oxwqft4an7k7trqtnni3xgjuogimeg34yms5clahuiq44xq.domains.proton.ch.

CNAME protonmail2._domainkey protonmail2.domainkey.dvuip6oxwqft4an7k7trqtnni3xgjuogimeg34yms5clahuiq44xq.domains.proton.ch.

CNAME protonmail3._domainkey protonmail3.domainkey.dvuip6oxwqft4an7k7trqtnni3xgjuogimeg34yms5clahuiq44xq.domains.proton.ch.

But I’m still failing the DKIM check with Protonmail. I’ve reached out to their support and they’ve directed me back to Cloudflare with the following email:

"In the screenshot and the PDF file you provided, the configuration seems to be in order.
However, it appears that the CNAME records are not propagating, while the old TXT record still is.

This seems to be the reason why the messages are signed with DKIM.

You can check this as well by performing a CNAME lookup on the following link:
https://mxtoolbox.com/SuperTool.aspx

Please select CNAME in the orange dropdown and write protonmail._domainkey.kesen.wang in the search bar.

At this point, we can suggest contacting Cloudflare so they can check on their end if the CNAME records are propagating or not and perform any fixes that may be needed.
Also, please let them know that the TXT record for DKIM should be deleted and not propagating."

I don’t have any TXT record in my DNS records for DKIM so it doesn’t make sense to me what I am doing wrong. For reference I’ve exported my DNS records and pasted them below, IP address has been omitted.

;;
;; Domain: kesen.wang.
;; Exported: 2020-07-31 00:13:41
;;
;; This file is intended for use for informational and archival
;; purposes ONLY and MUST be edited before use on a production
;; DNS server. In particular, you must:
;; – update the SOA record with the correct authoritative name server
;; – update the SOA record with the contact e-mail address information
;; – update the NS record(s) with the authoritative name servers for this domain.
;;
;; For further information, please consult the BIND documentation
;; located on the following website:
;;
;; http://www.isc.org/
;;
;; And RFC 1035:
;;
;; http://www.ietf.org/rfc/rfc1035.txt
;;
;; Please note that we do NOT offer technical support for any use
;; of this zone data, the BIND name server, or any other third-party
;; DNS software.
;;
;; Use at your own risk.
;; SOA Record
kesen.wang. 3600 IN SOA kesen.wang. root.kesen.wang. 2034782102 7200 3600 86400 3600

;; A Records
*kesen.wang. 1 IN A *

;; CNAME Records
3c104890c1ebd8aea0d7aaeccde3967b.kesen.wang. 1 IN CNAME verify.bing.com.
91e0cae0671fc04fe1faa7bbd5883a86.kesen.wang. 1 IN CNAME verify.bing.com.
protonmail2._domainkey.kesen.wang. 1 IN CNAME protonmail2.domainkey.dvuip6oxwqft4an7k7trqtnni3xgjuogimeg34yms5clahuiq44xq.domains.proton.ch.
protonmail3._domainkey.kesen.wang. 1 IN CNAME protonmail3.domainkey.dvuip6oxwqft4an7k7trqtnni3xgjuogimeg34yms5clahuiq44xq.domains.proton.ch.
protonmail._domainkey.kesen.wang. 1 IN CNAME protonmail.domainkey.dvuip6oxwqft4an7k7trqtnni3xgjuogimeg34yms5clahuiq44xq.domains.proton.ch.
www.kesen.wang. 1 IN CNAME kesen.wang.

;; MX Records
kesen.wang. 1 IN MX 20 mailsec.protonmail.ch.
kesen.wang. 1 IN MX 10 mail.protonmail.ch.

;; TXT Records
_dmarc.kesen.wang. 1 IN TXT "v=DMARC1; p= quarantine; rua=mailto:[email protected]
kesen.wang. 300 IN TXT "v=spf1 include:_spf.protonmail.ch mx ~all"
kesen.wang. 1 IN TXT "yandex-verification: 7f37e9d41c0e9490"
kesen.wang. 1 IN TXT "protonmail-verification=fa8d9f936f11f6e4åebac5b9b2ab14933fe09"
kesen.wang. 1 IN TXT "google-site-verification=A3PBX9cfmvYtIrHztX3Qk_gYCo4iyCw8oYVsJ-5_3b8"
kesen.wang. 1 IN TXT "facebook-domain-verification=qzc1acjcqyi5jlo23n1y7xhada90c9"

Thanks in advance for any help with this issue. It seems some users on Reddit have resolved this, but I haven’t been able to resolve it.

And at the bottom of your DNS records page, it says your two Cloudflare name servers are Adam and Nelly?

Yes, that’s correct!

It looks like those DNS records aren’t on the name servers at all, yet they’re in your exported BIND file. I can’t see any reason for them to not work.

I suggest you open a Support ticket so they can track this down.

Log in to Cloudflare and then contact Cloudflare Support by clicking on the Get More Help button.

While you’re waiting, delete and then re-add them. Maybe that will help. I don’t think anything else will, except someone from Cloudflare fixing it.


Sounds good, thank you for your help! I sent them an email and got a couple of automated responses back, and one about SMTP, but that didn’t address this issue. Hoping they’ll get back to me in a bit. I let them know about opening this issue with the community as well, and about your advice to contact them. Thank you very much for your help!!

Can you post that ticket # here? The mods sometimes take a look at tickets to make sure they’re in the right queue.

For sure, the link to the ticket number is below!

https://support.cloudflare.com/hc/requests/1938108


This looks to me like CNAME flattening. Compare the two records, they’re identical.

Go to the very bottom of your DNS page, is CNAME flattening set to Flatten CNAME at root? If not, change it to that and check the record again?


Your search was TXT records. Protonmail now uses CNAMEs for domainkeys.


Yes, this is expected.

Compare these two where both have a CNAME, one uses flattening while the other does not. I’m still doing a query for TXT since this will return a CNAME if a CNAME exists.


I can’t specify whether to flatten CNAMEs or not; the option is greyed out. This might be because I downgraded from a Pro subscription to a free subscription. I would upgrade again if this would resolve the issue.

In terms of TXT records for the domain keys, I don’t have any in my DNS records so not sure why they would be showing up.

Also, to clarify, it’s set to “flatten all CNAMEs” and I can’t change that value.

The reason it is showing up is because of CNAME flattening. With CNAME flattening enabled, Cloudflare checks the target records and returns those records directly rather than the CNAME (which leaves the initial resolver to follow the CNAME and repeat the original query).

The functional results are the same, but validation tools that check for a CNAME specifically rather than the resulting record will fail.

You probably need to wait for support to help, but mention the CNAME flattening issue specifically to help them understand exactly what is happening, you don’t want them getting bogged down thinking about _domainkeys records specifically. Alternatively, you could upgrade to Pro again to get access to this option, although you’re really just paying $20 rather than waiting for support to get back to you.

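The distinction the reply above draws (a CNAME the resolver can see, versus a flattened CNAME whose TXT data matches the target, versus a stale manually created TXT record) can be checked mechanically from dig- or zone-file-style answer lines. This is an added example, not code from the thread or from Cloudflare or Proton; the selector, target name and DKIM key data are constructed placeholders.

```python
# Added example: classify how a DKIM selector name resolves. Input is
# 'name TTL IN TYPE rdata' lines (dig / zone-file style); all sample
# answers below are constructed, the key is not a real public key.
import re

ANSWER_RE = re.compile(r'^(\S+)\s+\d+\s+IN\s+(CNAME|TXT)\s+(.*)$')

def parse_answers(text):
    """Parse answer lines into (name, type, rdata); names lower-cased, no trailing dot."""
    out = []
    for line in text.strip().splitlines():
        m = ANSWER_RE.match(line.strip())
        if m:
            name, rtype, rdata = m.groups()
            out.append((name.lower().rstrip('.'), rtype, rdata.strip().strip('"')))
    return out

def dkim_tags(txt):
    """Split a DKIM TXT record ('v=DKIM1; k=rsa; p=...') into a tag dict."""
    tags = {}
    for part in txt.split(';'):
        if '=' in part:
            k, v = part.split('=', 1)
            tags[k.strip()] = re.sub(r'\s+', '', v)
    return tags

def diagnose(selector, target, selector_answers, target_answers):
    """Return one of: cname, flattened, stale-txt, invalid-dkim, missing."""
    sel, tgt = selector.lower().rstrip('.'), target.lower().rstrip('.')
    own = [(t, d) for n, t, d in selector_answers if n == sel]
    if any(t == 'CNAME' and d.lower().rstrip('.') == tgt for t, d in own):
        return 'cname'        # delegation visible; CNAME-specific validators pass
    sel_txt = {d for t, d in own if t == 'TXT'}
    if not sel_txt:
        return 'missing'
    tgt_txt = {d for n, t, d in target_answers if n == tgt and t == 'TXT'}
    if sel_txt & tgt_txt:
        return 'flattened'    # identical to the target's data: the CNAME was flattened away
    if all(dkim_tags(d).get('v') == 'DKIM1' and dkim_tags(d).get('p') for d in sel_txt):
        return 'stale-txt'    # a DKIM-shaped key that is not the provider's current one
    return 'invalid-dkim'

# Constructed sample data (placeholder domain, provider id and key material).
SELECTOR = 'protonmail._domainkey.example.com'
TARGET = 'protonmail.domainkey.EXAMPLEID.domains.proton.ch'
KEY = 'v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC' + 'A' * 20
FLATTENED = f'{SELECTOR}. 300 IN TXT "{KEY}"'
TARGET_ANS = f'{TARGET}. 300 IN TXT "{KEY}"'
REAL_CNAME = f'{SELECTOR}. 300 IN CNAME {TARGET}.'

if __name__ == '__main__':
    print(diagnose(SELECTOR, TARGET, parse_answers(FLATTENED), parse_answers(TARGET_ANS)))
    print(diagnose(SELECTOR, TARGET, parse_answers(REAL_CNAME), parse_answers(TARGET_ANS)))
```

To use it against a live zone, paste the output of a TXT and CNAME query for the selector name and a TXT query for the provider's target name into parse_answers.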

Oooh I get it now. I’ve reached out to support already so I’ll be hearing back from them either way, but I’ll go ahead and upgrade to the Pro subscription again and see if this resolves the issue. Thanks for the help!!

I’m going to post this solution in the Reddit thread as well, I’ve been trying to figure this out FOREVER, thank you so much.

This is a weird option, it is only available on Pro and up, but it isn’t removed when you downgrade back to free. Or put another way, the paid feature is the ability to make changes, not the feature itself. I don’t know of anything else in Cloudflare that works this way.

And I’m glad to hear it worked! Happy ProtonMailing
