Hey there, I’m sure that I’ve set this up correctly. Previously I’ve had a TXT record for DKIM, but Protonmail recently changed it so that these are setup as three CNAME records with corresponding values.
I’ve added the CNAME records as follows and made sure they are not proxied.
But I’m still failing the DKIM check with Protonmail. I’ve reached out to their support and they’ve directed me back to Cloudflare with the following email:
"In the screenshot and the PDF file you provided, the configuration seems to be in order.
However, it appears that the CNAME records are not propagating, while the old TXT record still is.
This seems to be the reason why the messages are signed with DKIM.
You can check this as well by performing a CNAME lookup on the following link:
Please select CNAME in the orange dropdown and write protonmail._domainkey.kesen.wang in the search bar.
At this point, we can suggest contacting Cloudflare so they can check on their end if the CNAME records are propagating or not and perform any fixes that may be needed.
Also, please let them know that the TXT record for DKIM should be deleted and not propagating."
I don’t have any TXT record in my DNS records for DKIM so it doesn’t make sense to me what I am doing wrong. For reference I’ve exported my DNS records and pasted them below, IP address has been omitted.
;; Domain: kesen.wang.
;; Exported: 2020-07-31 00:13:41
;; This file is intended for use for informational and archival
;; purposes ONLY and MUST be edited before use on a production
;; DNS server. In particular, you must:
;; – update the SOA record with the correct authoritative name server
;; – update the SOA record with the contact e-mail address information
;; – update the NS record(s) with the authoritative name servers for this domain.
;; For further information, please consult the BIND documentation
;; located on the following website:
;; And RFC 1035:
;; Please note that we do NOT offer technical support for any use
;; of this zone data, the BIND name server, or any other third-party
;; DNS software.
;; Use at your own risk.
;; SOA Record
kesen.wang. 3600 IN SOA kesen.wang. root.kesen.wang. 2034782102 7200 3600 86400 3600
;; A Records
*kesen.wang. 1 IN A *
;; CNAME Records
3c104890c1ebd8aea0d7aaeccde3967b.kesen.wang. 1 IN CNAME verify.bing.com.
91e0cae0671fc04fe1faa7bbd5883a86.kesen.wang. 1 IN CNAME verify.bing.com.
protonmail2._domainkey.kesen.wang. 1 IN CNAME protonmail2.domainkey.dvuip6oxwqft4an7k7trqtnni3xgjuogimeg34yms5clahuiq44xq.domains.proton.ch.
protonmail3._domainkey.kesen.wang. 1 IN CNAME protonmail3.domainkey.dvuip6oxwqft4an7k7trqtnni3xgjuogimeg34yms5clahuiq44xq.domains.proton.ch.
protonmail._domainkey.kesen.wang. 1 IN CNAME protonmail.domainkey.dvuip6oxwqft4an7k7trqtnni3xgjuogimeg34yms5clahuiq44xq.domains.proton.ch.
www.kesen.wang. 1 IN CNAME kesen.wang.
;; MX Records
kesen.wang. 1 IN MX 20 mailsec.protonmail.ch.
kesen.wang. 1 IN MX 10 mail.protonmail.ch.
;; TXT Records
_dmarc.kesen.wang. 1 IN TXT “v=DMARC1; p= quarantine; rua=mailto:[email protected]”
kesen.wang. 300 IN TXT “v=spf1 include:_spf.protonmail.ch mx ~all”
kesen.wang. 1 IN TXT “yandex-verification: 7f37e9d41c0e9490”
kesen.wang. 1 IN TXT “protonmail-verification=fa8d9f936f11f6e4åebac5b9b2ab14933fe09”
kesen.wang. 1 IN TXT “google-site-verification=A3PBX9cfmvYtIrHztX3Qk_gYCo4iyCw8oYVsJ-5_3b8”
kesen.wang. 1 IN TXT “facebook-domain-verification=qzc1acjcqyi5jlo23n1y7xhada90c9”
Thanks in advanced for any help with this issue. It seems some users on Reddit have resolved this but I haven’t been able to resolve this issue.