DKIM Failure upon switching to Cloudflare nameservers
What steps have you taken to resolve the issue?
After changing my nameservers from GoDaddy to Cloudflare, I got notice from my Proton email that DKIM wasn’t valid. The records were still there.
What are the steps to reproduce the issue?
Existing DNS on GoDaddy worked just fine until domain nameservers switched to Cloudflare as ‘required’… switching back to GoDaddy immediately resolved the issue.
Of course it isn’t, I switched back to the original GoDaddy nameservers, which immediately “fixed” the DKIM failure. What I’m hoping for is some hint as to why using Cloudflare nameservers provoked the failure. If you are implying that Cloudflare needs to dictate what DNS records I can use, that’s… unfortunate.
That is not what was implied. The records can’t be proxied; they need to be set to DNS only to conform to what the receiving MTAs expect and can validate.
Ensure you have all the required entries and they are set to DNS only.
The scan is a best effort attempt to guess common hostnames and records the answer queried if they resolve. Your protonmail DKIM selectors may not be among the list of names that are queried. It is best to manually validate your DNS records.
Yes, I did. I discovered that Cloudflare will NOT put them out as DNS responses. Looking further at their docs, they say waaaah, the RFC calls for TXT records, not CNAME records, so I switched them. Query right at Cloudflare, no records. They must not really want my money.
I don’t know why you are having trouble with it. Countless domains use CNAMEs pointed at TXT records for DKIM. That is how every Microsoft 365 custom domain works. If the CNAMEs shown in your GoDaddy DNS screenshot worked, they would also work in Cloudflare, as long as they were set to DNS Only.
There is no prohibition against using CNAMEs at DKIM labels. It’s explained well in the selected answer in this post: