DKIM failure after switching to Cloudflare nameservers

What is the name of the domain?

deepstate.wiki

What is the issue you’re encountering

DKIM failure upon switching to Cloudflare nameservers

What steps have you taken to resolve the issue?

After changing my nameservers from GoDaddy to Cloudflare, I got a notice from my Proton email that DKIM wasn’t valid. The records were still there.

What are the steps to reproduce the issue?

Existing DNS on GoDaddy worked just fine until domain nameservers switched to Cloudflare as ‘required’… switching back to GoDaddy immediately resolved the issue.

That domain is not using Cloudflare DNS.

When a domain on Cloudflare uses Protonmail, those DNS records would need to be :grey: DNS-Only.

2 Likes

Of course it isn’t, I switched back to the original GoDaddy nameservers, which immediately “fixed” the DKIM failure. What I’m hoping for is some hint as to why using Cloudflare nameservers provoked the failure. If you are implying that Cloudflare needs to dictate what DNS records I can use, that’s… unfortunate.

That’s the DNS records for the domain, over on GoDaddy, which “works”…

That is not what was implied. The records can’t be proxied; they need to be set to DNS only to conform to what the receiving MTAs expect and can validate.

Ensure you have all the required entries and they are set to DNS only.

2 Likes

NoDKIM

Not looking promising… I’ll give it an hour or two to sort itself out…

The scan is a best effort attempt to guess common hostnames and records the answer queried if they resolve. Your protonmail DKIM selectors may not be among the list of names that are queried. It is best to manually validate your DNS records.

1 Like

Did you create the required CNAMEs and configure them as :grey: DNS Only?

You need to do that. It is not something that will

on its own.

1 Like

Yes, I did. I discover that Cloudflare will NOT put them out as DNS responses. Looking further at their docs, they say waaaah, the RFC calls for TXT records, not CNAME records, so I switched them. Query right at Cloudflare, no records. They must not really want my money.

I don’t know why you are having trouble with it. Countless domains use CNAMEs pointed at TXT records for DKIM. That is how every Microsoft 365 custom domain works. If the CNAMEs shown in your GoDaddy DNS screenshot worked, they would also work in Cloudflare, as long as they were set to :grey: DNS Only.

There is no prohibition against using CNAMEs at DKIM labels. It’s explained well in the selected answer in this post:

1 Like
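
The manual validation suggested in this thread, sketched as an added example that is not part of any post here: it follows a DKIM selector through CNAMEs to the TXT key record and reports why a lookup fails. The zones, selector `sel1`, hostnames and key fragment are constructed placeholders, and the `PROXIED` zone models the assumption that a proxied name is answered with addresses only instead of the CNAME.

```python
"""Added example: follow a DKIM selector through CNAMEs to its TXT key record."""

# Constructed sample zones (name -> {type: [values]}); all names are placeholders.
DNS_ONLY = {
    "sel1._domainkey.example.test": {"CNAME": ["sel1.dkim.mailhost.example."]},
    # A TXT value is a tuple of <=255-byte strings that the verifier concatenates.
    "sel1.dkim.mailhost.example": {"TXT": [("v=DKIM1; k=rsa; ", "p=MIIBIjANBgkqhkiG9w0B")]},
}
# Assumption: with the CNAME proxied, only addresses are published for the
# name, so the TXT query a receiving MTA makes comes back empty.
PROXIED = {"sel1._domainkey.example.test": {"A": ["192.0.2.10"]}}
REVOKED = {"sel1._domainkey.example.test": {"TXT": [("v=DKIM1; p=",)]}}


def lookup(zone, name, rrtype):
    """Stand-in for a DNS query against the constructed zone."""
    return zone.get(name.rstrip(".").lower(), {}).get(rrtype, [])


def parse_tags(record):
    """Split 'k=v; k=v' into a dict, ignoring whitespace around tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = "".join(value.split())
    return tags


def check_selector(zone, selector, domain, max_hops=5):
    """Return (status, chain) for selector._domainkey.domain."""
    name = f"{selector}._domainkey.{domain}"
    chain = [name]
    for _ in range(max_hops):
        txt = lookup(zone, name, "TXT")
        if txt:
            tags = parse_tags("".join(txt[0]))
            if tags.get("v", "DKIM1") != "DKIM1" or "p" not in tags:
                return "malformed", chain
            return ("ok" if tags["p"] else "revoked"), chain
        target = lookup(zone, name, "CNAME")
        if not target:
            break
        name = target[0].rstrip(".")
        chain.append(name)
    if lookup(zone, name, "A") or lookup(zone, name, "AAAA"):
        return "no-txt-address-only", chain
    return "no-txt", chain
```

Against live DNS, the same logic applies to the answers from a TXT query for the selector name sent to the zone's authoritative nameserver.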