Emails being blocked for delivery to addresses

Emails to clients with Comcast dot net email addresses are being blocked by Comcast. Comcast support answer is below. I have no idea how to change the Cloudflare DNS settings to fix this. Any ideas?

" It appears this is a DNS issue on your side of things. Our systems utilize DNSSEC to evaluate DNS data. If I perform a lookup as the MTAs do, we get a “SERVFAIL” (for example: dig -t MX [retirementsmarts dot com](retirementsmarts dot com/)). However, if we disable the DNSSEC checking (dig +cd -t MX [retirementsmarts dot com](retirementsmarts dot com/)), we do see results).

It’s not just our systems that are having issues: dnsviz dot

We have a policy that all sending domains (RFC5321) must resolve to some subset of DNS records. At this point, we can’t resolve anything at all for that domain. Please let me know if we can provide more information.

Welcome to the Cloudflare Community. :logodrop:

Make sure that you have DNSSEC enabled at Cloudflare and that you have updated GoDaddy with your DNSSEC material.

It appears DNSSEC is enabled at Cloudflare. Registar is Godaddy. Not sure what else is wrong. Could I pay someone to take a look at this for me?

You can always hire a consultant, but before you do that, did you log into GoDaddy and make sure that your DNSSEC values set there match the ones in your Cloudflare account?

1 Like

I logged in and since the domain is not hosted at godaddy, the DNS button is unclickable. I don’t know how to get to those values.

You can find your Cloudflare DS record information at https://

These get set at GoDaddy in the same area where you changed your nameservers to the pair assigned by Cloudflare.

I found it. Screenshot attached. It appears to match.

Can you share a screenshot of the DS record information from Cloudflare?

1 Like

Sure. I appreciate the help. See attached.

1 Like

There doesn’t seem to be a DNSSEC issue with your domain anymore now. Dnsviz also no longer shows any problems.

1 Like

That wasn’t what I was asking for in a screenshot, but as @Laudian has indicated, your DNSSEC is now valid, so we can safely conclude without it. :slightly_smiling_face:

1 Like

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.