Edit: After making a modification to the CNAME record in question, Cloudflare DNS resumed serving it up normally. Other than the link to Microsoft’s explanation of how they rotate their DKIM keys, and possibly a hint that forcing a change and/or deleting and recreating a DNS entry that is causing trouble might resolve an issue, this post isn’t worth reading.
Cloudflare DNS does not respond to requests for a TXT record when the requested DNS entry is a CNAME record that points to a different server which has the TXT record. ((At least that’s what seemed to be the case)) The server responds and seems to say “there’s no information for you”. Other DNS providers will reach out to the CNAME’s target, look up the requested TXT record and return. I discovered this because we switched to Cloudflare DNS a little over 28 days ago (28 days is the TTL set by Microsoft) and at 28 days in, our Microsoft 365 outbound emails started being discarded by destination servers that perform DKIM analysis.
My first brush with support suggested that I not use the CNAME record, but instead create my own TXT entry for the DKIM record. The trouble with that suggestion is that even if I figure out what the proper public key is TODAY and create a TXT DKIM record with it, Microsoft will rotate the key at some point and our email will fail again. Well… my choices were switch to a different DNS provider or make a band-aid by renaming my active TXT record and ‘hard coding’ a DKIM record that copies the one Microsoft made for us. The band-aid was quicker, but is not the long term fix.
I’m posting this out here for two reasons: 1) as a resource for others who encounter this problem and 2) pleading for Cloudflare to allow this horribly inefficient third party lookup to occur. To prevent abuse, only let it work for the *.onmicrosoft.com domain.
Thanks for reading!
The site below explains how Microsoft does the key rotations and shows that the CNAME-to-TXT record lookup is essential in the process.
These are sample CNAME records Microsoft asks us to create when enabling DKIM for an Office 365 tenant:
selector1._domainkey.microsoft.com. 3600 IN CNAME selector1-microsoft-com._domainkey.microsoft.onmicrosoft.com. (Microsoft publishes this in DNS)
selector1-microsoft-com._domainkey.microsoft.onmicrosoft.com. 3600 IN TXT "v=DKIM1; k=rsa; p=<public key #1> n=1024,1435867504,1" (Office 365 publishes this in its DNS)
selector2._domainkey.microsoft.com. 3600 IN CNAME selector2-microsoft-com._domainkey.microsoft.onmicrosoft.com. (Microsoft publishes this in DNS)
selector2-microsoft-com._domainkey.microsoft.onmicrosoft.com. 3600 IN TXT "v=DKIM1; k=rsa; p=<public key #2> n=1024,1435867505,1" (Office 365 publishes this in its DNS)
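The following script is an added example and is not part of the original post or anything Microsoft or Cloudflare ships. It models the two behaviours described above against a constructed in-memory zone (example.com with placeholder keys standing in for the real onmicrosoft.com records): a resolver that follows the CNAME to the target and returns the DKIM TXT, versus one that stops at the CNAME owner and returns nothing. It then shows the check a practitioner would want while running the hard-coded TXT band-aid: compare the live public key at the CNAME target with the hard-coded copy so a Microsoft key rotation is noticed before mail starts failing. The zone dictionary, selector names and key values are all assumptions for the demonstration.

```python
"""Resolve a DKIM selector through its CNAME chain and detect a stale
hard-coded copy of the record. Added example with a constructed zone;
the data below is NOT real Microsoft or Cloudflare DNS content."""

# Constructed sample zone: owner name -> list of (rtype, rdata).
# Layout mirrors the CNAME-to-TXT pattern in the post; keys are placeholders.
SAMPLE_ZONE = {
    "selector1._domainkey.example.com.": [
        ("CNAME", "selector1-example-com._domainkey.example.onmicrosoft.com."),
    ],
    "selector1-example-com._domainkey.example.onmicrosoft.com.": [
        ("TXT", "v=DKIM1; k=rsa; p=PLACEHOLDER_KEY_1; n=1024,1435867504,1"),
    ],
    "selector2._domainkey.example.com.": [
        ("CNAME", "selector2-example-com._domainkey.example.onmicrosoft.com."),
    ],
    "selector2-example-com._domainkey.example.onmicrosoft.com.": [
        ("TXT", "v=DKIM1; k=rsa; p=PLACEHOLDER_KEY_2; n=1024,1435867505,1"),
    ],
}


def resolve_txt(zone, name, follow_cname=True, max_hops=8):
    """Return the TXT strings for `name`, following CNAMEs to their target.

    With follow_cname=False this mimics the failure mode in the post: the
    owner is a CNAME, so no TXT data comes back and the DKIM check fails.
    """
    name = name if name.endswith(".") else name + "."
    for _ in range(max_hops):
        rrset = zone.get(name, [])
        txts = [rdata for rtype, rdata in rrset if rtype == "TXT"]
        if txts:
            return txts
        cnames = [rdata for rtype, rdata in rrset if rtype == "CNAME"]
        if not cnames or not follow_cname:
            return []
        name = cnames[0]  # chase the alias to its target
    raise RuntimeError("CNAME chain exceeded %d hops" % max_hops)


def parse_dkim(txt):
    """Parse a DKIM TXT record's 'tag=value; tag=value' list into a dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def key_rotated(hardcoded_txt, live_txt):
    """True when the live public key (p=) no longer matches the hard-coded copy."""
    return parse_dkim(hardcoded_txt).get("p") != parse_dkim(live_txt).get("p")


def check_selectors(zone, domain, hardcoded):
    """Report each selector as 'ok', 'rotated' (band-aid is stale) or
    'unresolvable' (no TXT reachable through the CNAME chain)."""
    report = {}
    for selector, hardcoded_txt in hardcoded.items():
        live = resolve_txt(zone, "%s._domainkey.%s" % (selector, domain))
        if not live:
            report[selector] = "unresolvable"
        elif key_rotated(hardcoded_txt, live[0]):
            report[selector] = "rotated"
        else:
            report[selector] = "ok"
    return report


if __name__ == "__main__":
    # Hard-coded copies as the band-aid would have them; selector2 is stale
    # (the constructed zone already carries PLACEHOLDER_KEY_2).
    hardcoded = {
        "selector1": "v=DKIM1; k=rsa; p=PLACEHOLDER_KEY_1; n=1024,1435867504,1",
        "selector2": "v=DKIM1; k=rsa; p=OLD_PLACEHOLDER_KEY; n=1024,1435867505,1",
    }
    print("follow CNAME:", resolve_txt(SAMPLE_ZONE, "selector1._domainkey.example.com"))
    print("stop at CNAME:", resolve_txt(SAMPLE_ZONE, "selector1._domainkey.example.com", follow_cname=False))
    print(check_selectors(SAMPLE_ZONE, "example.com", hardcoded))
```

To run this against live DNS instead of the constructed zone, replace `resolve_txt` with a real TXT query (for example dnspython's `dns.resolver.resolve(name, "TXT")`, which follows CNAMEs itself) and schedule `check_selectors` well inside the 28-day TTL mentioned above; a "rotated" result is the signal to refresh the hard-coded record.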