"Flatten CNAME at apex" cannot be turned off

I am trying to verify my domain for use with custom email and Firebase

The 2 TXT records have propagated, but the 2 CNAME records have not. All support articles point to the fact that CNAME flattening breaks verification with some 3rd parties like Google and Firebase.

When going to DNS => Settings => CNAME Flattening, the dropdown has only 1 option: “Flatten CNAME at Apex” and cannot be changed (it is not grayed out, just only has 1 option).

I need to disabled this (I believe) in order to get my CNAME records to propagate.

My CNAME records are both set to DNS Only (gray cloud) and TTL to 1 min.

I have 2 A records for the naked domain (iloomi dot com) that point to ip addresses assigned by Webflow.

Please help! Thanks in advance.

Hey there,

When setting records to validate external services, its important to ensure that they are set to DNS Only (grey cloud) in your Cloudflare DNS settings, which you’ve already done.

Unfortunately CNAME flattening at the apex cannot be turned off on Cloudflare. This is a feature that allows users to set a CNAME as their root domain - which isn’t without flattening, more on this can be found here: CNAME flattening · Cloudflare DNS docs

More on this can be found in quite a few Cloudflare community threads: How to disable cname flattening

That being said, you can see that currently your CNAME record is publicly available here: DNS Checker - DNS Check Propagation Tool

You may wish to check with your services provider if there is an issue with the CNAME content, and replace as required

1 Like

Oh - interesting. I was looking under the naked domain when checking the CNAME (stupidly). Thanks for pointing that out. So that appears to be correct.

I do notice that my TXT record resolves with:

v=DKIM1;k=rsa;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyDvXK961gziQ7Huc5YjX5xQRV+fAyXLU0d/YY8H1xgWIdmOj/9GmrZ1Av+uXtpcYw4hgff8lHEL0O6bGJr68Xhy0NVqRI7d6Vsh4h3eVBlGp+SW77d9fFmoa7YchHmEPl4WQFxQDZWCy4e3ovihzT+XS3WO4xB7QzS7BjLex7/ SWmbluFxu7FFNtoVJiaWh0NCW6q+RKCGM09lKLqKOiEnNh0lu5YfrrNd7JVGL2Z72wimH3vvcksASgTKfKTW5D4Qrsee5D9ZFlfFla7ffYWlNBZAURfo95JqZpSB/jJynaaNm0/hMn3I9i13Kys8dn1tuFN4nn9vn11b3sfdcPUQIDAQAB

When these are the 2 records that I have:

firebase=iloomi-b34f8
v=spf1 include:_spf.firebasemail dot com ~all

Which appear nowhere in there. Is there some obfuscation that happens with TXT records or is this indicating a problem with my TXT record?

Your DKIM TXT record shouldn’t be under the apex domain. It’s normally under something._domainkey.

The two you listed look like they would be under the apex domain. You don’t see them when you look up TXT records on the apex?

What’s the domain name?

Domain is Iloomi.com

When I use DNSChecker, the home tab returns the DKIM record, but when I tap into DNS Checker and select TXT, I do get the correct 2 records that I need for Firebase

firebase=iloomi-b34f8
v=spf1 include:_spf.firebasemail dot com ~all

Yes, those TXT records are correctly there under the apex domain. You have Firebase DKIM records on firebase1._domainkey and firebase2._domainkey.

You have two A records on the apex, and a CNAME on www. Is the www CNAME correct?

Yes. The CNAME on the www is a validation for WebFlow.
So seemingly, everything looks correct to you?

Yes. I was wondering about the www entry because it is different from the apex, but if that’s the CNAME for verification, then it all looks good to me.

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.