Problems with CNAME and punycode when I try to verify a domain with AWS SES

I’m using AWS SES, and to verify my domain I need to create a CNAME record with a name that uses punycode, like this: ioplx9f1io5l2teyfvlh6osjw7rcakww._domainkey.xn--80atghbm.xn--j1amh. But after saving, Cloudflare auto-substitutes this with ioplx9f1io5l2teyfvlh6osjw7rcakww._domainkey.комора.укр. And it looks like AWS SES is expecting the original record, so it can’t verify my own domain.

How can you keep the original name?

This is unlikely to be the issue; internally all domain names are Punycode, and the rendering as комора.укр is just a visual representation.

The most common issue in this situation is setting the CNAME to be :orange:. Can you make sure it is :grey:?

Can you share a screenshot of the DNS record on the dashboard?

By the way, I have successfully configured a domain before, but without punycode. Here is my screenshot:

That looks different to the selector name in your original post, ioplx9f1io5l2teyfvlh6osjw7rcakww.

Yes, that’s because I think it might not be secure to show the original.

I’ve been trying to use the dig utility to look up the CNAME, but haven’t figured out how to do it yet. Could you please help me with this?

If your CNAME is set to :orange: you will not be able to resolve it with dig.

:orange: CNAMEs are published as A and AAAA records.

This is why @michael was emphasizing the importance of your CNAME being set to :grey: DNS Only.

As for your question:
dig cname whatever.example.com

1 Like

Based on what you shared privately, the issue is that you entered the full record in the name field.

Just enter ioplx9f1io5l2teyfvlh6osjw7rcakww._domainkey in the name field. You are currently entering ioplx9f1io5l2teyfvlh6osjw7rcakww._domainkey.xn--80atghbm.xn--j1amh, so you are actually creating a record at ioplx9f1io5l2teyfvlh6osjw7rcakww._domainkey.xn--80atghbm.xn--j1amh.xn--80atghbm.xn--j1amh.

2 Likes
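The mismatch diagnosed in the answer above, worked through as an added example that is not part of the original thread and is not Cloudflare or AWS code. It assumes, as the thread describes, that the zone is appended to whatever is typed in the name field; the helper names are hypothetical.

```python
# Added example; helper names are hypothetical, not Cloudflare or AWS APIs.
SES_NAME = "ioplx9f1io5l2teyfvlh6osjw7rcakww._domainkey.xn--80atghbm.xn--j1amh"
ZONE = "комора.укр"  # the zone as the dashboard displays it


def to_ascii(name: str) -> str:
    """Lower-case a DNS name and convert Unicode labels to Punycode A-labels."""
    labels = name.rstrip(".").lower().split(".")
    return ".".join(
        lab if lab.isascii() else lab.encode("idna").decode("ascii")
        for lab in labels
    )


def resulting_fqdn(name_field: str, zone: str) -> str:
    """Assumption taken from the thread: the zone is appended to the name field."""
    return f"{to_ascii(name_field)}.{to_ascii(zone)}"


def name_field_for(expected_fqdn: str, zone: str) -> str:
    """Relative name to enter so the record lands exactly on expected_fqdn."""
    fqdn, apex = to_ascii(expected_fqdn), to_ascii(zone)
    if not fqdn.endswith("." + apex):
        raise ValueError(f"{fqdn} is not inside zone {apex}")
    return fqdn[: -len(apex) - 1]


def diagnose(name_field: str, expected_fqdn: str, zone: str) -> str:
    """Compare where the record ends up with where the verifier will look."""
    actual, apex = resulting_fqdn(name_field, zone), to_ascii(zone)
    if actual == to_ascii(expected_fqdn):
        return "ok"
    if actual.endswith(f".{apex}.{apex}"):
        return f"zone doubled: enter {name_field_for(expected_fqdn, zone)!r}"
    return f"mismatch: record is at {actual}"


if __name__ == "__main__":
    print(to_ascii(ZONE))                      # display form and A-label form are the same name
    print(diagnose(SES_NAME, SES_NAME, ZONE))  # full name pasted into the name field
    print(diagnose(name_field_for(SES_NAME, ZONE), SES_NAME, ZONE))
```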

Thank you. Just updated the CNAME; I hope verification succeeds once the TTL has passed. But this is strange, because before, for another domain, I just copied and pasted what AWS SES gave me and it passed verification (but without punycode).

Yes, it works! @michael and @epic.network thank you.

1 Like
