Some CNAME records do not work at all

What is the name of the domain?

Redacted for privacy. Happy to provide to Cloudflare support but not to public.

What is the issue you’re encountering

CNAME records with Microsoft’s DKIM targets do not resolve at all and are missing the grey cloud next to the “DNS Only” words that other CNAME and A records have.

What steps have you taken to resolve the issue?

Tested that CNAME records to other external targets work fine. Tried re-creating the records. Tried turning proxy on and off again.

What feature, service or problem is this related to?

DNS not responding/updating

What are the steps to reproduce the issue?

Create a CNAME record with the target going to selector1-xxxx._domainkey.xxxx.onmicrosoft.com (with xxxx being specific to me).

Screenshot of the error

The Cloudflare dashboard is being smart: CNAMEs for DKIM records must never be proxied, so the missing grey cloud is indicating you cannot proxy this record (as with the MX and TXT records).

Without the domain I can’t check, but it’s likely the CNAMEs resolve but maybe 1 or both of the TXT records at Microsoft haven’t been created. You can rotate your DKIM keys in your Microsoft account to make this happen.

If you don’t want to give your domain, you can put it in here, which does check for selector1 and selector2 records. If there is any problem, you can post the test ID and I can take a look.
https://cf.sjr.org.uk/tools/check

2 Likes

I can’t even nslookup selector1._domainkey.mydomain . It just comes back as a non-existent domain.

Sorry, I couldn’t figure out how to edit my other reply and add that I can nslookup other CNAME records on my domain just fine.

Without the domain name, it’s impossible to check.

2 Likes

I can’t find the ability to edit replies on here, but I found a delete button, sorry.

I think it’s sorted. Microsoft don’t create the TXT record until you enable DKIM signing but their guide says don’t enable DKIM signing until the CNAME check passes BUT it seems the CNAME does not respond correctly until the target exists! I’ve enabled DKIM signing and now the CNAME returns something.
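As an added example (not posted by anyone in this thread), the shell function below separates the cases discussed above: a selector CNAME that is missing from the zone versus a CNAME that is published but whose Microsoft-side TXT record does not exist yet. It assumes `dig` is installed; the names `lookup` and `dkim_chain_status` and the status strings are made up for this example.

```shell
#!/bin/sh
# Added example: classify a DKIM selector CNAME chain.

# lookup TYPE NAME: print the answer data, one item per line (nothing if
# there is no answer). Assumes dig; replace this function to test offline.
lookup() {
    dig +short "$1" "$2"
}

# dkim_chain_status SELECTOR DOMAIN
# Prints one status word and returns a matching exit code:
#   ok (0)              the CNAME target publishes a DKIM key record
#   no-cname (1)        SELECTOR._domainkey.DOMAIN has no CNAME record
#   target-missing (2)  the CNAME exists, but its target has no TXT record
#   not-dkim (3)        the target has TXT data that is not a DKIM key
dkim_chain_status() {
    name="$1._domainkey.$2"
    # Query the CNAME type explicitly. A default address lookup follows the
    # alias and reports the state of the target, which hides whether the
    # alias itself is published.
    target=$(lookup CNAME "$name" | head -n 1)
    if [ -z "$target" ]; then
        echo "no-cname"
        return 1
    fi
    txt=$(lookup TXT "$target")
    if [ -z "$txt" ]; then
        echo "target-missing"
        return 2
    fi
    # A DKIM key record carries a p= tag and normally starts with v=DKIM1.
    case "$txt" in
        *v=DKIM1*|*p=*) echo "ok"; return 0 ;;
        *) echo "not-dkim"; return 3 ;;
    esac
}

# Stand-alone use: sh dkim_check.sh selector1 example.com
if [ "$#" -eq 2 ]; then
    dkim_chain_status "$1" "$2"
fi
```

A `target-missing` result for selector1 or selector2 matches the state described above, where the CNAME is in place but DKIM signing has not yet been enabled on the Microsoft side.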
