TXT DKIM records not fully propagated after 4 days

Hi,

On December 24th (4 days ago), I added TXT records to two domains for DKIM, in Cloudflare.

On the first domain, https://dnschecker.org/ almost immediately showed it propagated to all the clients it checks across the world.

However, for the second domain, a large number of servers still do not see the record:


(contents of the record removed)

The DKIM record is shown to be valid by tools like https://mxtoolbox.com/dkim.aspx

I tried deleting the record and creating it again, but that did not change a thing.

Does anyone have an idea about what is happening?

What is the domain?

Likely you have a DNSSEC problem. When some resolvers can see a record and others can’t, it is because the latter use DNSSEC to validate the record (and will report nothing if it is invalid).

Thanks for your reply. I can’t share the domain name publicly, but I have checked that DNSSEC is not enabled:

  • It’s a paid option at the registrar, and it’s turned off.
  • dig ds DOMAIN +short returns nothing, dig DOMAIN +dnssec shows no signature.
  • It is also marked as disabled in Cloudflare

If you want, you can put the domain into my checker here, see if it finds the DKIM record if it is one of the selectors it tests for…

https://cf.sjr.org.uk/tools/check

(if it doesn’t, can you post the DKIM selector you are using without the domain).

I entered the domain into your nice tool at 09:25.
It confirms that DNSSEC is disabled.
It does not find the DKIM record. The selector is 20220626 (the record name is 20220626._domainkey). I can see the DKIM record if I enter this in https://mxtoolbox.com/dkim.aspx

_domainkey.[yourdomain] is delegated to ns41/42.[somethingelse].com. They are not answering queries for this.

Thanks, I actually just added these records, because they were present in the domain that worked and absent in the domain that doesn’t.
Are they supposed to be there? Are you saying that the ns41/42 domains are not properly replying?

Delete these NS records. If you want the _domainkey record in your Cloudflare DNS to be returned by the Cloudflare DNS, you must use the Cloudflare DNS for them :slight_smile:

Hm, Ok, then we’re back to square one, as these records were not present until a couple minutes ago :confused:

1.1.1.1 now returns the TXT record, previously it was complaining about the delegation.

On dnschecker.org all is working for that TXT record.

Interesting and very strange, all I did was to add the 2 delegation records and remove them.
And the other domain that worked directly had and still has the delegation records…

Anyway, thank you very much for your help!

Are they the nameservers from before you added Cloudflare? It may be they had (for this domain) or have (for your other domain) valid records still. If you want the TXT record set in your Cloudflare DNS to be used, you’ll need to remove the delegation.
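
Added example, not part of the thread or of any poster's tooling: a small Python check for the cause found above, where NS records on `_domainkey` make the zone's own nameserver hand out a referral instead of the DKIM TXT record. It parses the text output of a non-recursive `dig` query; the zone `example.com`, the nameserver names and both sample outputs are constructed placeholders.

```python
import re

# Constructed sample of `dig +norecurse @<zone-nameserver> TXT <selector>._domainkey.<zone>`
# output when the zone holds NS records for _domainkey (all names are placeholders).
SAMPLE_REFERRAL = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 1

;; QUESTION SECTION:
;20220626._domainkey.example.com. IN TXT

;; AUTHORITY SECTION:
_domainkey.example.com. 300 IN NS ns41.other-dns.example.
_domainkey.example.com. 300 IN NS ns42.other-dns.example.
"""

# Constructed sample of the same query once the NS records are gone.
SAMPLE_ANSWER = """\
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
20220626._domainkey.example.com. 300 IN TXT "v=DKIM1; k=rsa; p=CONSTRUCTED"
"""

def parse_sections(dig_output):
    """Group dig's resource-record lines by section (ANSWER, AUTHORITY, ...)."""
    sections, current = {}, None
    for line in dig_output.splitlines():
        m = re.match(r";; (\w+) SECTION:", line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current and line.strip() and not line.startswith(";"):
            sections[current].append(line.split(None, 4))  # owner ttl class type rdata
    return sections

def find_delegation(dig_output, zone):
    """Return (delegated_name, nameservers) if the reply refers a name below `zone` elsewhere."""
    zone = zone.rstrip(".").lower()
    sections = parse_sections(dig_output)
    if sections.get("ANSWER"):
        return None  # the zone's own server answered; no delegation in the way
    owner_seen, hosts = None, []
    for rr in sections.get("AUTHORITY", []):
        if len(rr) == 5 and rr[3] == "NS" and rr[0].rstrip(".").lower().endswith("." + zone):
            owner_seen = rr[0].rstrip(".").lower()
            hosts.append(rr[4].rstrip(".").lower())
    return (owner_seen, sorted(hosts)) if hosts else None
```

A non-`None` result names the delegated label and the servers resolvers will be sent to; if those servers do not hold the DKIM record, mail receivers will not find the key.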
