TXT domainkey records not showing up, more CAA records than I have entered

I am trying to figure out why I get more CAA records than I actually entered (I have 2 entries and I see 10 in the test) and why I am not seeing DKIM records.
Yes, the domain name server is Cloudflare.
I also noticed I do not see some TXT or CNAME records, but they are working, for example:
CNAME: autodiscover
TXT records: DMARC, BIMI

I used these tools to check

Cloudflare adds their own CAA records to prevent Universal SSL from breaking when you add your own.


Cloudflare will automatically add a few hidden CAA records in two situations.

  1. If you add any CAA records of your own then Cloudflare will add CAA records to allow them to issue Universal SSL Certs.

  2. If you enable AMP Real URL they will add the CAA records with the cansignhttpexchanges attribute. This is a requirement for the SXG certificates.

BIMI (like DKIM) requires a selector, and you have a BIMI record with the default selector.

% dig +short txt default._bimi.ejura.eu
"v=BIMI1; l=https://ejura.eu/image/sq_logo.svg"

You do have a DMARC policy in place:

% dig +short txt _dmarc.ejura.eu
"v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:[email protected]; ruf=mailto:[email protected]; fo=1;"

Do you have an example of a record that is missing?

Yes, I do see some TXT records, but I do not see others, for example DKIM TXT records.
Also, how did you test the BIMI and DMARC records?

DKIM TXT records need a selector. For example, if you use Office 365 your selectors are selector1 and selector2. You can then query for those selectors using standard tools:

dig +short txt selector1._domainkey.microsoft.com

If you run your own email servers, your own configuration will define the selector. Most third-party email senders use well-known selectors, such as Google (google), Mailchimp (k1), Zendesk (zendesk1 and zendesk2) etc.

Similarly, BIMI records need a selector. This is so that you can send emails for Black Friday with a customised image, or have brand specific logos, all on the same domain. BIMI also allows for a default selector, and that is what I used in the above example.

There is no way to query a zone and say “give me every TXT record for every subdomain”; you have to know the location within the zone.

DMARC records are always a TXT record at _dmarc.<example.com>, and the command I showed above will retrieve it.
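
The lookups described in this thread, as an added example that is not part of the original posts: it builds the exact owner names for DMARC, DKIM and BIMI from a domain and a list of selectors, then parses and checks each TXT answer. The function names, the `example.com` zone, the selector list and the placeholder key are constructed for illustration; `dig_lookup` is the live alternative to the offline sample zone.

```python
import subprocess

# Checks each record type must pass once its TXT payload is parsed into tags.
CHECKS = {
    "DMARC": lambda t: t.get("v") == "DMARC1" and "p" in t,
    "DKIM": lambda t: t.get("v", "DKIM1") == "DKIM1" and "p" in t,  # v= is optional in DKIM
    "BIMI": lambda t: t.get("v") == "BIMI1" and "l" in t,
}

def txt_names(domain, dkim_selectors=(), bimi_selectors=("default",)):
    """Exact owner names to query; a selector that is not listed is never looked up."""
    return ([("DMARC", f"_dmarc.{domain}")]
            + [("DKIM", f"{s}._domainkey.{domain}") for s in dkim_selectors]
            + [("BIMI", f"{s}._bimi.{domain}") for s in bimi_selectors])

def parse_tags(txt):
    """Split a 'tag=value; tag=value' TXT payload into a dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)  # split once: URLs and base64 keys contain '='
            tags[key.strip()] = value.strip()
    return tags

def dig_lookup(name):
    """Live lookup with the thread's dig command; long records arrive as quoted chunks."""
    out = subprocess.run(["dig", "+short", "txt", name], capture_output=True, text=True).stdout
    return [line.replace('" "', "").strip('"') for line in out.splitlines() if line]

def audit(domain, lookup, dkim_selectors=(), bimi_selectors=("default",)):
    """Return {owner name: 'KIND ok' | 'KIND missing'} for every name queried."""
    report = {}
    for kind, name in txt_names(domain, dkim_selectors, bimi_selectors):
        found = any(CHECKS[kind](parse_tags(txt)) for txt in lookup(name))
        report[name] = f"{kind} ok" if found else f"{kind} missing"
    return report

# Constructed sample zone (not real data; p= is a placeholder, not a real key).
SAMPLE_ZONE = {
    "_dmarc.example.com": ["v=DMARC1; p=reject; adkim=s; aspf=s"],
    "default._bimi.example.com": ["v=BIMI1; l=https://example.com/logo.svg"],
    "selector1._domainkey.example.com": ["v=DKIM1; k=rsa; p=UExBQ0VIT0xERVI="],
    "k1._domainkey.example.com": ["k=rsa; p=UExBQ0VIT0xERVI="],
}

if __name__ == "__main__":
    lookup = lambda name: SAMPLE_ZONE.get(name, [])
    for name, status in audit("example.com", lookup, ("selector1", "google")).items():
        print(f"{name}: {status}")
```

The `k1` record exists in the sample zone but does not appear in the report, because `k1` was not in the selector list that was queried. Pass `dig_lookup` instead of the sample lambda to check a live domain.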
