TXT records same, one is not propagating correctly to Fastmail

Looking into the TXT records added for the domains, I can see that:

  • the TXT/SPF added for octocatsup dot com is shown correctly:
  • the one for extrahacked dot com isn’t propagated and is not a cache issue:

The TXT (SPF) records are identical except for the domain name so they should both get the same results at Fastmail, right? Yet, the SPF is not propagating correctly for extrahacked dot com.

Anyone know what could be happening here?

You have a DNSSEC issue.


Update the values at your registrar.


I do believe that you are right. However, Cloudflare is now my registrar and the DNSSEC portion shows no change. I tried to cancel DNSSEC on the original registrar before moving to CF, but it did not work. Not sure what to do now…

I cancelled the “Enable DNSSEC” section and re-enabled it to see what happens. I will wait 24 hours and see if that fixes it.

If anyone else if looking for how to set up DNSSEC, this article seems to outline the steps:

It’s best to leave DNSSEC disabled while troubleshooting DNS issues like this. Once it’s working again, I usually give it 48 more hours before I re-enable it.

1 Like

Thanks for the tip. I have disabled DNSSEC at CF and will wait for 48 hours before I re-enable it.

I bet I need to contact my previous registrar to remove those records. I will reach out to them and see what they say about this. :blush:

As Cloudflare is your current registrar, it should be able to set and clear your domain’s DNSSEC up and down the pipeline. The old registrar should have no more control over your domain at the registry.


Most likely you will need support here as there’s not much you can do. They need to fix that manually. Open a ticket, that will automatically close, then reply twice to it to keep it open and also post the ticket number here.

1 Like

@domjh also just pointed out Cloudflare API v4 Documentation. You could try that API call as well, in that case you wouldn’t have to jump through the support hurdles.


Thank you so much for the link to CF’s API documentation. I have deleted my DNSSEC zone successfully and will now be able to fix my email issue :tada:

You are all amazing for helping and I appreciate it so much @sandro @domjh and @sdayman. The community is so much better than emailing support :blush:


My pleasure. Though, Whois doesn’t list the domain as signed any more, but there still is a DS record.

$ dig +short @a.gtld-servers.net extrahacked.com DS
22376 13 2 4B6ED1EEF2DDC36B3DC220F4D12BF23015361617F2DCDE8AF2D63201 1946C286

Wait a bit, but if that doesn’t get fixed you’ll most likely still have to contact support. My assumption would be that API call only removes the DNSSEC configuration on the nameserver side, but not on the registrar side, which in your case is always Cloudflare.

IMHO support will have to fix this manually.

1 Like

@purnima, if you could reset the DNSSEC configuration of extrahacked.com, I’d think that would fix the issue.

Or @tobi :slight_smile:

You should also cancel the DNSSEC setup from Cloudflare dashboard (DNS tab → DNSSEC) and try again. That will be a way to reset this.

I understand the OP already did that and on top of that run the API call, so IMHO that’s all he can do.

I tried enabling the DNSSEC from the dashboard again after using the API to DELETE > DNSSEC. It’s stuck just like the last time.

You are correct

Yep, support needs to fix this I am afraid.