
What issues occur when adding DKIM record to DNS via CName with Cloudflare?

Matthew Whittaker
Co-founder & CTO, Suped
Published 20 Jun 2025
Updated 18 Aug 2025
8 min read
Setting up email authentication can often feel like navigating a maze, especially when dealing with various DNS record types and providers like Cloudflare. One common area of confusion arises when attempting to add a DKIM record using a CNAME, rather than the more traditional TXT record. While some email service providers (ESPs) recommend CNAMEs for DKIM, it's crucial to understand the potential pitfalls, particularly with Cloudflare’s proxying services.
Incorrect configuration can lead to authentication failures, resulting in your legitimate emails landing in spam folders or being rejected outright. This can severely impact your email deliverability rates and ultimately harm your sender reputation. I often see people run into these issues, and knowing how to troubleshoot them is key to maintaining a healthy email program.

Understanding DKIM and CNAME records

DKIM (DomainKeys Identified Mail) is a vital email authentication method that allows an organization to claim responsibility for a message in a way that can be validated by recipients. It involves adding a digital signature to outgoing emails, which is then verified against a public key published in your domain's DNS. Typically, this public key resides in a TXT record, but some larger email service providers offer a convenient alternative.
Many email service providers, particularly those handling high volumes, manage DKIM keys on your behalf. Instead of giving you a long, complex TXT record to publish directly, they provide you with CNAME records. These CNAMEs (Canonical Name records) essentially point to a TXT record that the ESP itself hosts. This approach simplifies key rotation and management for users, as the ESP can update the underlying TXT record without you needing to make changes in your DNS.
For instance, services like Microsoft 365 and Salesforce often require DKIM to be set up via CNAME records. This method effectively delegates the DKIM lookup process to their infrastructure. Understanding how CNAME records affect other DNS records, including DKIM, is fundamental to avoiding common configuration headaches.

The critical Cloudflare proxying issue

The most frequent issue encountered when adding DKIM CNAME records with Cloudflare stems from its proxying feature, often referred to as the orange cloud. Cloudflare’s primary function is to act as a reverse proxy, caching web content and protecting your website from attacks. When a DNS record is proxied, traffic to that hostname flows through Cloudflare's network before reaching your origin server. This is excellent for web performance and security but problematic for DKIM.
DKIM validation requires a direct DNS lookup of your DKIM record. When you proxy a CNAME record on Cloudflare, the lookup for your DKIM public key doesn't go directly to your email service provider's DNS. Instead, it hits Cloudflare’s edge servers, which may not return the correct DKIM TXT record. This discrepancy causes authentication to fail, and recipients' email servers cannot verify the email's authenticity. Consequently, emails may be flagged as suspicious or spam, impacting your inbox placement.

The orange cloud issue

When adding DKIM CNAME records in Cloudflare, it is imperative that these records are set to DNS Only mode (represented by a grey cloud icon). Proxying them (the orange cloud icon) will prevent proper DKIM validation and lead to email deliverability issues. Many providers explicitly state this in their documentation.
To resolve this, simply ensure that the proxy status for your DKIM CNAME records is toggled off in your Cloudflare DNS settings. This directs email servers to query the CNAME directly, allowing them to resolve to the correct TXT record held by your ESP.
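To make that failure mode concrete, here is an added Python example (not code from this article, from Suped or from Cloudflare) that follows a DKIM CNAME chain to its TXT record and classifies what it finds: a usable key, a name that answers with addresses instead of the CNAME (the proxied case), a chain that dead-ends after a typo, or a TXT record with no public key. The zone data, hostnames and key fragment are constructed placeholders, and the `resolve` callback is a stand-in for a real lookup, so the same logic could be fed answers from `dig` or a DNS library.

```python
"""Follow a DKIM CNAME chain to its TXT record and classify the outcome.

The resolver is a plain callable so the same logic can run against the
constructed in-memory zone below or against answers from a real DNS lookup.
"""
from typing import Callable, Dict, List, Tuple

RRSet = List[Tuple[str, str]]          # (record type, record data)
Resolver = Callable[[str], RRSet]

# Constructed sample zone for this example: the hostnames and key fragment are
# placeholders, not any real provider's records.
SAMPLE_ZONE: Dict[str, RRSet] = {
    # Correct setup: DNS-only CNAME at the sending domain -> ESP-hosted TXT key.
    "s1._domainkey.example.com.": [("CNAME", "s1._domainkey.esp.example.net.")],
    "s1._domainkey.esp.example.net.": [("TXT", "v=DKIM1; k=rsa; p=MIIBIjANBgkqPLACEHOLDER")],
    # Proxied (orange cloud): the proxy answers with its own addresses and the
    # CNAME is never exposed to the querying mail server.
    "s2._domainkey.example.com.": [("A", "192.0.2.10"), ("A", "192.0.2.11")],
    # Typo in the target: the chain dead-ends at a name that does not exist.
    "s3._domainkey.example.com.": [("CNAME", "s3._domainkey.esp.exmaple.net.")],
    # Key revoked or mangled: a TXT record exists but carries no public key.
    "s4._domainkey.example.com.": [("TXT", "v=DKIM1; k=rsa; p=")],
}


def fqdn(name: str) -> str:
    """Canonical form: lower-case with exactly one trailing dot."""
    return name.strip().rstrip(".").lower() + "."


def zone_resolver(zone: Dict[str, RRSet]) -> Resolver:
    """Build a resolver that answers from an in-memory zone (empty list = no data)."""
    return lambda name: zone.get(fqdn(name), [])


def parse_dkim_tags(txt: str) -> Dict[str, str]:
    """Split a DKIM TXT value such as 'v=DKIM1; k=rsa; p=...' into a tag map."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def diagnose_dkim(name: str, resolve: Resolver, max_hops: int = 8) -> Tuple[str, str]:
    """Return (status, detail); status is ok, proxied, missing, bad_txt or loop."""
    current = fqdn(name)
    for _ in range(max_hops):
        rrs = resolve(current)
        txts = [data for rtype, data in rrs if rtype == "TXT"]
        cnames = [data for rtype, data in rrs if rtype == "CNAME"]
        addresses = [data for rtype, data in rrs if rtype in ("A", "AAAA")]
        if txts:
            tags = parse_dkim_tags(txts[0])
            # v= is optional but must be DKIM1 if present; p= must carry a key.
            if tags.get("v", "DKIM1") != "DKIM1" or not tags.get("p"):
                return "bad_txt", f"{current} has a TXT record but no usable DKIM key (p= tag)"
            return "ok", f"{name} resolves to a DKIM key at {current}"
        if cnames:
            current = fqdn(cnames[0])   # follow the alias one hop
            continue
        if addresses:
            return "proxied", (f"{current} answers with A/AAAA records instead of the CNAME; "
                               "check the proxy status (orange cloud) on that record")
        return "missing", f"no CNAME or TXT record found at {current}"
    return "loop", f"CNAME chain from {name} exceeded {max_hops} hops"


if __name__ == "__main__":
    resolve = zone_resolver(SAMPLE_ZONE)
    for selector in ("s1", "s2", "s3", "s4"):
        print(selector, *diagnose_dkim(f"{selector}._domainkey.example.com", resolve))
```

The `proxied` branch is the one to look for after flipping the orange cloud: a healthy DKIM name should never answer a TXT query with addresses and no alias. To run it against live DNS, replace `zone_resolver` with a function that issues TXT, CNAME and A queries for the name and returns the answers in the same `(type, data)` shape.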

Common DNS conflicts and errors

Beyond proxying, several other issues can arise when setting up DKIM CNAME records. One common problem is CNAME flattening. While less common for the specific subdomain-based DKIM CNAMEs, Cloudflare can sometimes convert CNAME records at the root domain into A records to avoid conflicts. This behavior, if it were to affect your DKIM CNAME, could prevent proper resolution. Always ensure your DKIM CNAME targets a subdomain, such as selector._domainkey, not your apex domain.
Typos are another common culprit. Even a single misplaced character, an extra space, or the automatic appending of your domain name by Cloudflare’s interface can cause a DKIM CNAME record to fail validation. It's crucial to copy the CNAME name and target values exactly as provided by your email service provider. Remember that DKIM keys can sometimes be quite long, increasing the chance of errors.
Example DKIM CNAME record
Type: CNAME
Name: s1._domainkey.yourdomain.com
Target: s1._domainkey.serviceprovider.com
While Cloudflare generally supports underscores in DNS records, some older or less compliant DNS providers may not. This isn't usually a direct Cloudflare problem, but if your domain was recently migrated or you’re encountering persistent issues, it’s worth checking if underscores are the root cause. However, a more common scenario is a simple missing activation piece on the email service provider's end, even if the DNS record itself is published correctly.
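The entry mistakes described above can be caught before the record is saved. The following Python check is an added example, not part of this article or of Cloudflare's tooling: it flags stray whitespace, a zone name that the DNS editor has appended a second time, a record name that is not of the form selector._domainkey.zone, and a target that is not a selector host. The `zone` argument is assumed to be the apex domain you manage in Cloudflare, and the hostnames are the constructed ones from the example above.

```python
"""Pre-flight checks for a DKIM CNAME before it is saved in a DNS manager.

Flags the entry errors discussed above: stray whitespace, a zone name that the
editor has appended a second time, a record name outside <selector>._domainkey,
and a target that is not a selector host.
"""
from typing import List


def clean(value: str) -> str:
    """Trim whitespace and a trailing dot, then lower-case the result."""
    return value.strip().rstrip(".").lower()


def relative_name(name: str, zone: str) -> str:
    """What to type in a 'Name' field that appends the zone automatically."""
    name, zone = clean(name), clean(zone)
    if name == zone:
        return "@"
    suffix = "." + zone
    return name[: -len(suffix)] if name.endswith(suffix) else name


def check_dkim_cname(name: str, target: str, zone: str) -> List[str]:
    """Return the problems found; an empty list means the entry looks sane."""
    problems: List[str] = []
    # Compare before cleaning so copy/paste padding is reported, not silently fixed.
    if name != name.strip().rstrip(".") or target != target.strip().rstrip("."):
        problems.append("leading/trailing whitespace or trailing dot in a pasted value")
    name, target, zone = clean(name), clean(target), clean(zone)

    if " " in name or " " in target:
        problems.append("embedded space inside a hostname")
    if name.endswith("." + zone + "." + zone):
        problems.append(f"zone appended twice in {name}; the Name field probably only "
                        f"needs the part before .{zone}")
    elif not name.endswith("." + zone):
        problems.append(f"record name {name} is not inside zone {zone}")
    if "._domainkey." not in name + ".":
        problems.append("record name must have the form <selector>._domainkey.<zone>")
    if "._domainkey." not in target + ".":
        problems.append("target is not a selector host (<selector>._domainkey.<provider>); "
                        "an apex or bare hostname will not hold the DKIM key")
    return problems


if __name__ == "__main__":
    zone = "yourdomain.com"
    for name, target in [
        ("s1._domainkey.yourdomain.com", "s1._domainkey.serviceprovider.com"),
        ("s1._domainkey.yourdomain.com.yourdomain.com", "s1._domainkey.serviceprovider.com"),
        (" s1._domainkey.yourdomain.com ", "serviceprovider.com"),
    ]:
        print(repr(name), "->", check_dkim_cname(name, target, zone) or "looks good")
        print("  Name field:", relative_name(name, zone))
```

`relative_name` gives the value to type into an editor that appends the zone for you, which is exactly the situation in which the doubled-suffix error appears.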

Propagation delays and external factors

DNS changes, including DKIM CNAME records, do not propagate instantly across the entire internet. While Cloudflare updates records quickly within its network, it can still take up to 48 hours for changes to fully propagate globally due to DNS caching by various ISPs and recursive resolvers. Patience is often a virtue in these situations, though persistent failures warrant deeper investigation into DKIM temporary errors or DKIM failing altogether.
Working with third-party providers or agencies to manage your DNS records can also introduce communication gaps or delays. When you don't have direct access to your Cloudflare account, verifying that the DNS settings are precisely as required becomes more challenging. Always request screenshots or direct confirmation of the configuration to ensure everything is set up correctly, especially the proxy status.

Strategies for successful DKIM CNAME implementation

To ensure successful DKIM CNAME implementation with Cloudflare, always start by verifying your email service provider’s exact instructions. Then, carefully input the CNAME records into your Cloudflare DNS manager, paying close attention to the proxy status. Using an online DNS checker or a command-line tool like dig to confirm the record resolves correctly can save you significant troubleshooting time.
Regularly monitoring your DMARC reports is the best way to catch any DKIM authentication failures early. These reports provide valuable insights into whether your emails are passing authentication checks and can alert you to issues before they escalate into serious deliverability problems or cause you to land on a blocklist (or blacklist). Proper configuration of SPF, DKIM, and DMARC is foundational for optimal email deliverability.

Issue: DKIM CNAME is proxied (orange cloud)
Solution: Set the proxy status to DNS Only (grey cloud) in Cloudflare’s DNS settings.

Issue: Typo or incorrect record entry
Solution: Double-check the CNAME name and target against your ESP’s instructions. Pay attention to automatically appended domain names or extra characters. Refer to Cloudflare's DKIM documentation.

Issue: DNS propagation delay
Solution: Wait for 24-48 hours. Use a DNS lookup tool to verify propagation globally.

Issue: Missing activation on ESP side
Solution: Contact your email service provider to confirm if any additional activation steps are required after publishing the CNAME record.

Issue: CNAME at apex domain issue
Solution: Ensure your DKIM CNAME is always on a subdomain, not the root domain, to avoid flattening issues. This is crucial for avoiding DKIM record not found errors.
By understanding these common issues and following best practices, you can avoid frustrating deliverability problems and ensure your emails are properly authenticated. This leads to better inbox placement and ultimately, more successful email campaigns.

Views from the trenches

Best practices
Always set your DKIM CNAME records to 'DNS Only' (grey cloud) in Cloudflare to prevent proxying interference.
Verify the exact CNAME name and target values from your email service provider, paying attention to extra characters or automatic domain appending.
Use DNS lookup tools like 'dig' or online DNS checkers to confirm your DKIM CNAME record resolves correctly to the ESP's TXT record.
Monitor your DMARC reports consistently to detect any DKIM authentication failures early and address them promptly.
Common pitfalls
Forgetting to disable Cloudflare's proxy (orange cloud) for DKIM CNAME records, leading to authentication failures.
Incorrectly typing the CNAME name or target value; even a small error can cause the record not to resolve.
Expecting instant propagation of DNS changes; allow up to 48 hours for global DNS updates.
Assuming the issue is always with Cloudflare, neglecting to check for an activation step with the email service provider.
Expert tips
If DKIM validation fails despite correct DNS settings, check your ESP's dashboard for an activation button or status indicator, as some providers require manual activation.
When dealing with multiple third parties for DNS and email sending, establish clear communication channels and request direct verification of DNS settings.
For complex setups or persistent issues, consider reaching out to Cloudflare's support, specifically mentioning DKIM CNAMEs and the 'DNS Only' requirement.
Implement a robust DMARC policy with reporting to gain visibility into your DKIM authentication status and pinpoint problems quickly.
Expert view
Expert from Email Geeks says ensuring that Cloudflare's orange cloud proxying is disabled for DKIM CNAME records is a critical step, as proxying will prevent the record from resolving correctly.
2024-08-08 - Email Geeks
Marketer view
Marketer from Email Geeks says issues often arise when working with third-party DNS vendors and not having direct access to Cloudflare settings.
2024-08-08 - Email Geeks

Ensuring proper DKIM authentication

Proper DKIM setup is a cornerstone of strong email authentication and plays a significant role in your email deliverability. While adding DKIM records via CNAME with Cloudflare can introduce unique challenges, the majority of these can be resolved by correctly configuring the proxy status, ensuring accuracy in your record entries, and patiently waiting for DNS propagation. Remember, a correctly authenticated email is much more likely to reach the inbox, avoiding spam folders and protecting your sender reputation.
Regularly reviewing your DNS settings and monitoring your email authentication status, particularly through DMARC reports, will help you proactively identify and resolve any issues. This attention to detail will help ensure your emails consistently reach their intended recipients.
