What issues occur when adding DKIM record to DNS via CName with Cloudflare?

Key findings

• Proxy conflict: Cloudflare's default proxying (the orange cloud) is a common cause of DKIM CNAME validation failures, as it interferes with the direct DNS lookup required for authentication.
• DNS only mode: DKIM CNAME records must be set to 'DNS only' to allow proper email authentication.
• Activation step: Even if the CNAME is correctly entered and unproxied, a final 'activation' step might be required by the email service provider to complete the DKIM setup.
• Third-party management: Working through a third-party DNS vendor can add complexity and communication challenges to the troubleshooting process.

Key considerations

• Disable proxying: Ensure the Cloudflare CNAME record for DKIM has the proxy status (orange cloud) turned off, setting it to DNS-only mode.
• Exact values: Always add the CNAME record exactly as provided by your email service provider, including any underscores, which are required for DKIM.
• Verify propagation: Use DNS lookup tools like dig to confirm the CNAME record is publicly resolving correctly.
• Authentication steps: Beyond adding the record, ensure all necessary authentication steps are completed within your email service platform. For details on how CNAME records affect email authentication, consult our guide.
• Mailchimp specific advice: When setting up DKIM for services like Mailchimp via CNAMEs, remember to toggle off the Cloudflare proxy (the orange button) to ensure proper verification. More information can be found on DmarcDkim.com's setup guide.

Key opinions

• Proxy interference: Marketers frequently identify Cloudflare's orange cloud proxy as the culprit for DKIM authentication problems.
• Lack of direct access: Many find it challenging to troubleshoot when they don't have direct access to DNS settings, relying instead on third-party vendors.
• Verification gaps: There is a common struggle to independently verify if CNAME records are properly resolving, leading to guesswork.
• Activation oversight: A key realization among marketers is that simply adding DNS records isn't enough; an activation step within the email platform is often necessary.

Key considerations

• DNS-only setting: Always ensure the Cloudflare CNAME record for DKIM is set to DNS-only (gray cloud) to avoid proxy-related issues.
• Third-party communication: If using a third party, clearly communicate the need for DNS-only mode for email authentication records. Our guide on troubleshooting SPF authentication issues may offer further insight.
• Independent verification: Learn to use public DNS lookup tools to independently confirm your DKIM CNAME is resolving correctly.
• Underscore support: While Cloudflare supports underscores in CNAMEs, confirm your email provider's specific requirements, as some hosts may not support underscores. Our article on fixing DKIM record published errors provides additional help.

Key opinions

• Proxy is problematic: The consensus among experts is that the 'orange cloud' (proxy) on Cloudflare must be disabled for DKIM CNAME records.
• DNS query essential: Experts recommend using DNS query tools to confirm the CNAME records are correctly resolving at the DNS level, independent of the email platform's status.
• Activation crucial: Many issues stem from a missing final 'activation' or verification step within the email service provider's system, even if DNS records are set up correctly. This is often seen as a key aspect of a simple guide to DMARC, SPF, and DKIM.
• Holistic view: Experts stress the importance of looking at the entire authentication chain, from DNS configuration to the email service's internal settings.

Key considerations

• Disable Cloudflare proxy: Always ensure the CNAME record in Cloudflare for DKIM is set to DNS-only mode (gray cloud). This is the most common fix.
• Verify with tools: Utilize command-line tools like dig or online DNS lookup services to confirm the CNAME record is resolving correctly and pointing to the expected target. Our article on why CPanel DKIM records fail validation touches on verification.
• Complete activation: Confirm that all steps, including any internal activation or verification clicks within your email service platform, are completed after adding the DNS records. For more in-depth troubleshooting, see decoding DKIM TempError.
• Check email logs: If DKIM still fails after DNS verification, review your email sending logs for specific error messages from the receiving mail server. An Amazon Web Services, Inc. community discussion offers similar advice.

Key findings

• Proxy prohibition: Documentation frequently highlights that CNAME records for DKIM cannot be proxied by Cloudflare and must be DNS only.
• Underscore requirement: The need for underscores in DKIM record names is often specified, along with warnings about hosts that may not support them.
• Exact values: Guides stress the importance of adding CNAME values precisely as provided by the email service.
• Activation process: The documentation usually includes a final verification or activation step within the email platform itself after DNS changes.

Key considerations

• Follow proxy instructions: Adhere strictly to documentation that instructs to turn off Cloudflare's proxy for DKIM CNAMEs.
• Verify underscore compatibility: Ensure your DNS host supports underscores in record names for proper DKIM setup.
• Complete all steps: Do not overlook any activation steps provided by your email service after adding DNS records. For more info on how a missing DKIM record affects deliverability, read our article.
• Consult specific guides: Refer to the exact documentation from your email service provider (e.g., Mailchimp, Amazon SES) and DNS host (Cloudflare) for the most accurate instructions. Our guide on CNAME delegation for SPF and DKIM is also helpful.