I am using Netlify as my custom DNS provider. I am using ProtonMail for email, and I moved over the DNS records for ProtonMail from Namecheap to Netlify. In my research regarding this issue, I found this forum post which is exactly the same issue I am facing. However, the original poster (and consequently, the support engineer) misrepresented the core issue of what is happening.
ProtonMail uses DKIM to sign emails. I recently got a notification from ProtonMail saying that everything about the DNS configuration is correct, except for the DKIM values. I believe there is a bug in Netlify with CNAME records containing a period (which is entirely valid in DNS).
As a proof of concept, I’ve created two CNAME records. One CNAME record is simply _domainkey. Here is the result from dig:
% dig _domainkey.cerne.xyz
...omitted for brevity...
;; QUESTION SECTION:
;_domainkey.cerne.xyz. IN A
;; ANSWER SECTION:
_domainkey.cerne.xyz. 3600 IN CNAME protonmail2.domainkey.dw55lrwez7cfocnrv4xc6hftjlupqkmjfsov4oaex7abms6f5hrwa.domains.proton.ch.
...omitted for brevity...
The above output indicated that the DNS record was saved successfully.
The original CNAME record I was trying to create, which is required by ProtonMail, is protonmail._domainkey. Please see the following dig command:
% dig protonmail._domainkey.cerne.xyz
...omitted for brevity...
;; QUESTION SECTION:
;protonmail._domainkey.cerne.xyz. IN A
...omitted for brevity...
This dig command resulted in no ANSWER SECTION, leading me to believe that the CNAME value was not added. Here is a screenshot of my records:
My previous DNS provider did not have this issue with the CNAME DKIM records. I am setting the TXT records now, but I don’t expect it to work. Will check it out in the morning.
Per this site, “The key will either be inserted directly into your zone as a TXT record, or it will be a CNAME pointing to the key in your provider’s DNS.”
ProtonMail seems to use the latter authentication for DKIM. Regardless of whether or not I set up DKIM right, I still think there is an issue with CNAME records in Netlify. DNS host names are allowed to be “sub-subdomains”, but it seems this is a technical limitation of Netlify, unless I’m misunderstanding something.
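To make the check described above repeatable, here is an added example (not part of the original post, and not Netlify's or ProtonMail's code) that parses dig output and reports whether the DKIM selector name resolved to a CNAME or TXT record; the two sample outputs are constructed from the ones quoted in the post, with the elided lines left out.

```python
import re
from typing import Optional

# Constructed samples, modelled on the two dig outputs quoted in the post
# (the "...omitted for brevity..." lines are left out here too).
DIG_WITH_CNAME = """\
;; QUESTION SECTION:
;_domainkey.cerne.xyz. IN A

;; ANSWER SECTION:
_domainkey.cerne.xyz. 3600 IN CNAME protonmail2.domainkey.dw55lrwez7cfocnrv4xc6hftjlupqkmjfsov4oaex7abms6f5hrwa.domains.proton.ch.
"""

DIG_WITHOUT_ANSWER = """\
;; QUESTION SECTION:
;protonmail._domainkey.cerne.xyz. IN A
"""


def parse_dig_answers(output: str) -> list:
    """Return (owner, rrtype, rdata) tuples from dig's ANSWER SECTION."""
    answers = []
    in_answer = False
    for line in output.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if line.startswith(";;"):  # any other section header ends the answer block
            in_answer = False
            continue
        if not in_answer or not line.strip() or line.startswith(";"):
            continue
        # dig prints: owner  ttl  class  type  rdata (rdata may contain spaces)
        parts = line.split(None, 4)
        if len(parts) == 5:
            answers.append((parts[0].lower(), parts[3].upper(), parts[4]))
    return answers


def dkim_status(output: str, selector_name: str) -> Optional[tuple]:
    """Return ("CNAME", target) or ("TXT", value) for the selector, else None.

    None means the zone returned no CNAME/TXT answer for that name, which is
    exactly the symptom seen for protonmail._domainkey in the post."""
    want = selector_name.lower().rstrip(".") + "."
    for owner, rrtype, rdata in parse_dig_answers(output):
        if owner == want and rrtype in ("CNAME", "TXT"):
            return rrtype, rdata
    return None
```

For a live check, feed the output of `dig protonmail._domainkey.<your-domain>` to `dkim_status` with the same selector name.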
Could you also keep the CNAME records active till we debug this? We now see that you’ve removed the CNAME records, thus we can’t check what was happening in the past.
Hi, @cernec1999. I also see them working now. I checked the logs for your team and I don’t see anything to explain why the DNS records didn’t work last time.
As an example of something that might explain it, a NETLIFY type DNS record for the same name would block the CNAME. Again, though, I don’t see any indication of that. There are no such records now and there are no logs showing those records having been created or deleted either.
So, I cannot explain why it didn’t work before. I am glad to learn they are working now, though.
If there are other questions or new information to share, please feel free to reply here anytime.