DNS DKIM CNAME Values For ProtonMail Not Working

I am using Netlify as my custom DNS provider. I am using ProtonMail for email, and I moved over the DNS records for ProtonMail from Namecheap to Netlify. In my research regarding this issue, I found this forum post which is exactly the same issue I am facing. However, the original poster (and consequently, the support engineer) misrepresented the core issue of what is happening.

ProtonMail uses DKIM to sign emails. I recently got a notification from ProtonMail saying that everything about the DNS configuration is correct, except for the DKIM values. I believe there is a bug in Netlify with CNAME records containing a period (which is entirely valid in DNS).

As a proof of concept, I’ve created two CNAME records. One CNAME record is simply _domainkey. Here is the result from dig:

% dig _domainkey.cerne.xyz

...omitted for brevity...
;_domainkey.cerne.xyz.		IN	A

_domainkey.cerne.xyz.	3600	IN	CNAME	protonmail2.domainkey.dw55lrwez7cfocnrv4xc6hftjlupqkmjfsov4oaex7abms6f5hrwa.domains.proton.ch.
...omitted for brevity...

The above output indicated that the DNS record was saved successfully.

The original CNAME record I was trying to create, which is required by ProtonMail, is protonmail._domainkey. Please see the following dig command:

% dig protonmail._domainkey.cerne.xyz

...omitted for brevity...
;protonmail._domainkey.cerne.xyz. IN	A
...omitted for brevity...

This dig command resulted in no ANSWER SECTION, leading me to believe that the CNAME value was not added. Here is a screenshot of my records:

If this isn’t resolved soon, I will likely have to move back to Namecheap as my DNS provider. Thank you!

Hi, @cernec1999. DKIM records should be type TXT and not type CNAME.

If you make that change, it should resolve the issue. If not, please let us know.


ProtonMail specifically requests that these records be CNAME records, per the following screenshot:

My previous DNS provider did not have this issue with the CNAME DKIM records. I am setting the TXT records now, but I don’t expect it to work. Will check it out in the morning.

Per this site, “The key will either be inserted directly into your zone as a TXT record, or it will be a CNAME pointing to the key in your provider’s DNS.”

ProtonMail seems to use the latter authentication for DKIM. Regardless of whether or not I set up DKIM right, I still think there is an issue with CNAME records in Netlify. DNS host names are allowed to be “sub-subdomains”, but it seems this is a technical limitation of Netlify, unless I’m misunderstanding something.

Hey @cernec1999

I have DKIM CNAME records too and have no issues with them.

Mine follow the same format <selector>._domainkey.example.com.

Quick edit: I’ve put in TXT records with the DKIM key, and that seems to work, but the point of the CNAME is to do DKIM key rotation. See this link: Anti-spoofing for Custom Domains

“We use CNAME records to manage automatic DKIM key rotation, which is an accepted security best practice.”

I still need these CNAME records to work.
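The CNAME-delegated DKIM layout being discussed (selector._domainkey.domain aliased to a TXT record the mail provider controls) can be checked without touching live DNS. The following is an added example, not code from Netlify, Proton or any poster in this thread: it works over a constructed snapshot of records, follows the CNAME chain to the TXT record, parses the DKIM tags, and flags the failure mode Netlify support mentioned later (another record type sitting at the same owner name as the CNAME). The domain example.com and the EXAMPLE-TOKEN hostname are placeholders, not the real Proton targets.

```python
"""Offline DKIM selector checker over a constructed DNS snapshot.

Added example; not the code of Netlify, Proton or the thread's posters.
"""
from typing import Dict, List, Optional, Tuple

# owner name -> list of (rtype, rdata). Constructed sample data; the
# ...domains.proton.ch targets use a placeholder token, not a real one.
Zone = Dict[str, List[Tuple[str, str]]]
ZONE: Zone = {
    # Healthy layout: CNAME alias, and the provider publishes the TXT key.
    "protonmail._domainkey.example.com.": [
        ("CNAME", "protonmail.domainkey.EXAMPLE-TOKEN.domains.proton.ch."),
    ],
    "protonmail.domainkey.EXAMPLE-TOKEN.domains.proton.ch.": [
        ("TXT", "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAexample"),
    ],
    # Broken layout: a CNAME must be the only record at its owner name
    # (RFC 1034 section 3.6.2); an A record beside it is a misconfiguration.
    "protonmail2._domainkey.example.com.": [
        ("A", "192.0.2.1"),
        ("CNAME", "protonmail2.domainkey.EXAMPLE-TOKEN.domains.proton.ch."),
    ],
    # Selector that was never created (what an empty ANSWER SECTION looks like).
    "protonmail3._domainkey.example.com.": [],
}


def fqdn(name: str) -> str:
    """Normalise to a fully qualified name with a trailing dot."""
    return name if name.endswith(".") else name + "."


def records(zone: Zone, name: str, rtype: str) -> List[str]:
    """Return the rdata strings of one type at one owner name."""
    return [rdata for rt, rdata in zone.get(fqdn(name), []) if rt == rtype]


def parse_dkim_tags(txt: str) -> Dict[str, str]:
    """Split a DKIM TXT record ('tag=value; tag=value') into a dict."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip()] = value.strip()
    return tags


def resolve_dkim_txt(zone: Zone, name: str, max_hops: int = 8
                     ) -> Tuple[Optional[str], List[str], List[str]]:
    """Follow CNAMEs from `name`; return (txt, names visited, errors)."""
    current = fqdn(name)
    chain = [current]
    errors: List[str] = []
    for _ in range(max_hops):
        rrset = zone.get(current, [])
        if not rrset:
            errors.append(f"no records at {current}")
            return None, chain, errors
        cnames = records(zone, current, "CNAME")
        if cnames:
            others = sorted({rt for rt, _ in rrset if rt != "CNAME"})
            if others:
                errors.append(f"CNAME at {current} coexists with {', '.join(others)}")
            target = fqdn(cnames[0])
            if target in chain:
                errors.append(f"CNAME loop at {target}")
                return None, chain, errors
            chain.append(target)
            current = target
            continue
        txts = records(zone, current, "TXT")
        if not txts:
            errors.append(f"no TXT record at end of chain ({current})")
            return None, chain, errors
        return txts[0], chain, errors
    errors.append(f"more than {max_hops} CNAME hops")
    return None, chain, errors


def check_dkim_selector(zone: Zone, domain: str, selector: str) -> dict:
    """Report on <selector>._domainkey.<domain>: chain, tags and problems."""
    name = fqdn(f"{selector}._domainkey.{domain}")
    txt, chain, errors = resolve_dkim_txt(zone, name)
    tags = parse_dkim_tags(txt) if txt else {}
    if txt is not None:
        if tags.get("v", "DKIM1") != "DKIM1":  # v= is optional but must be DKIM1
            errors.append(f"unexpected version tag v={tags['v']}")
        if not tags.get("p"):  # empty p= means the key has been revoked
            errors.append("missing or empty p= tag")
    return {"name": name, "chain": chain, "tags": tags,
            "errors": errors, "ok": not errors}


if __name__ == "__main__":
    for sel in ("protonmail", "protonmail2", "protonmail3"):
        report = check_dkim_selector(ZONE, "example.com", sel)
        print(report["name"], "OK" if report["ok"] else report["errors"])
```

Against live DNS the same walk is `dig +short CNAME protonmail._domainkey.<domain>` followed by `dig +short TXT <target>`; the snapshot above simply replaces those lookups so the logic can be exercised offline.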

Hey @cernec1999,

Could you also keep the CNAME records active till we debug this? We now see that you’ve removed the CNAME records, thus we can’t check what was happening in the past.

I added the CNAME records earlier today. Seems like they work now. Not sure why.

Hi, @cernec1999. I also see them working now. I checked the logs for your team and I don’t see anything to explain why the DNS records didn’t work last time.

For example, one thing that might explain it is a NETLIFY type DNS record for the same name, which would block the CNAME. Again, though, I don’t see any indication of that. There are no such records now and there are no logs showing those records having been created or deleted either.

So, I cannot explain why it didn’t work before. I am glad to learn they are working now, though.

If there are other questions or new information to share, please feel free to reply here anytime.

Thanks for your help, Luke! I’ll be sure to ping you if any issues come up. BTW, love your product!
