Underscore in CNAME required by SES not allowed by registrar [closed]
Amazon's SES mail service requires DKIM authentication. One step of authentication is to add a CNAME record to your domain's DNS.

Unfortunately the CNAME record has an underscore. My registrar, Network Solutions, does not allow underscores in CNAME records.

Is there a workaround for this? Transferring to a different registrar is an option, but obviously a horrible option.

Balm answered 30/11, 2012 at 17:35 Comment(8)
Looks like it's never going to happen with Network Solutions. (Anticlinorium)
Attn GoDaddy users: for the CNAMEs you need to click the link "Use classic DNS Manager", because the new DNS manager doesn't work with Amazon SES DKIM CNAMEs. (Anticlinorium)
Hi @Simon_Weaver, I'm having the same issue with GoDaddy, can you please provide the link to the classic DNS manager? Thanks! (Malicious)
Did you report it to them? For me I go to dcc.godaddy.com/dcc50/Default.aspx and then click the domain, select the 'DNS zone file' tab and scroll down to make my changes. Clicking the 'See how' link just takes you to the new broken page. (Anticlinorium)
Looks like maybe they removed the link I mentioned (two years ago!) but the control page is still there. (Anticlinorium)
It is 2017 and cPanel (I have version 64.0.21) is releasing a new "Zone Editor" to replace the old "Advanced Zone Editor", and guess what: the new Zone Editor has the same problem w.r.t. _ characters... (Sansculotte)
Just add a "dmarc" CNAME record, and then edit it and add an underscore; it would work :) (Gelhar)
In GoDaddy, you can do this by creating a DNS template, as that interface lets you use underscores. Then just apply the template to your DNS record using the "Append record" option. (Elan)
10

DKIM is done with TXT records. Of course you could have a CNAME record (or chain) that points to a TXT record, but it is much more common to just create a TXT record directly.

Your DNS authoritative nameservice provider should let you put labels with underscores (which DKIM requires) into your domain's zone file. If not, then select a different DNS nameservice provider or use your own nameservers.

What DNS registrar you are using has nothing to do with it. The registrar does not control the contents of the domain nor would they even be aware of it.

It may be that your registrar and DNS nameservice provider happen to be the same organization, but they are separate roles and should be considered separately.

Demilune answered 30/11, 2012 at 19:20 Comment(4)
My nameservice provider is the same as my registrar. My nameservice provider doesn't allow underscores. The solution is to use a different nameservice provider. Thanks @Celada. (Balm)
It's been 3 years since this question was asked and still there are some DNS providers who do not allow the underscore character for DKIM in TXT records. For me, the CNAME record pointing to the TXT record worked. Thanks. (Whiteness)
@BaranitharanSelvasundaram as a general rule the Internet doesn't get smarter when you give it three years. 'nuff said. (Demilune)
I faced the same issue. My DNS provider didn't let me add an underscore when I was trying to get the domain verified with the ACM. My solution was a simple thing: I just added the record without the underscore and then edited it later, adding the leading underscore. But a better alternative would be Route53 :) (Tribal)
25

After over two hours on the phone with Network Solutions customer service, they are manually entering the Amazon SES DKIM authentication records for me.

Firstly, the fact that they do not allow underscores in their CNAME is INCORRECT behavior.

As per RFC 1034:

Names that are not host names can consist of any printable ASCII character.

The DKIM standard REQUIRES the underscore, as per RFC 4871:

All DKIM keys are stored in a subdomain named "_domainkey". Given a DKIM-Signature field with a "d=" tag of "example.com" and an "s=" tag of "foo.bar", the DNS query will be for "foo.bar._domainkey.example.com".

RFC 1034 describes the CNAME record and indicates that the CNAME RR is not (necessarily) a hostname, so any printable ASCII character should be allowed. Network Solutions is WRONG on this.

While DKIM records CAN be stored as TXT records, Amazon SES uses CNAME records so that they can rotate the keys. Which should be possible, if not for Network Solutions' inept policies.

For more information on this, I recommend this site, which explains that any DNS entries that are not hostnames (which the fields in a CNAME can be, but are not necessarily) should be allowed underscores.

In order to finally get them to manually enter the records, they needed to escalate the ticket. It had to be done on the phone; my initial email ticket was answered with the disappointing response "You need to call in."

I had to explain several times that other nameservers allow underscores in the CNAME and that if they cannot accommodate us, we will be switching immediately.

They had to talk to the primary account holder (which was not me, and was not someone technical) in order to "confirm" that these DNS records should be put in place. Even though he was just calling in to "confirm" they gave him the run around on the phone for over 70 minutes. This confirmation seemed completely unnecessary, as my account was authorized to edit DNS records.

It was a rather frustrating experience, and I am planning to migrate away from Network Solutions as soon as I can. The required downtime has dissuaded us in the past, but at this point I believe it is justified.

While you might be able to convince them to manually enter the records, I would recommend switching nameservers if it is at all possible.

Jat answered 1/11, 2014 at 19:48 Comment(1)
Good info in this post and learned something new. (Collude)
5

DKIM requires a subdomain named _domainkey (RFC 4871), and underscores are completely valid for subdomains.

What if your DNS provider doesn't allow them?

  1. Contact them; they should fix it, and if you can, consider changing provider.
  2. As a temporary solution, copy the TXT record directly (this is temporary because it's likely to change at some point and you'll have to update it), see below:

For example, SendGrid will ask you to point the CNAME s1._domainkey.example.com to s1.domainkey.u1234567.00000.sendgrid.net, so get the TXT record via:

$ host -t txt s1.domainkey.u1234567.00000.sendgrid.net
s1.domainkey.u1234567.00000.sendgrid.net descriptive text "k=rsa\; t=s\; p=SOMETHING+VERY+LOOOOOOOONG"

Now create a TXT record for the subdomain s1._domainkey with the following content (remember to un-escape the \ characters, for example):

k=rsa; t=s; p=SOMETHING+VERY+LOOOOOOOONG
Snakemouth answered 21/3, 2016 at 21:40 Comment(2)
This is great advice, however Mailchimp's record is 259 characters long. Network Solutions limits it to 253 characters. (Gayden)
Works great with Freenom domains and Amazon certificates. (Chausses)
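The following is an added example, not code from the original question or any of the answers. It puts the two pieces of DNS reasoning above into working Python: the DKIM lookup name quoted from RFC 4871 (selector, then the _domainkey label, then the signing domain) and the manual copy of the CNAME target's TXT record that the answer above describes, including un-escaping the `\;` sequences printed by `host -t txt` and splitting a long key into 255-octet strings for the length limit mentioned in the comments. All sample data is constructed (the sendgrid.net target and key text mirror the answer's placeholders); no DNS lookup is performed.

```python
# Added example, not from the original post or any answer: helpers for the
# manual DKIM workaround described above.  All names and sample data are
# constructed; nothing here performs a DNS lookup.
import re

# One double-quoted character-string as printed by `host -t txt` or dig,
# allowing backslash-escaped characters inside the quotes.
_QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')


def parse_tags(tag_list: str) -> dict:
    """Parse a DKIM tag=value list (RFC 4871 section 3.2): tags separated by
    ';', whitespace ignored, split on the first '=' only (b= is base64)."""
    tags = {}
    for item in tag_list.split(";"):
        item = item.strip()
        if not item:
            continue  # a trailing ';' is permitted
        name, sep, value = item.partition("=")
        if sep:
            tags[name.strip()] = "".join(value.split())  # drop folding whitespace
    return tags


def dkim_query_name(dkim_signature: str) -> str:
    """Return the name a verifier queries for a DKIM-Signature header:
    <s>._domainkey.<d> (RFC 4871 section 3.6.2.1).  The '_domainkey' label
    is the one that some DNS control panels refuse."""
    tags = parse_tags(dkim_signature)
    return f"{tags['s']}._domainkey.{tags['d']}"


def txt_value_from_host_output(host_line: str) -> str:
    """Take one `host -t txt` output line, un-escape each quoted string
    (backslash-semicolon becomes a plain semicolon, and so on) and join
    multiple character-strings into the single logical TXT value."""
    strings = _QUOTED.findall(host_line)
    if not strings:
        raise ValueError("no quoted TXT strings found in: %r" % host_line)
    return "".join(re.sub(r"\\(.)", r"\1", s) for s in strings)


def split_txt_strings(value: str, limit: int = 255) -> list:
    """Split a long TXT value into character-strings of at most `limit`
    octets; verifiers concatenate them, which is how long keys are published."""
    data = value.encode("ascii")
    return [data[i:i + limit].decode("ascii") for i in range(0, len(data), limit)]


def manual_dkim_txt_record(selector: str, domain: str, host_line: str) -> dict:
    """Build the TXT record to enter by hand in place of the CNAME: owner
    name <selector>._domainkey.<domain>, value copied from the CNAME target."""
    value = txt_value_from_host_output(host_line)
    if not parse_tags(value).get("p"):
        # An empty or missing p= tag means the key is revoked (RFC 4871 3.6.1).
        raise ValueError("TXT record carries no public key (p= missing or empty)")
    return {
        "name": f"{selector}._domainkey.{domain}",
        "type": "TXT",
        "strings": split_txt_strings(value),
    }


if __name__ == "__main__":
    # Constructed sample: the CNAME target's TXT record as printed by `host`.
    sample = ('s1.domainkey.u1234567.00000.sendgrid.net descriptive text '
              '"k=rsa\\; t=s\\; p=SOMETHING+VERY+LOOOOOOOONG"')
    print(manual_dkim_txt_record("s1", "example.com", sample))
```

Because the copied value is a snapshot of the provider's key, it breaks whenever the provider rotates the key behind the CNAME, which is the reason the answer above calls this a temporary measure; checking the record against a fresh `host -t txt` of the target on a schedule is the practical mitigation until the zone can be moved to a provider that accepts the underscore.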
-2

The Amazon forum (https://forums.aws.amazon.com/thread.jspa?threadID=119464) says that you can use a TXT record if the CNAME record doesn't work:

"Set a TXT entry on my DNS settings, this entry looks like: Name: ._domainkey.mydomain.com Type: TXT Value: "p=AAZZZZZZEEEEEERRRRRRRRTTTTTTTYYYYYYYYY..","

I have not been able to get this to work yet, but I think it is the right direction since it is highly unlikely that I will be able to get Yahoo et al. to change their DNS policies.

Fracas answered 7/5, 2013 at 20:40 Comment(1)
No you can't. That guy doesn't know what he's talking about. DKIM doesn't work like that. It looks like it can be made to work, but if Amazon rotates the key out it will break. (Anticlinorium)