Amazon's SES mail service requires DKIM authentication. One step of authentication is to add a CNAME record to your domain's DNS.
Unfortunately the CNAME record has an underscore. My registrar, Network Solutions, does not allow underscores in CNAME records.
Is there a workaround for this? Transferring to a different registrar is an option, but obviously a horrible option.
TL;DR: yes, an underscore is valid in a CNAME record on both sides; read below for why. RFC 1034 and others define records based on "domain names", which are labels with any character, so including _. But some records have stricter rules for either the owner name and/or the resource data (RDATA).
The use of underscore characters is a little confusing. Underscore characters are not permitted in domain names in accordance with RFC 1035, which only allows letters, digits and hyphens. As such, you cannot register a domain name with an underscore character.
A CNAME cannot be placed at the root domain level, because the root domain is the DNS Start of Authority (SOA) which must point to an IP address. CNAME records must point to another domain name, never to an IP address.
After over two hours on the phone with Network Solutions customer service, they are manually entering the Amazon SES DKIM authentication records for me.
Firstly, the fact that they do not allow underscores in their CNAME is INCORRECT behavior.
As per RFC 1034:
Names that are not host names can consist of any printable ASCII character.
The DKIM standard REQUIRES the underscore, as per RFC 4871:
All DKIM keys are stored in a subdomain named "_domainkey". Given a DKIM-Signature field with a "d=" tag of "example.com" and an "s=" tag of "foo.bar", the DNS query will be for "foo.bar._domainkey.example.com".
RFC 1034 describes the CNAME record and indicates that the CNAME RR is not (necessarily) a hostname, so any printable ASCII character should be allowed. Network Solutions is WRONG on this.
While DKIM records CAN be stored as TXT records, Amazon SES uses CNAME records so that they can rotate the keys. This should be possible, if not for Network Solutions' inept policies.
For more information on this, I recommend this site, which explains that any DNS entries that are not hostnames (which the fields in a CNAME can be, but are not necessarily) should be allowed underscores.
In order to finally get them to manually enter the records, they needed to escalate the ticket. It had to be done on the phone; my initial email ticket was responded to with the disappointing response "You need to call in."
I had to explain several times that other nameservers allow underscores in the CNAME and that if they cannot accommodate us, we will be switching immediately.
They had to talk to the primary account holder (which was not me, and was not someone technical) in order to "confirm" that these DNS records should be put in place. Even though he was just calling in to "confirm" they gave him the run around on the phone for over 70 minutes. This confirmation seemed completely unnecessary, as my account was authorized to edit DNS records.
It was a rather frustrating experience, and I am planning to migrate away from Network Solutions as soon as I can. The required downtime has dissuaded us in the past, but at this point I believe it is justified.
While you might be able to convince them to manually enter the records, I would recommend switching nameservers if it is at all possible.
DKIM is done with TXT records. Of course you could have a CNAME record (or chain) that points to a TXT record, but it is much more common to just create a TXT record directly.
Your DNS authoritative nameservice provider should let you put labels with underscores (which DKIM requires) into your domain's zone file. If not, then select a different DNS nameservice provider or use your own nameservers.
What DNS registrar you are using has nothing to do with it. The registrar does not control the contents of the domain nor would they even be aware of it.
It may be that your registrar and DNS nameservice provider happen to be the same organization, but they are separate roles and should be considered separately.
DKIM requires a subdomain named _domainkey (RFC 4871) (and underscores are completely valid for subdomains).
What if your DNS provider doesn't allow them?
For example, for SendGrid it'll ask you to point the CNAME s1._domainkey.example.com to s1.domainkey.u1234567.00000.sendgrid.net, so get the TXT record via:
$ host -t txt s1.domainkey.u1234567.00000.sendgrid.net
s1.domainkey.u1234567.00000.sendgrid.net descriptive text "k=rsa\; t=s\; p=SOMETHING+VERY+LOOOOOOOONG"
Now create a TXT record for the subdomain s1._domainkey with the following content (remember to un-escape the \, for example):
k=rsa; t=s; p=SOMETHING+VERY+LOOOOOOOONG
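An added example (not from any answer above or from any provider's tooling) that automates this workaround: it takes a `host -t txt` line, strips the escaping `host` adds, checks that the mandatory p= tag is present, and builds the record for the _domainkey owner name; it also splits values longer than 255 bytes into several strings, which larger keys need. The sample line, selector, account id and key value are constructed placeholders.

```python
import re

# Constructed sample line in the shape `host -t txt` prints (selector,
# account id and key value are placeholders, not a real record).
HOST_OUTPUT = ('s1.domainkey.u1234567.00000.sendgrid.net descriptive text '
               '"k=rsa\\; t=s\\; p=SOMETHING+VERY+LOOOOOOOONG"')


def dkim_query_name(domain, selector):
    """Owner name of a DKIM key per RFC 4871: <selector>._domainkey.<domain>."""
    return f"{selector}._domainkey.{domain}"


def txt_from_host_output(line):
    """Return the TXT value from one `host -t txt` line.

    `host` prints every character-string quoted and backslash-escapes
    characters such as ';' (a zone-file comment marker); that escaping
    must be removed before pasting the value into a provider's TXT form.
    A long record arrives as several quoted strings, which are joined.
    """
    strings = re.findall(r'"((?:[^"\\]|\\.)*)"', line)
    if not strings:
        raise ValueError("no quoted TXT data in: %r" % line)
    return re.sub(r"\\(.)", r"\1", "".join(strings))


def parse_dkim_tags(value):
    """Split a DKIM tag=value list ('k=rsa; t=s; p=...') into a dict and
    require the mandatory p= (public key) tag."""
    tags = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        tags[name.strip()] = "".join(val.split())  # drop folding whitespace
    if "p" not in tags:
        raise ValueError("DKIM record has no p= tag")
    return tags


def txt_record_for_zone(owner, value, chunk=255):
    """Zone-file line for the TXT record; DNS limits one character-string
    to 255 bytes, so longer values become several quoted strings."""
    esc = value.replace("\\", "\\\\").replace('"', '\\"')
    parts = [esc[i:i + chunk] for i in range(0, len(esc), chunk)]
    return f"{owner} IN TXT " + " ".join(f'"{p}"' for p in parts)
```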