DKIM record not verified...dunno why

Trying to add a DKIM TXT record to a domain and it’s not coming back as verified…dunno what to do @fool

Added an SPF TXT record and that is working, but cannot get the DKIM to work…copied it from google verbatim, but still not verified, and don’t know what is wrong or how to fix…

site is https://alma.vacations

record looks like this:

If you can think of anything that we’re not doing, then please share 🙂

Hey @arrowgtp,

You may not need to append your URL to the name: DKIM verification process keeps failing

Let me know if this helps!

I did not do that…netlify keeps adding it…

Here is what I did:

and this is what I get from netlify after I save the record:

and there is no edit button, so I can’t take that off…I don’t know what to do…

This looks correct to me, but for some reason it’s not showing when your DNS is polled.

Hi, @arrowgtp, this is what I see when I query the record currently:

$ dig google._domainkey.alma.vacations TXT  +noall +answer

; <<>> DiG 9.10.6 <<>> google._domainkey.alma.vacations TXT +noall +answer
;; global options: +cmd
google._domainkey.alma.vacations. 3599 IN TXT	"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAho0dO5/TQdyzkSiQaL6oUMki9e1ZzfxS80dRJwyrm4ZTjaP3HL0IqNVxMYMPSZ7on2YCAIqVux9EStMMeY6sXx/UHOGlxppoHje+UEygREjcK60Bdh9O6TIX+HcGhmTvg0443ExHMSHDEHqSw0h9TsSA6A3pe+bNDiFSXi4409eZBPk1YAHfZAu4TL8dhjVTi" "f1Peh5LoX+Age4DXgJnVwYNUkd+TSxhV6hpWc6RuHSB8MC9TwrgshcaGELrzP6XV+IfOs6nsUf/jj9FTh5HLepbns6eutRXKZMAePZMhXw0F9+oVEAaepp0A8VLSRY1tNmvdg4Sny9u/TudXFgSxQIDAQAB"

Regarding the apex domain being appended, it will always be appended for any DNS record for any DNS service. Your DNS records are always relative to the apex domain (which is alma.vacations in this case).

Also, you are correct there is no edit button. The only way to change a DNS record currently is to delete it and recreate it.

Note, the only difference between the DNS record shown in your screenshot and the one returned when I test is that the value returned is split each 255 characters (which is part of how DNS works). There is more about this here:

Would you please test this locally with dig and/or nslookup and let us know what you find?

The output of the following would be helpful for example:

nslookup -type=TXT google._domainkey.alma.vacations

Would you please post the results of that command here?

@luke Right you are. I was hitting the apex domain, not the subdomain. I see it now, as do you, so Google should be able to find this for verification.

Here is what I got from nslookup:

RN:~ rchrdnsh$ nslookup -type=TXT google._domainkey.alma.vacations

Server: 192.168.1.1

Address: 192.168.1.1#53

Non-authoritative answer:

google._domainkey.alma.vacations text = "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAho0dO5/TQdyzkSiQaL6oUMki9e1ZzfxS80dRJwyrm4ZTjaP3HL0IqNVxMYMPSZ7on2YCAIqVux9EStMMeY6sXx/UHOGlxppoHje+UEygREjcK60Bdh9O6TIX+HcGhmTvg0443ExHMSHDEHqSw0h9TsSA6A3pe+bNDiFSXi4409eZBPk1YAHfZAu4TL8dhjVTi" "f1Peh5LoX+Age4DXgJnVwYNUkd+TSxhV6hpWc6RuHSB8MC9TwrgshcaGELrzP6XV+IfOs6nsUf/jj9FTh5HLepbns6eutRXKZMAePZMhXw0F9+oVEAaepp0A8VLSRY1tNmvdg4Sny9u/TudXFgSxQIDAQAB"

Authoritative answers can be found from:

RN:~ rchrdnsh$

I don’t really know what I’m looking at here…so new to DNS in general and I have no knowledge about DKIM SPF and the like…

…does any of this mean that any of this is working now?

Here is a screenshot from a website that tests DKIM and SPF records…is this good now?

@arrowgtp The “nslookup” command is short for “name server lookup.” It’s roughly the equivalent of dig google._domainkey.alma.vacations -t TXT.

The “-type=txt” switch specifies what specific DNS records you want to query.

Because this record is set up as a subdomain by Google, you have to query the subdomain, thus google._domainkey.alma.vacations.

The next two lines – the Server and the Address – simply show the source of the information to be presented.

The “answer” is the key bit. This shows the contents of the TXT DNS entry for this subdomain. It’s similar to the results from the dig command, which are:

google._domainkey.alma.vacations. 3599 IN TXT	"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAho0dO5/TQdyzkSiQaL6oUMki9e1ZzfxS80dRJwyrm4ZTjaP3HL0IqNVxMYMPSZ7on2YCAIqVux9EStMMeY6sXx/UHOGlxppoHje+UEygREjcK60Bdh9O6TIX+HcGhmTvg0443ExHMSHDEHqSw0h9TsSA6A3pe+bNDiFSXi4409eZBPk1YAHfZAu4TL8dhjVTi" "f1Peh5LoX+Age4DXgJnVwYNUkd+TSxhV6hpWc6RuHSB8MC9TwrgshcaGELrzP6XV+IfOs6nsUf/jj9FTh5HLepbns6eutRXKZMAePZMhXw0F9+oVEAaepp0A8VLSRY1tNmvdg4Sny9u/TudXFgSxQIDAQAB"

If this string deviates in even the smallest way from what Google is expecting, they will not verify / validate your control of this domain name.

This should – actually, must – match the text string that Google gave you to complete the validation process.
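An added example, not part of the original thread and not Netlify's or Google's tooling: it joins the quoted 255-character pieces of a TXT answer the way a DKIM verifier does, decodes DNS presentation escapes such as `\013\010` (CR/LF), and compares the `v`, `k` and `p` tags with the value the mail provider issued. The key material is a constructed stand-in, and the function names are hypothetical.

```python
import base64
import re

def txt_strings(rdata):
    # Split TXT rdata (dig/nslookup presentation format) into its quoted
    # character-strings, decoding backslash-DDD (decimal octet) and
    # backslash-char escapes.
    unescape = lambda m: chr(int(m.group(1))) if len(m.group(1)) == 3 else m.group(1)
    return [re.sub(r"\\(\d{3}|.)", unescape, raw)
            for raw in re.findall(r'"((?:[^"\\]|\\.)*)"', rdata)]

def dkim_tags(record):
    # Parse a "tag=value; tag=value" list; whitespace inside values is dropped.
    tags = {}
    for item in record.split(";"):
        name, sep, value = item.partition("=")
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags

def compare(rdata, expected):
    # Return a list of findings; an empty list means the published key matches.
    joined = "".join(txt_strings(rdata))
    findings = []
    if re.search(r"[\x00-\x1f]", joined):
        findings.append("control character (CR/LF?) in published value")
    pub, exp = dkim_tags(joined), dkim_tags(expected)
    for tag in ("v", "k", "p"):
        if pub.get(tag) != exp.get(tag):
            findings.append(f"tag {tag} differs from expected")
    try:
        base64.b64decode(pub.get("p", ""), validate=True)
    except ValueError:
        findings.append("p is not valid base64")
    return findings

# Constructed sample: 294 arbitrary bytes stand in for a 2048-bit key blob,
# so the record is 410 characters and needs two character-strings.
SAMPLE_P = base64.b64encode(bytes(i % 251 for i in range(294))).decode()
EXPECTED = f"v=DKIM1; k=rsa; p={SAMPLE_P}"

def as_dig(value):
    # Render a value the way dig prints long TXT data: quoted 255-byte pieces.
    return " ".join('"%s"' % value[i:i + 255] for i in range(0, len(value), 255))

if __name__ == "__main__":
    print(compare(as_dig(EXPECTED), EXPECTED))
    print(compare(as_dig(EXPECTED + "\\013\\010"), EXPECTED))
```

To check a live record, pass the output of `dig +short TXT google._domainkey.<your domain>` as `rdata` and the string from the provider's admin console as `expected`.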

So, I seem to have same problem with google apps DKIM, google._domainkey and netlify dns editor.
First dns editor I’ve seen that appends domain name automatically.
I put in: google._domainkey and netlify changes to google._domainkey.mydomainname.com

Google apps do not verify the setting even after 48 hours.

@henrikeh When you add google._domainkey to your DNS records, you are actually adding a subdomain for hedget.com. Different online DNS dashboards display it differently, but the FQDN would be google._domainkey.hedget.com.

As for your TXT record not showing up, I would try deleting that record and re-entering it. I’m not seeing it either, even though I’m able to see your A records and NS records.

If deletion and re-entry doesn’t fix this, someone at the Netlify mothership is going to have to step in.

It worked after removing and re-adding, but with some changes, not sure what made it.

  1. Other prefix than google (they let you edit).
  2. Shorter keylength 1024
  3. Made sure no trailing CR/LF in text entry.

Thanks!
