DKIM record not verified...dunno why

Trying to add a DKIM TXT record to a domain and it’s not coming back as verified…dunno what to do @fool

Added an SPF TXT record and that is working, but cannot get the DKIM to work…copied it from google verbatim, but still not verified, and don’t know what is wrong or how to fix…

site is https://alma.vacations

record looks like this:

If you can think of anything that we’re not doing, then please share :slight_smile:

Hey @arrowgtp,

You may not need to append your URL to the name: DKIM verification process keeps failing

Let me know if this helps!

I did not do that…netlify keeps adding it…

Here is what I did:

and this is what i get from netlify after I save the record:

and there is no edit button, so I can’t take that off…I don’t know what to do…

This looks correct to me, but for some reason it’s not showing when your DNS is polled.

Hi, @arrowgtp, this is what I see when I query the record currently:

$ dig google._domainkey.alma.vacations TXT  +noall +answer

; <<>> DiG 9.10.6 <<>> google._domainkey.alma.vacations TXT +noall +answer
;; global options: +cmd
google._domainkey.alma.vacations. 3599 IN TXT	"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAho0dO5/TQdyzkSiQaL6oUMki9e1ZzfxS80dRJwyrm4ZTjaP3HL0IqNVxMYMPSZ7on2YCAIqVux9EStMMeY6sXx/UHOGlxppoHje+UEygREjcK60Bdh9O6TIX+HcGhmTvg0443ExHMSHDEHqSw0h9TsSA6A3pe+bNDiFSXi4409eZBPk1YAHfZAu4TL8dhjVTi" "f1Peh5LoX+Age4DXgJnVwYNUkd+TSxhV6hpWc6RuHSB8MC9TwrgshcaGELrzP6XV+IfOs6nsUf/jj9FTh5HLepbns6eutRXKZMAePZMhXw0F9+oVEAaepp0A8VLSRY1tNmvdg4Sny9u/TudXFgSxQIDAQAB"

Regarding the apex domain being appended, it will always be appended for any DNS record for any DNS service. Your DNS records are always relative to the apex domain (which is alma.vacations in this case).

Also, you are correct there is no edit button. The only way to change a DNS record currently is to delete it and recreate it.

Note, the only difference between the DNS record shown in your screenshot and the one returned when I test is that the value returned is split each 255 characters (which is part of how DNS works). There is more about this here:

Would you please test this locally with dig and/or nslookup and let us know what you find?

The output of the following would be helpful for example:

nslookup -type=TXT google._domainkey.alma.vacations

Would you please post the results of that command here?

@luke Right you are. I was hitting the apex domain, not the subdomain. I see it now, as do you, so Google should be able to find this for verification.

Here is what I got from nslookup:

RN:~ rchrdnsh$ nslookup -type=TXT google._domainkey.alma.vacations
Server: 192.168.1.1
Address: 192.168.1.1#53

Non-authoritative answer:
google._domainkey.alma.vacations text = "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAho0dO5/TQdyzkSiQaL6oUMki9e1ZzfxS80dRJwyrm4ZTjaP3HL0IqNVxMYMPSZ7on2YCAIqVux9EStMMeY6sXx/UHOGlxppoHje+UEygREjcK60Bdh9O6TIX+HcGhmTvg0443ExHMSHDEHqSw0h9TsSA6A3pe+bNDiFSXi4409eZBPk1YAHfZAu4TL8dhjVTi" "f1Peh5LoX+Age4DXgJnVwYNUkd+TSxhV6hpWc6RuHSB8MC9TwrgshcaGELrzP6XV+IfOs6nsUf/jj9FTh5HLepbns6eutRXKZMAePZMhXw0F9+oVEAaepp0A8VLSRY1tNmvdg4Sny9u/TudXFgSxQIDAQAB"

Authoritative answers can be found from:

RN:~ rchrdnsh$

I don’t really know what I’m looking at here…so new to DNS in general and I have no knowledge about DKIM, SPF and the like…

…does any of this mean that any of this is working now?

Here is a screenshot from a website that tests DKIM and SPF records…is this good now?

@arrowgtp The “nslookup” command is short for “name server lookup.” It’s roughly the equivalent of dig google._domainkey.alma.vacations -t TXT.

The “-type=txt” switch specifies what specific DNS records you want to query.

Because this record is set up as a subdomain by Google, you have to query the subdomain, thus google._domainkey.alma.vacations.

The next two lines – the Server and the Address – simply show the source of the information to be presented.

The “answer” is the key bit. This shows the contents of the TXT DNS entry for this subdomain. It’s similar to the results from the dig command, which are:

google._domainkey.alma.vacations. 3599 IN TXT	"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAho0dO5/TQdyzkSiQaL6oUMki9e1ZzfxS80dRJwyrm4ZTjaP3HL0IqNVxMYMPSZ7on2YCAIqVux9EStMMeY6sXx/UHOGlxppoHje+UEygREjcK60Bdh9O6TIX+HcGhmTvg0443ExHMSHDEHqSw0h9TsSA6A3pe+bNDiFSXi4409eZBPk1YAHfZAu4TL8dhjVTi" "f1Peh5LoX+Age4DXgJnVwYNUkd+TSxhV6hpWc6RuHSB8MC9TwrgshcaGELrzP6XV+IfOs6nsUf/jj9FTh5HLepbns6eutRXKZMAePZMhXw0F9+oVEAaepp0A8VLSRY1tNmvdg4Sny9u/TudXFgSxQIDAQAB"

If this string deviates in even the smallest way from what Google is expecting, they will not verify / validate your control of this domain name.

This should – actually, must – match the text string that Google gave you to complete the validation process.
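Added example, not part of any post in this thread: a Python check that joins the quoted 255-character chunks of a TXT answer (as dig and nslookup print them above) and compares the DKIM tags with the value the mail provider issued. The function names, the selector `selector._domainkey.example.test` and the key bytes are constructed for illustration; comparing tag by tag with whitespace removed is an assumption of this sketch.

```python
import base64
import re

def join_txt_strings(rdata: str) -> str:
    """Concatenate the quoted strings of one TXT answer, in order, no separator."""
    parts = re.findall(r'"((?:[^"\\]|\\.)*)"', rdata)
    if not parts:
        raise ValueError("no quoted strings found in TXT data")
    return "".join(parts)

def parse_tags(record: str) -> dict:
    """Split 'v=DKIM1; k=rsa; p=...' into {tag: value}."""
    tags = {}
    for item in record.split(";"):
        name, sep, value = item.partition("=")
        if sep:
            # Drop whitespace: in p= (base64) folding whitespace is not significant.
            tags[name.strip()] = "".join(value.split())
    return tags

def check_published(rdata: str, expected: str) -> list:
    """Return a list of problems; an empty list means the record matches."""
    got, want = parse_tags(join_txt_strings(rdata)), parse_tags(expected)
    problems = []
    if got.get("v") != "DKIM1":
        problems.append("v tag is missing or not DKIM1")
    for tag in ("k", "p"):
        if got.get(tag) != want.get(tag):
            problems.append(f"{tag} tag differs from the expected value")
    try:
        base64.b64decode(got.get("p", ""), validate=True)
    except ValueError:
        problems.append("p tag is not valid base64")
    return problems

def as_dig_prints(value: str, limit: int = 255) -> str:
    """Render a value as quoted chunks of at most 255 characters."""
    return " ".join(f'"{value[i:i + limit]}"' for i in range(0, len(value), limit))

# Constructed sample: 294 arbitrary bytes stand in for a 2048-bit public key.
KEY = base64.b64encode(bytes(i % 256 for i in range(294))).decode()
EXPECTED = "v=DKIM1; k=rsa; p=" + KEY
SPLIT_ANSWER = "selector._domainkey.example.test. 3599 IN TXT " + as_dig_prints(EXPECTED)
TRUNCATED_ANSWER = f'"{EXPECTED[:255]}"'  # constructed failure: only the first chunk published

if __name__ == "__main__":
    print(check_published(SPLIT_ANSWER, EXPECTED))
    print(check_published(TRUNCATED_ANSWER, EXPECTED))
```

The split answer passes because the chunks are joined with nothing between them; the truncated one fails on the `p` tag.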