This is the reason there’s an extra TXT record, I contacted Brevo to see if there was something else I could try they gave me another entry to replace the other, so I replaced it & that entry never resolved either. For now, both are added and are not working.
The final query name for your TXT record is composed of the subname and domain name. So for the records that are shown in your screenshot, you would get
for subname mail._domainkey and domain scamdemic.party, the complete query name is mail._domainkey.scamdemic.party;
for subname mail._domainkey.vaultwarden.scamdemic.party, the complete query name is mail._domainkey.vaultwarden.scamdemic.party.scamdemic.party.
From the screenshot of the email that you posted, I think you would like to have mail._domainkey.vaultwarden.scamdemic.party. Using subname mail._domainkey.vaultwarden in your domain scamdemic.party would achieve that.
I tried subname mail._domainkey.vaultwarden for the DKIM TXT record and it worked! After that, the first record (brevo-code:d1fd62554f2db4a5adc29505780a586e) became unverified. I deleted the old record & re-added it with the vaultwarden subname and now everything is verified!
Oh no, I spoke too soon. I added the TXT records and now the domain is verified for sending system emails via brevo, but I can’t access the site?
I am serving Vaultwarden via OPNsense w/ the HAProxy plugin and I followed a tutorial to get wildcard certificates working. Now after adding these records I can’t connect to my instance and the browser reports a dns issue.
I just checked my other services like jitsi & a few others and everything else is working. I’d rather not have vaultwarden specific records, other than the TXT records for verification, unless you think I might need one to make this setup work.
You’re relying on a wildcard record, but any other record which makes a domain implicitly exist causes a wild card record to not apply to that domain. In your case, the vaultwarden domain exists because of the TXT record, so the CNAME wildcard does not apply to the vaultwarden domain. A CNAME record and a TXT record can not coexist for the same label, so adding a CNAME explicitly for that subdomain won’t work either.