Wildcard CNAME won't resolve when TXT is present at specific subdomain

Hi, I’ve been struggling to get my domain verified at Brevo. These are the TXT records I am supposed to create.

I tried to add more screenshots with more relevant info, but new users are only allowed one upload per post :confused: I’ll try to add more in the replies.

I created them here:

The first TXT record is verified within minutes, the 2nd never resolves.

This is the reason there’s an extra TXT record: I contacted Brevo to see if there was something else I could try, and they gave me another entry to replace the other, so I replaced it, and that entry never resolved either. For now, both are added and are not working.

Am I missing something or formatting something wrong? I copied & pasted the entries multiple times to check to see if there was a problem there, but they are correct.

Thank you.

Hi Tad,

welcome to deSEC!

The final query name for your TXT record is composed of the subname and domain name. So for the records that are shown in your screenshot, you would get

  • for subname mail._domainkey and domain scamdemic.party, the complete query name is mail._domainkey.scamdemic.party;
  • for subname mail._domainkey.vaultwarden.scamdemic.party, the complete query name is mail._domainkey.vaultwarden.scamdemic.party.scamdemic.party.

From the screenshot of the email that you posted, I think you would like to have mail._domainkey.vaultwarden.scamdemic.party. Using subname mail._domainkey.vaultwarden in your domain scamdemic.party would achieve that.

Best,
Nils


Hi Nils,

I tried subname mail._domainkey.vaultwarden for the DKIM TXT record and it worked! After that, the first record (brevo-code:d1fd62554f2db4a5adc29505780a586e) became unverified. I deleted the old record & re-added it with the vaultwarden subname and now everything is verified!

Thank you for your help.

Oh no, I spoke too soon. I added the TXT records and now the domain is verified for sending system emails via Brevo, but I can’t access the site?

I am serving Vaultwarden via OPNsense w/ the HAProxy plugin and I followed a tutorial to get wildcard certificates working. Now after adding these records I can’t connect to my instance and the browser reports a DNS issue.

I just checked my other services like jitsi & a few others and everything else is working. I’d rather not have vaultwarden specific records, other than the TXT records for verification, unless you think I might need one to make this setup work.

This is what the records look like currently.

I appreciate your help!

I had to delete the TXT records, at least for now. Why would TXT records cause a certain domain to not resolve?

You’re relying on a wildcard record, but any other record which makes a domain implicitly exist causes a wildcard record to not apply to that domain. In your case, the vaultwarden domain exists because of the TXT record, so the CNAME wildcard does not apply to the vaultwarden domain. A CNAME record and a TXT record cannot coexist for the same label, so adding a CNAME explicitly for that subdomain won’t work either.
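To make both points in this thread concrete, here is a small Python model (added as an illustration; it is not deSEC code and not a real resolver) of how an authoritative server picks an answer. It first composes query names the way Nils describes (subname + domain), then walks the RFC 4592 wildcard rules: a wildcard only answers for names that do not exist, and a name exists as soon as any record lives at or below it, even with no data of its own (an "empty non-terminal"). The zone contents, the wildcard target `proxy.example.`, the `ns.example.` placeholder and the DKIM value are constructed for the example; only the domain, subnames and the brevo-code string come from the thread.

```python
# Added example: simplified RFC 4592 wildcard matching and CNAME coexistence check.
# All record data here is constructed; "proxy.example." / "ns.example." are placeholders.
from typing import Dict, List, Tuple

Zone = Dict[str, Dict[str, List[str]]]  # owner name -> RR type -> list of rdata strings


def fqdn(subname: str, domain: str) -> str:
    """deSEC composes the query name as subname + '.' + domain (empty subname = apex)."""
    return domain if subname == "" else f"{subname}.{domain}"


def add_rr(zone: Zone, owner: str, rtype: str, rdata: str) -> None:
    """Insert a record, enforcing that a CNAME cannot share an owner name with any other type."""
    existing = zone.get(owner, {})
    if rtype == "CNAME" and any(t != "CNAME" for t in existing):
        raise ValueError(f"{owner} already has {sorted(existing)}; CNAME cannot coexist")
    if rtype != "CNAME" and "CNAME" in existing:
        raise ValueError(f"{owner} has a CNAME; {rtype} cannot coexist")
    zone.setdefault(owner, {}).setdefault(rtype, []).append(rdata)


def name_exists(zone: Zone, name: str) -> bool:
    """A name exists if it owns records OR is an ancestor of an owner (empty non-terminal)."""
    return any(owner == name or owner.endswith("." + name) for owner in zone)


def _answer(how: str, rrset: Dict[str, List[str]], qtype: str) -> Tuple[str, List[str]]:
    if qtype in rrset:
        return (how, rrset[qtype])
    if "CNAME" in rrset:               # a CNAME answers for every type at that owner
        return (how + "-cname", rrset["CNAME"])
    return ("nodata", [])


def lookup(zone: Zone, qname: str, qtype: str) -> Tuple[str, List[str]]:
    """Resolve qname/qtype: exact match, then existence check, then wildcard synthesis."""
    if qname in zone:                  # exact owner match wins
        return _answer("exact", zone[qname], qtype)
    if name_exists(zone, qname):       # exists only as an empty non-terminal: no wildcard
        return ("nodata", [])
    labels = qname.split(".")
    for i in range(1, len(labels)):    # walk up to the closest existing ancestor
        ancestor = ".".join(labels[i:])
        if name_exists(zone, ancestor):
            wild = "*." + ancestor     # only the closest encloser's wildcard may apply
            if wild in zone:
                return _answer("wildcard", zone[wild], qtype)
            break
    return ("nxdomain", [])


def simulate() -> Dict[str, Tuple[str, List[str]]]:
    """Replay the thread: wildcard CNAME works until TXT records appear under vaultwarden."""
    zone: Zone = {}
    add_rr(zone, "scamdemic.party", "NS", "ns.example.")            # placeholder apex record
    add_rr(zone, "*.scamdemic.party", "CNAME", "proxy.example.")    # the wildcard CNAME
    results: Dict[str, Tuple[str, List[str]]] = {}
    results["before"] = lookup(zone, "vaultwarden.scamdemic.party", "A")

    # DKIM TXT under the vaultwarden label, using the subname Nils recommended
    add_rr(zone, fqdn("mail._domainkey.vaultwarden", "scamdemic.party"), "TXT",
           "v=DKIM1; p=PLACEHOLDER")
    results["after_dkim"] = lookup(zone, "vaultwarden.scamdemic.party", "A")

    # verification TXT placed directly on vaultwarden.scamdemic.party
    add_rr(zone, fqdn("vaultwarden", "scamdemic.party"), "TXT",
           "brevo-code:d1fd62554f2db4a5adc29505780a586e")
    results["after_code"] = lookup(zone, "vaultwarden.scamdemic.party", "A")

    # an explicit CNAME at the same label is rejected because a TXT is already there
    try:
        add_rr(zone, "vaultwarden.scamdemic.party", "CNAME", "proxy.example.")
        results["explicit_cname"] = ("added", [])
    except ValueError:
        results["explicit_cname"] = ("rejected", [])

    # other hosts are untouched: nothing makes them exist, so the wildcard still applies
    results["other_host"] = lookup(zone, "jitsi.scamdemic.party", "A")
    return results


if __name__ == "__main__":
    for step, outcome in simulate().items():
        print(f"{step:15s} -> {outcome}")
```

Running it shows `before` answered from the wildcard CNAME, `after_dkim` returning no data (the DKIM TXT alone is enough to make `vaultwarden.scamdemic.party` exist as an empty non-terminal), `after_code` still returning no data, the explicit CNAME rejected, and `jitsi.scamdemic.party` still served by the wildcard, which matches the behaviour reported above.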