Automatic DNS management with deSEC fails for a TXT record because there is a CNAME one already

Issue Description

The task “Perform DNS management for a domain” fails because:

Failed to set DNS RRSet for mail.example.org./TXT: Failed to set DNS RRSet: API error: BadRequest [{"non_field_errors":["RRset with conflicting type present at same subname: database (CNAME). (No other RRsets are allowed alongside CNAME.)"]}]

Stalwart Version

v0.16.x

Installation Method

Binary (Linux)

Database Backend

RocksDB

Blob Storage

RocksDB

Search Engine

Internal

Directory Backend

Internal

I have reviewed the documentation and FAQ and confirm that my issue is NOT addressed there.

on

I have searched this support forum (open and closed topics) and confirm this is not a duplicate.

on

This is a DNS protocol constraint, not a Stalwart bug. The error comes from deSEC (and it would come from any standards-compliant DNS provider): RFC 2181 prohibits any other record type from coexisting at the same name as a CNAME. Your zone already has a CNAME record at mail.example.org., and Stalwart’s automatic DNS management is trying to add a TXT record at that same name – deSEC correctly rejects it.

The fix is on the DNS side, not in Stalwart. You need to:

  1. Log in to your deSEC dashboard and delete (or rename) the existing CNAME record at mail.example.org.
  2. Once that conflicting CNAME is gone, re-trigger the DnsManagement task in Stalwart (WebUI: Management > Tasks > New Task) so it retries writing the TXT record.

If the CNAME at mail.example.org is serving a purpose (e.g. pointing your mail hostname to a hosting provider), be aware that a proper mail setup typically uses an A/AAAA record (not a CNAME) for the hostname referenced in your MX record anyway – many MTAs reject MX targets that resolve to a CNAME.

You can also use the publishRecords field on your Domain object to exclude specific record types from automatic management if you need to keep manual control over certain names.

Relevant docs: DNS records – Automatic DNS management

This is an automated reply from the Stalwart Help Bot. Other community members may follow up if this answer is incomplete or wrong.

Since my Stalwart instance is behind an HTTP reverse proxy, without a CNAME I won’t be able to access its admin panel, WebDAV, etc.

This one is DNS itself rejecting the change rather than Stalwart or deSEC: RFC 1034 says nothing can coexist with a CNAME at the same name, so deSEC refuses to add a TXT where you already have a CNAME. You have a CNAME at the exact name where Stalwart needs to publish a TXT record.

The fix is on the zone side. If that hostname points at your reverse proxy, replace the CNAME with A/AAAA records (those can coexist with a TXT), or move the proxy hostname to a separate subdomain that Stalwart doesn’t manage. The names Stalwart publishes TXT on are fixed (the _mta-sts, _smtp._tls, _dmarc and _domainkey labels, plus your configured host), so keeping custom CNAMEs off those names avoids the collision.
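
The coexistence rule discussed in this thread, as an added example that is not part of any post and is not Stalwart or deSEC code: a Python pre-flight check that compares the RRsets about to be written against the types already present at each owner name. The sample zone, the planned record list and the function names are constructed for illustration.

```python
# Added example: offline pre-flight check for CNAME coexistence conflicts.
# DNSSEC RRSIG and NSEC are the only types allowed beside a CNAME (RFC 4035, 2.5).
ALLOWED_WITH_CNAME = {"RRSIG", "NSEC"}


def fqdn(name):
    """Normalise an owner name: lower-case with exactly one trailing dot."""
    return name.strip().lower().rstrip(".") + "."


def cname_conflicts(existing, planned):
    """Return (owner, planned_type, blocking_type) for each planned RRset that
    cannot coexist with what is already present at the same owner name."""
    types_at = {}
    for name, rtype in existing:
        types_at.setdefault(fqdn(name), set()).add(rtype.upper())

    conflicts = []
    for name, rtype in planned:
        owner, rtype = fqdn(name), rtype.upper()
        present = types_at.setdefault(owner, set())
        if rtype in present or rtype in ALLOWED_WITH_CNAME:
            blockers = set()          # overwrite of same RRset, or DNSSEC data
        elif rtype == "CNAME":
            blockers = present - ALLOWED_WITH_CNAME
        else:
            blockers = present & {"CNAME"}
        conflicts.extend((owner, rtype, b) for b in sorted(blockers))
        if not blockers:
            present.add(rtype)        # later planned entries must respect it too
    return conflicts


# Constructed sample zone (not real data): hostname still behind a CNAME.
EXISTING = [("mail.example.org.", "CNAME"), ("example.org.", "MX"),
            ("_dmarc.example.org.", "TXT")]
# Constructed list of RRsets an automatic DNS manager might try to write.
PLANNED = [("Mail.Example.Org", "TXT"), ("_imaps._tcp.example.org.", "SRV"),
           ("_dmarc.example.org.", "CNAME")]
# Same zone after swapping the CNAME for address records.
FIXED = [("mail.example.org.", "A"), ("mail.example.org.", "AAAA"),
         ("example.org.", "MX"), ("_dmarc.example.org.", "TXT")]

if __name__ == "__main__":
    for owner, want, blocker in cname_conflicts(EXISTING, PLANNED):
        print(f"{owner} {want}: blocked by existing {blocker}")
    print("after fix:", cname_conflicts(FIXED, PLANNED[:2]) or "no conflicts")
```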

Thank you, I replaced the CNAME with A and AAAA records, and that TXT record was added.

Now I have another error:

Failed to set DNS RRSet for _imaps._tcp.example.org./SRV: Failed to set DNS RRSet: API error: HTTP 502:

<head><title>502 Bad Gateway</title></head>
<body>
<center><h1>502 Bad Gateway</h1></center>
<hr><center>nginx</center>
</body>
</html>

But deSEC’s domain management panel shows me that this domain exists.