Cloudflare DNS API incorrect DKIM

Issue Description

RSA DKIM TXT is being cut into two sections when using Cloudflare automatic DNS.

Expected Behavior

DKIM record created in one blob instead of two.

Actual Behavior

A line break occurs, causing Cloudflare to close quote the blob and re-open a second section when publishing the RSA DKIM TXT record.

Reproduction Steps

1. Run bootstrap and configure automatic DNS for Cloudflare
2. systemctl restart stalwart
3. tail -f /var/log/stalwart/stalwart.2026-05-25 and wait

Relevant Log Output

2026-05-25T01:23:58Z WARN DNS record propagation timeout (dns.record-propagation-timeout) hostname = "v1-rsa-20260525._domainkey.example.ca.", details = "example.ca", type = "TXT", value = "v=DKIM1; k=rsa; h=sha256; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoyDvXVu/vClrEkhQhMM6xTnlfrOXi6iZuj+j6aicMv26uEl/wG3qYTu8iyPu6bYMk7D+0YspFIvKuwP3D2zc2YrlV7MKXY7TPgs0otZTT1mHde3/tP/s0WGgChlkBMVYhtlKRbOAtdY/6ZoEC9UBhp6xOLT65TrNsYHKDZ2NZPRho37fz4LAST2aDV+xq+mr/71hwHkAdi8ChGzoOyEVKT5mq6S9v04biUgIlwMkGQ4V6iGVyFqW+mQ6ZqSAVZWxbUYxIEbwmbk+/zDUzyB1XCL/RQGYpTbdgCNVL2T93AwDka/x/xkX/FDOk6ym11HF7VvfNdvhAXQyVgp+wOD7lQIDAQAB"
2026-05-25T01:24:59Z WARN DNS record propagation timeout (dns.record-propagation-timeout) hostname = "v1-ed25519-20260525._domainkey.example.ca.", details = "example.ca", type = "TXT", value = "v=DKIM1; k=ed25519; h=sha256; p=47bj6n7ZSYYRW5G/j/bfnGDA0cFq+8/ZYRwIj0IS9og="
2026-05-25T01:26:00Z WARN DNS record propagation timeout (dns.record-propagation-timeout) hostname = "v1-rsa-20260525._domainkey.example.ca.", details = "example.ca", type = "TXT", value = "v=DKIM1; k=rsa; h=sha256; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoyDvXVu/vClrEkhQhMM6xTnlfrOXi6iZuj+j6aicMv26uEl/wG3qYTu8iyPu6bYMk7D+0YspFIvKuwP3D2zc2YrlV7MKXY7TPgs0otZTT1mHde3/tP/s0WGgChlkBMVYhtlKRbOAtdY/6ZoEC9UBhp6xOLT65TrNsYHKDZ2NZPRho37fz4LAST2aDV+xq+mr/71hwHkAdi8ChGzoOyEVKT5mq6S9v04biUgIlwMkGQ4V6iGVyFqW+mQ6ZqSAVZWxbUYxIEbwmbk+/zDUzyB1XCL/RQGYpTbdgCNVL2T93AwDka/x/xkX/FDOk6ym11HF7VvfNdvhAXQyVgp+wOD7lQIDAQAB"
2026-05-25T01:28:29Z WARN DNS record propagation timeout (dns.record-propagation-timeout) hostname = "v1-ed25519-20260525._domainkey.example.ca.", details = "example.ca", type = "TXT", value = "v=DKIM1; k=ed25519; h=sha256; p=47bj6n7ZSYYRW5G/j/bfnGDA0cFq+8/ZYRwIj0IS9og="
2026-05-25T01:29:30Z WARN DNS record propagation timeout (dns.record-propagation-timeout) hostname = "v1-rsa-20260525._domainkey.example.ca.", details = "example.ca", type = "TXT", value = "v=DKIM1; k=rsa; h=sha256; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoyDvXVu/vClrEkhQhMM6xTnlfrOXi6iZuj+j6aicMv26uEl/wG3qYTu8iyPu6bYMk7D+0YspFIvKuwP3D2zc2YrlV7MKXY7TPgs0otZTT1mHde3/tP/s0WGgChlkBMVYhtlKRbOAtdY/6ZoEC9UBhp6xOLT65TrNsYHKDZ2NZPRho37fz4LAST2aDV+xq+mr/71hwHkAdi8ChGzoOyEVKT5mq6S9v04biUgIlwMkGQ4V6iGVyFqW+mQ6ZqSAVZWxbUYxIEbwmbk+/zDUzyB1XCL/RQGYpTbdgCNVL2T93AwDka/x/xkX/FDOk6ym11HF7VvfNdvhAXQyVgp+wOD7lQIDAQAB"
2026-05-25T01:33:23Z WARN DNS record propagation timeout (dns.record-propagation-timeout) hostname = "v1-ed25519-20260525._domainkey.example.ca.", details = "example.ca", type = "TXT", value = "v=DKIM1; k=ed25519; h=sha256; p=47bj6n7ZSYYRW5G/j/bfnGDA0cFq+8/ZYRwIj0IS9og="
2026-05-25T01:34:25Z WARN DNS record propagation timeout (dns.record-propagation-timeout) hostname = "v1-rsa-20260525._domainkey.example.ca.", details = "example.ca", type = "TXT", value = "v=DKIM1; k=rsa; h=sha256; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoyDvXVu/vClrEkhQhMM6xTnlfrOXi6iZuj+j6aicMv26uEl/wG3qYTu8iyPu6bYMk7D+0YspFIvKuwP3D2zc2YrlV7MKXY7TPgs0otZTT1mHde3/tP/s0WGgChlkBMVYhtlKRbOAtdY/6ZoEC9UBhp6xOLT65TrNsYHKDZ2NZPRho37fz4LAST2aDV+xq+mr/71hwHkAdi8ChGzoOyEVKT5mq6S9v04biUgIlwMkGQ4V6iGVyFqW+mQ6ZqSAVZWxbUYxIEbwmbk+/zDUzyB1XCL/RQGYpTbdgCNVL2T93AwDka/x/xkX/FDOk6ym11HF7VvfNdvhAXQyVgp+wOD7lQIDAQAB"
2026-05-25T01:40:19Z WARN Task failed during processing (task-manager.task-failed) id = 309103926817325568, details = "DkimManagement", reason = "DKIM record v1-ed25519-20260525._domainkey.example.ca. did not propagate, will retry.; DKIM record v1-rsa-20260525._domainkey.example.ca. did not propagate, will retry."```

### Stalwart Version
v0.16.x

### Installation Method
Binary (Linux)

### Database Backend
PostgreSQL

### Blob Storage
S3-compatible

### Search Engine
Internal

### Directory Backend
Internal

### Additional Context
The ed25519 TXT record appears to be created correctly, but the RSA key is created as:

```"v=DKIM1; k=rsa; h=sha256; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoyDvXVu/vClrEkhQhMM6xTnlfrOXi6iZuj+j6aicMv26uEl/wG3qYTu8iyPu6bYMk7D+0YspFIvKuwP3D2zc2YrlV7MKXY7TPgs0otZTT1mHde3/tP/s0WGgChlkBMVYhtlKRbOAtdY/6ZoEC9UBhp6xOLT65TrNsYHKDZ2NZPRho37fz4LAST2" "aDV+xq+mr/71hwHkAdi8ChGzoOyEVKT5mq6S9v04biUgIlwMkGQ4V6iGVyFqW+mQ6ZqSAVZWxbUYxIEbwmbk+/zDUzyB1XCL/RQGYpTbdgCNVL2T93AwDka/x/xkX/FDOk6ym11HF7VvfNdvhAXQyVgp+wOD7lQIDAQAB"```

It looks like a line break was introduced, causing Cloudflare to quote encapsulate two separate blobs, as Cloudflare recently started enforcing quote-enclosed TXT records.

### I have reviewed the documentation and FAQ and confirm that my issue is NOT addressed there.
on

### I have searched this support forum (open and closed topics) and confirm this is not a duplicate.
on

### I understand that topics in this category are triaged by a bot first but a human reply will follow up. If I'd prefer a human-only reply, I'll add the no-ai tag to my topic.
on

The issue is clear from the source code. Stalwart constructs the DKIM DNS record value as a single plain string (e.g., format!("v=DKIM1; k=rsa; h=sha256; p={public_key}")), and then passes it as a DnsRecord::TXT(record) to the dns_update library. The splitting into two quoted strings is happening inside the dns_update library’s Cloudflare provider, not in Stalwart itself. Let me check that dependency.

The dns-update crate version 0.5.0 is used. The issue is in how that library creates the Cloudflare TXT record for RSA keys – RSA public keys are long enough that they exceed the 255-byte limit for a single DNS character-string, so the library splits the value into multiple quoted strings. This is actually correct DNS behavior (RFC 4871 / RFC 7489 allow multi-string TXT records), but Cloudflare’s API may be returning or displaying the record in a way that confuses the propagation check.

This has been fixed.

Does this require waiting for the next binary update, or is it fixed by just downloading the latest WebUI? I ask because I did download the UI, and the log reports success now, but the RSA key is still broken in two.

It will be included in the v0.16.7 release.

Unfortunately the issue persists, plus an ED key issue.

For full flow, tried in order:

1. Attempted a DKIM rotation. Nothing happened, but most likely due to the keys not being due for rotation - fine.
2. Deleted the CF DNS entries for ED and RSA, performed rotation, it put the same keys back - fine.
3. Deleted both DKIM keys from Stalwart domain, but I only removed the RSA key, not the ED key, from CF DNS. Performed rotation. New keys created for both, but did not recognize the old ED key was present in the CF zone and remove it, most likely due to me deleting the old keys from Stalwart. Task failed with ```DKIM record v1-ed25519-20260529._domainkey.example.ca. did not propagate, will retry.; DKIM record v1-rsa-20260529._domainkey.example.ca. did not propagate, will retry.```

Should Stalwart realize there are keys it doesn’t manage that can interfere?

In terms of RSA, it placed the new key, but still has the two broken text parts.

Old Key created under 0.16.6 gave CF record

v1-rsa-20260527._domainkey
"v=DKIM1; k=rsa; h=sha256; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA+N/J9P3Ww7eBiqj2uhArzi1RuAsylnuA+XK3wLdFnXBmDIz0HC2QSI+BeYTZ5phIga6GTTttc3OykqOYcoJYx4fXdd1hD+gxTD03eudUQm38yLhweZoKT4ulQvSKL1PpXIPf0XS2D7oodrRW5F8L/ePKxfxqfarCHMipmnDpC4SR3MFtEtqLm+O" "p4vKvaxpnsx+zWLWsamEtG+kYu3YEoBpfQ6FFnz9ChddigHzJtege4a5B7lWWA2uexW7AgTRJ4d/3quApSnCXQ+8QQT5pvFlCThPcTuLuoLMoEMmiItJ7ZMCu5UQSojzGuq8SKv7eTVdLo30oDSque1ioB+M0DQIDAQAB"

New Key created under 0.16.7 gave CF record

v1-rsa-20260529._domainkey
“v=DKIM1; k=rsa; h=sha256; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu2QjsGzb0YJKKnW3gRkybD+Ea0VY4fPfV9dtYuXUN7n2lNc1xlunQB8KhD8AkPW+gq8bGIl5MQOcT6SdhHTCIfLBzRgMIH0SjFZrJJL2iLgKLJ99sIWvaQapPxHZInlQVD2wrxzNrk8WxZBnZ8RH0uIccpBrbIX4MpTNhpXHxw6w/AZUbapfl2R” “CGIv4wksEaiJJZyRCXv4+s/+TY7U6q8D4zO2rGrDngWsiH00tcgRPFrWZ3mMdxE/kML3MIod9KLlPB3so8E9jMrPAA90L3gsNNFiKYw0nqlRVBO7wJZugemO077gcy3r/0cwX2CjX4nLKvFwwoBDPi0jMtdf/PwIDAQAB”

If my implementation steps are out of line please advise and I will test as recommended.

Edit: To clarify, it did push the new ED key, and ended up with two ED DKIMs in CF, failure to propagate log statement is most likely the parser reading the first key and it not equaling the 2nd key as expected.

I’m guessing this wasn’t actually included in today’s 0.16.7 release as there is no mention in the changelog nor could I find a commit referencing it.

Can you confirm this was in 0.16.7, or will it be caught in 0.16.8? Not sure if overlooked or I genuinely have a new problem to trace. Thanks.

Let me go through each point you raised, because there are actually several separate things going on here.

On the RSA key splitting into two strings. This one is expected and correct, not a bug. A single DNS TXT character-string is capped at 255 bytes (RFC 1035), and an RSA DKIM public key is well over that, so it physically has to be published as more than one quoted string:

"v=DKIM1; k=rsa; ...p=MIIB..." "...AQAB"

DKIM verifiers concatenate those strings back together with no separator before reading the key (RFC 6376), so a key published this way validates exactly the same as a single-string record. Your ed25519 key looks like one blob only because it is short enough to fit under 255 bytes. The split is also what Cloudflare itself produces if you paste a long key into the dashboard by hand. So the two-part RSA record is working as intended, and you can verify it with dig TXT selector._domainkey.yourdomain and checking that the concatenated value matches your key.

On whether the fix made it into v0.16.7 and the changelog not mentioning it. The DKIM chunking change lives in the underlying dns-update library, and it shipped in dns-update 0.5.0 and Stalwart 0.16.7.

On the old ed25519 record not being removed after rotation. This is expected behavior rather than a malfunction. DNS updates are scoped to a single record name. Each DKIM selector is its own distinct name (your new key and the leftover old key live under different selectors), so publishing a new selector will never touch or remove a record sitting under a different selector. Leftover selectors are harmless to verification, and are deleted in the next rotation cycle.

On the new ed25519 key reporting “did not propagate, will retry.” This is the one I would like more detail on, because it is unrelated to the splitting topic. That key is short and single-string, so chunking is not a factor. The most common cause is normal DNS propagation and TTL lag at the moment Stalwart re-queries to confirm the record, but I do not want to assume.

On whether Stalwart should detect unmanaged or conflicting keys. Today Stalwart only manages the records it creates and does not scan for pre-existing or orphaned DKIM records that it did not put there.

Thank you for the detailed information. I have further testing to perform and I will come back with more usable details when I have them.

I’ve verified functionality by sending email to a handful of major email vendors and DKIM is working correctly.

I can confirm that this is actually a problem with both DKIM keys. I started a test with a domain that has zero DNS records in the Cloudflare zone.

The ed25519 key publishes, but the log claims it can’t verify it. Then it publishes the RSA key, again, I can see it in the zone, but the log claims it can’t verify it. Then after three failures, they both validate.

2026-06-12T09:39:37Z INFO DNS record created (dns.record-created) hostname = "v1-ed25519-20260612._domainkey.example.com.", details = "example.com", type = "TXT", value = ["v=DKIM1; k=ed25519; h=sha256; p=UNjYB1vGbx5VQE30YDwKmOnsMbbpENzPls6deti4jOA="]
2026-06-12T09:40:37Z WARN DNS record propagation timeout (dns.record-propagation-timeout) hostname = "v1-ed25519-20260612._domainkey.example.com.", details = "example.com", type = "TXT", value = "v=DKIM1; k=ed25519; h=sha256; p=UNjYB1vGbx5VQE30YDwKmOnsMbbpENzPls6deti4jOA="

2026-06-12T09:40:37Z INFO DNS record created (dns.record-created) hostname = "v1-rsa-20260612._domainkey.example.com.", details = "example.com", type = "TXT", value = ["v=DKIM1; k=rsa; h=sha256; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAw75yqoZoHixevOmkZn0kERIteHe2Lu7q3UzcgMWw8sjz5XI7Rt+4/9Fj33ceSQhzFPTWtsreJRiYWBRQ7e/Pl1/JvpN0X//0cCXrHwuiI4zQkHmbO+g4GEHrIjKOA7sm2ML1Vz/2irQPNDnZeTlpxrR+EokHWw1Rg9aipb7mVgSUfyQnNbso2Pr+s/qsTLj9QbbzofWQ6Fwl6TadM/pfhlb70PxiCsvNAZyst7KDYfkkcJzg7EzWOSOSnmrRjuY3xbWxMgyZm/SNqZqXK0nJkTMbO/Q2P8AqohjwQUF7tV8HR3oZ0U2vBHAoDejQuS+mgTfUe2qS0cNiFgF50CfjawIDAQAB"]
2026-06-12T09:41:37Z WARN DNS record propagation timeout (dns.record-propagation-timeout) hostname = "v1-rsa-20260612._domainkey.example.com.", details = "example.com", type = "TXT", value = "v=DKIM1; k=rsa; h=sha256; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAw75yqoZoHixevOmkZn0kERIteHe2Lu7q3UzcgMWw8sjz5XI7Rt+4/9Fj33ceSQhzFPTWtsreJRiYWBRQ7e/Pl1/JvpN0X//0cCXrHwuiI4zQkHmbO+g4GEHrIjKOA7sm2ML1Vz/2irQPNDnZeTlpxrR+EokHWw1Rg9aipb7mVgSUfyQnNbso2Pr+s/qsTLj9QbbzofWQ6Fwl6TadM/pfhlb70PxiCsvNAZyst7KDYfkkcJzg7EzWOSOSnmrRjuY3xbWxMgyZm/SNqZqXK0nJkTMbO/Q2P8AqohjwQUF7tV8HR3oZ0U2vBHAoDejQuS+mgTfUe2qS0cNiFgF50CfjawIDAQAB"

2026-06-12T09:41:38Z INFO DNS record created (dns.record-created) hostname = "v1-ed25519-20260612._domainkey.example.com.", details = "example.com", type = "TXT", value = ["v=DKIM1; k=ed25519; h=sha256; p=UNjYB1vGbx5VQE30YDwKmOnsMbbpENzPls6deti4jOA="]
2026-06-12T09:42:38Z WARN DNS record propagation timeout (dns.record-propagation-timeout) hostname = "v1-ed25519-20260612._domainkey.example.com.", details = "example.com", type = "TXT", value = "v=DKIM1; k=ed25519; h=sha256; p=UNjYB1vGbx5VQE30YDwKmOnsMbbpENzPls6deti4jOA="

2026-06-12T09:42:38Z INFO DNS record created (dns.record-created) hostname = "v1-rsa-20260612._domainkey.example.com.", details = "example.com", type = "TXT", value = ["v=DKIM1; k=rsa; h=sha256; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAw75yqoZoHixevOmkZn0kERIteHe2Lu7q3UzcgMWw8sjz5XI7Rt+4/9Fj33ceSQhzFPTWtsreJRiYWBRQ7e/Pl1/JvpN0X//0cCXrHwuiI4zQkHmbO+g4GEHrIjKOA7sm2ML1Vz/2irQPNDnZeTlpxrR+EokHWw1Rg9aipb7mVgSUfyQnNbso2Pr+s/qsTLj9QbbzofWQ6Fwl6TadM/pfhlb70PxiCsvNAZyst7KDYfkkcJzg7EzWOSOSnmrRjuY3xbWxMgyZm/SNqZqXK0nJkTMbO/Q2P8AqohjwQUF7tV8HR3oZ0U2vBHAoDejQuS+mgTfUe2qS0cNiFgF50CfjawIDAQAB"]
2026-06-12T09:43:38Z WARN DNS record propagation timeout (dns.record-propagation-timeout) hostname = "v1-rsa-20260612._domainkey.example.com.", details = "example.com", type = "TXT", value = "v=DKIM1; k=rsa; h=sha256; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAw75yqoZoHixevOmkZn0kERIteHe2Lu7q3UzcgMWw8sjz5XI7Rt+4/9Fj33ceSQhzFPTWtsreJRiYWBRQ7e/Pl1/JvpN0X//0cCXrHwuiI4zQkHmbO+g4GEHrIjKOA7sm2ML1Vz/2irQPNDnZeTlpxrR+EokHWw1Rg9aipb7mVgSUfyQnNbso2Pr+s/qsTLj9QbbzofWQ6Fwl6TadM/pfhlb70PxiCsvNAZyst7KDYfkkcJzg7EzWOSOSnmrRjuY3xbWxMgyZm/SNqZqXK0nJkTMbO/Q2P8AqohjwQUF7tV8HR3oZ0U2vBHAoDejQuS+mgTfUe2qS0cNiFgF50CfjawIDAQAB"

2026-06-12T09:45:00Z INFO DNS record created (dns.record-created) hostname = "v1-ed25519-20260612._domainkey.example.com.", details = "example.com", type = "TXT", value = ["v=DKIM1; k=ed25519; h=sha256; p=UNjYB1vGbx5VQE30YDwKmOnsMbbpENzPls6deti4jOA="]
2026-06-12T09:46:00Z WARN DNS record propagation timeout (dns.record-propagation-timeout) hostname = "v1-ed25519-20260612._domainkey.example.com.", details = "example.com", type = "TXT", value = "v=DKIM1; k=ed25519; h=sha256; p=UNjYB1vGbx5VQE30YDwKmOnsMbbpENzPls6deti4jOA="

2026-06-12T09:46:00Z INFO DNS record created (dns.record-created) hostname = "v1-rsa-20260612._domainkey.example.com.", details = "example.com", type = "TXT", value = ["v=DKIM1; k=rsa; h=sha256; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAw75yqoZoHixevOmkZn0kERIteHe2Lu7q3UzcgMWw8sjz5XI7Rt+4/9Fj33ceSQhzFPTWtsreJRiYWBRQ7e/Pl1/JvpN0X//0cCXrHwuiI4zQkHmbO+g4GEHrIjKOA7sm2ML1Vz/2irQPNDnZeTlpxrR+EokHWw1Rg9aipb7mVgSUfyQnNbso2Pr+s/qsTLj9QbbzofWQ6Fwl6TadM/pfhlb70PxiCsvNAZyst7KDYfkkcJzg7EzWOSOSnmrRjuY3xbWxMgyZm/SNqZqXK0nJkTMbO/Q2P8AqohjwQUF7tV8HR3oZ0U2vBHAoDejQuS+mgTfUe2qS0cNiFgF50CfjawIDAQAB"]
2026-06-12T09:47:00Z WARN DNS record propagation timeout (dns.record-propagation-timeout) hostname = "v1-rsa-20260612._domainkey.example.com.", details = "example.com", type = "TXT", value = "v=DKIM1; k=rsa; h=sha256; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAw75yqoZoHixevOmkZn0kERIteHe2Lu7q3UzcgMWw8sjz5XI7Rt+4/9Fj33ceSQhzFPTWtsreJRiYWBRQ7e/Pl1/JvpN0X//0cCXrHwuiI4zQkHmbO+g4GEHrIjKOA7sm2ML1Vz/2irQPNDnZeTlpxrR+EokHWw1Rg9aipb7mVgSUfyQnNbso2Pr+s/qsTLj9QbbzofWQ6Fwl6TadM/pfhlb70PxiCsvNAZyst7KDYfkkcJzg7EzWOSOSnmrRjuY3xbWxMgyZm/SNqZqXK0nJkTMbO/Q2P8AqohjwQUF7tV8HR3oZ0U2vBHAoDejQuS+mgTfUe2qS0cNiFgF50CfjawIDAQAB"

2026-06-12T09:49:39Z INFO DNS record created (dns.record-created) hostname = "v1-ed25519-20260612._domainkey.example.com.", details = "example.com", type = "TXT", value = ["v=DKIM1; k=ed25519; h=sha256; p=UNjYB1vGbx5VQE30YDwKmOnsMbbpENzPls6deti4jOA="]
2026-06-12T09:49:39Z INFO DNS record propagated (dns.record-propagated) hostname = "v1-ed25519-20260612._domainkey.example.com.", details = "example.com", type = "TXT", value = "v=DKIM1; k=ed25519; h=sha256; p=UNjYB1vGbx5VQE30YDwKmOnsMbbpENzPls6deti4jOA="

2026-06-12T09:49:40Z INFO DNS record created (dns.record-created) hostname = "v1-rsa-20260612._domainkey.example.com.", details = "example.com", type = "TXT", value = ["v=DKIM1; k=rsa; h=sha256; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAw75yqoZoHixevOmkZn0kERIteHe2Lu7q3UzcgMWw8sjz5XI7Rt+4/9Fj33ceSQhzFPTWtsreJRiYWBRQ7e/Pl1/JvpN0X//0cCXrHwuiI4zQkHmbO+g4GEHrIjKOA7sm2ML1Vz/2irQPNDnZeTlpxrR+EokHWw1Rg9aipb7mVgSUfyQnNbso2Pr+s/qsTLj9QbbzofWQ6Fwl6TadM/pfhlb70PxiCsvNAZyst7KDYfkkcJzg7EzWOSOSnmrRjuY3xbWxMgyZm/SNqZqXK0nJkTMbO/Q2P8AqohjwQUF7tV8HR3oZ0U2vBHAoDejQuS+mgTfUe2qS0cNiFgF50CfjawIDAQAB"]
2026-06-12T09:49:40Z INFO DNS record propagated (dns.record-propagated) hostname = "v1-rsa-20260612._domainkey.example.com.", details = "example.com", type = "TXT", value = "v=DKIM1; k=rsa; h=sha256; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAw75yqoZoHixevOmkZn0kERIteHe2Lu7q3UzcgMWw8sjz5XI7Rt+4/9Fj33ceSQhzFPTWtsreJRiYWBRQ7e/Pl1/JvpN0X//0cCXrHwuiI4zQkHmbO+g4GEHrIjKOA7sm2ML1Vz/2irQPNDnZeTlpxrR+EokHWw1Rg9aipb7mVgSUfyQnNbso2Pr+s/qsTLj9QbbzofWQ6Fwl6TadM/pfhlb70PxiCsvNAZyst7KDYfkkcJzg7EzWOSOSnmrRjuY3xbWxMgyZm/SNqZqXK0nJkTMbO/Q2P8AqohjwQUF7tV8HR3oZ0U2vBHAoDejQuS+mgTfUe2qS0cNiFgF50CfjawIDAQAB"

Stalwart uses your configured DNS resolver to verify propagation, not Cloudflare. Make sure your resolver is working properly, adjust any cache settings or increase the propagation timeout.

Ah, that was a big assumption on my part that it would re-query Cloudflare to check for the record. I’ve now adjusted the resolver to be Cloudflare (thanks for building that right in!), I expect there will be no further issue.