Support Hetzner DNS for automatic DNS management

API Documentation: Hetzner DNS Public API

Authentication is done through the Auth-API-Token HTTP header.

Requests need a zone_id, which could either be configured by the user, or you could try to fetch it using the GET /zones endpoint.

Get all existing records in a zone:

# Get all zones
curl "https://dns.hetzner.com/api/v1/records?zone_id={ZoneID}" \
     -H 'Auth-API-Token: {AuthToken}'

# Create Record
curl -X "POST" "https://dns.hetzner.com/api/v1/records" \
     -H 'Content-Type: application/json' \
     -H 'Auth-API-Token: {AuthToken}' \
     -d $'{
  "value": "mail.example.com",
  "ttl": 300,
  "type": "MX",
  "name": "",
  "zone_id": "{ZoneID}"
}'

# Update record
curl -X "PUT" "https://dns.hetzner.com/api/v1/records/{RecordID}" \
     -H 'Content-Type: application/json' \
     -H 'Auth-API-Token: {AuthToken}' \
     -d $'{
  "value": "mail.example.com",
  "ttl": 300,
  "type": "MX",
  "name": "",
  "zone_id": "{ZoneID}"
}'

Note that you can create a project and add a DNS zone to test the API, without owning or purchasing a domain.

This has been implemented.

Thank you! This is awesome.

It works for me. I do see Stalwart changing the DNS entries in Hetzner Console.

However, there’s an error, see:

@helpbot I tried to create Hetzner DNS Records one-by-one by running the Perform DNS management for a domain task seperately for each record type. Here is what I found out:

DKIM Public Keys work when using Ed25519 keys only. It fails once an RSA key is added:

Failed to create DNS record for v1-rsa-20260521._domainkey.example.com.: Failed to create DNS record: API error: Invalid HTTP response code 422: Err(reqwest::Error { kind: Status(422, None), url: “https://api.hetzner.cloud/v1/zones/example.com/rrsets” })

CAA creation fails:

Failed to create DNS record for example.com.: Failed to create DNS record: API error: Invalid HTTP response code 409: Err(reqwest::Error { kind: Status(409, None), url: “https://api.hetzner.cloud/v1/zones/example.com/rrsets” })

All other resource types work fine when run seperately. However, when I try to perform dns management for all records at once (except DKIM and CAA) it fails with the following error:

Failed to create DNS record for _443._tcp.ua-auto-config.example.com.: Failed to create DNS record: API error: Invalid HTTP response code 409: Err(reqwest::Error { kind: Status(409, None), url: “https://api.hetzner.cloud/v1/zones/example.com/rrsets” }); Failed to create DNS record for _443._tcp.autodiscover.example.com.: Failed to create DNS record: API error: Invalid HTTP response code 409: Err(reqwest::Error { kind: Status(409, None), url: “https://api.hetzner.cloud/v1/zones/example.com/rrsets” }); Failed to create DNS record for _443._tcp.mail.example.com.: Failed to create DNS record: API error: Invalid HTTP response code 409: Err(reqwest::Error { kind: Status(409, None), url: “https://api.hetzner.cloud/v1/zones/example.com/rrsets” }); Failed to create DNS record for _995._tcp.mail.example.com.: Failed to create DNS record: API error: Invalid HTTP response code 409: Err(reqwest::Error { kind: Status(409, None), url: “https://api.hetzner.cloud/v1/zones/example.com/rrsets” }); Failed to create DNS record for _993._tcp.mail.example.com.: Failed to create DNS record: API error: Invalid HTTP response code 409: Err(reqwest::Error { kind: Status(409, None), url: “https://api.hetzner.cloud/v1/zones/example.com/rrsets” }); Failed to create DNS record for _25._tcp.mail.example.com.: Failed to create DNS record: API error: Invalid HTTP response code 409: Err(reqwest::Error { kind: Status(409, None), url: “https://api.hetzner.cloud/v1/zones/example.com/rrsets” }); Failed to create DNS record for _465._tcp.mail.example.com.: Failed to create DNS record: API error: Invalid HTTP response code 409: Err(reqwest::Error { kind: Status(409, None), url: “https://api.hetzner.cloud/v1/zones/example.com/rrsets” }); Failed to create DNS record for _443._tcp.autoconfig.example.com.: Failed to create DNS record: API error: Invalid HTTP response code 409: Err(reqwest::Error { kind: Status(409, None), url: “https://api.hetzner.cloud/v1/zones/example.com/rrsets” }); Failed to create DNS record for _443._tcp.mta-sts.example.com.: Failed to create DNS record: API error: Invalid HTTP response code 409: Err(reqwest::Error { kind: Status(409, None), url: “https://api.hetzner.cloud/v1/zones/example.com/rrsets” })

Let me look into the Hetzner DNS provider implementation to understand these errors.

@helpbot I tried creating the record manually from the zonefile that stalwart creates:

v1-rsa-20260521._domainkey.example.com. IN TXT (
    "v=DKIM1; k=rsa; h=sha256; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtVu3mLGynhz1ENEb0JVhJPfH1+2i+RVSjOO42q0VraZKMUn7pl3SCnrjvqGU8U9tlXg1sAobPO5ZJ2JMDKSMB2jt3+jauH4lTgJne858ZkDdM1/IGaz+LB3zP2f97lMP7CZ5Uky8cgvzh1OUoZaLITN6ODuf9SejYMgoxHNVMn1sQZvy1Gk3zWF"
    "VWTpPhUgTfA+ma+JD6LbwCel3X4I0S+jeKI5GqBalJ//XPbYIJPtB7qPgLcwnHHsMAsl/Yfs7Tg6thNT0aTgj7Nzp7KvDrGfqnf1JX/hjbYz1FcrRotoqzeoLmzZYSOVCJF9M2oTKU5pulPw7akzX/0enpjqbjwIDAQAB"
)

This fails Hetzner validation. Groups of 255 characters surrounded by quotes are used correctly. However, Hetzner enforces that they are separated by exactly one space. The following value works:

"v=DKIM1; k=rsa; h=sha256; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtVu3mLGynhz1ENEb0JVhJPfH1+2i+RVSjOO42q0VraZKMUn7pl3SCnrjvqGU8U9tlXg1sAobPO5ZJ2JMDKSMB2jt3+jauH4lTgJne858ZkDdM1/IGaz+LB3zP2f97lMP7CZ5Uky8cgvzh1OUoZaLITN6ODuf9SejYMgoxHNVMn1sQZvy1Gk3zWF" "VWTpPhUgTfA+ma+JD6LbwCel3X4I0S+jeKI5GqBalJ//XPbYIJPtB7qPgLcwnHHsMAsl/Yfs7Tg6thNT0aTgj7Nzp7KvDrGfqnf1JX/hjbYz1FcrRotoqzeoLmzZYSOVCJF9M2oTKU5pulPw7akzX/0enpjqbjwIDAQAB"

Let me look at how Stalwart formats TXT record values when sending to DNS providers.

Based on my research, the root cause of the RSA DKIM issue is clear from P4sca1’s own analysis: this is a bug in how Stalwart formats the TXT record value when calling the Hetzner DNS API. The value sent contains a newline + whitespace separator between the 255-character quoted chunks (the zone-file multi-line style), but Hetzner’s API requires exactly a single space between the quoted strings on one line.

This is a bug in the Stalwart dns_update integration for Hetzner, not a configuration issue you can work around on your end. The fix needs to happen in the code that serializes the RSA DKIM public key into a TXT record value before sending it to the Hetzner API – specifically, the multi-chunk quoted string separator must be a single space (" ") rather than a newline/indentation sequence.

For the 409 Conflict errors on TLSA/SRV records when running all at once: HTTP 409 from Hetzner typically means a record with that name/type already exists. This is likely a race condition or Stalwart attempting to create a record that was already created in the same batch run (e.g. if you ran it partially before).

Practical workarounds until a fix is released:

• For RSA DKIM: use Ed25519 keys only for now (as you discovered, those work fine).
• For 409 errors on repeated runs: those records may already exist in Hetzner – check the Hetzner DNS console and delete any partially-created duplicates, then re-run.

The RSA TXT formatting bug is worth reporting so the dns_update crate or Stalwart’s wrapper around it can be patched to emit "chunk1" "chunk2" (space-separated, single line) rather than the zone-file multi-line format.

This is an automated reply from the Stalwart Help Bot. Other community members may follow up if this answer is incomplete or wrong. If you found it useful, mention @helpbot in any reply to ask follow-up questions and the bot will respond again.

For CAA records:

The issue record was created successfully. However, the iodef record keeps failing. Maybe stalwart tries to create both at once which fails.

Manually creating the iodef record in Hetzner works fine. Afterwards, Automatic TLS certificate management works fine.

@helpbot