Introduction

CNAME flattening can make a DNS setup look correct in your dashboard while still breaking third-party verification. Some services expect to see an actual CNAME at the queried name, but flattening returns an A or AAAA answer instead, which causes verification to stay pending or fail outright. The fix is to compare what your DNS provider publishes on the wire with what the verifying service insists on finding.

Symptoms

  • A domain verification process stays pending even though the expected target is configured
  • DNS dashboards show the right CNAME, but public checks return another record type
  • The issue affects apex or special hostnames more than ordinary subdomains
  • Verification worked in another DNS provider but fails after migration
  • The problem began after enabling flattening, alias records, or provider-specific routing features

Common Causes

  • The DNS provider flattens the CNAME into address records where the verifier expects a literal CNAME response
  • The record is placed at the apex where provider behavior differs from standard subdomain CNAME handling
  • Another record type at the same name conflicts with the intended verification response
  • The verifier queries authoritative DNS differently than the user tested manually
  • DNS changes were made in a UI abstraction that does not match the actual delegated zone behavior

Step-by-Step Fix

  1. Confirm exactly which hostname and record type the third-party verifier requires.
  2. Query the live authoritative DNS and inspect the response type returned on the wire, not just what the dashboard displays.
  3. Check whether your provider applies CNAME flattening, ALIAS behavior, or apex record synthesis at that hostname.
  4. Verify no conflicting TXT, A, AAAA, or other records occupy the same name in a way that changes the response.
  5. Compare the verifier's published requirements with your provider's DNS behavior to see whether the setup is fundamentally incompatible.
  6. Move the verification to a hostname that can return a literal CNAME if the service allows it.
  7. If the provider supports disabling flattening for that record, apply the narrowest change needed and retest.
  8. Re-run verification only after public authoritative responses match the exact required record type and value.
  9. Keep provider-specific DNS behavior in mind during future verification workflows, especially at apex hostnames.