diff --git a/pkg/normalize/validate.go b/pkg/normalize/validate.go
index 7033c5dcd..1deef2641 100644
--- a/pkg/normalize/validate.go
+++ b/pkg/normalize/validate.go
@@ -85,20 +85,6 @@ func validateRecordTypes(rec *models.RecordConfig, domain string, pTypes []strin
 	return nil
 }
 
-// underscores in names are often used erroneously. They are valid for dns records, but invalid for urls.
-// here we list common records expected to have underscores. Anything else containing an underscore will print a warning.
-var labelUnderscores = []string{
-	"_acme-challenge",
-	"_amazonses",
-	"_dmarc",
-	"_domainconnect",
-	"_domainkey",
-	"_jabber",
-	"_mta-sts",
-	"_sip",
-	"_xmpp",
-}
-
 // these record types may contain underscores
 var rTypeUnderscores = []string{"SRV", "TLSA", "TXT"}
 
@@ -127,17 +113,12 @@ func checkLabel(label string, rType string, target, domain string, meta map[stri
 			return nil
 		}
 	}
-	// Don't warn for CNAMEs if the target ends with acm-validations.aws
-	// See https://github.com/StackExchange/dnscontrol/issues/519
-	if strings.HasPrefix(label, "_") && rType == "CNAME" && strings.HasSuffix(target, ".acm-validations.aws.") {
+	// Don't warn for records that start with _
+	// See https://github.com/StackExchange/dnscontrol/issues/829
+	if strings.HasPrefix(label, "_") || strings.Contains(label, "._") {
 		return nil
 	}
-	// Don't warn for certain label substrings
-	for _, ex := range labelUnderscores {
-		if strings.Contains(label, ex) {
-			return nil
-		}
-	}
+
 	// Otherwise, warn.
 	if strings.ContainsRune(label, '_') {
 		return Warning{fmt.Errorf("label %s.%s contains an underscore", label, domain)}
diff --git a/pkg/normalize/validate_test.go b/pkg/normalize/validate_test.go
index db6b59e5b..5091cd7a4 100644
--- a/pkg/normalize/validate_test.go
+++ b/pkg/normalize/validate_test.go
@@ -19,17 +19,18 @@ func TestCheckLabel(t *testing.T) {
 	}{
 		{"@", "A", "zap", false, false},
 		{"foo.bar", "A", "zap", false, false},
-		{"_foo", "A", "zap", true, false},
+		{"_foo", "A", "zap", false, false},
 		{"_foo", "SRV", "zap", false, false},
 		{"_foo", "TLSA", "zap", false, false},
 		{"_foo", "TXT", "zap", false, false},
-		{"_y2", "CNAME", "foo", true, false},
+		{"_y2", "CNAME", "foo", false, false},
+		{"s1._domainkey", "CNAME", "foo", false, false},
 		{"_y3", "CNAME", "asfljds.acm-validations.aws.", false, false},
 		{"test.foo.tld", "A", "zap", true, false},
 		{"test.foo.tld", "A", "zap", false, true},
 	}
 
-	for _, test := range tests {
+	for i, test := range tests {
 		t.Run(fmt.Sprintf("%s %s", test.label, test.rType), func(t *testing.T) {
 			meta := map[string]string{}
 			if test.hasSkipMeta {
@@ -37,10 +38,10 @@ func TestCheckLabel(t *testing.T) {
 			}
 			err := checkLabel(test.label, test.rType, test.target, "foo.tld", meta)
 			if err != nil && !test.isError {
-				t.Errorf(" Expected no error but got %s", err)
+				t.Errorf("%02d: Expected no error but got %s", i, err)
 			}
 			if err == nil && test.isError {
-				t.Errorf(" Expected error but got none")
+				t.Errorf("%02d: Expected error but got none", i)
 			}
 		})