8

I read that it's not valid to have a CNAME for a domain that also has its own SPF, because all records are taken from the domain that the CNAME points to.

However, this doesn't seem to be what happens for me. I have pi.dantup.com CNAMEd to dantuppi.dynv6.net, however my SPF record seems to work fine (there is no SPF on the dynv6.net domain:

https://toolbox.googleapps.com/apps/dig/#CNAME/pi.dantup.com https://toolbox.googleapps.com/apps/dig/#TXT/pi.dantup.com

This seems to work fine testing with this tool. However, a friend has his set up very similarly and it appears to not be working. Before digging into this, I'm trying to understand if what mine is doing is correct?

Community
  • 1
Danny Tuppeny
  • 269
  • 1
  • 3
  • 10

3 Answers3

3

The discussion you refer to describes CNAME-ing a TLD (top-level domain) to another domain. That is not a good idea.

But CNAME-ing a subdomain over to a third party is actually preferred setup to arrange, for example, bounce-handling by a third party (marketing tools and such). For example for sending newsletters via the subdomain of newsletters.example.com by a marketing tool hosted at newsmailers.org, you can use a CNAME record that points newsletters.example.com to example_com.newsmailers.org, actively delegating the responsibility for SPF and MX records for the newsletters.example.com subdomain to the external party. You cannot, however, add additional RRs (TXT / MX / A) with the same name to DNS, according to RFC 1912.

RFC 1034 section 3.6 states that the RDATA for a CNAME contains a domain name (typically where an SPF TXT record lives), while the RDATA for an MX or NS record should contain a Host Name.

Also, be carefull with CNAMEs that point to other CNAMEs. This will (most often) fail. See RFC 1912 section 2.4

If you take a look at the following article by DMARCIAN, I hope you'll find more details and information you were looking for:

https://dmarcian.com/how-to-send-dmarc-compliant-email-on-behalf-of-others/

If you want to see what's happening on DNS, just check: https://dns.google.com/query?name=pi.dantup.com&type=TXT&dnssec=true

If you set up a CNAME, you'll first see an answer of type 5 (CNAME) and a second answer of type 16 (TXT).

MadHatter
  • 81,580
Reinto
  • 1,063
1

If you have no concern on recursive searches (take into account SPF manages 10 MAX) you can have a redirect SPF, which in my opinion is better than CNAME as SPF is essentially a TXT record on the root of the domain, a CNAME might break you and cause issues when creating other TXT records on the root like verification records which everyone seems to be using now

You can implement this SPF on the root "v=spf1 redirect=_spf.mailhostbox.com".

Where _spf.mailhostbox.com is your redirected location

Egitan Robles
  • 11
0

I think what you want is called SPF Chaining - see here: https://www.mailgun.com/blog/white-labeling-dns-records-your-customers-tips-tricks/#:~:text=White%20labeling%20SPF%20records%20SPF%20stands%20for%20Sender,sender%20address%20spoofing%20by%20verifying%20sender%20IP%20addresses.

William
  • 393