I read that it's not valid to have a CNAME for a domain that also has its own SPF, because all records are taken from the domain that the CNAME points to.
However, this doesn't seem to be what happens for me. I have pi.dantup.com CNAMEd to dantuppi.dynv6.net, however my SPF record seems to work fine (there is no SPF on the dynv6.net domain):
https://toolbox.googleapps.com/apps/dig/#CNAME/pi.dantup.com
https://toolbox.googleapps.com/apps/dig/#TXT/pi.dantup.com
This seems to work fine testing with this tool. However, a friend has his set up very similarly and it appears to not be working. Before digging into this, I'm trying to understand if what mine is doing is correct?
Best Answer
The discussion you refer to describes CNAME-ing a TLD (top-level domain) to another domain. That is not a good idea.
But CNAME-ing a subdomain over to a third party is actually the preferred setup to arrange, for example, bounce-handling by a third party (marketing tools and such). For example, for sending newsletters via the subdomain of newsletters.example.com by a marketing tool hosted at newsmailers.org, you can use a CNAME record that points newsletters.example.com to example_com.newsmailers.org, actively delegating the responsibility for SPF and MX records for the newsletters.example.com subdomain to the external party. You cannot, however, add additional RRs (TXT / MX / A) with the same name to DNS, according to RFC 1912. RFC 1034 section 3.6 states that the RDATA for a CNAME contains a domain name (typically where an SPF TXT record lives), while the RDATA for an MX or NS record should contain a Host Name.
Also, be careful with CNAMEs that point to other CNAMEs. This will (most often) fail. See RFC 1912 section 2.4.
If you take a look at the following article by DMARCIAN, I hope you'll find more details and information you were looking for:
https://dmarcian.com/how-to-send-dmarc-compliant-email-on-behalf-of-others/
If you want to see what's happening on DNS, just check: https://dns.google.com/query?name=pi.dantup.com&type=TXT&dnssec=true
If you set up a CNAME, you'll first see an answer of type 5 (CNAME) and a second answer of type 16 (TXT).
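The type 5 / type 16 answer described above can be read mechanically. This added example (not part of the original answer) parses a constructed response in the dns.google JSON layout, using the answer's placeholder names, and reports which owner name the SPF TXT actually belongs to, plus the two conditions the answer warns about. The SPF value, the `_spf.newsmailers.org` include and all function names are assumptions.

```python
import json

CNAME, TXT = 5, 16  # RR type numbers as they appear in the JSON answer

# Constructed sample response (placeholder names, invented SPF value).
SAMPLE = json.loads("""
{"Status": 0, "Question": [{"name": "newsletters.example.com.", "type": 16}],
 "Answer": [
  {"name": "newsletters.example.com.", "type": 5, "TTL": 300,
   "data": "example_com.newsmailers.org."},
  {"name": "example_com.newsmailers.org.", "type": 16, "TTL": 300,
   "data": "v=spf1 include:_spf.newsmailers.org ~all"}]}
""")

def norm(name):
    """Compare names case-insensitively and without the trailing dot."""
    return name.rstrip(".").lower()

def is_spf(data):
    text = data.strip('"').lower()
    return text == "v=spf1" or text.startswith("v=spf1 ")

def trace_spf(response):
    """Walk the CNAME chain in one answer section and locate the SPF TXT."""
    qname = norm(response["Question"][0]["name"])
    answers = response.get("Answer", [])
    cnames = {norm(a["name"]): norm(a["data"]) for a in answers if a["type"] == CNAME}
    chain = [qname]
    while chain[-1] in cnames and cnames[chain[-1]] not in chain:  # stop on loops
        chain.append(cnames[chain[-1]])
    spf = [(norm(a["name"]), a["data"].strip('"')) for a in answers
           if a["type"] == TXT and is_spf(a["data"])]
    warnings = []
    if len(chain) > 2:
        warnings.append("CNAME points to another CNAME")
    if any(owner in cnames for owner, _ in spf):
        warnings.append("TXT record shares an owner name with a CNAME")
    return {"chain": chain, "spf": spf, "warnings": warnings}

if __name__ == "__main__":
    print(json.dumps(trace_spf(SAMPLE), indent=2))
```

If the SPF owner in the result is the last name in the chain, the record is being served by the CNAME target; if it is the queried name itself, the zone is publishing a TXT alongside the CNAME.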