azuredomain-name-systemSecurity
See i.e.: How to set up CNAME to point to Azure
or the text within the azure portal:
Why is this necessary in the first place? Why does pointing the domain name through an A record not prove that I am the owner of the domain?
I mean.. how can you otherwise change a DNS record in the first place?
What abuse does this rule prevent?
In short, you can't make the @ record a CNAME without deleting all other resource records for @, and you can't do that since some (like the NS records) are required for proper DNS functionality. This is one reason why providers such as Heroku tell you not to use naked domain names.
You will need a host to perform the HTTP redirection from example.com to www.example.com for you, to which you will point A (and AAAA) record for @.
If your DNS is hosted with GoDaddy, then they have a free service that will do this for you. In your GoDaddy domain manager, look on the left hand side for "Forwarding" and click "Manage". Then set it to forward example.com to www.example.com and update your DNS to support the change. You should leave the Advanced Options at their defaults.
Yes, name server should return both CNAME and A in your specific scenario. RFC1034 says "Both of these RRs would be returned in the response to the type A query".
Best Answer
If you have control of a DNS lookup for a computer, or are able to inject a host record, then you could spoof an A record for that machine and point it to an Azure website (there's actually nothing to stop you doing that for a VM though)
By making you create a cname record, and independently verifying it (via their internal / public DNS system), it means that you do have control over the domain, and you're not spoofing somebody else's domain.