How do CNAME records affect DNS records like SPF, DKIM, DMARC, and MX?
Summary
What email marketers say (13 marketer opinions)
Email marketer from EasyDMARC explains that while DMARC records themselves are TXT records and don't directly conflict with CNAMEs on other subdomains, the domain used in your DMARC policy (e.g., for reporting) should resolve correctly without CNAME-related issues, especially if you're using subdomain delegation.
Email marketer from DNSimple states that a CNAME record essentially redirects one domain or subdomain to another. While convenient, using CNAME records improperly can lead to conflicts with other records, particularly MX records needed for email routing. They advise against using a CNAME record for the root domain.
Email marketer from GoDaddy explains that using a CNAME on a domain or subdomain will forward that DNS query to the specified target, overriding any other settings assigned to that record type. So anything that was configured for that CNAME will be redirected to the other CNAME location. If the MX were at a different level, it would be fine.
Email marketer from WhatIs explains that CNAME records should not be used as the target of other resource records, such as an MX record. The main reason is that it violates DNS standards and causes confusion and resolution problems.
Marketer from Email Geeks explains that TXT resource records (RRs) like SPF, DKIM and DMARC are preserved when an A or CNAME record is modified.
Marketer from Email Geeks clarifies that if you CNAME mail.example.com, all queries (MX/TXT/A) will follow where that CNAME points. Any record at a different level (e.g., selector._domainkey.mail.example.com) would be unaffected.
Email marketer from Stack Overflow explains that while it's technically possible to put a CNAME record on the root of a domain, it’s generally not recommended because it can interfere with other essential DNS records, such as those for email (MX records).
Email marketer from Klenty explains that if the subdomain uses CNAME, users cannot create SPF, DKIM, and DMARC records for their domain. They should use either CNAME or SPF, DKIM, and DMARC, not both.
Email marketer from Super User explains that when a DNS resolver encounters a CNAME, it replaces the name with the canonical name and restarts the resolution process. This impacts all record types at that particular name, as they are effectively redirected.
Email marketer from StackExchange says that when you use a CNAME, it can disrupt your configurations, particularly those related to email. It also means that all the services previously linked to the origin domain will now be associated with your new domain.
Email marketer from Reddit user /sysadminX explains that if you point a domain with an SPF record to a CNAME, the SPF record for the original domain is ignored. The SPF record that matters is the one on the destination of the CNAME.
Email marketer from Email Geeks summarises that a CNAME will subsume all records at the level at which it is applied, except for NS records and SOA. It is therefore not suitable as a domain masking solution for ESPs.
Marketer from Email Geeks refers to RFC 5321, indicating that while a domain name associated with an MX record must contain a domain name that resolves to at least one A or AAAA record, it should not resolve to a CNAME record. He says that `dig -t MX example.com` can be a CNAME; however, `dig -t A mx.example.com` cannot be a CNAME.
What the experts say (3 expert opinions)
Expert from Spam Resource explains that if a domain uses a CNAME record, the SPF record associated with the original domain will be disregarded and the SPF record for the CNAME destination will apply instead.
Expert from Word to the Wise explains that when creating DKIM keys, the best practice is to set them to be different from the domain. And with a CNAME this also prevents sending spam in the customer's name.
Expert from Spam Resource details if a CNAME record is set up for a domain that also sends email, the SPF record for that domain needs to be present on the destination of the CNAME, otherwise SPF will fail.
What the documentation says (4 technical articles)
Documentation from DigitalOcean explains that MX records must point to an A record, not a CNAME. CNAME records are usually employed to map one domain to another, and will cause issues because mail has to resolve to the CNAME and then to its location, so email can fail.
Documentation from RFC 1034 specifies that when a CNAME record is present, the DNS resolver should replace the CNAME record with the canonical name and restart the query. The standard also implies CNAME records should not co-exist with other record types for the same name.
Documentation from Google Workspace Admin Help warns that MX records must point directly to a domain name (A record) and not to a CNAME. Pointing an MX record to a CNAME can lead to mail delivery issues.
Documentation from Cloudflare explains that a CNAME record maps an alias name to a canonical domain name. DNS lookup will continue by retrying the lookup with the canonical name. However, certain records, like MX, should not point to a CNAME.
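As an added worked example, not taken from any of the sources summarised above, the following Python models the resolver behaviour described in the marketer section (a query at a CNAMEd name restarts at the canonical name, records at a different label such as selector._domainkey.mail.example.com are untouched, and an MX target must not itself be a CNAME) and in the documentation section (the RFC 1034 restart rule and the MX-must-not-point-to-CNAME warning). The zone contents, the ESP name customer123.esp.example, the DKIM placeholder key and the function names are all constructed for this example; the resolver is a deliberately small model, not a drop-in for dnspython or dig.

```python
"""Toy zone + resolver modelling the RFC 1034 section 3.6.2 CNAME rule.

Constructed example; no network access. The domain owner's zone and the
ESP's zone are merged into one dict so that lookups resolve offline.
"""

# Constructed zone. Keys are lowercase owner names without trailing dot,
# values map RR type -> list of rdata strings.
ZONE = {
    "example.com": {
        "SOA": ["ns1.example.com. hostmaster.example.com. 1 3600 600 86400 300"],
        "NS": ["ns1.example.com", "ns2.example.com"],
        "A": ["192.0.2.10"],
        # the second MX deliberately targets a CNAME; lint_zone() flags it
        "MX": ["10 mx.example.com", "20 mail.example.com"],
        "TXT": ["v=spf1 ip4:192.0.2.0/24 -all"],
    },
    "mx.example.com": {"A": ["192.0.2.25"]},
    "_dmarc.example.com": {"TXT": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"]},
    # mail.example.com is handed to an ESP via CNAME; the owner also left an
    # SPF TXT beside it, which a resolver can never return
    "mail.example.com": {
        "CNAME": ["customer123.esp.example"],
        "TXT": ["v=spf1 include:_spf.esp.example -all"],
    },
    # a different label under mail.example.com: unaffected by the CNAME
    "s1._domainkey.mail.example.com": {"TXT": ["v=DKIM1; k=rsa; p=<base64 public key>"]},
    # the ESP side (in reality a separate zone)
    "customer123.esp.example": {
        "A": ["198.51.100.7"],
        "TXT": ["v=spf1 ip4:198.51.100.0/24 -all"],
    },
}

MAX_CHAIN = 8  # guard against CNAME loops


def _norm(name):
    return name.lower().rstrip(".")


def resolve(name, rrtype, zone=ZONE):
    """Return (owner, [rdata]) for a query.

    RFC 1034 s3.6.2: if the queried name owns a CNAME and the query is not
    for CNAME itself, replace the name with the canonical name and restart.
    Other records at the aliased name are never consulted, which is why a
    CNAME 'subsumes' the MX/TXT/A at that exact label and nothing else.
    """
    name = _norm(name)
    for _ in range(MAX_CHAIN):
        rrset = zone.get(name, {})
        if "CNAME" in rrset and rrtype != "CNAME":
            name = _norm(rrset["CNAME"][0])
            continue
        return name, list(rrset.get(rrtype, []))
    raise ValueError("CNAME chain too long (loop?)")


def effective_spf(name, zone=ZONE):
    """The SPF record a receiver would actually evaluate for `name`."""
    _, txts = resolve(name, "TXT", zone)
    spf = [t for t in txts if t.startswith("v=spf1 ")]
    return spf[0] if spf else None


def lint_zone(zone=ZONE):
    """Flag the two mistakes the sources warn about:
    1. a CNAME coexisting with other types at the same owner (RFC 1034
       s3.6.2, RFC 2181 s10.1): the sibling records are unreachable;
    2. an MX target that is a CNAME (RFC 2181 s10.3; RFC 5321 s5.1 expects
       the target to resolve directly to A/AAAA)."""
    problems = []
    for owner, rrset in zone.items():
        if "CNAME" in rrset:
            siblings = sorted(t for t in rrset if t != "CNAME")
            if siblings:
                problems.append(f"{owner}: CNAME coexists with {','.join(siblings)} (unreachable)")
        for mx in rrset.get("MX", []):
            target = _norm(mx.split()[1])
            if "CNAME" in zone.get(target, {}):
                problems.append(f"{owner}: MX target {target} is a CNAME")
    return problems


if __name__ == "__main__":
    for q in [("mail.example.com", "TXT"), ("mail.example.com", "MX"),
              ("s1._domainkey.mail.example.com", "TXT"), ("example.com", "MX")]:
        print(q, "->", resolve(*q))
    print("SPF for mail.example.com:", effective_spf("mail.example.com"))
    for p in lint_zone():
        print("LINT:", p)
```

Running it shows the two effects the thread describes: the TXT (and MX, and A) query for mail.example.com comes back from customer123.esp.example, so the SPF that counts is the ESP's and the TXT left beside the CNAME is dead data, while the DKIM selector one label deeper is answered from the owner's zone. The lint pass reports the sibling-TXT problem and the MX entry pointing at the CNAMEd name; a real zone check would run the same two rules over the output of a zone transfer or the provider's export.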