How do CNAME records affect DNS records like SPF, DKIM, DMARC, and MX?

Summary

CNAME records, which map an alias to a canonical domain name, significantly affect other DNS records, especially those used for email deliverability. TXT records like SPF, DKIM, and DMARC are generally preserved, but MX records MUST point to A records, not CNAMEs, to avoid delivery failures. If a domain uses a CNAME, the original domain's SPF record is disregarded, and the destination's SPF takes precedence. A CNAME subsumes all records at its level, redirecting DNS resolution. CNAMEs disrupt email configurations, because services become associated with the new domain. Improper CNAME usage conflicts with MX records and email routing, and a CNAME is not recommended on the root domain. Ensure DMARC policies resolve correctly and that DKIM keys are different from the domain.

Key findings

  • MX Record Restriction: MX records MUST point to A records, not CNAMEs; using CNAMEs causes mail delivery failures.
  • SPF Override: A CNAME causes the original domain's SPF record to be ignored, with the destination's SPF taking precedence.
  • CNAME Subsumption: A CNAME supersedes all records at its level, except for NS and SOA, redirecting DNS queries.
  • Email Configuration Disruption: CNAMEs disrupt email configurations, linking services to the new domain.
  • Root Domain Issues: CNAMEs are not recommended on the root domain due to potential interference with essential records.

Key considerations

  • MX Record Configuration: Ensure MX records point directly to A records for proper mail routing.
  • SPF Record Alignment: Align SPF records at the CNAME destination with sending practices.
  • DKIM Key Security: Use DKIM keys different from the domain for better security.
  • Domain-Level Application: Understand that a CNAME will supersede all other record types at its level, except for NS records and SOA.
  • Consider DMARC implications: Ensure DMARC policies resolve correctly without CNAME-related issues, especially when using subdomain delegation.

What email marketers say
13 Marketer opinions

CNAME records, while useful for aliasing one domain to another, can significantly impact DNS records crucial for email deliverability. While TXT records like SPF, DKIM, and DMARC are generally preserved when an A or CNAME record is modified, issues arise when MX records are involved. MX records should point directly to A or AAAA records, not CNAMEs, to avoid mail delivery problems. Pointing a domain with an SPF record to a CNAME will cause the original domain's SPF record to be ignored, and the destination's SPF record will apply. A CNAME subsumes all records at the level at which it is applied: when a DNS resolver encounters a CNAME, it replaces the name with the canonical name and restarts the resolution process, affecting all record types at that particular name. A CNAME also disrupts email-related configurations, which means that all the services previously linked to the origin domain will now be associated with the new domain. Therefore, using CNAMEs improperly leads to conflicts, particularly with MX records and email routing. It is generally not recommended to put a CNAME record on the root of a domain.

Key opinions

  • MX Record Conflicts: MX records must point to A or AAAA records, not CNAMEs. Using a CNAME for MX records can cause mail delivery failures.
  • SPF Record Overriding: Pointing a domain with an SPF record to a CNAME causes the original SPF record to be ignored; the destination's SPF record takes precedence.
  • CNAME Subsumption: A CNAME record replaces all other records at the same level, which can disrupt existing DNS configurations.
  • Email Configuration Disruption: CNAME usage can disrupt existing email configurations, impacting all services linked to the origin domain.
  • Root Domain Issues: Using a CNAME record on the root domain is generally not recommended because it can interfere with other essential DNS records, such as those for email (MX records).

Key considerations

  • Email Impact: Carefully consider the impact on email delivery when implementing CNAME records, particularly regarding MX and SPF records.
  • DNS Standard Compliance: Ensure that DNS configurations adhere to standards, avoiding CNAMEs where other record types, like MX, are required.
  • Domain-Level Application: Understand that a CNAME will supersede all other record types at its level, except for NS records and SOA.
  • Alternative Solutions: Evaluate alternative domain masking solutions instead of CNAMEs if email delivery is critical.
  • Subdomain Delegation: When using subdomain delegation, ensure the domain used in DMARC policies resolves correctly without CNAME-related issues.
Marketer view

Email marketer from EasyDMARC explains that while DMARC records themselves are TXT records and don't directly conflict with CNAMEs on other subdomains, the domain used in your DMARC policy (e.g., for reporting) should resolve correctly without CNAME-related issues, especially if you're using subdomain delegation.

March 2021 - EasyDMARC
Marketer view

Email marketer from DNSimple states that a CNAME record essentially redirects one domain or subdomain to another. While convenient, using CNAME records improperly can lead to conflicts with other records, particularly MX records needed for email routing. They advise against using a CNAME record for the root domain.

January 2023 - DNSimple
Marketer view

Email marketer from GoDaddy explains that using a CNAME on a domain or subdomain will forward that DNS query to the specified target, overriding any other settings assigned to that record type. So anything that was configured for that CNAME will be redirected to the other CNAME location. If the MX was at a different level then it would be fine.

January 2022 - GoDaddy
Marketer view

Email marketer from WhatIs explains that CNAME records should not be used as the target of other resource records, such as an MX record. The main reason is that it violates DNS standards and causes confusion and resolution problems.

December 2022 - WhatIs.com
Marketer view

Marketer from Email Geeks explains that TXT resource records (RRs) like SPF, DKIM and DMARC are preserved when an A or CNAME record is modified.

August 2022 - Email Geeks
Marketer view

Marketer from Email Geeks clarifies that if you CNAME mail.example.com, all queries (MX/TXT/A) will follow where that CNAME points. Any record at a different level (e.g., selector._domainkey.mail.example.com) would be unaffected.

May 2021 - Email Geeks
Marketer view

Email marketer from Stack Overflow explains that while it's technically possible to put a CNAME record on the root of a domain, it’s generally not recommended because it can interfere with other essential DNS records, such as those for email (MX records).

March 2023 - Stack Overflow
Marketer view

Email marketer from Klenty explains that if the subdomain uses CNAME, users cannot create SPF, DKIM, and DMARC records for their domain. They should use either CNAME or SPF, DKIM, and DMARC, not both.

April 2023 - Klenty
Marketer view

Email marketer from Super User explains that when a DNS resolver encounters a CNAME, it replaces the name with the canonical name and restarts the resolution process. This impacts all record types at that particular name, as they are effectively redirected.

January 2022 - Super User
Marketer view

Email marketer from StackExchange says that when you use a CNAME, it can disrupt your configurations, particularly those related to email. It also means that all the services previously linked to the origin domain will now be associated with your new domain.

November 2024 - StackExchange
Marketer view

Email marketer from Reddit user /sysadminX explains that if you point a domain with an SPF record to a CNAME, the SPF record for the original domain is ignored. The SPF record that matters is the one on the destination of the CNAME.

November 2021 - Reddit
Marketer view

Email marketer from Email Geeks summarises that a CNAME will subsume all records at the level at which it is applied, except for NS records and SOA. It is therefore not suitable as a domain masking solution for ESPs.

January 2025 - Email Geeks
Marketer view

Marketer from Email Geeks refers to RFC 5321, indicating that while a domain name associated with an MX record must contain a domain name that resolves to at least one A or AAAA record, it should not resolve to a CNAME record. He says that `dig -t MX example.com` can be a CNAME; however, `dig -t A mx.example.com` cannot be a CNAME.

October 2022 - Email Geeks

What the experts say
3 Expert opinions

CNAME records significantly impact SPF records. If a domain sending email uses a CNAME, the original domain's SPF record is ignored, and the SPF record at the CNAME's destination must be correctly configured; otherwise, SPF authentication will fail. When generating DKIM keys, ensure they differ from the domain to prevent spam when using CNAME records.

Key opinions

  • SPF Override: A CNAME record causes the original domain's SPF record to be ignored, with the destination's SPF taking precedence.
  • SPF Configuration: The destination of a CNAME must have a properly configured SPF record to ensure email authentication.
  • DKIM Key Security: For enhanced security, DKIM keys should differ from the domain, especially when using CNAME records, to prevent spam.

Key considerations

  • SPF Record Alignment: Ensure the SPF record at the CNAME destination is correctly aligned with sending practices.
  • Proper DNS Setup: Verify that DNS records, especially SPF, are appropriately configured at the CNAME's destination.
  • DKIM Best Practices: Implement DKIM keys that are different from the domain for better security and spam prevention, especially in CNAME configurations.
Expert view

Expert from Spam Resource explains that if a domain uses a CNAME record, the SPF record associated with the original domain will be disregarded and the SPF record for the CNAME destination will apply instead.

June 2023 - Spam Resource
Expert view

Expert from Word to the Wise explains that when creating DKIM keys, the best practice is to set them to be different from the domain. And with a CNAME this also prevents sending spam in the customer's name.

January 2022 - Word to the Wise
Expert view

Expert from Spam Resource details that if a CNAME record is set up for a domain that also sends email, the SPF record for that domain needs to be present on the destination of the CNAME, otherwise SPF will fail.

July 2023 - Spam Resource

What the documentation says
4 Technical articles

CNAME records map alias names to canonical domain names, redirecting DNS lookups. While useful, standards like RFC 1034 and best practices from Google Workspace and Digital Ocean emphasize that MX records must point directly to A records, not CNAMEs. Using CNAMEs for MX records can cause mail delivery failures due to resolution issues.
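The two behaviours this page keeps returning to (lookups at a CNAME'd name restart at the canonical name, and MX targets must not be CNAMEs) can be checked mechanically. The following is an added example, not code from this page or any cited source; the zone data, the names under `example.com` and `esp.example`, and the helpers `resolve` and `lint` are all constructed for illustration.

```python
# Constructed sample zone (not real records): (owner, type, value)
ZONE = [
    ("example.com.", "MX", "10 mx.example.com."),
    ("example.com.", "TXT", "v=spf1 ip4:192.0.2.10 -all"),
    ("mx.example.com.", "CNAME", "inbound.esp.example."),
    ("inbound.esp.example.", "A", "198.51.100.25"),
    ("mail.example.com.", "CNAME", "bounce.esp.example."),
    ("mail.example.com.", "TXT", "v=spf1 ip4:192.0.2.10 -all"),  # shadowed by the CNAME
    ("bounce.esp.example.", "TXT", "v=spf1 ip4:198.51.100.0/24 -all"),
    ("s1._domainkey.mail.example.com.", "TXT", "v=DKIM1; k=rsa; p=PLACEHOLDER"),
]

def records(zone, name, rtype):
    """Return the values stored at exactly this owner name and type."""
    return [v for o, t, v in zone if o == name and t == rtype]

def resolve(zone, name, rtype, max_hops=8):
    """Answer a query the way a resolver does: on a CNAME, swap in the
    canonical name and restart. Returns (names visited, answer values)."""
    chain = [name]
    for _ in range(max_hops):
        cname = records(zone, name, "CNAME")
        if not cname or rtype == "CNAME":
            return chain, records(zone, name, rtype)
        name = cname[0]
        chain.append(name)
    raise RuntimeError("CNAME chain too long or looping")

def lint(zone):
    """Flag the two misconfigurations discussed on this page."""
    findings = []
    cname_owners = {o for o, t, _ in zone if t == "CNAME"}
    for owner in sorted(cname_owners):
        others = sorted({t for o, t, _ in zone if o == owner and t != "CNAME"})
        if others:
            findings.append(f"{owner} has a CNAME plus {','.join(others)}: "
                            "those records are never returned")
    for owner, rtype, value in zone:
        if rtype == "MX":
            target = value.split()[1]  # value is "<preference> <exchange>"
            if target in cname_owners:
                findings.append(f"MX for {owner} targets {target}, which is a CNAME")
    return findings

if __name__ == "__main__":
    print(resolve(ZONE, "mail.example.com.", "TXT"))
    print(resolve(ZONE, "s1._domainkey.mail.example.com.", "TXT"))
    print("\n".join(lint(ZONE)))
```

The SPF policy returned for `mail.example.com.` is the one published by whoever operates the CNAME target, so reviewing that party's record is part of reviewing your own sending policy; the DKIM selector one label below the alias is answered from your own zone.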

Key findings

  • CNAME Redirection: CNAME records redirect DNS lookups to a canonical domain name.
  • MX Record Restriction: MX records must point to A records, not CNAME records.
  • Mail Delivery Issues: Using CNAMEs for MX records can cause mail delivery failures.
  • DNS Resolution Problems: CNAMEs cause issues resolving email to the correct location.

Key considerations

  • MX Record Configuration: Ensure MX records point directly to A records for proper mail routing.
  • DNS Standards Adherence: Adhere to DNS standards and best practices to avoid mail delivery problems.
  • Record Compatibility: Understand the restrictions on using CNAMEs with MX records to prevent resolution issues.
Technical article

Documentation from Digital Ocean explains that MX records must point to an A record, not a CNAME. CNAME records are usually employed to map one domain to another, and will cause issues for mail to resolve to the CNAME and then the location, so email can fail.

May 2024 - Digital Ocean
Technical article

Documentation from RFC 1034 specifies that when a CNAME record is present, the DNS resolver should replace the CNAME record with the canonical name and restart the query. The standard also implies CNAME records should not co-exist with other record types for the same name.

December 2023 - RFC Editor
Technical article

Documentation from Google Workspace Admin Help warns that MX records must point directly to a domain name (A record) and not to a CNAME. Pointing an MX record to a CNAME can lead to mail delivery issues.

July 2022 - Google
Technical article

Documentation from Cloudflare explains that a CNAME record maps an alias name to a canonical domain name. DNS lookup will continue by retrying the lookup with the canonical name. However, certain records, like MX, should not point to a CNAME.

January 2022 - Cloudflare