Is it valid to have SPF records for a domain that is a CNAME?

I read that it's not valid to have a CNAME for a domain that also has its own SPF, because all records are taken from the domain that the CNAME points to.

However, this doesn't seem to be what happens for me. I have pi.dantup.com CNAMEd to dantuppi.dynv6.net, however my SPF record seems to work fine (there is no SPF on the dynv6.net domain):

https://toolbox.googleapps.com/apps/dig/#CNAME/pi.dantup.com
https://toolbox.googleapps.com/apps/dig/#TXT/pi.dantup.com

This seems to work fine testing with this tool. However, a friend has his set up very similarly and it appears to not be working. Before digging into this, I'm trying to understand if what mine is doing is correct?


The discussion you refer to describes CNAME-ing a TLD (top-level domain) to another domain. That is not a good idea.

But CNAME-ing a subdomain over to a third party is actually the preferred setup to arrange, for example, bounce-handling by a third party (marketing tools and such). For example, for sending newsletters via the subdomain newsletters.example.com by a marketing tool hosted at newsmailers.org, you can use a CNAME record that points newsletters.example.com to example_com.newsmailers.org, actively delegating the responsibility for SPF and MX records for the newsletters.example.com subdomain to the external party. You cannot, however, add additional RRs (TXT / MX / A) with the same name to DNS, according to RFC 1912.

RFC 1034 section 3.6 states that the RDATA for a CNAME contains a domain name (typically where an SPF TXT record lives), while the RDATA for an MX or NS record should contain a Host Name.

Also, be careful with CNAMEs that point to other CNAMEs. This will (most often) fail. See RFC 1912 section 2.4.

If you take a look at the following article by DMARCIAN, I hope you'll find more details and information you were looking for:

https://dmarcian.com/how-to-send-dmarc-compliant-email-on-behalf-of-others/

If you want to see what's happening on DNS, just check: https://dns.google.com/query?name=pi.dantup.com&type=TXT&dnssec=true

If you set up a CNAME, you'll first see an answer of type 5 (CNAME) and a second answer of type 16 (TXT).


If you have no concern about recursive searches (take into account that SPF manages 10 MAX), you can have a redirect SPF, which in my opinion is better than a CNAME, as SPF is essentially a TXT record on the root of the domain; a CNAME might break you and cause issues when creating other TXT records on the root, like verification records, which everyone seems to be using now.

You can implement this SPF on the root "v=spf1 redirect=_spf.mailhostbox.com".

Where _spf.mailhostbox.com is your redirected location.
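To make the points of both answers concrete, here is an added Python example that is not part of either answer: a toy resolver over a constructed in-memory zone that restarts a query at the canonical name when it hits a CNAME (RFC 1034 section 3.6.2), flags names that carry other records next to a CNAME (RFC 1912 section 2.4), shows a CNAME chain, and follows an SPF `redirect=` while counting DNS-querying terms against the 10-lookup limit (RFC 7208 section 4.6.4). All names and records below are constructed placeholders; `_spf.mailhostbox.com` is taken from the second answer, and real resolvers or DNS providers may behave more leniently than this strict RFC model.

```python
"""Toy DNS resolver illustrating CNAME + SPF interaction.
Added example with a constructed zone; not real DNS data."""
from collections import defaultdict

# Constructed zone: owner name -> list of (rtype, rdata).
ZONE = defaultdict(list)


def add(name, rtype, rdata):
    ZONE[name.lower().rstrip(".")].append((rtype, rdata))


# Preferred setup from the first answer: a subdomain delegated by CNAME,
# with SPF and MX living at the third party's name.
add("newsletters.example.com", "CNAME", "example_com.newsmailers.org")
add("example_com.newsmailers.org", "TXT", "v=spf1 include:_spf.newsmailers.org -all")
add("example_com.newsmailers.org", "MX", "10 mx.newsmailers.org")
add("_spf.newsmailers.org", "TXT", "v=spf1 a mx ip4:198.51.100.0/24 -all")
# Broken: other RRs next to a CNAME (forbidden by RFC 1912 section 2.4).
add("bad.example.com", "CNAME", "other.example.net")
add("bad.example.com", "TXT", "v=spf1 -all")
# Broken: CNAME pointing at another CNAME.
add("chain.example.com", "CNAME", "bad.example.com")
# Root domain using redirect= (second answer); other TXT records coexist.
add("example.com", "TXT", "v=spf1 redirect=_spf.mailhostbox.com")
add("example.com", "TXT", "site-verification=placeholder-token")
add("_spf.mailhostbox.com", "TXT", "v=spf1 ip4:192.0.2.0/24 -all")
# Redirect loop, to show the lookup limit being enforced.
add("loop-a.example.com", "TXT", "v=spf1 redirect=loop-b.example.com")
add("loop-b.example.com", "TXT", "v=spf1 redirect=loop-a.example.com")


def cname_violations(zone=ZONE):
    """Names that own a CNAME plus any other record (RFC 1912 section 2.4)."""
    return sorted(n for n, rrs in zone.items()
                  if any(t == "CNAME" for t, _ in rrs) and len(rrs) > 1)


def resolve(name, rtype, zone=ZONE, max_chain=8):
    """Answer a query as RFC 1034 section 3.6.2 describes: when the name owns
    a CNAME, restart the query at the canonical name. Any other records at
    the aliased name are never consulted. Returns (answers, cname_hops)."""
    hops = []
    for _ in range(max_chain):
        rrs = zone.get(name.lower().rstrip("."), [])
        cnames = [r for t, r in rrs if t == "CNAME"]
        if cnames and rtype != "CNAME":
            hops.append((name, cnames[0]))
            name = cnames[0]
            continue
        return [r for t, r in rrs if t == rtype], hops
    raise RuntimeError("CNAME chain too long")


def spf_record(name, zone=ZONE):
    """The single v=spf1 TXT record for name, or None (RFC 7208 section 3.2)."""
    txts, _ = resolve(name, "TXT", zone)
    spf = [t for t in txts if t.startswith("v=spf1")]
    return spf[0] if len(spf) == 1 else None


# Mechanisms that cost a DNS query during SPF evaluation.
LOOKUP_MECHS = {"a", "mx", "ptr", "exists", "include", "redirect"}


def count_lookups(name, zone=ZONE, limit=10, _count=0):
    """Count DNS-querying SPF terms for name, following include: and
    redirect= recursively. Raises when the RFC 7208 limit is exceeded."""
    rec = spf_record(name, zone)
    if rec is None:
        return _count
    for term in rec.split()[1:]:
        t = term.lstrip("+-~?")
        mech = t.split(":", 1)[0].split("=", 1)[0].split("/", 1)[0].lower()
        if mech in LOOKUP_MECHS:
            _count += 1
            if _count > limit:
                raise RuntimeError(f"permerror: more than {limit} DNS lookups")
        if mech == "include":
            _count = count_lookups(t.split(":", 1)[1], zone, limit, _count)
        elif mech == "redirect":
            _count = count_lookups(t.split("=", 1)[1], zone, limit, _count)
    return _count


if __name__ == "__main__":
    print("RFC 1912 violations:", cname_violations())
    print("SPF via CNAME:", spf_record("newsletters.example.com"))
    print("SPF at aliased name (ignored):", spf_record("bad.example.com"))
    print("CNAME chain hops:", resolve("chain.example.com", "TXT")[1])
    print("Root redirect lookups:", count_lookups("example.com"))
```

Note how `spf_record("bad.example.com")` returns `None`: the TXT record sitting beside the CNAME is never reached, which is the situation the question describes, while the root domain keeps its verification TXT alongside the `redirect=` record without conflict.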