by gorgoiler 1769 days ago
Can SPF, DKIM, and DMARC be CNAMEs? It’s a little bit easier when one can move all this stuff onto one host, away from the rest of one’s infra, especially when it comes to distributing DKIM keys.

I wouldn’t be surprised if there’s also a mail daemon that did DNS for you. Everything in one simple MTA. Begone, Exim4 mega config and update-exim4.conf.conf.conf!

2 comments

DKIM and DMARC can be CNAMEs, but not SPF, since SPF lives at the apex domain name, which cannot be a CNAME. (Of course, if your email address is on a subdomain, then that can be a CNAME. But then the MX records will also have to be moved to the CNAME target.)

Not even then: RFCs state that a CNAME may not exist with any other RR type, and your apex domain needs at least SOA and NS records. A CNAME on the apex domain may kind of work, but it will present as broken in subtle and unexpected ways.

Um, what? I think you misunderstood me. Or you are unaware that DMARC and DKIM records live on subdomains.

DKIM and DMARC can be CNAMEs; many services already use this. At Fastmail, for example, for DKIM you set up CNAMEs, and we manage DKIM keys for you. SPF needs to be on your (root/organizational) domain, and you don't want (can't have) a CNAME there.
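As an added illustration of the rule the replies above are arguing about (this is example code written for this page, not anything posted in the thread or shipped by Fastmail), the script below models a small zone in which `_dmarc` and the DKIM selector name are CNAMEs pointing at a mail provider while the SPF TXT stays at the apex. It lints the zone for the "CNAME must be alone at its name, apex must have SOA and NS" rule and follows the CNAME chain the way a resolver would to fetch the DKIM/DMARC TXT data. All names (`example.com`, `mail-provider.example`, the `fm1` selector) and record contents are constructed placeholders.

```python
"""Model of SPF/DKIM/DMARC placement with CNAMEs (added example, constructed data)."""
from typing import Dict, List, Optional, Tuple

RRSet = List[Tuple[str, str]]  # list of (rrtype, rdata) at one owner name

# Constructed zone for example.com. SPF must be a TXT directly at the apex,
# because the apex already holds SOA/NS and therefore cannot be a CNAME.
ZONE: Dict[str, RRSet] = {
    "example.com.": [
        ("SOA", "ns1.example.com. hostmaster.example.com. 1 3600 900 1209600 300"),
        ("NS", "ns1.example.com."),
        ("MX", "10 mx.mail-provider.example."),
        ("TXT", "v=spf1 include:spf.mail-provider.example -all"),
    ],
    # DMARC and DKIM live on subdomains, so those names may be CNAMEs.
    "_dmarc.example.com.": [("CNAME", "dmarc.mail-provider.example.")],
    "fm1._domainkey.example.com.": [
        ("CNAME", "fm1.example.com.dkim.mail-provider.example.")
    ],
}

# Records the provider serves at the CNAME targets (constructed placeholders).
PROVIDER: Dict[str, RRSet] = {
    "dmarc.mail-provider.example.": [
        ("TXT", "v=DMARC1; p=reject; rua=mailto:dmarc@mail-provider.example")
    ],
    "fm1.example.com.dkim.mail-provider.example.": [
        ("TXT", "v=DKIM1; k=rsa; p=PLACEHOLDER_PUBLIC_KEY")
    ],
}

# The "kind of works but is broken" case from the thread: a CNAME at the apex
# alongside the SOA/NS that every apex must carry.
BROKEN_APEX: Dict[str, RRSet] = {
    "example.com.": [
        ("SOA", "ns1.example.com. hostmaster.example.com. 1 3600 900 1209600 300"),
        ("NS", "ns1.example.com."),
        ("CNAME", "mail-provider.example."),
    ],
}


def lint_zone(zone: Dict[str, RRSet], apex: str) -> List[str]:
    """Report violations of the CNAME exclusivity rule (RFC 1034 s3.6.2,
    RFC 2181 s10.1) and of the apex needing SOA and NS."""
    problems = []
    for name, rrs in zone.items():
        types = {t for t, _ in rrs}
        if "CNAME" in types and len(rrs) > 1:
            others = sorted(types - {"CNAME"})
            problems.append(f"{name}: CNAME cannot coexist with other records {others}")
    apex_types = {t for t, _ in zone.get(apex, [])}
    for required in ("SOA", "NS"):
        if required not in apex_types:
            problems.append(f"{apex}: missing required {required} record")
    return problems


def resolve_txt(name: str, tables: List[Dict[str, RRSet]],
                max_hops: int = 8) -> Optional[List[str]]:
    """Follow CNAMEs across the given tables, as a resolver would, and return
    the TXT rdata found at the end of the chain (None if the name is absent)."""
    for _ in range(max_hops):
        rrs = next((t[name] for t in tables if name in t), None)
        if rrs is None:
            return None
        targets = [r for t, r in rrs if t == "CNAME"]
        if targets:
            name = targets[0]  # a valid name has exactly one CNAME
            continue
        return [r for t, r in rrs if t == "TXT"]
    raise RuntimeError("CNAME chain too long")


if __name__ == "__main__":
    print("good zone problems:", lint_zone(ZONE, "example.com."))
    print("broken apex problems:", lint_zone(BROKEN_APEX, "example.com."))
    for n in ("example.com.", "_dmarc.example.com.", "fm1._domainkey.example.com."):
        print(n, "->", resolve_txt(n, [ZONE, PROVIDER]))
```

The lint passes for the first zone and flags the apex in the second; the three lookups return the SPF, DMARC and DKIM TXT strings respectively, with the latter two reached through the CNAMEs. Against a real zone the same two checks are what `dig +trace` on the selector name and a look at the apex RRset would give you.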