by teddyh 1767 days ago
DKIM and DMARC can be CNAMEs, but not SPF, since SPF lives at the apex domain name, which can not be a CNAME. (Of course, if your email address is on a subdomain, then that can be a CNAME. But then the MX records will also have to be moved to the CNAME target.)

Not even then, RFCs state that a CNAME may not exist with any other RR type, and your apex domain needs at least SOA and NS records. A CNAME on the apex domain may kind of work, but it will present as broken in subtle and unexpected ways.
Um, what? I think you misunderstood me. Or you are unaware that DMARC and DKIM records live on subdomains.
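
The following is an added example, not written by any commenter in this thread: a small Python check, run over a constructed zone, of which mail-authentication owner names can be replaced by a CNAME under the no-coexistence rule discussed above. The zone contents, the selector `sel1`, and the `provider.example` targets are assumptions made up for the illustration.

```python
from collections import defaultdict

# Constructed sample zone: (owner name, RR type, value). All names are placeholders.
ZONE = [
    ("example.com.", "SOA", "ns1.example.com. hostmaster.example.com. 1 7200 3600 1209600 300"),
    ("example.com.", "NS", "ns1.example.com."),
    ("example.com.", "MX", "10 mx.example.com."),
    ("example.com.", "TXT", "v=spf1 include:_spf.provider.example -all"),
    ("_dmarc.example.com.", "CNAME", "_dmarc.provider.example."),
    ("sel1._domainkey.example.com.", "CNAME", "sel1.dkim.provider.example."),
    # Mail subdomain that was CNAMEd while its MX record stayed behind:
    ("mail.example.com.", "CNAME", "tenant.provider.example."),
    ("mail.example.com.", "MX", "10 mx.example.com."),
]

def mail_auth_owners(domain, selector):
    """Owner names a receiver queries for each mechanism of `domain`."""
    return {
        "SPF": domain,                               # TXT at the mail domain itself
        "DKIM": f"{selector}._domainkey.{domain}",   # TXT under a subdomain
        "DMARC": f"_dmarc.{domain}",                 # TXT under a subdomain
    }

def cname_conflicts(zone):
    """Map each owner name where a CNAME coexists with other data to those other types."""
    types = defaultdict(set)
    for owner, rtype, _ in zone:
        types[owner.lower()].add(rtype.upper())
    return {o: sorted(t - {"CNAME"}) for o, t in types.items()
            if "CNAME" in t and t - {"CNAME"}}

def can_be_cname(owner, zone):
    """True if nothing else has to stay at `owner` once it becomes a CNAME.

    Simplification (assumption): every TXT record at the name is treated as
    moving to the CNAME target, so TXT alone does not block the change.
    """
    others = {t.upper() for o, t, _ in zone
              if o.lower() == owner.lower() and t.upper() != "CNAME"}
    return not (others - {"TXT"})

if __name__ == "__main__":
    for mech, owner in mail_auth_owners("example.com.", "sel1").items():
        print(f"{mech:5} {owner:32} CNAME possible: {can_be_cname(owner, ZONE)}")
    print("Coexistence violations:", cname_conflicts(ZONE))
```
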