Suped

Summary

Aliasing DKIM records, particularly through a series of CNAMEs, presents both technical feasibility and practical challenges. While DNS CNAME records can chain, the actual DKIM verification process ultimately resolves to the authoritative record, potentially revealing the underlying email service provider (ESP) or sender. For greater control and sender portability, NS delegation of a subdomain emerges as a more robust solution, allowing an organization to manage all DNS records for that specific subdomain independently of the primary domain's DNS.

What email marketers say

Email marketers often seek ways to streamline DNS management for clients, particularly when using third-party email service providers. The idea of aliasing DKIM records via CNAMEs to abstract away ESP-specific DNS entries is appealing for operational simplicity and brand consistency. However, they acknowledge two limitations: these aliases don't fully obscure the underlying sender, and such configurations are challenging to implement across diverse client setups.

Marketer view

Marketer from Email Geeks asks if they can alias a DKIM record when using SendGrid to send newsletters on behalf of a client using the client's domain. They want to know if it's a SendGrid limitation or a fundamental DKIM limitation.

02 May 2024 - Email Geeks

Marketer view

Marketer from Email Geeks explains their desired setup: a CNAME chain like ras._domainKey.domain.com -> ras.domainkey.domain.rasa.io -> ras.domainkey.identifier.sendgrid.net. The goal is to keep SendGrid hidden from the client.

02 May 2024 - Email Geeks

What the experts say

Industry experts provide critical insights into the feasibility and implications of aliasing DKIM records and the best practices for managing DNS for third-party email sending. They clarify that while CNAME chaining might technically validate in some systems, it doesn't fully hide the ultimate DKIM signing domain. NS delegation is consistently highlighted as the superior method for giving a third party control over specific subdomains for email authentication, enabling greater flexibility and simplified management.

Expert view

Expert from Email Geeks, responding to a question about aliasing DKIM records, confirms that what the user is attempting is what many ESPs (Email Service Providers) do when they are built on top of cloud ESPs.

02 May 2024 - Email Geeks

Expert view

Expert from Email Geeks advises generating a sending domain per client with the specific selector. They note that the ESP's backend (like SendGrid) typically checks for the TXT and corresponding downstream records, but not necessarily the CNAME itself.

02 May 2024 - Email Geeks

What the documentation says

Official documentation and research often clarify the core functionalities of DKIM and DNS, providing the foundational understanding for aliasing and delegation strategies. While DKIM itself expects a direct lookup to a TXT record, DNS CNAME functionality allows for redirection. NS delegation, on the other hand, is a standard DNS mechanism for distributing control over portions of the DNS namespace, offering a robust method for third-party management of email authentication records.

Technical article

Documentation from IETF Datatracker, specifically RFC 6376 on DomainKeys Identified Mail (DKIM) Signatures, clarifies that DKIM enables an organization owning the signing domain to claim responsibility for a message. This underlines the importance of the ultimate domain of authority.

10 Sep 2011 - IETF Datatracker

Technical article

Documentation from Palo Alto Networks explains that a CNAME record is a DNS database record acting as an alias for another domain, pointing to a domain name instead of an IP address. This defines the core function of CNAMEs relevant to aliasing DKIM.

25 Jan 2023 - Palo Alto Networks
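
The CNAME chain the marketer describes above, walked the way a verifier's resolver follows it, shows why the alias does not hide the ESP: every hop is visible to anyone who queries the selector. This is an added example, not code from the original page or from any of the quoted sources; the zone table is constructed, the TXT value is a placeholder, and the function names and hop cap are assumptions.

```python
"""Walk a DKIM selector's CNAME chain offline and list every name a lookup exposes."""

# Constructed zone data. The three hostnames are the chain quoted on this page;
# the TXT value is a placeholder, not a real key.
ZONE = {
    "ras._domainkey.domain.com": ("CNAME", "ras.domainkey.domain.rasa.io"),
    "ras.domainkey.domain.rasa.io": ("CNAME", "ras.domainkey.identifier.sendgrid.net"),
    "ras.domainkey.identifier.sendgrid.net": ("TXT", "v=DKIM1; k=rsa; p=PLACEHOLDER_PUBLIC_KEY"),
}

MAX_HOPS = 8  # assumed cap for this example; real resolvers enforce their own limit


def resolve_dkim(selector, domain, zone=ZONE):
    """Return (txt_value, names_visited) for selector._domainkey.domain.

    Raises LookupError on a CNAME loop, an over-long chain, or a missing record.
    """
    name = f"{selector}._domainkey.{domain}".lower().rstrip(".")
    visited = []
    while len(visited) <= MAX_HOPS:
        if name in visited:
            raise LookupError(f"CNAME loop at {name}")
        visited.append(name)
        record = zone.get(name)
        if record is None:
            raise LookupError(f"no record for {name}")
        rtype, value = record
        if rtype == "TXT":
            return value, visited  # the key record the verifier finally uses
        name = value.lower().rstrip(".")  # DNS names are case-insensitive
    raise LookupError("CNAME chain too long")


def exposed_parents(visited, labels=2):
    """Parent domain of each hop, in order (naive: keeps the last `labels` labels)."""
    seen = []
    for name in visited:
        parent = ".".join(name.split(".")[-labels:])
        if parent not in seen:
            seen.append(parent)
    return seen


if __name__ == "__main__":
    txt, hops = resolve_dkim("ras", "domain.com")
    print(" -> ".join(hops))
    print("visible to anyone who queries the selector:", exposed_parents(hops))
```

With NS delegation of the subdomain instead, the intermediary decides which records exist under that name and can change the provider behind it without the client editing DNS again.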
