Aliasing DKIM records through a chain of CNAMEs is technically feasible but has practical limits. DNS CNAME records can chain, but the DKIM verification process ultimately resolves to the authoritative record, which can reveal the underlying email service provider (ESP) or sender. For greater control and sender portability, NS delegation of a subdomain is the more robust solution: it lets an organization manage all DNS records for that subdomain independently of the primary domain's DNS.
Key findings
CNAME chaining: It is technically possible to chain CNAME records for DKIM, meaning your DKIM selector can point to an alias which then points to the ESP's domain. This can validate in the ESP's user interface.
Visibility: Even with CNAME aliasing, the ultimate DKIM record and often the ESP's domain will still be visible if one looks up the record or inspects email headers. This means the sender isn't completely hidden.
Sender portability: The primary motivation for aliasing, or seeking alternatives like NS delegation, is to achieve easier portability between different email sending services without requiring client intervention for DNS changes.
RFC compliance: The fundamental principles of DKIM, as outlined in RFC 6376, focus on verifying the signing domain, which CNAMEs ultimately resolve to.
Key considerations
Exact matching: For CNAME aliasing to work with ESPs like SendGrid, the alias CNAME record needs to precisely match the structure expected by the ESP, including specific subdomains and selectors.
NS delegation for control: NS delegation (Name Server delegation) is a superior approach for managing email sending infrastructure for clients, as it grants you full control over a designated subdomain's DNS records.
Client DNS burden: Direct DNS record changes by clients can be burdensome. NS delegation shifts this burden, requiring a one-time setup from the client to point their subdomain's NS records to your managed DNS.
Subdomain setup: When using NS delegation, you would set up DKIM (and SPF and DMARC) records on the delegated subdomain, effectively managing them on behalf of the client.
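As an added example that is not part of the original discussion, the following Python model walks both lookups described above with constructed zone data (client.example, agency.example, esp.example, the u12345 account identifier and the key data are all made up). A CNAME-aliased selector is followed link by link, so the name of the ESP's key record is what the resolver ends up returning and anyone performing the lookup sees it; a lookup under an NS-delegated subdomain is answered by the agency-run zone after a single referral from the client's zone, which itself holds nothing but the two NS records. No network access is involved.

```python
"""Toy DNS model for the two setups discussed: CNAME-aliased DKIM selectors
and NS-delegated sending subdomains. All zones, names and key data below
are constructed for illustration; they are not real records."""
from dataclasses import dataclass, field

MAX_CNAME_DEPTH = 8  # stop runaway or looping alias chains

# zone apex -> {owner name -> {rrtype -> rdata}}; trailing dots = fully qualified
ZONES = {
    "client.example.": {
        # Setup 1: the client's DKIM selector "ras" is only an alias.
        "ras._domainkey.client.example.": {"CNAME": "ras.domainkey.client.agency.example."},
        # Setup 2: the client delegates mail.client.example to the agency's servers.
        "mail.client.example.": {"NS": ["ns1.agency.example.", "ns2.agency.example."]},
        # Misconfiguration: an alias loop the resolver must refuse to follow.
        "loop.client.example.": {"CNAME": "loop2.client.example."},
        "loop2.client.example.": {"CNAME": "loop.client.example."},
    },
    "agency.example.": {
        "ras.domainkey.client.agency.example.": {"CNAME": "ras.domainkey.u12345.esp.example."},
    },
    "esp.example.": {
        "ras.domainkey.u12345.esp.example.": {"TXT": "v=DKIM1; k=rsa; p=CONSTRUCTEDKEYDATA"},
    },
    # Setup 2: the delegated child zone, served by the agency, holds everything itself.
    "mail.client.example.": {
        "mail.client.example.": {"NS": ["ns1.agency.example.", "ns2.agency.example."],
                                 "TXT": "v=spf1 include:_spf.esp.example -all"},
        "s1._domainkey.mail.client.example.": {"TXT": "v=DKIM1; k=rsa; p=CONSTRUCTEDKEYDATA"},
        "_dmarc.mail.client.example.": {"TXT": "v=DMARC1; p=quarantine; rua=mailto:dmarc@agency.example"},
    },
}


@dataclass
class Answer:
    final_name: str            # owner of the record actually returned
    rdata: str
    zone: str = ""             # zone that was authoritative for it
    cname_chain: list = field(default_factory=list)  # aliases followed, in order
    referrals: list = field(default_factory=list)    # (parent zone, delegated name)


def enclosing_zones(name):
    """Zones whose apex is `name` or a suffix of it, least specific first."""
    return sorted((z for z in ZONES if name == z or name.endswith("." + z)), key=len)


def ask_zone(apex, name, answer):
    """Emulate querying the servers for zone `apex` about `name`.

    An NS set below the apex that covers `name` is a zone cut: the server
    refers us to the child zone instead of answering. Returns (apex, rrset)."""
    for owner, rrs in ZONES[apex].items():
        if owner != apex and "NS" in rrs and (name == owner or name.endswith("." + owner)):
            answer.referrals.append((apex, owner))
            if owner not in ZONES:
                raise LookupError(f"delegated zone {owner} has no reachable servers")
            return ask_zone(owner, name, answer)
    return apex, ZONES[apex].get(name, {})


def resolve(name, rrtype="TXT"):
    """Follow CNAMEs and referrals until an `rrtype` record is found."""
    answer = Answer(final_name=name, rdata="")
    for _ in range(MAX_CNAME_DEPTH + 1):
        zones = enclosing_zones(name)
        if not zones:
            raise LookupError(f"NXDOMAIN: {name}")
        apex, rrs = ask_zone(zones[0], name, answer)  # start at the least specific zone
        if "CNAME" in rrs and rrtype != "CNAME":
            answer.cname_chain.append(name)
            name = rrs["CNAME"]
            continue
        if rrtype not in rrs:
            raise LookupError(f"no {rrtype} record at {name}")
        answer.final_name, answer.rdata, answer.zone = name, rrs[rrtype], apex
        return answer
    raise LookupError(f"CNAME chain from {answer.cname_chain[0]} too long or looped")


def dkim_lookup(domain, selector):
    """Resolve the DKIM key record for `selector` under `domain` (RFC 6376 naming)."""
    return resolve(f"{selector}._domainkey.{domain.rstrip('.')}.")


def is_aliased_offsite(domain, selector):
    """True when the key record ultimately lives outside `domain`, i.e. the
    alias chain exposes another organisation's zone to anyone who looks."""
    a = dkim_lookup(domain, selector)
    return not a.final_name.endswith("." + domain.rstrip(".") + ".")


if __name__ == "__main__":
    a = dkim_lookup("client.example", "ras")
    print("aliases followed:", " -> ".join(a.cname_chain + [a.final_name]))
    print("key served from zone:", a.zone)
    b = dkim_lookup("mail.client.example", "s1")
    print("referrals:", b.referrals, "| key served from zone:", b.zone)
```

The two runs make the trade-off concrete: in the CNAME setup the final owner name is in esp.example, so the alias only hides the provider from someone who never looks, while in the delegated setup every DKIM, SPF and DMARC record lives in the agency-operated zone and moving to another provider means editing that zone only, with no change on the client's side.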
Email marketers often seek ways to streamline DNS management for clients, particularly when using third-party email service providers. The idea of aliasing DKIM records via CNAMEs to abstract away ESP-specific DNS entries is appealing for operational simplicity and brand consistency. However, they acknowledge that these aliases don't fully obscure the underlying sender and that such configurations are hard to implement across diverse client setups.
Key opinions
Abstraction desire: Marketers frequently wish to hide the specific ESP (like SendGrid) from their clients during the DNS setup process for branding and simplicity.
Portability goal: A key driver for aliasing attempts is to enable easier switching between different email senders in the future without involving clients in recurring DNS changes.
Initial skepticism: Some ESPs might initially state that such aliasing isn't possible, leading to confusion among marketers about fundamental DKIM limitations versus ESP-specific restrictions.
Partial concealment: Even when CNAME aliasing works, marketers understand that the underlying ESP will still be discoverable through DNS lookups or email headers, making the concealment partial.
Key considerations
Exact CNAME matching: It's crucial that any intermediate CNAME record exactly matches the format expected by the ESP for the DKIM record to validate correctly.
Leveraging NS delegation: NS delegation is often suggested as a more effective long-term strategy for managing client-specific email sending DNS, as it provides full control over the subdomain.
Client ease of use: Minimizing the DNS workload for clients is a priority. NS delegation, despite potential initial setup hurdles, simplifies ongoing management for the client.
DNS complexity: Understanding how CNAMEs affect DNS resolution is essential for marketers trying to implement complex DNS setups for email authentication.
Marketer view
Marketer from Email Geeks asks if they can alias a DKIM record when using SendGrid to send newsletters on behalf of a client using the client's domain. They want to know if it's a SendGrid limitation or a fundamental DKIM limitation.
02 May 2024 - Email Geeks
Marketer view
Marketer from Email Geeks explains their desired setup: a CNAME chain like ras._domainKey.domain.com -> ras.domainkey.domain.rasa.io -> ras.domainkey.identifier.sendgrid.net. The goal is to keep SendGrid hidden from the client.
02 May 2024 - Email Geeks
What the experts say
Industry experts provide critical insights into the feasibility and implications of aliasing DKIM records and the best practices for managing DNS for third-party email sending. They clarify that while CNAME chaining might technically validate in some systems, it doesn't fully hide the ultimate DKIM signing domain. NS delegation is consistently highlighted as the superior method for giving a third party control over specific subdomains for email authentication, enabling greater flexibility and simplified management.
Key opinions
ESPs and CNAMEs: Many ESPs are built to handle CNAME records pointing to their infrastructure for DKIM validation, making CNAME chaining a common practice.
Backend validation: An ESP's backend typically checks for the presence of the TXT record and corresponding downstream records, not necessarily the CNAME itself, as long as the resolution is correct.
Matching required: Subdomains and selectors in the CNAME chain must match exactly for the configuration to work correctly.
NS delegation benefits: NS delegation for a subdomain allows for the management of all DNS records (including SPF, DKIM, DMARC) for that subdomain by a third party, offering more control and flexibility, especially for spinning up new providers.
Key considerations
Header visibility: Regardless of CNAME aliasing, the ultimate ESP or sender information will likely still be visible in email headers upon delivery.
Client onboarding friction: While NS delegation is technically superior for ongoing management, getting clients to implement the initial NS record change can be challenging, as it requires specific DNS knowledge or access.
DNS complexity for clients: Explaining the concept of NS delegation and its benefits to clients who are not DNS savvy can be an obstacle. Consult our guide on where SPF, DKIM, and DMARC records should be placed.
Warming up infrastructure: NS delegation facilitates the ability to warm up new sending infrastructure by allowing multiple providers to be spun up under the delegated subdomain, a key deliverability practice.
Expert view
Expert from Email Geeks, responding to a question about aliasing DKIM records, confirms that what the user is attempting is what many ESPs (Email Service Providers) do when they are built on top of cloud ESPs.
02 May 2024 - Email Geeks
Expert view
Expert from Email Geeks advises generating a sending domain per client with the specific selector. They note that the ESP's backend (like SendGrid) typically checks for the TXT and corresponding downstream records, but not necessarily the CNAME itself.
02 May 2024 - Email Geeks
What the documentation says
Official documentation and research often clarify the core functionalities of DKIM and DNS, providing the foundational understanding for aliasing and delegation strategies. While DKIM itself expects a direct lookup to a TXT record, DNS CNAME functionality allows for redirection. NS delegation, on the other hand, is a standard DNS mechanism for distributing control over portions of the DNS namespace, offering a robust method for third-party management of email authentication records.
Key findings
DKIM verification: As defined by RFC 6376, DKIM verification relies on fetching the signer's public key from a TXT record in the DNS under the signing domain.
CNAME function: A CNAME record (Canonical Name record) functions as an alias, pointing one domain name to another, rather than directly to an IP address.
NS delegation purpose: NS (Name Server) delegation allows a domain owner to delegate authority for a subdomain to a different set of name servers, enabling a third party to manage that subdomain's DNS records.
Proposed DELEG record: There have been discussions, such as the proposed DELEG record, to formally define a DNS record type for delegation, highlighting the need for structured delegation in DNS.
Key considerations
DNS resolution path: When CNAMEs are used, the DNS resolver will follow the chain of aliases until it reaches the authoritative record (in this case, the DKIM TXT record) for the signing domain.
Control transfer: NS delegation effectively transfers administrative control of a subdomain to the delegated name servers, allowing comprehensive management of all records within that subdomain.
No attributes for DELEG alias: The proposed DELEG record in alias mode does not contain other attributes, meaning direct aliasing into an 'in-domain' name might be limited for complex setups.
Subdomain management: Delegating a subdomain to a different NS allows for independent management of its DNS records, including the specific selector records and public keys required for DKIM validation. See our guidance on setting up SPF and DKIM for new subdomains.
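As an added example (not part of the cited documentation), the following Python checks a DKIM key record of the kind the resolver ends up at, whether reached directly, through a CNAME chain or inside a delegated subdomain. It parses the tag=value list that RFC 6376 section 3.6.1 defines and flags the states a deliverability engineer most often trips over: a revoked key (empty p=), key data that is not valid base64, and the t=y testing flag. The sample records are constructed and the key bytes are placeholders, not real key material.

```python
"""Parse and sanity-check a DKIM key record as published in DNS (RFC 6376,
section 3.6.1). The records below are constructed samples; the key bytes are
not a real public key."""
import base64
import binascii

KEY_TYPES = {"rsa", "ed25519"}          # rsa: RFC 6376; ed25519: RFC 8463
HASH_ALGS = {"sha1", "sha256"}          # tokens RFC 6376 allows in h=


def join_txt_strings(strings):
    """A long key is published as several <character-string>s in one TXT RR;
    RFC 6376 section 3.6.2.2 says they are concatenated with nothing between."""
    return "".join(strings)


def parse_tag_list(record):
    """'tag=value; tag=value' -> dict. Duplicate tags make the record
    invalid (RFC 6376 section 3.2); surrounding whitespace is insignificant."""
    tags = {}
    for item in record.split(";"):
        item = item.strip()
        if not item:
            continue
        if "=" not in item:
            raise ValueError(f"malformed tag-spec: {item!r}")
        tag, value = (part.strip() for part in item.split("=", 1))
        if tag in tags:
            raise ValueError(f"duplicate tag: {tag}")
        tags[tag] = value
    return tags


def check_dkim_key_record(record):
    """Return a list of findings; an empty list means the record is usable."""
    findings = []
    tags = parse_tag_list(record)
    if tags.get("v", "DKIM1") != "DKIM1":          # v= is optional but fixed when present
        findings.append(f"v= must be DKIM1, got {tags['v']!r}")
    if "p" not in tags:
        findings.append("required p= tag missing")
    elif tags["p"] == "":
        findings.append("empty p=: key revoked, signatures using this selector fail")
    else:
        try:
            base64.b64decode("".join(tags["p"].split()), validate=True)
        except (binascii.Error, ValueError):
            findings.append("p= is not valid base64")
    if tags.get("k", "rsa") not in KEY_TYPES:
        findings.append(f"unknown key type k={tags['k']!r}")
    bad_hashes = set(tags.get("h", "").split(":")) - HASH_ALGS - {""}
    if bad_hashes:
        findings.append(f"unknown hash algorithm(s) in h=: {sorted(bad_hashes)}")
    if tags.get("s", "*") not in {"*", "email"}:
        findings.append(f"unknown service type s={tags['s']!r}")
    flags = set(tags.get("t", "").split(":")) - {""}
    if "y" in flags:
        findings.append("t=y: testing mode, verifiers treat failures as unsigned mail")
    if flags - {"y", "s"}:
        findings.append(f"unknown flag(s) in t=: {sorted(flags - {'y', 's'})}")
    return findings


# Constructed samples (FAKE key material, not a usable public key).
FAKE_KEY = base64.b64encode(b"constructed public key bytes, not a real key").decode()
GOOD_RECORD = join_txt_strings(["v=DKIM1; k=rsa; p=" + FAKE_KEY[:20], FAKE_KEY[20:]])
TESTING_RECORD = f"v=DKIM1; k=rsa; t=y; p={FAKE_KEY}"
REVOKED_RECORD = "v=DKIM1; k=rsa; p="
BROKEN_RECORD = "v=DKIM2; k=dsa; h=md5; p=not*base64"

if __name__ == "__main__":
    for name, rec in [("good", GOOD_RECORD), ("testing", TESTING_RECORD),
                      ("revoked", REVOKED_RECORD), ("broken", BROKEN_RECORD)]:
        print(f"{name}: {check_dkim_key_record(rec) or 'OK'}")
```

The split GOOD_RECORD mirrors how long RSA keys actually appear in a TXT answer (several quoted strings that must be joined before parsing), which is a common reason a key that "looks right" in a DNS console still fails verification.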
Technical article
Documentation from IETF Datatracker, specifically RFC 6376 on DomainKeys Identified Mail (DKIM) Signatures, clarifies that DKIM enables an organization owning the signing domain to claim responsibility for a message. This underlines the importance of the ultimate domain of authority.
10 Sep 2011 - IETF Datatracker
Technical article
Documentation from Palo Alto Networks explains that a CNAME record is a DNS database record acting as an alias for another domain, pointing to a domain name instead of an IP address. This defines the core function of CNAMEs relevant to aliasing DKIM.