Using sequential CNAMEs for your email FROM domain introduces specific technical complexities, primarily related to DNS resolution pathways. At the same time, the broader adoption of services like Cloudflare brings to light significant ethical and operational considerations beyond mere technical configuration. This page summarizes insights from various perspectives regarding both the practicality of CNAME chaining and the controversial aspects of Cloudflare's operations.
Key findings
CNAME chains: Sequential CNAMEs (e.g., custom.domain.com → install.domain.com → domain.cloudflare.net) for the 5321 FROM (envelope sender) domain generally work; resolvers simply follow the chain to the canonical name.
SPF lookup limits: CNAMEs themselves do not count against the SPF 10-lookup limit, only SPF terms that trigger DNS queries.
Cloudflare's practices: Concerns exist regarding Cloudflare's stance on content moderation, including accusations of supporting hate groups and facilitating criminal activities, as highlighted in reporting from ProPublica.
DNS brittleness: While CNAME chains may work, they can increase DNS maintenance complexity.
Key considerations
Reputation impact: Using a service associated with controversial content, even indirectly, could lead to reputational concerns for your brand.
Visibility: Excessive CNAME chaining might be perceived by some as an attempt to hide the actual sending infrastructure, although there's no technical penalty.
Operational stability: Consider the long-term maintainability of complex DNS configurations.
Third-party reliance: If a third party's DNS forms part of the CNAME chain, make sure they publish and maintain the records correctly, especially when clients have their own DNS setups.
What email marketers say
Email marketers often face practical challenges when setting up email infrastructure, particularly concerning DNS configurations like CNAMEs. Their primary concern is usually ensuring deliverability and avoiding technical issues that could impede campaign performance. The ethical implications of underlying service providers might not always be top of mind or within their control, especially when decisions are made at an infrastructure level.
Key opinions
Technical focus: The main concern for marketers regarding CNAMEs is ensuring they work for email sending, particularly for the 5321 FROM domain.
Workarounds: Marketers seek flexible CNAME setups that accommodate diverse client DNS configurations, including those already using Cloudflare.
Deliverability primary: The overriding objective is to maintain good email deliverability, with technical configurations serving this goal.
Ethical awareness: Some marketers may not be fully aware of the ethical debates surrounding their chosen infrastructure providers, or find it difficult to influence organizational decisions once made.
Key considerations
Client compatibility: A robust CNAME setup should work seamlessly across various client DNS environments, even when other Cloudflare settings are present.
Organizational inertia: Changing core infrastructure providers can be challenging due to existing contracts or internal policies.
Reputation implications: Even if the technical setup works, association with controversial services could subtly affect how some recipient systems or users regard the domain, though no mechanical filtering is involved.
Alternatives: Marketers may look for alternative solutions that offer similar functionality without the associated ethical concerns, ideally at a comparable cost.
Marketer view
Marketers often inherit DNS configurations from their infrastructure teams. The primary goal is usually to ensure email sending functions without immediate deliverability issues. They might not always have full control or deep insight into the ethical stances of underlying service providers, focusing instead on practical solutions for customer onboarding.
03 Sep 2019 - Email Geeks
Marketer view
The user from Email Geeks notes that if a company uses Cloudflare, they probably aren't aware of the deeper ethical controversies. Often, these decisions are made at an infrastructure level and email marketers are then tasked with making the DNS configurations work for email.
03 Sep 2019 - Email Geeks
What the experts say
Email deliverability experts delve into the intricate technicalities of DNS and email authentication, often holding strong views on best practices and potential pitfalls. Beyond technical performance, many experts also consider the broader implications of internet infrastructure choices, including ethical stance and potential for abuse, which can influence their professional recommendations and interactions.
Key opinions
CNAMEs are generally acceptable: Experts agree that a few sequential CNAMEs (e.g., 2-4 deep) for a FROM domain should not inherently cause deliverability issues.
DNS complexity: While functional, complex CNAME setups are often viewed as brittle to maintain and are generally discouraged in favor of simpler configurations.
Cloudflare criticism: Several experts express strong ethical opposition to Cloudflare, citing concerns over their policies regarding hosting content from hate groups and criminal enterprises, and their data handling practices (e.g., TLS interception).
No mechanical deliverability impact (yet): Despite ethical concerns, using Cloudflare generally does not lead to direct, mechanical deliverability issues (e.g., blocking by ISPs) based on current systems.
Assumed complicity: Some experts may form negative opinions about companies that choose to use Cloudflare, especially if it appears to hide hosting.
Key considerations
DNS best practices: Adhere to best practices for DNS records, remembering that a CNAME record cannot coexist with other records for the same hostname.
Hidden problems: While CNAMEs don't affect SPF lookup limits, misconfigured SPF records (which can be independent of CNAME chains) remain a common issue leading to rejections.
Reputational risk: Companies using Cloudflare might face scrutiny from individuals and organizations aware of the ethical controversies, potentially impacting willingness to assist with deliverability issues.
Awareness for decision-makers: It is important for companies to inform their leadership about the ethical implications of using certain service providers like Cloudflare, beyond just technical benefits.
Expert view
An expert from Email Geeks explains that CNAMEs do not contribute to SPF query limits. The RFC specifies limits on SPF terms that cause DNS traffic, not on the raw number of DNS queries involved in resolving a CNAME chain.
03 Sep 2019 - Email Geeks
Expert view
A deliverability expert from Email Geeks clarifies that while he once counted queries for SPF, the RFC agrees that CNAMEs themselves do not count towards the 10-lookup limit. This is a common point of confusion that needs clarification.
03 Sep 2019 - Email Geeks
What the documentation says
Official documentation and RFCs provide the foundational rules for DNS and email protocols. While they define the technical limits and behaviors, they typically do not address ethical implications or reputational considerations. Their focus is on interoperability, functionality, and performance.
Key findings
CNAME definition: RFCs define a CNAME record as an alias: a query for the alias name is answered with the records held at the canonical name. This is what makes sequential chains work, since each canonical name can itself be an alias.
CNAME coexistence: DNS standards strictly prohibit a CNAME record from coexisting with any other record type (e.g., A, MX, TXT/SPF) for the same hostname.
SPF DNS lookups: RFC 7208 (SPF) limits an SPF evaluation to 10 DNS-querying terms (the mechanisms and modifiers that cause a lookup). CNAME resolution performed while fetching one of those records is not counted; only the SPF term that triggered the lookup is.
DNS resolution depth: While not explicitly limited by RFCs, practical DNS resolvers may have implicit limits or timeouts that could affect very deep CNAME chains.
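To make the last two findings concrete (and the same point in the Key findings at the top of the page and in the two expert quotes), here is an added Python example that is not part of the original page or of any Email Geeks post. It models the page's example CNAME chain in a constructed in-memory zone, follows it the way a resolver would, then counts only the SPF terms that RFC 7208 charges against the 10-lookup limit. The SPF record contents, the hop cap of 8 and the helper names are assumptions made for the demonstration.

```python
from typing import Dict, List, Optional, Tuple

Zone = Dict[str, List[Tuple[str, str]]]

# Constructed in-memory zone, not live DNS: owner name -> [(rrtype, rdata), ...].
# The CNAME chain is the page's example; the SPF records are invented for the demo.
ZONE: Zone = {
    "custom.domain.com.": [("CNAME", "install.domain.com.")],
    "install.domain.com.": [("CNAME", "domain.cloudflare.net.")],
    "domain.cloudflare.net.": [
        ("A", "192.0.2.10"),
        ("MX", "10 mx.domain.cloudflare.net."),
        ("TXT", "v=spf1 include:_spf.cloudflare.net include:_spf.esp.example ~all"),
    ],
    "_spf.cloudflare.net.": [("TXT", "v=spf1 ip4:198.51.100.0/24 -all")],
    "_spf.esp.example.": [("TXT", "v=spf1 a mx include:_spf.upstream.example -all")],
    "_spf.upstream.example.": [("TXT", "v=spf1 ip4:203.0.113.0/24 -all")],
}

MAX_CNAME_HOPS = 8  # assumed cap standing in for a resolver's own chain limit

# RFC 7208 section 4.6.4: only these terms count against the limit of 10.
# CNAME hops followed while fetching any record do not.
COUNTED = {"include", "a", "mx", "ptr", "exists", "redirect"}


def fqdn(name: str) -> str:
    """Normalise to a lower-case, dot-terminated owner name."""
    return name.lower() if name.endswith(".") else name.lower() + "."


def resolve(name: str, rrtype: str, zone: Zone = ZONE) -> Tuple[List[str], List[str]]:
    """Follow CNAMEs the way a resolver does; return (names visited, rdatas of rrtype).

    A loop or an over-long chain raises RuntimeError, which is the condition a
    recursive resolver reports back to its client as SERVFAIL.
    """
    name = fqdn(name)
    chain = [name]
    while True:
        rrs = zone.get(name, [])
        cname = next((r for t, r in rrs if t == "CNAME"), None)
        if cname is None or rrtype == "CNAME":
            return chain, [r for t, r in rrs if t == rrtype]
        cname = fqdn(cname)
        if cname in chain:
            raise RuntimeError(f"CNAME loop at {cname}")
        if len(chain) > MAX_CNAME_HOPS:
            raise RuntimeError(f"CNAME chain deeper than {MAX_CNAME_HOPS} hops")
        chain.append(cname)
        name = cname


def spf_record(name: str, zone: Zone = ZONE) -> Optional[str]:
    """Return the single SPF TXT record for name (after any CNAME chain), else None."""
    _, txts = resolve(name, "TXT", zone)
    spf = [t for t in txts if t == "v=spf1" or t.startswith("v=spf1 ")]
    return spf[0] if len(spf) == 1 else None


def count_spf_lookups(name: str, zone: Zone = ZONE, _seen: frozenset = frozenset()) -> int:
    """Count DNS-querying SPF terms reachable from name, recursing into include/redirect."""
    name = fqdn(name)
    if name in _seen:
        return 0
    record = spf_record(name, zone)
    if record is None:
        return 0
    total = 0
    for term in record.split()[1:]:
        term = term.lstrip("+-~?")                 # drop the qualifier
        sep = "=" if "=" in term else ":"          # modifier vs mechanism
        key, _, arg = term.partition(sep)
        key = key.split("/")[0].lower()            # "a/24" -> "a"
        if key not in COUNTED:
            continue                               # ip4/ip6/all cost nothing
        total += 1
        if key in ("include", "redirect"):
            total += count_spf_lookups(arg, zone, _seen | {name})
    return total


def spf_lookup_check(mailfrom_domain: str, zone: Zone = ZONE) -> dict:
    """Summarise what an SPF evaluator sees for a 5321 FROM domain."""
    chain, _ = resolve(mailfrom_domain, "TXT", zone)
    lookups = count_spf_lookups(mailfrom_domain, zone)
    return {
        "cname_hops": len(chain) - 1,
        "canonical_name": chain[-1],
        "spf_lookups": lookups,
        "within_limit": lookups <= 10,
    }


if __name__ == "__main__":
    print(spf_lookup_check("custom.domain.com"))
```

Run against the constructed zone, the check reports two CNAME hops to domain.cloudflare.net and five counted lookups: the hops cost nothing, whereas the nested include, a and mx terms each cost one. The loop and depth checks in resolve are the points at which a misconfigured chain stops returning data and becomes a resolver error rather than an SPF limit problem.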
Key considerations
RFC compliance: Ensure your DNS configurations, including CNAME chains, comply with the relevant RFCs (e.g., RFC 1034 for DNS, RFC 7208 for SPF) so that they interoperate and behave predictably.
Impact on other records: Be aware that using a CNAME for a domain means you cannot have MX records, SPF TXT records, or other specific record types directly on that domain without breaking RFC rules.
Delegation benefits: CNAME delegation can simplify email authentication for clients by pointing their domain's names at your service's managed DNS, where the SPF and DKIM records are maintained.
Error handling: DNS resolvers are designed to handle CNAME chains, but excessive length or misconfigurations can lead to SERVFAIL or timeouts, impacting mail flow.
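The coexistence rule in the findings and considerations above (and the DNS best practices point in the experts' section) is the one most often broken when a client delegates a sending subdomain. Below is an added Python zone-file lint that is not part of the original page: it parses a small one-record-per-line zone excerpt and reports every owner name that carries a CNAME together with other data. The zone text, the owner names and the function names are constructed for the example.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

Records = Dict[str, List[Tuple[str, str]]]

# Constructed zone-file excerpt, not a real zone. The client has delegated its
# sending subdomain to the provider with a CNAME but, a common mistake, has also
# left its own MX and SPF TXT records on the same name.
ZONE_TEXT = """\
; mail.client.example delegated to the provider (constructed sample)
mail.client.example.          3600 IN CNAME install.domain.com.
mail.client.example.          3600 IN MX    10 mx.client.example.
mail.client.example.          3600 IN TXT   "v=spf1 include:_spf.domain.com -all"
s1._domainkey.client.example. 3600 IN CNAME s1._domainkey.domain.com.
bounce.client.example.        3600 IN CNAME bounce.domain.com.
www.client.example.           3600 IN A     192.0.2.5
"""

# owner TTL IN TYPE rdata: the subset of zone-file syntax the sample uses
RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+([A-Z]+)\s+(.+)$")


def parse_zone(text: str) -> Records:
    """Parse one-record-per-line zone text into {owner: [(rrtype, rdata), ...]}."""
    records: Records = defaultdict(list)
    for raw in text.splitlines():
        # Strip comments and blank lines (naive: a ';' inside quoted TXT data
        # would be cut too; the sample contains none).
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        match = RR_LINE.match(line)
        if match is None:
            raise ValueError(f"unparseable zone line: {raw!r}")
        owner, _ttl, rrtype, rdata = match.groups()
        records[owner.lower()].append((rrtype, rdata.strip()))
    return dict(records)


def cname_conflicts(records: Records) -> Dict[str, List[str]]:
    """Return {owner: [other rrtypes]} for every owner holding a CNAME plus other data.

    RFC 1034 section 3.6.2: if a CNAME RR is present at a node, no other data
    should be present. Such records are ignored by resolvers at best and
    rejected at zone load time at worst, so the MX/SPF the client expects to
    work never takes effect.
    """
    conflicts: Dict[str, List[str]] = {}
    for owner, rrs in records.items():
        types = [t for t, _ in rrs]
        if "CNAME" in types:
            others = sorted({t for t in types if t != "CNAME"})
            if others:
                conflicts[owner] = others
    return conflicts


def lint(text: str) -> List[str]:
    """Human-readable findings for a zone excerpt."""
    conflicts = cname_conflicts(parse_zone(text))
    return [
        f"{owner}: CNAME cannot coexist with {', '.join(types)}; "
        f"move those records to the CNAME target or drop the CNAME"
        for owner, types in sorted(conflicts.items())
    ]


if __name__ == "__main__":
    for finding in lint(ZONE_TEXT):
        print(finding)
```

On the sample zone the lint flags only mail.client.example, which has MX and TXT alongside its CNAME; the DKIM selector and bounce names are clean delegations. The fix is the one the documentation implies: either the MX and SPF live at the canonical name on the provider side, or the client keeps its own records and drops the CNAME.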
Technical article
RFC 1034 defines CNAME records as a way to specify a canonical name for an alias. All other resource records for that alias must exist at the canonical name.
01 Nov 1987 - RFC 1034
Technical article
The DNS specification mandates that if a CNAME record exists for a name, no other resource records can exist for that name. This is a crucial rule for avoiding conflicts in DNS resolution.