Summary
Using sequential CNAMEs for email FROM domains involves specific technical considerations, primarily concerning DNS lookup performance and potential conflicts with essential email records like MX. While generally safe for depths of up to four and not impacting SPF query limits, placing CNAMEs at the root domain is problematic for email functionality. Separately, Cloudflare's extensive role in internet infrastructure raises significant ethical and privacy concerns. This stems from their stance on content neutrality, which has led to accusations of enabling bad actors, their practices of intermingling legitimate and illicit sites, and their processing of email metadata through services like Email Routing. Email marketers must weigh the technical implications of CNAMEs against these broader ethical and privacy considerations when designing their email infrastructure.
Key findings
- CNAME Chain Depth: A chain of 2-4 CNAMEs is generally considered safe and unlikely to cause significant issues for email, though excessively long chains can introduce performance overhead or resolution failures.
- CNAMEs and SPF Limits: CNAME records, including sequential chains, do not count towards SPF query limits. This clarifies a common misconception about SPF authentication.
- Root Domain CNAME Conflicts: Placing a CNAME record at the root of a domain (e.g., 'yourdomain.com CNAME anotherdomain.com') is problematic for email, as RFCs state no other resource records, such as MX records, can exist for that name. This directly impacts email delivery.
- Cloudflare's Content Neutrality Stance: Cloudflare's commitment to 'internet neutrality' means they typically do not terminate services based on content, leading to criticisms that they inadvertently protect or enable websites engaged in illicit activities, including child abuse material, hate speech, and spam.
- Email Routing Privacy: Cloudflare's Email Routing service processes email metadata and potentially content for routing purposes. While emails are not stored long-term, this processing raises privacy concerns due to a third-party's access to sensitive communications.
- Market Dominance Concerns: Cloudflare's significant and growing role as an internet gatekeeper raises broader ethical concerns about centralization of infrastructure, potential data collection across numerous websites, and the implications for competition and privacy due to so much traffic flowing through one company.
- DKIM and CNAME Chains: While CNAMEs are commonly used for DKIM record management, deep or sequential CNAME chains for resolving DKIM can lead to resolution failures if they exceed DNS resolver limits, impacting DMARC alignment and email deliverability.
Key considerations
- CNAME Usage Caution: Avoid 'in-zone' CNAMEs where possible due to potential brittleness in maintenance. While CNAMEs are common for DKIM records, using sequential CNAMEs directly for the email FROM domain is generally discouraged due to potential DNS lookup issues and conflicts with other essential records like MX.
- Cloudflare Ethical Vetting: Thoroughly evaluate Cloudflare's corporate policies, including their stance on controversial content and data handling, before integrating their services. Their policy of not terminating services based on content, even for problematic sites, raises significant ethical questions for some organizations.
- Third-Party Intermediary Risk: Be aware that Cloudflare's Email Routing service acts as an intermediary, processing email headers and content. This raises privacy concerns as sensitive communications flow through their network, even if not stored long-term, and should be weighed against the convenience.
- Potential PR and Support Impact: Understand that association with Cloudflare, given their broad and sometimes controversial client base, might lead to less inclination from email professionals to offer help and could pose future PR challenges if your hosting information becomes more transparent.
What email marketers say
9 marketer opinions
The use of sequential CNAMEs for email FROM domains carries specific technical implications, largely centered on DNS resolution and compatibility with other critical email records. While moderate CNAME chains typically do not affect SPF query limits and are generally safe for DKIM, using them at a domain's root can create direct conflicts with MX records, hindering email deliverability. On the ethical front, Cloudflare's pervasive influence as an internet infrastructure provider raises substantial concerns, including privacy implications from its Email Routing service, accusations of enabling problematic content due to its content-agnostic policies, and broader questions about centralization and its potential impact on online discourse and data privacy.
Key opinions
- CNAMEs for From Domain: While CNAMEs are useful for DKIM, their direct use for the email FROM domain itself is generally discouraged due to potential DNS lookup issues, increased latency, and conflicts with MX records crucial for deliverability.
- Cloudflare's Controversial History: Specific allegations against Cloudflare include supporting controversial groups, breaking TLS for traffic sniffing, and questionable funding origins, which contribute to a contentious public perception.
- Cloudflare's Intermingling Strategy: Cloudflare's practice of hosting legitimate companies alongside illicit sites, including those with child sexual abuse material or hate speech, is cited as a tactic to avoid service blocking by ISPs.
- Professional Support Impact: While Cloudflare usage may not cause 'mechanical' reputation issues, it could lead to less inclination from email professionals to provide help and could pose future PR challenges if hosting information becomes more transparent.
Key considerations
- Avoid In-Zone CNAMEs: For domain management, it is advisable to avoid 'in-zone CNAMEs' where possible due to their potential for brittleness and maintenance challenges.
- Centralization Risks with Cloudflare: Cloudflare's market dominance and the centralization of internet infrastructure under one provider present risks, including the potential for a single point of failure and extensive data collection, which can impact privacy and competition.
- Cloudflare's Impact on Content: Despite Cloudflare's stated neutrality, its services are criticized for providing a shield that enables controversial or harmful content to remain online, raising significant ethical questions about its impact on public discourse and safety.
- Sequential CNAME Perceptions: Be aware that using multiple sequential CNAMEs, particularly for email FROM domains, might be perceived by some as an attempt to obscure the actual domain, potentially leading to increased scrutiny.
Marketer view
Email marketer from Email Geeks explains that a chain of 2-3 CNAMEs is unlikely to cause issues. He clarifies that CNAMEs do not count towards SPF query limits, correcting his earlier statement. He also notes a minor concern that multiple CNAMEs could be perceived as hiding the actual domain.
26 Aug 2022 - Email Geeks
Marketer view
Email marketer from Email Geeks expresses wariness about using CNAMEs, particularly 'in-zone CNAMEs', advising to avoid them where possible due to potential brittleness in maintenance. He clarifies that CNAMEs do not affect SPF query limits and suggests that a depth of up to four CNAME chains is generally safe. Regarding Cloudflare, he details significant concerns: their corporate policy supporting white supremacists and doxing complainants, breaking TLS to sniff traffic, funding originating from schemes to extort money from ESPs, and a history linked to the 'Unspam' initiative. He further explains that Cloudflare intermingles legitimate companies with illicit sites (including child sexual abuse material and hate sites) to avoid being blocked by ISPs. While noting that using Cloudflare might not cause 'mechanical' reputation issues, he warns it could lead to less inclination from professionals to provide help and could pose future PR challenges if hosting information becomes more transparent.
1 Mar 2022 - Email Geeks
What the experts say
3 expert opinions
Concerns regarding Cloudflare's ethical stance and its operational practices are significant, particularly their role in protecting websites associated with illicit activities. Experts highlight that Cloudflare's commitment to content neutrality has led to criticisms that it effectively shields malicious actors, including those involved in child abuse, criminal enterprises, spam, and malware distribution. This policy, despite being framed as upholding free speech, is seen by some as actively facilitating online abuse. Furthermore, Cloudflare's past technical issues and the strategic intermingling of legitimate and illicit sites contribute to the debate surrounding their responsibility as a major internet infrastructure provider.
Key opinions
- Protecting Illicit Entities: Cloudflare has been criticized for protecting entities involved in child abuse materials and criminal enterprises like The Silk Road.
- Enabling Abuse: Critics argue that Cloudflare's services inadvertently enable spam, phishing, and malware distribution by providing protection to websites engaged in such activities.
- Content Neutrality Debate: Cloudflare's policy of not deplatforming abusive websites, citing free speech, is contentious, with critics arguing it shields malicious actors and facilitates online abuse.
- Operational Strategies: Cloudflare's operational strategies include past broken DNS configurations and the practice of intermingling legitimate sites with illicit ones to avoid boycotts.
- Call for Stricter Policies: There is a suggestion for Cloudflare to implement more stringent policies to restrict access for known spammers and other abusive actors.
Key considerations
- Ethical Implications for Users: Businesses and individuals utilizing Cloudflare's services should consider the ethical implications of supporting a provider accused of enabling harmful online content.
- Risk of Association: Association with Cloudflare may carry reputational risks due to its controversial client base and perceived role in shielding illicit activities.
- Industry Accountability: The broader email marketing and internet security communities are urging Cloudflare to adopt more robust policies to curb abuse on its platform.
- Evaluating Provider Ethics: Email marketers should evaluate their infrastructure providers not only on technical merit but also on their ethical policies regarding content moderation and user accountability.
Expert view
Expert from Email Geeks highlights that Cloudflare protects entities involved in child abuse materials and criminal enterprises like The Silk Road. She also notes their past broken DNS configurations that required ISPs to implement workarounds, and their strategy of intermingling legitimate websites with illicit ones to avoid boycotts.
12 Mar 2025 - Email Geeks
Expert view
Expert from Spam Resource explains that Cloudflare's services, by protecting websites that engage in spam and other abuse, raise concerns about whether they are inadvertently enabling such activities. It suggests Cloudflare could implement stricter policies to restrict access for known spammers.
15 Aug 2023 - Spam Resource
What the documentation says
5 technical articles
The use of sequential CNAMEs for email FROM domains introduces technical hurdles such as increased DNS lookup overhead, which can lead to resolution delays or failures for the FROM domain itself or associated authentication records like DKIM. Cloudflare's CNAME flattening technique, while optimizing root domain resolution, might inadvertently alter the expected lookup behavior for crucial email authentication records like SPF, DKIM, and DMARC, potentially compromising deliverability. Beyond technical aspects, Cloudflare's services present significant ethical and privacy dilemmas. Their Email Routing service, by processing email headers and content, inherently raises privacy questions about data handling. Furthermore, their stated commitment to 'internet neutrality' has drawn criticism for potentially enabling controversial or illicit content, while their extensive data collection practices across a vast internet footprint prompt overarching concerns about user data aggregation and utilization.
Key findings
- Sequential CNAME Overhead: RFC 1034 indicates that sequential CNAMEs introduce performance overhead due to multiple lookup iterations, which can lead to delays or failures in resolving email FROM domains or DKIM records, directly impacting mail server functionality.
- Cloudflare CNAME Flattening: Cloudflare's CNAME flattening technique, while useful for apex domains, can change the lookup behavior for sensitive email authentication records, such as DMARC, SPF, or DKIM, potentially impacting deliverability and authentication.
- Email Routing Privacy Risks: Cloudflare's Email Routing service processes email headers and content within its network, positioning Cloudflare as an active participant in the email flow and raising key privacy and data handling questions for users.
- Content Neutrality Ethics: Cloudflare's commitment to not terminating services based on content, citing 'free speech,' leads to ethical concerns from critics who argue it inadvertently enables or shields bad actors, hate speech, or illegal activities.
- Broad Data Collection: Cloudflare's general privacy policy outlines extensive data collection across its services, including network traffic and DNS resolution, which broadly impacts ethical considerations regarding the aggregation and potential use of user data due to its vast internet footprint.
Key considerations
- DNS Resolution Delays: When employing sequential CNAMEs, be mindful of potential DNS resolution delays or failures that could impact the reliable resolution of email FROM domains and associated authentication records.
- CNAME Flattening Impact: Understand that Cloudflare's CNAME flattening technique might alter how crucial email authentication records, such as SPF, DKIM, and DMARC, are resolved, potentially affecting deliverability and requiring thorough testing.
- Email Data Privacy: Acknowledge that Cloudflare's Email Routing service processes email headers and content, which necessitates assessing the privacy implications for your email traffic, even if emails are not stored long-term.
- Ethical Alignment: Evaluate Cloudflare's content neutrality stance and its comprehensive data handling policies to ensure they align with your organization's ethical standards regarding online content and user privacy.
- Centralization Concerns: Consider the broader implications of a single entity, like Cloudflare, collecting and processing vast amounts of internet traffic data, which raises overarching ethical concerns about data aggregation and its use.
Technical article
Documentation from RFC 1034 explains that CNAME records, when chained (sequential CNAMEs), can introduce performance overhead due to multiple lookup iterations required to resolve the final A or AAAA record. It notes that while resolvers should follow chains, excessively long chains can lead to delays or potential failures in resolution, which would directly impact the ability of mail servers to resolve the email FROM domain or associated records like DKIM.
15 Sep 2022 - RFC 1034 - Domain Names - Concepts and Facilities
Technical article
Documentation from Cloudflare explains that CNAME flattening, a technique used by some DNS providers like Cloudflare, resolves CNAMEs at the root domain (apex) into A or AAAA records. While this can make the root domain act like a CNAME, it might have implications for email, especially if sensitive email-related records (like DMARC, SPF, or DKIM) are expected to resolve via a CNAME chain and the flattening changes the lookup behavior, potentially impacting deliverability or authentication.
7 Jul 2023 - Cloudflare Blog
Does using different domains in From and Reply-To email addresses affect deliverability?
What are the best practices for SPF records and avoiding CNAMES for email authentication?
What are the considerations for using different domains for From, DKIM, and SPF?
What are the ethical concerns of using Cloudflare for online content protection?
What are the implications of using different root and subdomain email addresses in From and Reply-To fields?
What issues occur when adding DKIM record to DNS via CName with Cloudflare?
