On Thu, 29 Feb 2024 at 12:09, Benny Pedersen via mailop
<mailop@mailop.org> wrote:
> > I think I wrote here too early: from further investigation seems like
> > the issue has gone and now those emails are not refused anymore.
>
> https://totaluptime.com/kb/cname-and-mx-for-the-same-host-name/
>
> don't use CNAME for email or even MX

Why?
The page you reported is correct as you cannot have CNAME and MX for
the same host, but I don't need CNAME and MX on the same host because
the spec clearly says that the domain can be a CNAME and in that case
you have to follow the CNAME before looking for the MX records. This
is the main reason CNAMEs exist, isn't it?

The opposite way, an MX pointing to a CNAME, is invalid according to
the SPEC, but that's another thing.

If you have RFC pointers about this "don't use CNAME for email or even
MX" I'd be happy to double check this and be corrected.

From https://datatracker.ietf.org/doc/html/rfc5321
2.3.5.  Domain Names
> For example, a domain may refer to an alias (label of a
> CNAME RR) or the label of Mail eXchanger records to be used to
> deliver mail instead of representing a host name.
> [...]
> In other words, names that can
> be resolved to MX RRs or address (i.e., A or AAAA) RRs (as discussed
> in Section 5) are permitted, as are CNAME RRs whose targets can be
> resolved, in turn, to MX or address RRs.

So, not only are they not prohibited by the spec, but they are
explicitly permitted.

Do you understand something different from RFC 5321? (I'm not a native
English speaker, but "as are CNAME RRs whose targets can be resolved,
in turn, to MX or address RRs" seems pretty straightforward.)

Of course I could stop using the CNAMEd domain and use my shared
domain for all of my customers, but this way I'd lose SPF alignment, so
I refrain from doing that because of some non-compliant receivers, and
subdomain delegation is not something 99% of my users/customers would
be able to do.

> and lastly CNAME breaks DNSSEC, don't do this, is TLSA not something you
> care about?

I only receive bounces to those addresses, TLS is good enough. The
real replies are sent to domains not using CNAMEs.

Stefano

--
Stefano Bagnara
Apache James/jDKIM/jSPF
VOXmail/Mosaico.io/VoidLabs
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
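The two rules argued over in this thread (a recipient domain that is a CNAME must be followed before the MX lookup, and an MX target itself must not be a CNAME) are easy to check mechanically. The following is an added example, not code from anyone in the thread or from any of the projects in the signature; it runs against a small constructed zone table instead of live DNS, and all the `.example` names in it are hypothetical. It follows the RFC 5321 section 5.1 procedure: resolve the domain through any CNAME chain (with a loop guard), take its MX records in preference order, fall back to the implicit MX when the canonical name has only address records, and then flag every MX target that is a CNAME or has no address record.

```python
# Constructed zone data standing in for DNS answers (not real records).
# owner name -> {RR type: [rdata, ...]}; MX rdata is (preference, target).
ZONE = {
    "mail.customer.example.": {"CNAME": ["smtp.provider.example."]},
    "smtp.provider.example.": {"MX": [(20, "mx2.provider.example."),
                                      (10, "mx1.provider.example.")]},
    "mx1.provider.example.":  {"A": ["192.0.2.10"]},
    # Invalid setup: an MX target that is itself a CNAME.
    "mx2.provider.example.":  {"CNAME": ["mx1.provider.example."]},
    # Domain with no MX at all: RFC 5321 implicit MX applies.
    "plain.example.":         {"AAAA": ["2001:db8::25"]},
    # MX target with no address records at all.
    "noaddr.example.":        {"MX": [(10, "ghost.example.")]},
    # Misconfigured CNAME loop.
    "loop-a.example.":        {"CNAME": ["loop-b.example."]},
    "loop-b.example.":        {"CNAME": ["loop-a.example."]},
}

MAX_CNAME_DEPTH = 8  # arbitrary guard against long or looping chains


class ResolutionError(Exception):
    """Raised when a name cannot be resolved to something mail can use."""


def canonicalize(name):
    """Follow CNAMEs from `name` until an owner that is not a CNAME.

    Returns (canonical_name, chain) where chain lists every name visited.
    """
    chain = [name]
    for _ in range(MAX_CNAME_DEPTH):
        rrs = ZONE.get(name, {})
        if "CNAME" not in rrs:
            return name, chain
        name = rrs["CNAME"][0]
        if name in chain:
            raise ResolutionError("CNAME loop: " + " -> ".join(chain + [name]))
        chain.append(name)
    raise ResolutionError("CNAME chain longer than %d" % MAX_CNAME_DEPTH)


def mail_exchangers(domain):
    """RFC 5321 5.1 lookup: follow a CNAME first, then read MX records.

    Returns [(preference, target), ...] sorted by preference. A canonical
    name with only A/AAAA records gets the implicit MX (preference 0, itself).
    """
    canonical, _chain = canonicalize(domain)
    rrs = ZONE.get(canonical, {})
    if "MX" in rrs:
        return sorted(rrs["MX"], key=lambda mx: mx[0])
    if "A" in rrs or "AAAA" in rrs:
        return [(0, canonical)]
    raise ResolutionError("%s: no MX or address records" % domain)


def check_mx_target(target):
    """An MX target must resolve directly to address records, never to a CNAME."""
    rrs = ZONE.get(target, {})
    if "CNAME" in rrs:
        return (False, "MX target is a CNAME")
    if "A" in rrs or "AAAA" in rrs:
        return (True, "ok")
    return (False, "MX target has no address records")


def audit(domain):
    """Return [(preference, target, ok, reason), ...] for one recipient domain."""
    return [(pref, target) + check_mx_target(target)
            for pref, target in mail_exchangers(domain)]


if __name__ == "__main__":
    for d in ("mail.customer.example.", "plain.example.", "noaddr.example."):
        for pref, target, ok, reason in audit(d):
            print("%-24s MX %2d %-24s %s" % (d, pref, target, "OK" if ok else "BAD: " + reason))
```

Run as-is it reports the CNAMEd customer domain as resolving fine to the provider's MX set, with only the second MX flagged because its target is a CNAME, which is exactly the distinction the message above draws: the CNAME on the recipient domain is permitted, the CNAME on the MX target is not.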