Hi
I might be wrong but according to RFC 2821 it is ok to use a CNAME if
the target is resolvable to A or MX.
3.6 Domains
Only resolvable, fully-qualified, domain names (FQDNs) are permitted
when domain names are used in SMTP. In other words, names that can
be resolved to MX RRs or A RRs (as discussed in section 5) are
permitted, as are CNAME RRs whose targets can be resolved, in turn,
to MX or A RRs. Local nicknames or unqualified names MUST NOT be
used.
However, the target domain in this case is not working correctly.
Short:
The nameserver konfiguration at the .com level is wrong.
OR
The configuration of the nameservers at the domain level is wrong
See https://zonemaster.net/test/60c7bac42eb6e304
Long:
The Domain resolves to a CNAME:
;; QUESTION SECTION:
;accountprotection.microsoft.com. IN A
;; ANSWER SECTION:
accountprotection.microsoft.com. 2877 IN CNAME mail.msa.msidentity.com.
;; AUTHORITY SECTION:
msa.msidentity.com. 7200 IN SOA usw1.akam.net.
hostmaster.akamai.com. 1518736843 43200 7200 604800 7200
The domain msa.msidentity.com has the follwoing NS records at the TLD
servers:
;; QUESTION SECTION:
;msa.msidentity.com. IN NS
;; AUTHORITY SECTION:
msidentity.com. 172800 IN NS usw1.akam.net.
msidentity.com. 172800 IN NS eur2.akam.net.
msidentity.com. 172800 IN NS use2.akam.net.
msidentity.com. 172800 IN NS ns1-169.akam.net.
msidentity.com. 172800 IN NS ns1.p09.dynect.net.
msidentity.com. 172800 IN NS ns3.p09.dynect.net.
msidentity.com. 172800 IN NS ns2.p09.dynect.net.
msidentity.com. 172800 IN NS ns4.p09.dynect.net.
On the *.akam.net servers it has only the *.akam.net servers as NS:
; <<>> DiG 9.11.2 <<>> @usw1.akam.net. msa.msidentity.com. ns +norec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44395
;; flags: qr aa; QUERY: 1, ANSWER: 8, AUTHORITY: 0, ADDITIONAL: 12
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;msa.msidentity.com. IN NS
;; ANSWER SECTION:
msa.msidentity.com. 172800 IN NS use2.akam.net.
msa.msidentity.com. 172800 IN NS eur2.akam.net.
msa.msidentity.com. 172800 IN NS usc3.akam.net.
msa.msidentity.com. 172800 IN NS ns1-169.akam.net.
msa.msidentity.com. 172800 IN NS use5.akam.net.
msa.msidentity.com. 172800 IN NS usw1.akam.net.
msa.msidentity.com. 172800 IN NS ns1-68.akam.net.
msa.msidentity.com. 172800 IN NS eur4.akam.net.
On the *.dynect.net servers the zone is different:
; <<>> DiG 9.11.2 <<>> @ns1.p09.dynect.net. msa.msidentity.com. ns +norec
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44314
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;msa.msidentity.com. IN NS
;; AUTHORITY SECTION:
msidentity.com. 1800 IN SOA ns1.p09.dynect.net.
aadnetsre.microsoft.com. 23844 3600 600 604800 1800
It seems that not all of those NS have the same zone data.
The *.akam.net servers answer to MX queries:
; <<>> DiG 9.11.2 <<>> @usw1.akam.net. mail.msa.msidentity.com. MX +norec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4484
;; flags: qr aa; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;mail.msa.msidentity.com. IN MX
;; ANSWER SECTION:
mail.msa.msidentity.com. 7200 IN MX 5 mx1.hotmail.com.
mail.msa.msidentity.com. 7200 IN MX 10
accountprotection-microsoft-com.mail.protection.outlook.com.
mail.msa.msidentity.com. 7200 IN MX 5 mx3.hotmail.com.
mail.msa.msidentity.com. 7200 IN MX 5 mx4.hotmail.com.
mail.msa.msidentity.com. 7200 IN MX 5 mx2.hotmail.com.
;; Query time: 9 msec
;; SERVER: 23.61.199.66#53(23.61.199.66)
;; WHEN: Mon Feb 19 15:46:49 CET 2018
;; MSG SIZE rcvd: 212
But the *.dynect.net. servers dont:
; <<>> DiG 9.11.2 <<>> @ns2.p09.dynect.net. mail.msa.msidentity.com. MX
+norec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 45448
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;mail.msa.msidentity.com. IN MX
;; AUTHORITY SECTION:
msidentity.com. 1800 IN SOA ns1.p09.dynect.net.
aadnetsre.microsoft.com. 23844 3600 600 604800 1800
;; Query time: 17 msec
;; SERVER: 204.13.250.9#53(204.13.250.9)
;; WHEN: Mon Feb 19 15:48:00 CET 2018
;; MSG SIZE rcvd: 126
So depending on which server the query goes to, it