Using CNAME for _domainkey (DKIM)
Danilo Godec
danilo.godec at agenda.si
Mon Feb 24 10:58:48 UTC 2025
Hello,
apparently one shouldn't use CNAMEs for 'delegating' _domainkey records
to another DNS server, but I see that some email service vendors use
that - they have their customers add a CNAME pointing to their TXT
record (one recent example that I was dealing with is atlassian.net
(https://accessplanit.atlassian.net/wiki/spaces/HG/pages/417005970/SPF+DKIM+SMTP+Prevent+your+system+emails+being+caught+by+spam+filters))
- probably so that they can roll over their DKIM keys without their
customers needing to do anything.
I know that CNAME records can clash with other essential (MX, A, ...)
records, but since a _domainkey subzone is quite specific and unlikely
to be used for anything else, this should still work, right?
Or should I consider this an absolute 'no-no' and have my 'customers'
add the complete TXT record?
Regards,
Danilo
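
The clash mentioned in the message above, as an added example that is not part of the original post: a CNAME may not share an owner name with other record types (DNSSEC records excepted), so a check over a record set can flag such names and follow a selector's CNAME to the TXT record it points at. All zone names, selectors and key values below are constructed, and the function names are hypothetical.

```python
# Added example: every name and record here is constructed, not taken from the post.
DNSSEC_TYPES = {"RRSIG", "NSEC"}  # types permitted alongside a CNAME

ZONE = [  # (owner, type, rdata), constructed sample records
    ("customer.example.", "MX", "10 mail.customer.example."),
    ("s1._domainkey.customer.example.", "CNAME", "s1.dkim.vendor.example."),
    ("s1.dkim.vendor.example.", "TXT", "v=DKIM1; k=rsa; p=CONSTRUCTEDKEY"),
    ("s2._domainkey.customer.example.", "CNAME", "s2.dkim.vendor.example."),
    ("s2._domainkey.customer.example.", "TXT", "v=DKIM1; k=rsa; p=OLDKEY"),
    ("s2.dkim.vendor.example.", "TXT", "v=DKIM1; k=rsa; p=NEWKEY"),
]

def cname_conflicts(zone):
    """Owner names where a CNAME coexists with other (non-DNSSEC) data."""
    types = {}
    for owner, rtype, _ in zone:
        types.setdefault(owner.lower(), set()).add(rtype.upper())
    return sorted(o for o, t in types.items()
                  if "CNAME" in t and (t - {"CNAME"} - DNSSEC_TYPES))

def resolve_txt(zone, name, max_hops=8):
    """Follow CNAMEs inside the record set; return (final_name, txt_rdatas)."""
    name = name.lower()
    seen = set()
    for _ in range(max_hops):
        if name in seen:
            raise ValueError("CNAME loop at " + name)
        seen.add(name)
        targets = [r for o, t, r in zone
                   if o.lower() == name and t.upper() == "CNAME"]
        if not targets:  # end of chain: collect TXT data at this name
            return name, [r for o, t, r in zone
                          if o.lower() == name and t.upper() == "TXT"]
        name = targets[0].lower()
    raise ValueError("CNAME chain too long")

def dkim_tags(txt):
    """Split a DKIM key record into its tag=value pairs."""
    return dict(p.strip().split("=", 1) for p in txt.split(";") if "=" in p)

if __name__ == "__main__":
    print("CNAME conflicts:", cname_conflicts(ZONE))
    final, txts = resolve_txt(ZONE, "s1._domainkey.customer.example.")
    print(final, dkim_tags(txts[0]))
```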