
Email Authentication via CNAME records in DNS

score 130

To improve maintenance of email authentication DNS records in our domain, we'd like to see the use of CNAME records implemented to allow ORACLE to maintain SPF, MX and (DKIM) TXT records.

Currently, every few years new DKIM records are created (by Eloqua / Oracle) to replace the already existing key pair. I'm not sure how the replacement is communicated for existing instances, but in reality we still find those (undesirable) keys from 2010 up to 2015 still active in production environments.

If we used (multiple) CNAME records for DKIM to point to Oracle-maintained DNS TXT records, Oracle would be able to update the records to the newest key pairs without requiring its customers to update TXT records, which is quite error-prone.


The same goes for SPF and Bounce handling. Quite often the bounce address (Envelope-From) is in a subdomain of the Header From address, which would be the brand domain / Top-Level Domain (TLD). Using a CNAME record which would delegate that subdomain to Oracle, Oracle can maintain all MX and SPF records directly, since the SPF record is checked on the Envelope-From address.


This way multiple domains could make use of a single set of DKIM records and, if desirable, a single bounce namespace and SPF record.


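The delegation described in the post, modelled as an added example (not part of the original post, and not Oracle's or Eloqua's actual records): a small resolver over constructed DNS data shows two brand domains sharing one provider-held DKIM key, a provider-side key rotation reaching both without a customer change, and a lint for the rule that a name owning a CNAME may not own any other record. All names (`brand-a.example`, `provider.example`, selector `sel1`) and key values are hypothetical placeholders.

```python
# Constructed records: two customer zones plus a hypothetical provider zone.
RECORDS = {
    # Customer zones hold only CNAMEs for the delegated names.
    ("sel1._domainkey.brand-a.example", "CNAME"): ["sel1.dkim.provider.example"],
    ("sel1._domainkey.brand-b.example", "CNAME"): ["sel1.dkim.provider.example"],
    ("bounce.brand-a.example", "CNAME"): ["bounce.provider.example"],
    # Provider zone holds the real data and can change it at will.
    ("sel1.dkim.provider.example", "TXT"): ["v=DKIM1; k=rsa; p=OLD-KEY-PLACEHOLDER"],
    ("bounce.provider.example", "MX"): ["10 mx.provider.example"],
    ("bounce.provider.example", "TXT"): ["v=spf1 ip4:192.0.2.0/24 -all"],
}


def resolve(records, name, rtype, max_hops=8):
    """Return (owner_name, values), following CNAMEs the way a resolver does."""
    for _ in range(max_hops):
        if (name, rtype) in records:
            return name, records[(name, rtype)]
        target = records.get((name, "CNAME"))
        if not target:
            return name, []  # no data of this type and nothing to follow
        name = target[0]
    raise RuntimeError("CNAME chain too long or looping")


def lint_cname_conflicts(records):
    """Names that own a CNAME and also other data (invalid, RFC 1034)."""
    cname_owners = {n for (n, t) in records if t == "CNAME"}
    return sorted({n for (n, t) in records if t != "CNAME" and n in cname_owners})


def rotate_provider_key(records, new_txt):
    """Provider-side change only; no customer record is touched."""
    updated = dict(records)
    updated[("sel1.dkim.provider.example", "TXT")] = [new_txt]
    return updated


if __name__ == "__main__":
    rotated = rotate_provider_key(RECORDS, "v=DKIM1; k=rsa; p=NEW-KEY-PLACEHOLDER")
    for brand in ("brand-a.example", "brand-b.example"):
        print(brand, resolve(rotated, f"sel1._domainkey.{brand}", "TXT"))
    # One CNAME on the bounce subdomain covers both record types.
    print(resolve(RECORDS, "bounce.brand-a.example", "MX"))
    print(resolve(RECORDS, "bounce.brand-a.example", "TXT"))
    print("conflicts:", lint_cname_conflicts(RECORDS))
```

Because a CNAME cannot coexist with other records at the same name, the bounce subdomain must be dedicated to the provider; a leftover static TXT or MX at that name is what the lint reports.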