SOBOO: Subdomain Delegation with CNAMEs
Part of the Sending On Behalf Of Others (SOBOO) Series
This article expands on the “CNAMEs” approach described in the larger How to send DMARC-compliant email on behalf of others article. An assumption is that the reader is sending email on behalf of others, and desires to send such email in a manner compliant with DMARC.
CNAME-based delegation is when a domain owner creates several CNAMEs that point back to your own domain. In contrast with full subdomain delegation, individual services are delegated by each CNAME. By doing so, any DNS-based questions regarding any CNAME will be referred to your own domain for resolution. Here are some additional explanations and examples of using CNAMEs to perform delegation:
- Amazon SES – Guide to using CNAMEs to enable DKIM signing
- Mandrill – Using CNAMEs for custom Return-Path addresses
- SendGrid – How to set up domain authentication
Utilizing CNAME-based delegations is as simple as sending email as you usually do, except you’ll be able to:
- Send email using the domain owner/customer’s top-level domain in email From: headers. The CNAMEs provide DMARC-compliant authentication using SPF and DKIM when DMARC’s default “alignment mode” of “relaxed” is used.
- Send and receive email using the CNAMEs by using CNAMEs in RFC5321.MailFrom addresses (also known as bounce/return-path/envelope addresses) and by accepting CNAME-addressed email through your existing email infrastructure (so that people on the internet can send email that is destined for the CNAME-addressed domain).
- By directly managing the CNAME’d subdomain, you can publish and maintain a concise and accurate SPF record for the subdomain that only authorizes servers that you control. You will avoid having to deal with other people’s SPF records and the resulting confusion.
- By directly managing CNAME’d DKIM public key records, you can manage DKIM signing however you wish. You can create as many DKIM signing keys as you have CNAME’d records for, rotate them as you see fit, and avoid having to figure out how to communicate/manage keys with your customer/domain owner.
This form of delegation benefits the domain owner/customer as relatively easy to set up, no further configuration is necessary, and maintenance of CNAMEs can be easily managed.
This form of delegation benefits you—the one sending email on behalf of others—by giving you control over how you send email and maintain your infrastructure. If you move servers, rotate DKIM keys, or swap out infrastructure, the domain-owner (your customer) doesn’t have to change anything.
If you have questions, feel free to drop us a line at [email protected].
We’re Here to Help
With a team of email security experts and a mission of making email and the internet more trustworthy through domain security, dmarcian is here to help assess an organization’s domain catalog and implement and manage DMARC for the long haul.