
SCENARIO:

  • mydomain.com is the main website, we do send/receive mail using address@mydomain.com. mydomain.com DNS has got an SPF record "v=spf1 a mx ~all"

  • mydomain.net is just an alias for mydomain.com, but we do NOT send mail using address@mydomain.net. Therefore mydomain.net DNS has got an SPF record "v=spf1 -all" to declare to everyone that it does not send mail

Since mydomain.net is an alias for mydomain.com I wanted to use CNAME in DNS, thus:

mydomain.net -> CNAME -> mydomain.com
www.mydomain.net -> CNAME -> mydomain.com

But by doing this I noticed that when testing SPF for mydomain.net with a DNS tool like this, the SPF returned is the one in mydomain.com, "v=spf1 a mx ~all", and NOT, as I would expect, "v=spf1 -all"

Is there a way to use different SPF for the two domains, while still using CNAME?

Marco Demaio
    You can't CNAME a whole domain like that.... Are you using some control panel software? – Chris S Feb 21 '13 at 19:58
  • @Chris S: I'm using cPanel/WHM, and both domains have been added to the server. They work perfectly. When someone enters mydomain.net/www.mydomain.net it goes to mydomain.com/www.mydomain.com. I thought to use CNAME in mydomain.net DNS because I wanted to avoid writing again the IP for each A record. But obviously there is something that I'm missing. About the CNAME, could you explain? Thanks – Marco Demaio Feb 21 '13 at 20:34
  • use a DNAME if you can, see my answer below. – isedev Feb 22 '13 at 01:29

3 Answers


A CNAME means that the hostname is exactly the same as the target hostname with respect to all record types. If this is not what you want then you can't use a CNAME.

You also shouldn't CNAME the root of a domain (i.e. mydomain.net), because this means that the SOA for mydomain.net is actually that of mydomain.com.

mgorven
  • It's an invalid configuration to CNAME a domain at the delegated name server; it would have to be CNAME'd at the root server level, and they don't allow that. – Chris S Feb 22 '13 at 00:42
  • @ChrisS That's what I meant in the second paragraph. – mgorven Feb 22 '13 at 01:36
  • I know you know what you're talking about... just spelling it out for the less informed. – Chris S Feb 22 '13 at 04:06
  • @mgorven: I think I almost got the point. What alternatives do we have then to avoid rewriting the same server IP hundreds of times in the DNS of each domain? See http://serverfault.com/questions/481500/many-domains-sites-hosted-on-same-server-cname-alternatives-to-avoid-writing-sa – Marco Demaio Feb 22 '13 at 13:26
  • @MarcoDemaio There isn't if you want different SPF records. If you want both domains to be exactly the same you can use a DNAME record however. – mgorven Feb 22 '13 at 17:06

From a pure DNS point of view (i.e. I don't know about cPanel), you can use a DNAME record in mydomain.net to redirect to mydomain.com.

In that case, queries for SPF will return the entry from the corresponding domain, but other entries will be aliased:

# zone file mydomain.net
# DNAME rewrites only names below mydomain.net; the apex keeps its own records
mydomain.net. DNAME mydomain.com.
mydomain.net. SPF   "mydomain.net's SPF"

# zone file mydomain.com
mydomain.com. SPF   "mydomain.com's SPF"
someip   A      10.0.0.1

# dig mydomain.net spf
mydomain.net. SPF "mydomain.net's SPF"

# dig mydomain.com spf
mydomain.com. SPF "mydomain.com's SPF"

# dig someip.mydomain.net
someip.mydomain.com A 10.0.0.1
isedev
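The behaviour described in the two answers above can be checked with a small resolver model. This is an added example and not code from any answer on this page: the record data is constructed (192.0.2.10 and the ns1/hostmaster names are placeholders), all records are kept in one dict as the resolver would see them, and SPF is published as a TXT record, the form RFC 7208 requires, rather than the SPF type used in the zone snippet. It shows three things: a CNAME at the apex is rejected because a CNAME owner may hold no other RRset and an apex always carries SOA and NS; a CNAME on a hostname answers every record type, TXT included, from the target; and a DNAME rewrites only names below mydomain.net, so the apex keeps its own "v=spf1 -all".

```python
"""Toy resolver: why a CNAME hides mydomain.net's own SPF record but a DNAME does not.

Constructed example; all record data below is made up (192.0.2.0/24 is documentation space).
"""
from typing import Dict, List, Optional, Tuple

# (owner, rrtype) -> rdata strings. One dict stands in for everything the resolver can see.
Records = Dict[Tuple[str, str], List[str]]


def _apex(owner: str) -> Records:
    """SOA and NS that every zone apex must carry (constructed placeholder values)."""
    return {
        (owner, "SOA"): [f"ns1.{owner} hostmaster.{owner} 1 3600 900 1209600 300"],
        (owner, "NS"): [f"ns1.{owner}"],
    }


COM: Records = {
    **_apex("mydomain.com."),
    ("mydomain.com.", "A"): ["192.0.2.10"],
    ("mydomain.com.", "TXT"): ['"v=spf1 a mx ~all"'],
    ("someip.mydomain.com.", "A"): ["10.0.0.1"],
}

# What the question tried: a CNAME at the apex of mydomain.net, next to its own SPF.
APEX_CNAME_ATTEMPT: Records = {
    **COM,
    **_apex("mydomain.net."),
    ("mydomain.net.", "CNAME"): ["mydomain.com."],
    ("mydomain.net.", "TXT"): ['"v=spf1 -all"'],
}

# A legal CNAME on a hostname below the apex (www); the apex keeps its own records.
HOST_CNAME: Records = {
    **COM,
    **_apex("mydomain.net."),
    ("mydomain.net.", "TXT"): ['"v=spf1 -all"'],
    ("www.mydomain.net.", "CNAME"): ["mydomain.com."],
}

# The DNAME layout: the subtree under mydomain.net is redirected, the apex itself is not.
DNAME_SETUP: Records = {
    **COM,
    **_apex("mydomain.net."),
    ("mydomain.net.", "DNAME"): ["mydomain.com."],
    ("mydomain.net.", "TXT"): ['"v=spf1 -all"'],
}


def validate(records: Records) -> None:
    """Reject what an authoritative server such as BIND refuses to load: a CNAME owner
    may hold no other RRset (RFC 1034 s3.6.2), so an apex, which always has SOA and NS,
    can never be a CNAME."""
    for owner, rrtype in records:
        if rrtype == "CNAME":
            others = sorted(t for o, t in records if o == owner and t != "CNAME")
            if others:
                raise ValueError(f"{owner} CNAME cannot coexist with {others}")


def loads(records: Records) -> bool:
    """True if validate() accepts the data, False if a server would refuse it."""
    try:
        validate(records)
        return True
    except ValueError:
        return False


def lookup(records: Records, name: str, rrtype: str, depth: int = 0) -> Optional[List[str]]:
    """Answer name/rrtype the way a resolver does, following CNAME and DNAME."""
    if depth > 8:
        raise RuntimeError("alias chain too long")
    name = name.rstrip(".") + "."
    if (name, rrtype) in records:               # exact RRset wins
        return records[(name, rrtype)]
    if (name, "CNAME") in records:              # CNAME: this name *is* the target, for every type
        return lookup(records, records[(name, "CNAME")][0], rrtype, depth + 1)
    labels = name.split(".")                    # DNAME: only names strictly below the owner
    for i in range(1, len(labels) - 1):         # are rewritten; the owner keeps its own RRsets
        ancestor = ".".join(labels[i:])
        if (ancestor, "DNAME") in records:
            target = records[(ancestor, "DNAME")][0]
            rewritten = ".".join(labels[:i]) + "." + target
            return lookup(records, rewritten, rrtype, depth + 1)
    return None


def spf_policy(records: Records, domain: str) -> Optional[str]:
    """The single v=spf1 TXT record RFC 7208 allows; None if there is none or more than one."""
    txts = [t.strip('"') for t in (lookup(records, domain, "TXT") or [])]
    spf = [t for t in txts if t.lower().startswith("v=spf1")]
    return spf[0] if len(spf) == 1 else None


if __name__ == "__main__":
    cases = (("apex CNAME", APEX_CNAME_ATTEMPT), ("host CNAME", HOST_CNAME), ("DNAME", DNAME_SETUP))
    for label, recs in cases:
        if not loads(recs):
            print(f"{label:10} rejected by the name server")
            continue
        print(f"{label:10} SPF(mydomain.net)={spf_policy(recs, 'mydomain.net')!r} "
              f"TXT(www.mydomain.net)={lookup(recs, 'www.mydomain.net', 'TXT')} "
              f"A(someip.mydomain.net)={lookup(recs, 'someip.mydomain.net', 'A')}")
```

Running it prints one line per layout: the apex CNAME is rejected outright, the host CNAME returns mydomain.com's "v=spf1 a mx ~all" for www.mydomain.net while the apex keeps "v=spf1 -all", and the DNAME layout keeps "v=spf1 -all" at the apex while someip.mydomain.net resolves to 10.0.0.1 through the rewrite.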

cPanel isn't actually using a CNAME; that would be an invalid configuration. I'm not sure how DNS servers would respond to it, but I suspect it just plain wouldn't work. BIND certainly has a tendency to refuse invalid data outright.

What has almost certainly happened is that the cPanel software set up a copy of all the records from the original domain in the second domain, which would certainly "override" your SPF record.

Chris S