0

Both Hubspot and AWS SES require that we add CNAME records to make emails sent through them work.

To this end, I've been asked to add various CNAMEs to our domain apex, e.g. example.com, so we can send emails from e.g. info@example.com (as opposed to a subdomain, e.g. info@mail.example.com).

See e.g. https://knowledge.hubspot.com/articles/kcs_article/cos-general/how-can-i-resolve-the-missing-records-associated-with-my-email-sending-domain?utm_source=hs_email&utm_medium=email&utm_content=63942509

However, technically, the specs for DNS specify that you can't add a CNAME record to the domain apex.

So, how does this work? Let's say Hubspot want me to add a CNAME with the Hostname: hs2._domainkey.example.com

Should I create a subdomain hs2._domainkey? Or add the CNAME record in the domain apex in Amazon Route 53 and risk causing problems with subdomains?

Patrick Mevzek
  • 3
    `hs2._domainkey.mysite.com` is not at the domain apex. That's two levels of subdomains. Just add the record. – ceejayoz Jun 21 '18 at 16:52
  • So you need to create those specifically as subdomains, or can you create them on the fly when you add the CNAME, as it were? Route 53 makes this quite easy, but the DNS that I have set directly with the domain name provider makes it rather more difficult. – A Smith Jun 22 '18 at 14:16
  • Creating a CNAME record *is* creating a subdomain. It's just pointing that subdomain at someone else's server in this case. You don't need to create these subdomains at your webserver level at all. – ceejayoz Jun 22 '18 at 14:34

1 Answer

2

The premise of this question is a bit strange, as it seems centered around doing something other than what the referenced documentation says that you should do.

In the Hubspot example they mention adding a CNAME record at e.g. `hs2._domainkey.example.com`, which is clearly not the zone apex if your zone is `example.com` (which seems like the reasonable assumption).

The AWS SES instructions are (as you indicated) similar in this regard.
This is unsurprising, as these are both cases of DKIM records, which always reside at names that have a `selectorusedinyourmailserverconfig._domainkey` prefix.


As for your questions regarding the zone apex, you are correct that you cannot have a CNAME record there. Luckily, neither service provider is asking you to add such a record.

The general rule for CNAME records is not specifically about the zone apex, rather that CNAME records cannot coexist with other records. The zone apex just so happens to be a case that always has other records (it must have at least SOA and NS records).

Håkan Lindqvist
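The coexistence rule from the answer above, as an added Python example (not part of the original answer and not code from Hubspot or AWS). It checks a constructed sample zone; the function names, the sample records and the placeholder CNAME target are assumptions, and the RRSIG/NSEC allowance for DNSSEC-signed zones (RFC 4035, section 2.5) goes beyond what the answer covers.

```python
from collections import defaultdict

# Types DNSSEC permits alongside a CNAME (RFC 4035, section 2.5).
DNSSEC_OK = {"RRSIG", "NSEC"}

def normalize(name):
    """Lower-case and strip the trailing dot so names compare equal."""
    return name.rstrip(".").lower()

def is_apex(owner, zone):
    """True only when the owner name is the zone name itself."""
    return normalize(owner) == normalize(zone)

def cname_conflicts(records):
    """Return {owner: conflicting types} for every name where a CNAME
    coexists with other data or with a second CNAME."""
    by_owner = defaultdict(list)
    for owner, rtype, _rdata in records:
        by_owner[normalize(owner)].append(rtype.upper())
    conflicts = {}
    for owner, types in by_owner.items():
        if "CNAME" not in types:
            continue
        others = sorted({t for t in types if t != "CNAME" and t not in DNSSEC_OK})
        if types.count("CNAME") > 1:
            others.append("CNAME")  # a name may hold only one CNAME
        if others:
            conflicts[owner] = others
    return conflicts

def can_add_cname(records, owner):
    """True if a CNAME at owner would not collide with existing records."""
    trial = records + [(owner, "CNAME", "placeholder.invalid.")]  # placeholder target
    return normalize(owner) not in cname_conflicts(trial)

# Constructed sample zone; values are illustrative only.
ZONE = "example.com"
RECORDS = [
    ("example.com.", "SOA", "ns1.example.com. hostmaster.example.com. 1 7200 900 1209600 86400"),
    ("example.com.", "NS", "ns1.example.com."),
    ("example.com.", "MX", "10 mail.example.com."),
    ("www.example.com.", "A", "192.0.2.10"),
]

if __name__ == "__main__":
    for name in ("hs2._domainkey.example.com.", "example.com.", "www.example.com."):
        where = "apex" if is_apex(name, ZONE) else "not apex"
        verdict = "CNAME ok" if can_add_cname(RECORDS, name) else "CNAME conflicts"
        print(f"{name:32} {where:9} {verdict}")
```

The `www` case shows that the restriction is not special to the apex: any name that already holds other records rejects a CNAME.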