As far as I understand, there should be no problems with using CNAME or DNAME records in connection with DKIM. That is, while the DKIM record for verifying a mail from someone@foo.example wants to be retrieved as a TXTRR under, it might well be that some redirection occurs, such as

  • CNAME or
  • DNAME or

that is, the DNS resolving might go via a CNAME or DNAME into a completely unrelated domain and even, as the third example clarifies, lead to records that do not involve the well-known DKIM-specific _domainkey part.

To me, this seems to be totally legit as far as DNS is concerned. And as DKIM is theoretically not restricted to retrieving keys by DNS, any Verifier should not care.

Of course, this does somewhat increase the DNS load and may slow down mail delivery by a few milliseconds. But this technique may come in handy when it is easier to change and update records under than under the main domain foo.example.

So my questions are:

  • Is this really "legal"?
  • Is it fully supported, i.e., do (widespread, non-obscure) implementations behave accordingly, or are perhaps some known to "deduct trust points" for such redirections? Or perhaps do some even then reject signatures altogether because they believe they are for the wrong domain?
  • Are there other security considerations that speak against this?
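As an added illustration (not part of the question above, and not any real verifier's code), the following models what a verifier's key lookup sees when the selector name is redirected by a CNAME chain into an unrelated zone whose final owner name contains no `_domainkey` label. The zone data is constructed, no real DNS is queried, the CNAME hop limit is an assumed value, and DNAME rewriting is not modelled separately since a resolver synthesises an equivalent CNAME for it.

```python
"""Constructed DKIM key lookup over a CNAME chain; invented zone data."""

# Constructed zone: owner name -> list of (rrtype, rdata). Not real DNS data.
ZONE = {
    "s1._domainkey.foo.example.": [("CNAME", "dkimkeys.provider.example.")],
    "dkimkeys.provider.example.": [("CNAME", "k1.keystore.example.")],
    "k1.keystore.example.": [("TXT", "v=DKIM1; k=rsa; p=MIGfMA0G...PLACEHOLDER")],
    "loop.example.": [("CNAME", "loop.example.")],
}
MAX_CNAME_HOPS = 8  # assumed limit; real resolvers also bound chain length


def resolve_txt(name, zone=ZONE):
    """Follow CNAMEs as a recursive resolver does and return
    (final_owner_name, txt_strings). Raises on loops, overlong chains or
    missing names, which a verifier would treat as a temporary/permanent failure."""
    seen = []
    while True:
        if name in seen or len(seen) > MAX_CNAME_HOPS:
            raise ValueError(f"CNAME loop or chain too long at {name}")
        seen.append(name)
        rrs = zone.get(name)
        if not rrs:
            raise LookupError(f"NXDOMAIN/NODATA for {name}")
        cnames = [rd for (t, rd) in rrs if t == "CNAME"]
        if cnames:
            name = cnames[0]  # a name owning a CNAME has no other data
            continue
        return name, [rd for (t, rd) in rrs if t == "TXT"]


def parse_dkim_record(txt):
    """Parse the RFC 6376 tag=value list of a DKIM key record."""
    tags = {}
    for field in txt.split(";"):
        if field.strip():
            k, _, v = field.partition("=")
            tags[k.strip()] = "".join(v.split())  # drop folding whitespace
    return tags


def fetch_dkim_key(domain, selector):
    """Verifier-side lookup of <selector>._domainkey.<domain>/TXT. The resolver
    handles the CNAME hops; the verifier only sees the final TXT rdata, so the
    final owner name need not contain _domainkey. Returns (owner_name, tags)."""
    final_name, txts = resolve_txt(f"{selector}._domainkey.{domain}.")
    if len(txts) != 1:
        raise ValueError(f"expected one TXT at {final_name}, got {len(txts)}")
    tags = parse_dkim_record(txts[0])
    if tags.get("v", "DKIM1") != "DKIM1" or not tags.get("p"):
        raise ValueError("not a usable DKIM key record (bad v= or empty p=)")
    return final_name, tags
```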