DKIM and CNAME or DNAME


As far as I understand, there should be no problems with using CNAME or DNAME records in connection with DKIM. That is, while the DKIM record for verifying a mail from someone@foo.example wants to be retrieved as a TXT RR under some.selector._domainkey.foo.example, it might well be that some redirection occurs, such as

  • some.selector._domainkey.foo.example. CNAME another-selector._domainkey.elsewhere.com. or
  • _domainkey.foo.example. DNAME _domainkey.elsewhere.com. or
  • _domainkey.foo.example. DNAME bar.elsewhere.com.

that is, the DNS resolving might go via a CNAME or DNAME into a completely unrelated domain and even, as the third example clarifies, lead to records that do not involve the well-known DKIM-specific _domainkey part.

To me, this seems to be totally legit as far as DNS is concerned. And as DKIM is theoretically not restricted to retrieving keys by DNS, any Verifier should not care.

Of course, this does somewhat increase the DNS load and may slow down mail delivery by a few milliseconds. But this technique may come in handy when it is easier to change and update records under elsewhere.com than under the main domain foo.example.

So my questions are:

  • Is this really "legal"?
  • Is it fully supported, i.e., do (widespread, non-obscure) implementations behave accordingly, or are perhaps some known to "deduct trust points" for such redirections? Or perhaps do some even then reject signatures altogether because they believe they are for the wrong domain?
  • Are there other security considerations that speak against this?
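An added example, not part of the question: a small offline resolver over a constructed zone table that follows CNAME and DNAME (owner-name suffix substitution as in RFC 6672) when fetching a DKIM TXT record, and reports whether the key was finally found outside the d= domain, which is the kind of fact a verifier might want to log. The zone names, `resolve_txt` and `dkim_key_lookup` are hypothetical; a real verifier simply asks a recursive resolver, which performs the same chasing.

```python
# Constructed zone data for illustration only (not real DNS records).
# Keys are (owner name, RR type); values are the record data.
ZONE = {
    # Case 1: selector-level CNAME into an unrelated domain
    ("s1._domainkey.foo.example.", "CNAME"): "other._domainkey.elsewhere.com.",
    ("other._domainkey.elsewhere.com.", "TXT"): "v=DKIM1; k=rsa; p=MIIB...",
    # Case 3: DNAME redirects the whole _domainkey subtree to a target
    # that does not itself carry the _domainkey label
    ("_domainkey.other.example.", "DNAME"): "keys.elsewhere.com.",
    ("s2.keys.elsewhere.com.", "TXT"): "v=DKIM1; k=rsa; p=MIIC...",
    # Control: CNAME that stays inside the signing domain
    ("s3._domainkey.foo.example.", "CNAME"): "s3alt._domainkey.foo.example.",
    ("s3alt._domainkey.foo.example.", "TXT"): "v=DKIM1; k=rsa; p=MIID...",
}

def resolve_txt(name, max_hops=8):
    """Return (final owner name, TXT data, list of redirection hops)."""
    hops = []
    for _ in range(max_hops):
        if (name, "TXT") in ZONE:
            return name, ZONE[(name, "TXT")], hops
        if (name, "CNAME") in ZONE:
            hops.append(("CNAME", name))
            name = ZONE[(name, "CNAME")]
            continue
        # DNAME applies to names strictly below its owner: swap the suffix
        labels = name.split(".")
        for i in range(1, len(labels) - 1):
            suffix = ".".join(labels[i:])
            if (suffix, "DNAME") in ZONE:
                hops.append(("DNAME", suffix))
                name = ".".join(labels[:i]) + "." + ZONE[(suffix, "DNAME")]
                break
        else:
            raise LookupError(f"no TXT/CNAME/DNAME for {name}")
    raise LookupError("too many redirections")

def dkim_key_lookup(selector, d_domain):
    """Fetch the key for selector/d= and flag if it lives off the d= domain."""
    qname = f"{selector}._domainkey.{d_domain}."
    owner, txt, hops = resolve_txt(qname)
    if not txt.startswith("v=DKIM1"):
        raise ValueError(f"{owner} is not a DKIM key record")
    off_domain = not owner.endswith("." + d_domain + ".")
    return {"owner": owner, "off_domain": off_domain, "hops": hops}
```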