Can differing A, CNAME, TXT, and NS records in multiple domain TLDs cause email deliverability issues?

I’m troubleshooting an issue where, after switching TLDs, internal and ESP-based emails are getting blocked when going to external customers. Could different A, CNAME, TXT, and NS records cause email deliverability issues? Short of posting actual differences, is there anything obvious before I look for other issues?

CNAME works for nslookup but not curl

I have created two CNAMEs for my (CloudFront) domains, like this:


nslookup works, giving me the correct values for both www and d-test — but when I actually get the data, using curl or a browser, all data is retrieved from the origin pointed to by www, regardless of which URL I actually use. If I use the origin URLs, it works fine.

How is this even possible?
As far as I understand, there should be no problems with using CNAME or DNAME records in connection with DKIM. That is, while the DKIM record for verifying a mail from someone@foo.example wants to be retrieved as a TXT RR under, it might well be that some redirection occurs, such as

  • CNAME or
  • DNAME or

that is, the DNS resolving might go via a CNAME or DNAME into a completely unrelated domain and even, as the third example clarifies, lead to records that do not involve the well-known DKIM-specific _domainkey part.

To me, this seems to be totally legit as far as DNS is concerned. And as DKIM is theoretically not restricted to retrieving keys by DNS, any Verifier should not care.

Of course, this does somewhat increase the DNS load and may slow down mail delivery by a few milliseconds. But this technique may come in handy when it is easier to change and update records under than under the main domain foo.example.

So my questions are:

  • Is this really "legal"?
  • Is it fully supported, i.e., do (widespread, non-obscure) implementations behave accordingly, or are perhaps some known to "deduct trust points" for such redirections? Or perhaps do some even then reject signatures altogether because they believe they are for the wrong domain?
  • Are there other security considerations that speak against this?

Can you accidentally cause significant downtime by making a typo in a CNAME or A rec?

Let’s say I need to change the CNAME for my subdomain test.mysite.example. I want it to go to a load balancer endpoint aws-my-endpoint.example.

But in creating the CNAME, I type it wrong. e.g. aw-my-endpoint.example.

Since it’s possible that a client can cache DNS for up to 48 hours (despite what the TTL setting is), could this cause test.mysite.example to be down for 48 hours? Even though I immediately fix the CNAME after noticing the typo?

How to find out where CNAME resolved to?

Resolved as in, in the past… Are there any tools for this?

I am doing some research into pentesting and subdomain takeovers with cloud providers like AWS and Azure. I have a list of subdomains (A records) that could be used for this, but they are indecipherable in terms of seeing where they once resolved to. Without this information, the entire thing is redundant.

For example: would have originally resolved to but doesn’t now.

Anyone know how to find this out please?

Custom CNAME connection

I need to build a panel where people enter a personal domain, which they will have previously configured with a CNAME and an A record pointed at my website. From those I will then generate predefined pages that will be shown under the user’s domain.

Something like what adfly does, in the section where you can point your personal domain, and once you finish configuring it, you end up with something like:

But I don’t know where to start, since I haven’t dealt with this kind of connection before.

How do I ask “dig” to only return the IP from a CNAME record?

The dig +short command (such as described in “dig show only answer”) is great for batch processing names into IP addresses. It does a simple job and does it well.

Unfortunately when there’s a CNAME even +short isn’t short enough. For example:

$   dig +short 

I’ve tried +noall but it doesn’t seem like it changes the behavior of +short. I’ve also tried specifying -t a just to ensure it didn’t think I meant an A record or CNAME, but that (unsurprisingly) changes nothing.

$   dig +noall +short 

I’m using RedHat 7’s dig:

# dig -v
DiG 9.9.4-RedHat-9.9.4-73.el7_6

I can filter out the CNAMEs with trusty grep, but it seems like dig should have some way to give “Just the IP, ma’am.”

What is that way?

Setting up SSL for a CNAME-only subdomain

Thanks for reading my question.

I’ve tried Google for this question and other forums but couldn’t get a solution or a hint for the scenario I have.

I have a domain, say , which is live with SSL on WPEngine. Now we need to show a third-party login form on our own subdomain; you can read the third party’s requirements for this setup here.

Now say I need to show that third-party login according to their steps on , and the main requirement of that third party is that the subdomain must have SSL (for which we need to provide them files as well) and the subdomain must then be a CNAME to their domain.

The thing I can’t figure out yet is how the SSL will be applied to the CNAME-only subdomain.

Any hint or suggestions are highly appreciated, TIA.

Simulate a CNAME removal from DNS on local computer

My company is going to delete a CNAME record from DNS and replace it with a new record, changing “\OLDCNAME\Apps” to “\NEWCNAME\Apps”. Currently both are existing values on the network and they both point to the same set of files and folders. We are currently trying to update configuration files (.properties, .ini, .xml) that have any references to OLDCNAME to use the new CNAME, and to test the applications to see if they are working correctly.

Is there a way to simulate the delete of OLDCNAME on a local computer to enable us to test the applications before the company deletes the old CNAME record from DNS?