I've been using CNAMEs this way commercially for about a year without issue
across different DNS providers, client/server combos, etc.

I think you can proceed with confidence.

sent from phone, pls frgv trs msgs nad typos.

> On Dec 10, 2013, at 10:01 PM, Franck Martin <[email protected]> wrote:
> 
> 
>> On Dec 10, 2013, at 2:59 PM, Rolf E. Sonneveld <[email protected]> 
>> wrote:
>> 
>> Hi, Franck,
>> 
>>> On 12/10/2013 10:40 PM, Franck Martin wrote:
>>> On Dec 10, 2013, at 11:39 AM, John Levine <[email protected]> wrote:
>>> 
>>>>> Suggest following this thread from 2007.
>>>>> http://mipassoc.org/pipermail/ietf-dkim/2007q2/007663.html
>>>> That's the null MX proposal.  I resuscitated Mark Delany's draft in
>>>> July, and I suppose I might nudge Murray to see if appsawg would
>>>> accept it, but it's a separate issue.
>>>> 
>>>> For DMARC, what advice can we offer beyond publishing SPF -all and DKIM
>>>> p=reject?  (Normally I'm not a big fan of p=reject, but this is a
>>>> place where it's clearly appropriate.)
>>> I propose to add something along these lines in the DMARC FAQ.
>>> 
>>> I have parked domains that do not send emails, how can I protect them?
>>> 
>>> First create a DMARC record on your main domain (example.com) for all your 
>>> parked domains:
>>> _dmarc.parked.example.com TXT "v=DMARC1; p=reject; rua=mailto:[email protected];";
>>> 
>>> If example.net is a parked domain you can then protect it this way:
>>> _dmarc.example.net CNAME _dmarc.parked.example.com
>>> example.net TXT "v=spf1 -all"
>>> *.example.net TXT "v=spf1 -all"
>>> 
>>> The CNAME allows you to control in one place all your parked domains. If 
>>> you want, for instance, to start receiving failure reports for all your 
>>> parked domains, you just need to update one DNS record. In the example 
>>> above the record becomes:
>>> _dmarc.parked.example.com TXT "v=DMARC1; p=reject; rua=mailto:[email protected]; ruf=mailto:[email protected];";
>>> 
>>> This will update all the domains using this CNAME.
>> 
>> are you sure that all DNS implementations (both client and server) support 
>> this construct (client requests TXT record, server returns CNAME, client 
>> interprets CNAME, client requests TXT record for aliased domain)? AFAICS 
>> it's not violating any (DNS) standards...
> If I recall, a few months ago, we tested this on the few DMARC 
> implementations we had on hand, and it worked as expected (or at least no one 
> complained yet). You may notice it is already the construct in another FAQ 
> entry.
> 
> 
> _______________________________________________
> dmarc-discuss mailing list
> [email protected]
> http://www.dmarc.org/mailman/listinfo/dmarc-discuss
> 
> NOTE: Participating in this list means you agree to the DMARC Note Well terms 
> (http://www.dmarc.org/note_well.html)
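
The lookup sequence discussed in this thread (TXT query for `_dmarc.<domain>`, CNAME answer, TXT at the alias target), written as an audit check for parked domains. This is an added example, not part of any message on the list: the zone data is constructed, the `rua` address `reports@example.com`, the unprotected domain `example.org` and the hop limit are assumptions.

```python
# Constructed zone data standing in for DNS answers (not real records).
ZONE = {
    ("_dmarc.parked.example.com", "TXT"):
        ["v=DMARC1; p=reject; rua=mailto:reports@example.com;"],
    ("_dmarc.example.net", "CNAME"): ["_dmarc.parked.example.com"],
    ("example.net", "TXT"): ["v=spf1 -all"],
    ("*.example.net", "TXT"): ["v=spf1 -all"],
    ("example.org", "TXT"): ["v=spf1 -all"],  # hypothetical: parked, no _dmarc
}
MAX_CNAME_HOPS = 8  # assumption: small cap so alias loops cannot spin forever


def resolve_txt(name, zone=ZONE):
    """Return (final_name, txt_strings), following CNAMEs as a resolver would."""
    seen = []
    for _ in range(MAX_CNAME_HOPS):
        name = name.rstrip(".").lower()
        if name in seen:
            raise ValueError("CNAME loop at " + name)
        seen.append(name)
        target = zone.get((name, "CNAME"))
        if not target:
            return name, zone.get((name, "TXT"), [])
        name = target[0]
    raise ValueError("CNAME chain too long")


def parse_tags(record):
    """Split 'k=v; k=v' into a dict, ignoring whitespace around tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def audit_parked(domain, zone=ZONE):
    """Check a parked domain for DMARC p=reject and SPF '-all' (apex and wildcard)."""
    def spf_ok(name):
        spf = [t for t in zone.get((name, "TXT"), []) if t.startswith("v=spf1")]
        return len(spf) == 1 and spf[0].split()[1:] == ["-all"]

    source, txts = resolve_txt("_dmarc." + domain, zone)
    dmarc = [parse_tags(t) for t in txts if t.strip().startswith("v=DMARC1")]
    return {
        "dmarc_source": source if dmarc else None,  # where the policy really lives
        "dmarc_reject": len(dmarc) == 1 and dmarc[0].get("p") == "reject",
        "spf_deny_all": spf_ok(domain) and spf_ok("*." + domain),
    }
```

`dmarc_source` shows which name actually supplied the policy, so a parked domain whose CNAME was never created shows up as `None` rather than silently passing.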
