Damn CNAME

Today on "Things I learned", I get reacquainted with CNAMEs and how they, when they want to, will 'eff up your DNS records.

A client engaged me for a "quick" domain warming for a rebranding. After review, this wasn't really a warming. The volume was too low. For me, the most important thing was making sure they were technically set up to be successful: authentication, working DNS, working mailboxes, etc. etc. etc.

Yes, they had to be mindful of alerting their customers of their new domain in their email program, properly routing their current site to the new site and educating customers there as well. But most of their customers were already aware of the rebranding through direct 1:1 communications.

The task was simple, get the domain setup, make sure it sits for an appropriate amount of time (minimum 30 days) without email activity, set up the website, get the right DNS records added, test, and make sure it all works. I started with their corporate mail and, naturally, the fun/easy/quick review turned into much more than an "in-and-out" engagement.

On to my checks (many more were done, but no need to bore you with everything)...

  • Domain set up ✅
  • Domain rested ✅
  • Domain authentication used branded SPF ✅
  • Domain authentication used branded DKIM
  • Domain published DMARC ✅
  • TLS enabled ✅

Ok DKIM is easy. I got this in the bag! Fastest consult EVER.

I sent over O365 instructions to generate DKIM for their 1:1 corporate mail and that DKIM key went off to the DNS team for DNS publication. 

Side note: O365 requests two CNAMES be set up for DKIM (likely for DKIM key rotation when the mood strikes O365 to initiate a swap-er-oo). However, during the checks only one CNAME has a value, the other is more of a placeholder. That internally gave me a twitch because it's just sitting there...blank.

Anywho, back to CNAMEs...I swear I'll get there.

DKIM was set up. I had asked the client to meet when all was done so we could test and finalize everything. I never received a reply to my inbox so when my calendar suddenly had an invite, it caught me off guard.

I join the meeting and we start talking about the outstanding items I had for them. There was almost a look of annoyance. Rude much? 

Perhaps though it wasn't undeserved. 

Turns out they had done the items I sent over. They did update DKIM and they did reach out asking for a meeting. Instead of waiting on my confirmation, they put one on the calendar (the invite that caught me off guard) because they were on a time crunch.

As we were talking I took a peek into my spam folder and there were their communications. staring at me, "unread" and brimming with information. I never "received" them because I never checked my spam folder. Why would I? Our emails have been unhindered so far, literally just earlier that day in the wee hours of the morning.

It didn't take long to see why they were there. Newish domain and no authentication. However, I checked and they had SPF. I made a note of it. I sent them feedback that only DKIM was needed.

Where did the SPF go?

Through the conversation, we discussed the changes made. DKIM wasn't the only one. It seemed unrelated, but their website went live just before they emailed me all those lovely emails with their updates.

I began querying the DNS to find the where the SPF records went. I kept getting a CNAME result and occasionally getting the SPF. It wasn't until I was connected with their DNS team and saw the overall DNS entries did I see a CNAME record in it's full glory pointing to the Word Press web hosting site. I then began comparing the DNS from the day before to see what else may have changed.

Email and web most often operate independently. Changes to the DNS for email can be done without impact to the site and vice-versa. However, in this case, by followed the instructions from their web host as is, they inadvertently interfered with the necessary DNS records for email. I would love to say "How could you not think of email?" But it's easy, it's not their job to think of email. They are thinking of their site.

The directions given told them to post a CNAME to their apex domain to make any future IP swaps by the provider seamless. Ages ago, I had a discussion with the DNS lead at my old job. He taught me lots of things about the DNS and one was that CNAMEs should NEVER go on the apex domain - issues would abound if you did.

Issues like messing with DNS queries. Essentially a CNAME tells the DNS resolver to go look somewhere else for the DNS records. The problem is a CNAME cannot bring the NS or SOA record with it. It's existence on the apex domain creates conflict within the resolvers. It's like coming to an intersection of Main St. and Main St. Which way to you go?

This is likely why (besides some caching) I kept getting sporadic results where SPF was showing and then it wasn't.

Ok, so problem identified. Solution time! We removed the CNAME on the apex domain and instead manually entering the IP into the A record.

By the time I got to the marketing stream for review, the rest was easy, peasy. However, those urgent few hours of "Where the H did the entries go?" still got me shaking my head with the haiku ending in "It's always DNS." seeping from my lips in disdain.

DAMN CNAMES

Comments

  1. Bryan PMay 18, 2024 at 9:46 AM

    Omg. I ran into this problem a couple months ago and didn’t realize until a seriously deep dive on the DNS showed a CNAME record pointing to our wordpress site. Had to change this to the A record to a physical IP and boom problem solved.

    Great article

    ReplyDelete
    Replies
    1. JenniferMay 20, 2024 at 11:23 AM

      DAMN YOU CNAME! :) Thank you so much for your comment. It's good to know I'm not alone in my quest to solve or resolve things that break.

      Delete

Post a Comment

Popular posts from this blog

WELCOME TO ISKTBN!

Welcome to ISKTBN! ISKTBN  = I Should Know This By Now! This is a blog about those little things that leave you slapping your forehead going, "I KNEW THAT!" If you've ever had those moments, you are at home here. For the last couple years, a good friend has been telling me I should start a blog...get my name out there. Writing is hard so I put it off. Plus, so many others put out amazing content. Rich, educational, succinct, and just what you need. What more could I give or have time for beyond what I provide in my current role under my company's blog? Probably nothing that will change how people think.  BUT, after I had a moment of "DAMN, I should know this by now (ISKTBN)!" I realized I might have something I could share. Perhaps it'll give readers a chuckle...although maybe only those that know me. If not, perhaps they'll leave with the notion that I love the word 'DAMN' (I don't, but it's fun to type) and a nugget of knowledge tha...
Read more

DNS: It's Damn Hard

Image
It's Damn AWESOME Deliverability Week (don't forget to follow #deliverabilityweek on LinkedIn)! I'm diving into the DNS yet again because it's been the thorn in the side of small senders who venture my way so it's naturally top of mind. Join me on this ride to discover why the DNS is so damn hard! Today on "Things the Industry Learned" a LONG time ago (but we, alas, only mere mortals, painfully learn daily), the DNS (Domain Name System) is a beast. It's the root of all issues  (Almost all? Ok, fine. Not all, but a lot.)  and, when it wants to, will 'eff up your deliverability. In my long tenured position as a deliverability blogger of a whopping 3 to 4 months, 50% of my posts have something related to the DNS as the culprit behind the issue at hand! FIFTY PERCENT! Ok, fine, 4 issue-focused articles aren't much to be exasperated about. BUT I have been in this beautiful field of deliverability since (checks her resume...
Read more

DAMN Redirects

Image
Today on "Things my client and I learned", we find out the internet (via redirects), when it wants to, will 'eff up your sanity. I've been on a bender with so many of my stories focusing on DNS, but it's the backbone of the internet so it can't help but get in the way. And although the issue here isn't a DNS issue (that I can identify,) I bring it up because the story starts with a change made to the DNS. First, if you don't know anything about DNS other than it means "Domain Name System," know that DNS is damn hard and easy to mess up. Making changes to the DNS can be flat out terrifying. So after you make changes, if you find out something isn’t working (related to changes or not,) you immediately ask for help (or in my case a casual, "I noticed when I got to my site, it's not my site.") But you're not always able to explain what happened or why, all you can say is that things aren't working as they should. I will sa...
Read more