Alphabet Soup - CNAME, SPF, and DKIM on your DNS - pt. 1. CNAME

Community Manager

There seems to be a lot of confusion about what these are and what they do, so I thought I would do a little post on it to try and clear it up.  Let's look at CNAMEs first.

 

CNAME is short for "canonical name" and if you look it up on Wikipedia, they define it like this:

 

A Canonical Name record (abbreviated as CNAME record) is a type of resource record in the Domain Name System (DNS) used to specify that a domain name is an alias for another domain, the "canonical" domain.

 

OK, great, but what does that mean?  Here's how I picture it in my imagination.

 

Imagine that the internet is some sort of vast, mind-boggling library, and the DNS is a kind of reference desk for a given section defined by a domain, such as your company's domain.  So a browser walks up to the reference desk/DNS at YourDomain.com and says, "Could you help me?  I'm looking for this resource - it says it's located in 'pages.yourdomain.com' but I don't see a 'pages' shelf in this section." 

 

The DNS/reference librarian looks up 'pages.yourdomain.com' in their directory, sees the CNAME record, and points across the way to a reference desk over in the Marketo section.  "Ah, yes," says the librarian, "go ask over in the Marketo section and they should be able to help you find the resource you are looking for."

 

This is true of both the landing page CNAME and the email tracking link CNAME.  The main difference between the two is that when you go over to the Marketo desk for the email tracking link, it makes a note in its log that you clicked a link in an email before it takes you to the page.

 

So how does setting up CNAMEs contribute to deliverability?  It has to do with unifying the information you are presenting to your customer.  If your email says "yourname@yourdomain.com" in the From line, but all the links inside the email point to "mkto-0123456.com", and those links take them to webpages on "http://na-sjst.marketo.com", that doesn't look quite right.  An email security program that is on guard against spoofing might decide that email looks too sketchy to send to the inbox.  Also, the person receiving the email might have a similar reaction - "Why does the From line have a different domain than the links in the email?  Is this legit?" - and they could junk it or even report it just to be sure.  But with CNAMEs, your email has "yourname@yourdomain.com" in the From line, the email links all say "go.yourdomain.com" and the landing pages are all on "pages.yourdomain.com", so your company's identity is retained throughout the communication.

 

A common mistake I see is that people try to set up SPF and DKIM for their CNAMEs - don't do this.  SPF and DKIM should not be set up for your CNAME domains; they should be set up for any domain you intend to use after the '@' in your From and Reply-To addresses.  I'll go over SPF and DKIM and what they do in my next post.
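
The mismatch described above can be checked mechanically. The following is an added example, not part of the original post or any Marketo tooling: it compares the From domain of a message with the hosts its links point to, using two constructed messages built from the domains quoted above. The "last two labels" comparison in `base_domain` is a simplifying assumption.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed sample message: From uses yourdomain.com, links use vendor hosts.
UNBRANDED = """\
From: Your Name <yourname@yourdomain.com>
Subject: Spring offer
Content-Type: text/html

<a href="http://mkto-0123456.com/abc123">Read more</a>
<a href="http://na-sjst.marketo.com/lp/offer.html">See the offer</a>
"""
# Same message after the tracking-link and landing-page CNAMEs are in place.
BRANDED = (UNBRANDED.replace("mkto-0123456.com", "go.yourdomain.com")
                    .replace("na-sjst.marketo.com", "pages.yourdomain.com"))


def base_domain(host):
    """Last two labels of a host name. Assumption: no public-suffix list,
    so suffixes such as co.uk are not handled."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def audit(raw):
    """Compare the From domain with every host linked from the body."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    hrefs = re.findall(r'href="([^"]+)"', msg.get_payload())
    hosts = sorted({urlsplit(u).hostname for u in hrefs if urlsplit(u).hostname})
    mismatched = [h for h in hosts if base_domain(h) != base_domain(from_domain)]
    return {
        "from_domain": from_domain,  # SPF/DKIM belong here, not on link hosts
        "link_hosts": hosts,
        "mismatched": mismatched,
    }


if __name__ == "__main__":
    for name, raw in (("unbranded", UNBRANDED), ("branded", BRANDED)):
        print(name, audit(raw))
```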


4 Comments

Hi Roxann,

Thanks for this.

Could you also please add the role of whitelisting in this series? More specifically, we had some customer questions about the potential risks of identity theft with so many whitelisted addresses. In other terms, once I have whitelisted all these addresses, what would happen if tomorrow one of them no longer belonged to Marketo?

-Greg

Community Manager

Hello Gregoire,

I can do a post addressing whitelisting options - I do think that would be useful.  My short answer to people who are concerned about whitelisting a broad range of IPs would be to whitelist the return-path instead.  I address this briefly in this post, and I'm happy to answer questions about it if you have any.

--Roxann

Level 10 - Community Moderator

An email security program that is on guard against spoofing might decide that email looks too sketchy to send to the inbox.

In reality, this is a rare-to-never occurrence. And it should be noted that a (single) tracking domain will only match one of your header domains and no others, so non-matching header and link domains are unavoidable.

and those links take them to webpages on "http://na-sjst.marketo.com"

The chance that a mail scanner is chasing JS redirects is vanishingly small, for reasons noted elsewhere.

But the human factor, as you mention, can make someone more likely to click http://click.brand.com (and even http://click.wellknownparentbrand.com) than they would be to click http://mkto-0123456.com. I am not aware of real-world research on this, but at least it does not contrast with technical reality!

Community Manager

I agree that the human factor is much more significant than the possibility that an email security program might take exception to the mismatch.