CNAME for Azure application causes email problems with MX and A records ignored
We have an application running on Microsoft Azure and have set up a CNAME record to cover the domain so we can have the nice URL of http://example.com (note I am replacing our real domain with example.com throughout this).

CNAME
mydomain.com -> mydomainapp.cloudapp.net

We have MX and A records set up correctly, so MX contains mailserver.example.com and an A record points mailserver to the correct IP address.

MX
mailserver.example.com

A
mailserver -> 198.168.111.111 (note this IP is fictitious)

All fine for most email, BUT some mailservers (not sure what technology yet) are now using the CNAME instead of the MX and A records.

So an email addressed to [email protected] is actually sent to [email protected] where example.cloudapp.net is the domain on Azure that we have mapped with the CNAME.

EMAIL TO: [email protected]
BECOMES: [email protected]

The only suggestions I can find simply say DO NOT have domain level CNAME or do not use CNAME at all, but of course Azure IP addresses can change so we have to use CNAME. We could prefix everything www.example.com but surely there must be a better solution.

Any ideas much appreciated.

Loving answered 8/4, 2013 at 18:28 Comment(1)
Have done a variety of research on this and not making much headway. One suggested workaround I have seen is to set up an email listener in the Azure app on port 25, and then to resend email out ( see blog.smarx.com/posts/… ) which is an example. Sledgehammer and nut spring to mind.Loving
OK, after much research it seems the best (at least to my mind) solution is to use an A record rather than CNAME for the domain level record.

You may be screaming "what! but the IP address is dynamically assigned!". Yes, but only if you tear down your deployment and replace it. Windows Azure will keep your VIP address so long as you publish to staging and use the "swap production and staging" option. Doing so preserves your VIP address so you can use an A record in your DNS instead of a CNAME.

See http://www.windowsazure.com/en-us/develop/net/common-tasks/custom-dns/ for some background.

Note MS official line is to recommend CNAME rather than A record due to the possible swapping of an IP address, but I guess they are not thinking about people wanting to run http://mydomain.com on the Azure platform.

I did also find other possible solutions, including building an SMTP listener into your app that reads mail on port 25 and forwards it back out. Technically good, but sledgehammer and nut spring to mind, plus it's one more thing to go wrong, and of course one more bunch of resources to pay for.

Loving answered 11/4, 2013 at 19:22 Comment(0)
It is not possible to use a CNAME record at the domain level, as a CNAME is an alias for all RR types, so it will always cause redirection for MX, SOA, NS, etc. lookups as well.

The following excerpt from RFC1912 section 2.4 says it very clearly:

A CNAME record is not allowed to coexist with any other data. In
other words, if suzy.podunk.xx is an alias for sue.podunk.xx, you
can't also have an MX record for suzy.podunk.edu, or an A record, or
even a TXT record. Especially do not try to combine CNAMEs and NS
records like this!:

       podunk.xx.      IN      NS      ns1
                       IN      NS      ns2
                       IN      CNAME   mary
       mary            IN      A       1.2.3.4

This is often attempted by inexperienced administrators as an obvious way to allow your domain name to also be a host. However, DNS servers like BIND will see the CNAME and refuse to add any other resources for that name. Since no other records are allowed to coexist with a CNAME, the NS entries are ignored. Therefore all the hosts in the podunk.xx domain are ignored as well!

So you must not use a CNAME-record for mydomain.com!

So you must set an A-record for mydomain.com (alongside MX and other records as needed), because that is the only working solution DNS-wise.

Otiliaotina answered 16/4, 2013 at 8:34 Comment(3)
Yes, I understand the RFC, however it is interesting to note that the vast majority of mailservers will read an MX record first even if there is a domain level CNAME. It is only a minority that follow the proper RFC recommendations. This makes it more confusing as it appears to work in most circumstances and then fails for a minority. However, you are right, as per the posted solution, the only answer is an A record. It would be helpful if Microsoft would include this and the drawbacks of a CNAME in their explanations of setting up DNS for Azure hosted apps.Loving
That probably depends on the software of the DNS-server. Compliant DNS servers will probably refuse to load the zone into memory, or ignore the extra entries if a CNAME record is present.Otiliaotina
Emails do not necessarily require an MX record, as mail servers will use an A record if they cannot find an MX record. Or when looking for an MX record and a caching recursive nameserver finds the CNAME, the recursive nameserver will resolve the CNAME and retry the MX lookup with the aliased name. Confusing, yes, because you can try to configure your DNS in a broken way, and what actually is seen by the world could be something entirely different. Always good to check with e.g. dig to see that returned DNS records match what you have intended.Otiliaotina
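Added example, not code from the thread or from any of its posters: a small Python simulation of the lookup rules this answer and its comments describe. It flags a zone in which a CNAME coexists with other record types at the same owner (the RFC 1912 section 2.4 rule), then models two kinds of sender against the two zone layouts discussed on this page: a compliant sender that lets the apex CNAME replace the name before asking for MX (so mail lands on the Azure host, as the question observed), and a lenient sender that uses the MX found at the owner name anyway (the majority behaviour the question describes). The second zone is the layout the accepted answer settles on: an A record at the apex and the CNAME moved to www. Every record below is constructed; 203.0.113.10 (the Azure VIP) and 198.51.100.20 (the cloudapp.net host) are placeholder addresses, and 198.168.111.111 is the fictitious address from the question.

```python
"""Simulate MX lookups against a zone whose apex is a CNAME versus an A record.

Added example, not code from the thread. All records below are constructed;
the IP addresses are placeholders.
"""
from collections import defaultdict

# Records as (owner, type, rdata). The broken layout from the question:
# a CNAME at the apex sitting next to the MX record.
ZONE_WITH_APEX_CNAME = [
    ("example.com.", "CNAME", "mydomainapp.cloudapp.net."),
    ("example.com.", "MX", "10 mailserver.example.com."),
    ("mailserver.example.com.", "A", "198.168.111.111"),  # fictitious IP from the question
]

# The layout the accepted answer settles on: an A record at the apex, the
# CNAME moved to www. 203.0.113.10 is a placeholder for the Azure VIP.
ZONE_WITH_APEX_A = [
    ("example.com.", "A", "203.0.113.10"),
    ("example.com.", "MX", "10 mailserver.example.com."),
    ("www.example.com.", "CNAME", "mydomainapp.cloudapp.net."),
    ("mailserver.example.com.", "A", "198.168.111.111"),
]

# What the world sees for the Azure host itself (constructed; it has no MX).
EXTERNAL_RECORDS = [
    ("mydomainapp.cloudapp.net.", "A", "198.51.100.20"),
]


def _index(records):
    """owner -> type -> [rdata], with owner names compared case-insensitively."""
    idx = defaultdict(lambda: defaultdict(list))
    for owner, rtype, rdata in records:
        idx[owner.lower()][rtype].append(rdata)
    return idx


def cname_conflicts(records):
    """Owner names that carry a CNAME plus any other type (the RFC 1912 2.4 rule)."""
    idx = _index(records)
    return sorted(name for name, types in idx.items()
                  if "CNAME" in types and len(types) > 1)


def resolve(name, rtype, records, follow_cname=True, max_hops=8):
    """Look up rtype for name. With follow_cname, behave like a compliant
    recursive resolver: a CNAME at the name replaces the name before any
    other type is answered. Returns (name actually answered, [rdata])."""
    idx = _index(records)
    name = name.lower()
    for _ in range(max_hops):
        rrset = idx.get(name, {})
        if follow_cname and rtype != "CNAME" and "CNAME" in rrset:
            name = rrset["CNAME"][0].lower()
            continue
        return name, list(rrset.get(rtype, []))
    raise RuntimeError("CNAME chain too long for %s" % name)


def mail_destination(domain, records, rfc_compliant=True):
    """Return (host, ip) a sending MTA would deliver mail for @domain to.

    rfc_compliant=False models the lenient behaviour the question observed
    from most senders: the MX found at the owner name is used even though a
    CNAME is present. With no MX at the final name, the implicit-MX rule
    applies and mail goes to that name's A record.
    """
    name, mx_rdata = resolve(domain, "MX", records, follow_cname=rfc_compliant)
    if mx_rdata:
        # Lowest preference value wins; rdata is "<pref> <host>".
        _, host = min((int(r.split()[0]), r.split()[1]) for r in mx_rdata)
    else:
        host = name
    _, addrs = resolve(host, "A", records)
    return host, (addrs[0] if addrs else None)


if __name__ == "__main__":
    for label, zone in (("apex CNAME", ZONE_WITH_APEX_CNAME),
                        ("apex A", ZONE_WITH_APEX_A)):
        records = zone + EXTERNAL_RECORDS
        print(label, "conflicts:", cname_conflicts(zone))
        print("  compliant sender ->", mail_destination("example.com.", records))
        print("  lenient sender   ->",
              mail_destination("example.com.", records, rfc_compliant=False))
```

Run stand-alone, it shows the apex-CNAME zone delivering to mydomainapp.cloudapp.net for a compliant sender but to mailserver.example.com for a lenient one, which is exactly the "works for most, fails for a few" pattern in the question, while the apex-A zone delivers to mailserver.example.com in both cases. This only models the resolution rules; for a live zone, querying with dig as the comment above suggests is the way to confirm what the world actually receives.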
Yes, there is a better solution - use a second level domain for your app. Let it be portal.mydomain.com and use a CNAME to map portal.mydomain.com to mydomainapp.cloudapp.net, set up the MX record for mydomain.com and have all addresses in the form [email protected]. This way it's still clear that you own mydomain.com and all your emails still look serious - [email protected], not [email protected].

Btw technically the setup described above indeed means you don't have a domain level CNAME.

Athanasius answered 9/4, 2013 at 6:18 Comment(3)
Thanks but really want the main application to be at mydomain.com. I understand we could drop the domain level CNAME and just allow www.mydomain.com or any other subdomain for that matter, but the business wants to run without the prefix, which is a reasonable request.Loving
@Jezbers: Yes, it's a clear goal, but I haven't found any solution to achieve it.Athanasius
Thanks for pointing this out. Since all other solutions are way to complicated and would keep me busy for hours at least, I will do it this way.Guerin
We use an A record for our root domain and this works fine, as @Jezbers mentioned in his answer. The A record won't break email. However, the CNAME record affects the other records (it allows you to have "redirect domain" functionality so [email protected] also works for [email protected]).

If you were looking for a better "work-around" solution than the SMTP Listener work-around, then you can consider the following:

Host your site at a www subdomain and put the CNAME there. Have something else host a 301 redirect to www and use an A record to point your root domain to this redirect site.

Not perfect but an option that's better than the SMTP option, most likely.

Rhetorician answered 15/4, 2013 at 1:10 Comment(0)