Clarifications on MTA-STS Policy with CNAME Records

Hi databender,

I will try to be technical, but also a bit casual for the better understanding:

1. CNAME Reference:
- When they mention "a domain using a CNAME," they mean it's not just about email servers. It's mostly about using CNAME records for a specific kind of email security thing called MTA-STS. Think of CNAMEs like shortcuts.

2. CNAME Usage: 

- They say, "Hey, don't use CNAMEs for MTA-STS," because they want email to be super safe. MTA-STS is like a bodyguard for emails, making sure they're secure. But when we use CNAMEs, it can make the bodyguard's job harder.

- Microsoft wants email deliveries to be as safe as possible. So, they say, "Let's not use CNAMEs for MTA-STS." Safety is their top priority!

3. Record Type Implications:
- Now, when it comes to using A/AAAA records (these are like direct addresses) instead of CNAME records (which are like detours) for MTA-STS, here's the deal: A/AAAA records give us more control. It's like knowing exactly where you're going.

- But with CNAMEs, it's like taking a longer route, and sometimes, that can lead to security issues. Bad guys might try to mess with the directions, and that's a no-no.

- So, Microsoft says, "Let's stick to A/AAAA records for MTA-STS to keep email super secure."

MTA-STS (Strict Transport Security) (msxfaq.de)

MTA-STS (Strict Transport Security) - Frankys Web