
We recently moved to EC2 and started using Amazon's ELB for load balancing. We're using CloudFlare for DNS, which allows us to use a CNAME at the domain root. However, we occasionally have people tell us that our emails are bouncing with some variation of the following error:

first.last@ourdomain.com... Deferred: Connection refused by our-production-loadbalancer.elb.amazonaws.com.

We are using Google Apps for mail and our MX records are configured properly, so I'm not sure at what point the mail clients or servers are attempting to resolve our domain and receiving the CNAME record instead.

Does anyone understand why the MX records would be ignored? Is this a result of using a CNAME? I would imagine that the same thing could/would happen if we pointed an A record at an IP address that was also not accepting mail.

3 Answers


If you have a domain example.invalid:

; example.invalid
$TTL    604800
@       IN      SOA     ns1.example.invalid. root.example.invalid. (
                     2006020201 ; Serial
                         604800 ; Refresh
                          86400 ; Retry
                        2419200 ; Expire
                         604800); Negative Cache TTL
;
@       IN      NS      ns1
        IN      MX      10 mail
        IN      CNAME   anotherdomain.invalid.   ; trailing dot: absolute name, not anotherdomain.invalid.example.invalid

You are saying:

Hey, you can find example.invalid under whatever address anotherdomain.invalid can be found. And btw, any MX records, SRV records or other stuff for example.invalid is also whatever anotherdomain.invalid tells you. That means mail sent to example.invalid will use the MX record of anotherdomain.invalid.

References:

serverhorror

Per RFC 1034 §3.6.2:

If a CNAME RR is present at a node, no other data should be present; this
ensures that the data for a canonical name and its aliases cannot be different.

Thus, if you have a CNAME configured at example.com then it is the only record you may have configured there. All records which pertain to that domain must be under the alias.

For example, if you have example.com IN CNAME acme.hosting-co.com then your NS, SOA, MX, etc. records must all be under acme.hosting-co.com. They may not be under example.com.

Additionally, if no MX record is found for a domain, then the A record for that domain may be tried as a last resort. So a properly functioning MTA should look up your domain, find the CNAME, try the alias, fail to find an MX record there, and try the A record instead (your load balancer in this case). Your load balancer apparently isn't capable of receiving e-mail.

The failing MTAs are actually behaving correctly. Any MTAs finding your mail server are not.

Chris S
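A small resolver simulation, added here to illustrate the two answers above; it is not code from the question or the answers, and the zone data (names in reserved `.invalid` domains and documentation IP ranges) is constructed for the example. It follows the CNAME the way a resolver must, so the MX the owner configured at the apex is never seen, and then applies the RFC 5321 implicit-MX fallback to the alias's A record, which is exactly the load balancer in the bounce message.

```python
"""Simulated mail-routing lookup: why a CNAME at the zone apex diverts mail.
Added example, not part of the original answers.  All records below are
constructed for illustration."""

# Constructed records: name -> {rrtype: [rdata, ...]}.  The CNAME at the apex of
# example.invalid mirrors the questioner's setup: the apex aliases a load
# balancer that does not accept mail.  Per RFC 1034 §3.6.2 a resolver must not
# return the MX next to it, so that MX is effectively invisible.
ZONE = {
    "example.invalid.": {
        "CNAME": ["lb.elb.example-cloud.invalid."],
        "MX": [(10, "aspmx.mail.invalid.")],          # ignored once CNAME is followed
    },
    "lb.elb.example-cloud.invalid.": {"A": ["198.51.100.10"]},
    "aspmx.mail.invalid.": {"A": ["203.0.113.25"]},
}

# Corrected zone: the apex carries an A record instead of a CNAME, so the MX
# record is returned for queries against example.invalid.
FIXED_ZONE = dict(ZONE)
FIXED_ZONE["example.invalid."] = {
    "A": ["198.51.100.10"],
    "MX": [(10, "aspmx.mail.invalid.")],
}

def lookup(name, rrtype, zone=ZONE, max_chain=8):
    """Resolve rrtype at name, following CNAMEs like a real resolver.
    Returns (canonical_name, rdata_list); rdata_list is empty if absent."""
    for _ in range(max_chain):
        rrsets = zone.get(name, {})
        if "CNAME" in rrsets and rrtype != "CNAME":
            name = rrsets["CNAME"][0]   # the alias replaces the query name
            continue
        return name, list(rrsets.get(rrtype, []))
    raise RuntimeError("CNAME chain too long")

def mail_targets(domain, zone=ZONE):
    """Hosts an MTA would try for mail to @domain: MX records in preference
    order, else the implicit MX (the A record of the canonical name)."""
    canonical, mxs = lookup(domain, "MX", zone)
    hosts = [host for _, host in sorted(mxs)] if mxs else [canonical]
    return [(host, lookup(host, "A", zone)[1]) for host in hosts]

if __name__ == "__main__":
    for label, z in (("CNAME at apex", ZONE), ("A at apex", FIXED_ZONE)):
        print(label, "->", mail_targets("example.invalid.", z))
```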

I'm assuming that you have the CNAME for the balancer marked with an orange cloud in the DNS settings at CloudFlare? If so, you should log in and change the cloud from orange to gray for that CNAME record.

damoncloudflare