The caching behaviour of third party DNS resolvers can be unpredictable. The default negative TTL with Cloudflare is 30 minutes, but I would not rely on that. DNS always needs patience.
Yes, I can dig the record all day but it does not completely propagate. I tried to upload this image before but it wouldn’t take. Your link also shows at least two US DNS services did not update this days-old record. https://dnschecker.org shows more gaps.
Thank you for the reference. I was assured by some “knowledgeable sources” that we could split the config with SPF for email and CNAME for the web. Grrr.
What’s stopping you from creating records with the label mailer.inside.nss.org? You won’t be able to set an MX record at inside.nss.org or delegate a child zone to external nameservers, but nothing should prevent you from creating the label mailer.inside.nss.org inside the current zone.
I don’t really understand what’s happening, since our TXTSPF record does seem to coexist (although not reliably) with the CNAME record for inside.nss.org. So can a subdomain also coexist the CNAME for the parent subdomain?
For context: inside.nss.org redirects to an membership management platform, which also sends mail for the organization through AmazonSES. I configured inside.nss.org as as the custom mail-from (envelope from) domain. All this works fine but about 25% of mail fails SPF because of either TempError or ‘no SPF record found.’ This seems to be a result of the SPF record not propagating to some DNS resolvers. Based on the above replies I surmise this is caused by the CNAME record? But why it propagates at all, let alone unreliably, I don’t understand.
You are doing something that you are not meant to do, so getting unpredictable results is expected.
DNS propagation is probably a poor phrase (which is of course universally used). The global DNS is not an eventually consistent multi-node database with updates being sent out towards every DNS recursive server on the Internet. The propagation is pull based, and some servers will cache for varying amounts of time, so updates can take some time to become visible as cached records expire.
(Wild guess that makes some sense here.) Recursive servers do not know what records might exist on an authoritative server until they ask for them. If a recursive server has no cached values, and asks for a TXT record, it might get a TXT response. But if it asked for a CNAME first, then it knows that subsequent requests for TXT records at that label should follow the CNAME, and will not go back to the authority for records.
You have several options that I can think of.
Enable Cloudflare Proxy on inside.nss.org, which will hide the CNAME from public view.
Flatten All CNAMES. Can have unintended consequences, especially if you rely on CNAME records being used for external service verification.
You should go with [email.inside].nss.org as the RFC5351 From, this way you can use relaxed SPF and DKIM alignment for your DMARC record and your email 5322.from can be @ inside.nss.org or @nss.org. If you go with mailer.nss.org then you can only mail from @nss.org and @mailer.nss.org with relaxed identifiers. Really depends on your intentions.
Either way after you configure test them both with a eMail Tester
Thank you for the detailed response. I’m now testing relying on CF’s proxy of inside.nss.org but will eventually move to a different mail-from/RFC5351 as soon as I coordinate that with others on our team.
Thanks to you and eveyone else here for nudging me in the right direction. Thanks @Topcoder for the campaigncleaner tip to!