Hi Markus,
it looks like Microsoft has configured their DNS zones in a creative way and I would expect them to come up with an RFC that justifies their creative way to "rape" DNS at a later time.
For now, the way they have set it up looks unsupported to me and I doubt that they get any mail except from servers using their own s*it that might be compatible with that approach.
To get this solved, I would recommend opening a ticket with Microsoft and filing a bug.
Sorry, I've given up on debugging the outcome of DNS rapists ;-)
cheers
Ralph
----- On 19 Feb 2018 at 13:46, Markus Wild swinog-list@dudes.ch wrote:
Hello Ralph
[TL;DR] ;-)
Sorry about that, but it's not about an MX to a CNAME, it's about the domain part being resolved directly via a CNAME (kind of like having a domain-level CNAME to another domain, except _THAT_ isn't allowed due to shadowing NS and SOA records). With something like "accountprotection.microsoft.com" they're probably not breaking that rule though.
When you have time, I'd welcome an answer to my question ;)
Cheers, Markus
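
Added example, not part of either message: a small zone lint for the rule mentioned in the thread (a CNAME may not share its owner name with NS or SOA records), plus a lookup that models a sender following the alias from the mail domain before reading MX records. The record set, the `.test` names and both function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data (owner, type, rdata) under reserved .test names.
RECORDS = [
    ("example.test.", "SOA", "ns1.example.test. hostmaster.example.test. 1 3600 600 86400 300"),
    ("example.test.", "NS", "ns1.example.test."),
    ("mail.example.test.", "CNAME", "mail.target.test."),  # subdomain alias: no conflict
    ("mail.target.test.", "MX", "10 mx1.target.test."),
    ("mail.target.test.", "MX", "5 mx0.target.test."),
    ("bad.test.", "SOA", "ns1.bad.test. hostmaster.bad.test. 1 3600 600 86400 300"),
    ("bad.test.", "NS", "ns1.bad.test."),
    ("bad.test.", "CNAME", "elsewhere.test."),              # apex alias: conflict
]

# DNSSEC record types are the only data allowed next to a CNAME.
ALLOWED_WITH_CNAME = {"CNAME", "RRSIG", "NSEC"}

def cname_conflicts(records):
    """Return {owner: [other types]} for names that hold a CNAME plus other data."""
    types = defaultdict(set)
    for owner, rtype, _ in records:
        types[owner.lower()].add(rtype.upper())
    return {o: sorted(t - ALLOWED_WITH_CNAME)
            for o, t in types.items()
            if "CNAME" in t and t - ALLOWED_WITH_CNAME}

def mail_exchangers(domain, records, max_hops=8):
    """Follow CNAMEs from the mail domain, then return (final name, sorted MX list)."""
    name, seen = domain.lower(), set()
    while True:
        if name in seen or len(seen) >= max_hops:
            raise ValueError("CNAME loop or chain too long at " + name)
        seen.add(name)
        targets = [r for o, t, r in records
                   if o.lower() == name and t.upper() == "CNAME"]
        if not targets:
            break
        name = targets[0].lower()
    mx = []
    for o, t, r in records:
        if o.lower() == name and t.upper() == "MX":
            pref, host = r.split()
            mx.append((int(pref), host.lower()))
    return name, sorted(mx)

if __name__ == "__main__":
    print(cname_conflicts(RECORDS))
    print(mail_exchangers("mail.example.test.", RECORDS))
```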