CNAME RRset cannot have multiple records

Rich · February 21, 2025, 2:14am

Hi there, I have been using deSEC for some time now as a handy way to access services on my home server behind a reverse proxy but I ran into an issue today when I decided to start using iCloud as a custom email domain.

They need me to add:

sig1.dkim.peasinapodfilms.com.at.icloudmailadmin.com. as a CNAME however I already use
peasinapodfilms.com as a CNAME so I end up getting the error “CNAME RRset cannot have multiple records”

I removed the CNAME entry for peasinapodfilms.com and my email immediately started working, but I then lost access to my self hosted services

Any suggestions on how I could start troubleshooting this?

Bruce5051 · February 21, 2025, 2:43am

Hi @Rich,

Make a subdomain then use that for the CNAME.
However maybe that would make the iCloud custom email domain be the subdomain, not sure how iCloud works.

Also see CNAME Restrictions

Rich · February 21, 2025, 11:44am

Thanks Bruce, unfortunately I’m still struggling to make this work

I have been using the * symbol as a subname for my peasinapodfilms.com address which allows me to add multiple suffixes ie share.peasinapodfilms.com or work.peasinapodfilms.com, so if I replace that with the apple provided address sig1.dkim.peasinapodfilms.com.at.icloudmailadmin.com. then I lose all the other subdomains

Sorry, I’m sure there is a simple fix for this but my knowledge in this area is fairly limited?

Could anyone suggest a possible solution, if there is one?

Rich · February 21, 2025, 12:24pm

For clarity here are two screen grabs of my Desec setup

This is with working subdomains

This is with working email via iCloud custom domain

I’m struggling to understand how I can do both things

GenericUser · February 21, 2025, 1:13pm

The CNAME for DKIM must be set on the sig1._domainkey subdomain. For reference, see

Setting a CNAME for that host/subdomain does not change the values for any other subdomain covered by the wildcard. The wildcard covers all subdomains that do not exist explicitly or implicitly through other records. You can have a CNAME for * and a different CNAME for a specific subdomain. The CNAME for sig1._domainkey overrides the wildcard CNAME only for that subdomain.

Rich · February 21, 2025, 1:22pm

I’m sorry I’m not sure I completely understand

Ok, so are you saying my setup is screen grab 2 is correct then? Or at least the only way I can get email working via iCloud?

Apologies, this is the bit where I think I’m losing you. Could you elaborate a little?

GenericUser · February 21, 2025, 1:23pm

You can’t set multiple CNAMEs on the same hostname, but you can set one on the wildcard * hostname and a different one on a different hostname (sig1._domainkey in this case). The second configuration is correct, just add a * CNAME back for your self-hosted services.

Rich · February 21, 2025, 1:32pm

Oh good grief! Now I feel like an idiot!

Thanks so much it’s working fine now. I think that was a case of not being able to see the wood for the trees