Configuring Same Custom Domain for Email + Azure Container Apps (CNAME Conflict)

Question

Configuring Same Custom Domain for Email + Azure Container Apps (CNAME Conflict)

Sharma, Ritika 320

Hello Microsoft Support Team,

I need assistance with configuring the same custom domain for two different services:

Domain: a.b.domain.com Use cases:

Email configuration (SPF, DKIM, TXT records already added)
Azure Container Apps custom domain + Managed Certificate

I want to use the same subdomain (a.b.domain.com) both for email and for Container Apps.

Could you please clarify:

Is it supported to use the same hostname simultaneously for email DNS (SPF/DKIM) and Azure Container Apps?

Is there an alternative verification method for issuing a Managed Certificate without requiring a CNAME?

If only CNAME is supported, what is the recommended Microsoft practice when the domain is already being used for email services?

Is TXT verification alone sufficient for Managed Certificate issuance? (Currently it seems not)

Golla Venkata Pavani 270 Reputation points Microsoft External Staff Moderator

2025-11-28T13:11:53.4133333+00:00
Hii Sharma, Ritika,

Thank you for reaching us regarding the issue.

It looks like you're trying to configure the same subdomain (a.b.domain.com) for both email services and Azure Container Apps, and you're facing some potential CNAME conflicts.
Here I provided answers for your questions

1.Is it supported to use the same hostname simultaneously for email (SPF/DKIM + MX) and Azure Container Apps:
Using the exact same subdomain (a.b.domain.com) for email and as a CNAME for Azure Container Apps is not supported. But Instead of using a CNAME, point the subdomain to Azure Container Apps with an A record that goes straight to your Container Apps environment’s static public IP. An A record lives happily next to Mail Exchange, TXT (SPF/DKIM/DMARC), and everything else.

2.Alternative verification methods for Managed Certificates without requiring a CNAME:
Azure Container Apps Managed Certificates only support CNAME-based domain validation. There is no supported alternative verification method (TXT, HTTP-01, email validation, etc.) for ACA Managed Certificates as of now.

However if you cannot use a CNAME because the domain is already in use (email, MX, TXT, DKIM conflicts), you do have alternative certificate options, just not Managed Certificates.

You can avoid the CNAME requirement entirely by uploading your own TLS certificate to Azure Container Apps:

How to get the certificate:

Any public CA can issue the certificate using validation methods other than CNAME, such as:

TXT- based domain validation(DNS-01): Supported by many CAs (Let’s Encrypt via DNS, DigiCert, Sectigo, etc.)

After obtaining the certificate, Upload it to Azure Container Apps: In the Azure Portal → Container App → Custom Domains → Bring Your Own Certificate

3. What does Microsoft actually recommend when the subdomain is already used for email?

If the subdomain is already in use for email records or other services, use an A record that points to the static IP address of the Container Apps environment instead of a CNAME record.
Use a different subdomain for web services to avoid DNS conflicts:

Keep email on : a.b.domain.com

Use a separate subdomain for Azure Container Apps : app.a.b.domain.com.
Then you can create a CNAME : app.a.b.domain.com → yourapp.azurecontainerapps.io

Is TXT Verification Alone Sufficient for Managed Certificate Issuance?

No, TXT verification alone is not sufficient for managed certificate issuance in Azure Container Apps. The TXT record (e.g., asuid.) only confirms domain ownership to prevent takeovers; full issuance requires additional validation via HTTP-01 (for A records) or CNAME chaining (for CNAME records) to prove control over traffic.

Reference:
https://learn.microsoft.com/en-us/azure/container-apps/custom-domains-managed-certificates?pivots=azure-portal
https://learn.microsoft.com/en-us/azure/container-apps/custom-domains-certificates?source=recommendations&tabs=general&pivots=azure-portal

Kindly let us know if the above comment helps or you need further assistance on this issue.

Please "Upvote" if the information helped you. This will help us and others in the community as well.

Answer accepted by question author

0 additional answers

Your answer

Answer 1

Using the same subdomain (a.b.domain.com) for both email services and Azure Container Apps can lead to conflicts, particularly because Azure Container Apps typically requires a CNAME record for custom domain verification. Here are some clarifications regarding your questions:

Using the Same Hostname for Email and Azure Container Apps: It is generally not supported to use the same hostname simultaneously for email DNS (like SPF/DKIM) and Azure Container Apps because both services require specific DNS records that can conflict with each other. For example, if you set a CNAME record for Azure Container Apps, it would override any existing A or TXT records necessary for email services.
Alternative Verification Method for Managed Certificate: Unfortunately, Azure Container Apps primarily supports CNAME records for domain verification. There is no alternative verification method that would allow you to issue a Managed Certificate without requiring a CNAME record.
Recommended Practice: If your domain is already being used for email services, the recommended practice would be to use a different subdomain for Azure Container Apps. For instance, you could consider using app.b.domain.com for your Container App to avoid any conflicts with your email configuration.
TXT Verification for Managed Certificate: TXT verification alone is not sufficient for Managed Certificate issuance in Azure Container Apps. The service specifically requires a CNAME record to validate the domain ownership and issue the certificate.

Given these constraints, it's advisable to separate the services onto different subdomains to ensure both email and Azure Container Apps function correctly without conflicts.

Share via

Configuring Same Custom Domain for Email + Azure Container Apps (CNAME Conflict)

0 additional answers

Your answer