CNAME at zone apex not allowed
The use of a CNAME at a zone apex (e.g. department.wisc.edu) is not allowed.
What this means is that if you have a DNS zone that contains DNS resource records (RR) such as MX, TXT, SRV in order to support email, TXT-based authentication strings, etc. you can NOT use a CNAME for the the zone apex.
A "zone apex" is where the SOA and NS (and often MX) records for a DNS zone are placed -- examples might include "foo.wisc.edu", "bar.wisc.edu", or "wisc.edu".
CNAME NOT allowed:
foo.wisc.edu CNAME other.hosted.service.cloud <-- NOT ALLOWEDfoo.wisc.edu MX mta.wiscmail.wisc.edufoo.wisc.edu TXT foo=barwww.foo.wisc.edu CNAME other.hosted.service.cloud
* CNAME is not allowed as foo.wisc.edu is a zone apex, it contains MX and TXT DNS resource records.
RFC 1034 states:
The domain system provides such a feature using the canonical name (CNAME) RR. A CNAME RR identifies its owner name as an alias, and specifies the corresponding canonical name in the RDATA section of the RR. If a CNAME RR is present at a node, no other data should be present; this ensures that the data for a canonical name and its aliases cannot be different. This rule also insures that a cached CNAME can be used without checking with an authoritative server for other RR types.
See also RFC 1912 "Common DNS Operational and Configuration Errors".
Use an A-record for the zone apex.
Use redirection from another non-3rd-party host via A record for the apex.