[DNS] More info on CNAME records (#26743)

* Add new h3 under cname-flattening and link with dns-record-types

* Small text touch-ups: missing comma and word

* Make example in #proxied-cname-records consistent with description

* Bring #proxy-eligibility info into dns-record-types.mdx

* Add list of non-proxiable targets to limitations.mdx

* Remove parenthesis for simplicity and to avoid ambiguity

* Remove line breaks within multi-level list

* More cross-links and add #cname-records to proxy-status page

* Add CNAME chain scenario to #mix-proxied-and-unproxied

* Adjust scope to exclude #cname-targets (PCX-14391) for now

* PM feedback: data and clarify what flattened means for proxied

Author: RebeccaTamachiro

src/content/docs/dns/cname-flattening/index.mdx

@@ -8,15 +8,15 @@ sidebar:
 
 import { Render, GlossaryTooltip } from "~/components";
 
-CNAME flattening speeds up CNAME resolution and allows you to use a CNAME record at your <GlossaryTooltip term="zone apex" link="/dns/concepts/#zone-apex">zone apex</GlossaryTooltip> (`example.com`).
+CNAME flattening speeds up CNAME resolution and allows you to use a [CNAME record](/dns/manage-dns-records/reference/dns-record-types/#cname) at your <GlossaryTooltip term="zone apex" link="/dns/concepts/#zone-apex">zone apex</GlossaryTooltip> (`example.com`).
 
 :::note
 This functionality is also what allows you to use a [root custom domain](/pages/configuration/custom-domains/) with a Cloudflare Pages site.
 :::
 
 ## How it works
 
-With CNAME flattening, Cloudflare finds the IP address that a CNAME points to. This process could involve a single lookup or multiple (if your CNAME points to another CNAME). Cloudflare then returns the final IP address instead of a CNAME record, helping DNS queries resolve up to 30% faster.
+With CNAME flattening, Cloudflare finds the IP address that a CNAME points to. This process could involve a single lookup or multiple (if your CNAME points to another CNAME). Cloudflare then returns the final IP address instead of a CNAME record, helping DNS queries resolve faster.
 
 For more details on the steps involved in CNAME flattening, review the [CNAME flattening diagram](/dns/cname-flattening/cname-flattening-diagram/) and refer to the [Cloudflare blog post](https://blog.cloudflare.com/introducing-cname-flattening-rfc-compliant-cnames-at-a-domains-root/).
 

src/content/docs/dns/index.mdx

@@ -15,7 +15,7 @@ Leverage Cloudflare's global network to deliver excellent performance and reliab
 
 <Plan type="all" />
 
-Cloudflare DNS is a fast, resilient and easy-to-manage authoritative DNS service. It delivers excellent performance and reliability to your domain while also protecting your business from [DDoS attacks](https://www.cloudflare.com/learning/ddos/what-is-a-ddos-attack/) and [route leaks and hijacking](https://www.cloudflare.com/learning/security/glossary/bgp-hijacking/). To know where to begin, refer to [Get started](/dns/get-started/).
+Cloudflare DNS is a fast, resilient, and easy-to-manage authoritative DNS service. It delivers excellent performance and reliability to your domain while also protecting your business from [DDoS attacks](https://www.cloudflare.com/learning/ddos/what-is-a-ddos-attack/) and [route leaks and hijacking](https://www.cloudflare.com/learning/security/glossary/bgp-hijacking/). To know where to begin, refer to [Get started](/dns/get-started/).
 
 Enterprise customers can also use Cloudflare DNS for their private network with [Internal DNS (Beta)](/dns/internal-dns/).
 

src/content/docs/dns/manage-dns-records/reference/dns-record-types.mdx

@@ -125,7 +125,7 @@ DNS management for **example.com**:
 
 | Type  | Name | Content                | Proxy status |
 | ----- | ---- | ---------------------- | ------------ |
-| CNAME | abc  | `target.external.test` | DNS Only     |
+| CNAME | abc  | `target.external.test` | Proxied     |
 
 </Example>
 
@@ -145,6 +145,8 @@ In this example, a query for TXT in `abc.example.com` will **not** return the TX
 
 - Cloudflare uses a process called CNAME flattening to deliver better performance. This process supports a few features and can interact with [different setups that depend on CNAME records](/dns/cname-flattening/#aspects-to-keep-in-mind). Refer to the [CNAME flattening section](/dns/cname-flattening/) to learn more about this.
 
+- If you encounter a CNAME record that you cannot proxy — usually associated with another CDN provider — a proxied version of that record will cause connectivity errors. Cloudflare is purposely preventing that record from being proxied to protect you from a misconfiguration. Refer to [proxying limitations](/dns/proxy-status/limitations/#proxy-eligibility) for details.
+
 :::note
 Specific CNAME record values with traffic proxied through Cloudflare will enable Orange-to-Orange (O2O) routing for the Shopify SaaS provider. Refer to the [Shopify provider guide](/cloudflare-for-platforms/cloudflare-for-saas/saas-customers/provider-guides/shopify/) for more information.
 :::

src/content/docs/dns/proxy-status/index.mdx

@@ -66,19 +66,64 @@ If you have multiple A or AAAA records on the same name and at least one of them
 <Details header="Example">
 
 <Example>
+
 DNS management for **example.com**:
 
 | Type | Name   | Content     | Proxy status | TTL  |
 | ---- | ------ | ----------- | ------------ | ---- |
 | A    | `blog` | `192.0.2.1` | Proxied      | Auto |
 | A    | `blog` | `192.0.2.5` | DNS only     | Auto |
 
+</Example>
+
 In this example, all traffic intended for `blog.example.com` will be treated as if both records were **Proxied**.
 
+</Details>
+
+Cloudflare will also proxy a request if a hostname on a CNAME chain is proxied.
+
+<Details header="Example">
+
+Consider that the same Cloudflare account has two different zones, `example.com` and `example.net`.
+
+<Example>
+
+DNS management for **example.com**:
+
+| Type | Name   | Content     | Proxy status | TTL  |
+| ---- | ------ | ----------- | ------------ | ---- |
+| CNAME   | `example.com` | `origin.example.net` | DNS only     | Auto |
+
+</Example>
+
+<Example>
+
+DNS management for **example.net**:
+
+| Type | Name   | Content     | Proxy status | TTL  |
+| ---- | ------ | ----------- | ------------ | ---- |
+| CNAME   | `origin.example.net` | `<origin>` | Proxied     | Auto |
+
 </Example>
 
+In this example, all traffic intended for `example.com` will be treated as **Proxied**.
+
+:::note
+CNAME to a different Cloudflare account is prohibited and will result in a [Error 1014 (CNAME Cross-User Banned)](/support/troubleshooting/http-status-codes/cloudflare-1xxx-errors/error-1014/)
+:::
+
 </Details>
 
+### CNAME records
+
+Proxied [CNAME records](/dns/manage-dns-records/reference/dns-record-types/#cname) are flattened by default, as they return Cloudflare anycast IPs. With CNAME flattening, Cloudflare finds the IP address that a CNAME points to, helping DNS queries resolve faster. Refer to [CNAME flattening](/dns/cname-flattening/) for details.
+
+In some cases, Cloudflare will show a warning message or [prevent](/dns/proxy-status/limitations/#proxy-eligibility) you from proxying a CNAME record. This happens to avoid misconfigurations and is generally related to other CDN providers or to specific records used for DKIM validation.
+
+:::note
+Specific CNAME record values with traffic proxied through Cloudflare will enable Orange-to-Orange (O2O) routing for the Shopify SaaS provider. Refer to the [Shopify provider guide](/cloudflare-for-platforms/cloudflare-for-saas/saas-customers/provider-guides/shopify/) for more information.
+:::
+
 ### Protocol optimization
 
 For proxied records, if your domain has [HTTP/2 or HTTP/3 enabled](/speed/optimization/protocol/) and is also using [Universal SSL](/ssl/edge-certificates/universal-ssl/), Cloudflare automatically generates corresponding [HTTPS Service (HTTPS) records](/dns/manage-dns-records/reference/dns-record-types/#svcb-and-https) on the fly. HTTPS records allow you to provide a client with information about how it should connect to a server upfront, without the need of an initial plaintext HTTP connection.

src/content/docs/dns/proxy-status/limitations.mdx

@@ -6,15 +6,31 @@ sidebar:
   label: Limitations
 ---
 
-import { Render, GlossaryTooltip } from "~/components";
+import { Render, GlossaryTooltip, Details } from "~/components";
 
 This page describes expected limitations when <GlossaryTooltip term="proxy status">proxying DNS records</GlossaryTooltip>. For further information about proxying, refer to [How Cloudflare works](/fundamentals/concepts/how-cloudflare-works/).
 
 ## Proxy eligibility
 
 Only A, AAAA, and CNAME DNS records that serve HTTP or HTTPS traffic can be proxied. Other record types cannot be proxied.
 
-If you encounter a CNAME record that you cannot proxy — usually associated with another CDN provider — a proxied version of that record will cause connectivity errors. Cloudflare is purposely preventing that record from being proxied to protect you from a misconfiguration.
+If you encounter a [CNAME record](/dns/manage-dns-records/reference/dns-record-types/#cname) that you cannot proxy — usually associated with another CDN provider — a proxied version of that record will cause connectivity errors. Cloudflare is purposely preventing that record from being proxied to protect you from a misconfiguration.
+
+<Details header="Non-proxiable targets">
+
+- Exact match:
+	- `dkim2.mcsv.net` ([Mailchimp documentation](https://mailchimp.com/help/set-up-email-domain-authentication/))
+  - `dkim3.mcsv.net` ([Mailchimp documentation](https://mailchimp.com/help/set-up-email-domain-authentication/))
+  - `zmverify.zoho.com` ([Zoho documentation](https://www.zoho.com/mail/help/adminconsole/domain-verification.html))
+  - `dkim.infusionmail.com` ([Keap documentation](https://help.keap.com/help/dmarc))
+- Exact match or subdomain of:
+	- `dkim.amazonses.com` ([Amazon SES documentation](https://docs.aws.amazon.com/ses/latest/dg/creating-identities.html#just-verify-domain-proc))
+- Subdomain of:
+	- `onmicrosoft.com` ([Microsoft documentation](https://learn.microsoft.com/defender-office-365/email-authentication-dkim-configure))
+  - `dkim.intercom.io` ([Intercom documentation](https://www.intercom.com/help/articles/9744849-connect-your-email-support-channel))
+  - `acm-validations.aws` ([AWS certificate manager documentation](https://docs.aws.amazon.com/acm/latest/userguide/dns-validation.html))
+
+</Details>
 
 ### Pre-signed DNSSEC
 

src/content/docs/fundamentals/manage-domains/add-site.mdx

@@ -34,7 +34,7 @@ To use Cloudflare as a reverse proxy but maintain your DNS provider, refer to [p
    :::
 
 4. Select a [plan](https://www.cloudflare.com/plans/#compare-features).
-5. [Review your DNS records](/dns/zone-setups/full-setup/setup/#review-dns-records) to ensure none are missing. Your DNS records must accurate for your domain to work properly.
+5. [Review your DNS records](/dns/zone-setups/full-setup/setup/#review-dns-records) to ensure none are missing. Your DNS records must be accurate for your domain to work properly.
 
    <Render file="dns-scan-intro" product="dns" /> <br />