I had to set up DNS for a micro-site that my org just launched this week. I was surprised that there wasn't good documentation out there on how to do this.
First, I set up the MX records to get the email working with G Suite/Gmail. It was working fine until I set up CNAME records for @, www, and a development sub-domain. Mail stopped working, and the G Suite Toolbox told me: "Naked domain must be an A record (not CNAME)."
But with CloudFront, the whole point is that there is no one IP address that can fail and take down the site. So what IP address to use?
The key turned out to be setting up a URL redirect for the naked domain. I use NameCheap, so they have a built-in feature for this that is super easy to use. Under the covers, this creates an A record pointing to their redirect server. And this is all that Google needed to ensure mail delivery.
So I deleted the CNAME for @, but left www and dev.
Another key learning: wildcard redirect does not include naked redirect. I had to set these both up separately for the naked redirect to work.
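As an added example (not part of the original post): a CNAME cannot share a name with any other record type (RFC 1034, section 3.6.2), which is why a CNAME on @ collides with the MX records. This Python check runs over the record set before and after the fix; `example.com`, the CloudFront hostname and the `192.0.2.10` redirect address are constructed placeholders.

```python
from collections import defaultdict

ZONE = "example.com"  # placeholder zone name (assumption)

def fqdn(host, zone=ZONE):
    """Expand a registrar-style host label ('@', 'www') to a full name."""
    host = host.strip().lower().rstrip(".")
    if host in ("@", ""):
        return zone
    if host == zone or host.endswith("." + zone):
        return host
    return f"{host}.{zone}"

def find_cname_conflicts(records, zone=ZONE):
    """Map each name where a CNAME coexists with other data to those other types."""
    types = defaultdict(set)
    for host, rtype, _value in records:
        types[fqdn(host, zone)].add(rtype.upper())
    return {name: sorted(seen - {"CNAME"})
            for name, seen in types.items()
            if "CNAME" in seen and len(seen) > 1}

def mail_ready(records, zone=ZONE):
    """True when the apex carries MX records and no CNAME that would shadow them."""
    apex = {rtype.upper() for host, rtype, _ in records if fqdn(host, zone) == zone}
    return "MX" in apex and "CNAME" not in apex

# Constructed sample data: the MX targets are Google's published mail hosts,
# the CloudFront name and the redirect-server IP are placeholders.
CDN = "dxxxxxxxxxxxxx.cloudfront.net."
MX = [("@", "MX", "1 aspmx.l.google.com."),
      ("@", "MX", "5 alt1.aspmx.l.google.com.")]

# Before: CNAME on the naked domain next to the MX records (mail breaks).
BROKEN = MX + [("@", "CNAME", CDN), ("www", "CNAME", CDN), ("dev", "CNAME", CDN)]

# After: the registrar's URL redirect puts an A record on the naked domain.
FIXED = MX + [("@", "A", "192.0.2.10"), ("www", "CNAME", CDN), ("dev", "CNAME", CDN)]

if __name__ == "__main__":
    for label, zone_records in (("before", BROKEN), ("after", FIXED)):
        print(label, find_cname_conflicts(zone_records), mail_ready(zone_records))
```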