Are IP address A and AAA records a must for verification?

If I don’t want to use the apex domain, do I still need to use A and AAA records? I, unfortunately, cannot do this as this affects my email service, which is on CPanel. So I redirect everything to the www subdomain and then usually just have the www domain point to a CNAME (how it worked with Heroku).

Can the same thing be done by just adding a CNAME and proxying it to my ?

Yes, I’m pretty sure that this is possible and that it works similarly to how it works with Heroku.

See this section in the docs:

Thank you for the quick response. I have tried exactly that from the doc link you sent, but even after DNS propagation, it was not working. Only after doing the below three steps does it work, but I would want to be able to add a CNAME record and get it working, because right now my email is broken with the below steps.

  1. Add certificate for apex and www
  2. Update DNS records on Cloudflare as per the instructions in the certificate page
  3. Disable Universal SSL feature on Cloudflare (as per instructions here)