Thanks @_az,
We don’t use Route53 (yet), we currently use cloudflare. We will however added the same records as you suggested. I.e. ALIAS instead of CNAME and then the CAA record.
Last resort would be to ask our client to add the permissive CAA record.
Will let you know what works. Thanks heaps…