@murgero re-read, my response remains the same, sorry.
You know the way security scanners (or script-kiddies) works, it's to scan the network (Internet), get hosts and they software; if there is zero-day on CloudRon or other not disclosed vulnerability, apply it across the hosts.
Having DNS records showing that there is CloudRon here means you don't even need to scan for the ports, which just simplify things.
If it was random, I was afraid there is still a possibility that they can conflict across servers
Great point - that makes sense. Thanks Girish.
Side note: I think it'd still be great for the OCD in some of us to be able to regenerate the DKIM record on demand so it not only follows the new hostname pattern in Cloudron but also generates a new key if desired too.