A Step-by-Step Guide For Adding SPF, DKIM, and DMARC Records to AWS DNS-Route 53
Quick Answer
Before adding records to Route 53, check that no duplicate SPF, DKIM, or DMARC records already exist on the domain; duplicates invalidate authentication. To add SPF: log in to Route 53, open DNS Management, select the domain, click Create Record, set type to TXT, leave Record Name blank, and paste the record (for example, v=spf1 ip4:169.134.174.23/32 include:yourdomain.com ~all). Multiple SPF records for one domain are not allowed; merge them with include. To add DKIM: get the type, name, and value from your email service provider (each ESP has its own keys), then create a TXT record using those exact values, for example default._domainkey.example.com with v=DKIM1; k=rsa; p=<public key>. Verify with a DKIM checker. To add DMARC: generate the record (start at p=none for monitoring), then create a TXT record at _dmarc.yourdomain.com with the policy and rua/ruf addresses. Advance from none to quarantine to reject as reports confirm alignment.
Before you follow these steps, check whether your domain’s DNS already has SPF, DKIM, or DMARC records. Duplicate records make all of them invalid, so these email authentication mechanisms stop doing their job. You can use online SPF, DKIM, and DMARC record lookup tools designed for email security assessment to check this; all you have to do is enter your domain name and the type of record you want evaluated.
Adding an SPF Record to AWS DNS-Route 53
Here’s what you need to do-
- Log in to your Amazon Route 53 account.
- Go to the Route 53 ‘Dashboard’ section and then go to ‘DNS Management’ under it and choose the domain for which you want to add an SPF record.
- Next, click on ‘create record.’
- Add your SPF record type as ‘TXT.’ Don’t enter anything in the ‘Record Name’ section.
- Add the IP addresses to the same SPF record if you use sources with only IP addresses.
- Finish the process by clicking ‘Create Record.’
Ensure your SPF record looks something like this-
_v=spf1 ip4:169.134.174.23/32 include:yourdomain.com ~all_
Also note that multiple SPF records corresponding to a domain shouldn’t exist, as this leads to authentication failure. If there is more than one SPF record, use the ‘include’ mechanism to merge them into one.
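The duplicate check and SPF merge described above, as an added example (not code from this guide or from AWS): given the TXT strings a lookup returns for one name, it finds duplicate SPF/DMARC records, merges the SPF records into one, counts lookup-costing terms against the RFC 7208 limit of 10, and formats the value as quoted strings of at most 255 characters, which is how Route 53 takes TXT values. The sample records, the `_spf.mailer.example` include, and the choice to keep the strictest `all` qualifier are assumptions.

```python
def classify(txt_values):
    """Group the TXT strings returned for one name by their version tag."""
    found = {"spf": [], "dmarc": []}
    for value in txt_values:
        text = value.strip().strip('"')
        head = text.lower()
        if head == "v=spf1" or head.startswith("v=spf1 "):
            found["spf"].append(text)
        elif head.startswith("v=dmarc1"):
            found["dmarc"].append(text)
    return found

# Assumption: when records disagree, keep the strictest "all" qualifier.
STRICTNESS = {"+all": 0, "all": 0, "?all": 1, "~all": 2, "-all": 3}

def merge_spf(records):
    """Combine several v=spf1 records into one, dropping repeated mechanisms."""
    terms, all_term = [], None
    for record in records:
        for term in record.split()[1:]:
            key = term.lower()
            if key in STRICTNESS:
                if all_term is None or STRICTNESS[key] > STRICTNESS[all_term]:
                    all_term = key
            elif term not in terms:
                terms.append(term)
    return " ".join(["v=spf1", *terms] + ([all_term] if all_term else []))

def lookup_count(record):
    """Count terms that trigger a DNS lookup; RFC 7208 allows at most 10."""
    names = (t.lstrip("+-~?").split(":")[0].split("/")[0].split("=")[0]
             for t in record.lower().split()[1:])
    return sum(n in ("include", "a", "mx", "ptr", "exists", "redirect") for n in names)

def route53_txt_value(text, limit=255):
    """Route 53 takes TXT values as quoted strings of at most 255 characters."""
    chunks = [text[i:i + limit] for i in range(0, len(text), limit)]
    return " ".join(f'"{chunk}"' for chunk in chunks)

SAMPLE_APEX_TXT = [  # constructed lookup result for the domain apex
    '"v=spf1 ip4:169.134.174.23/32 ~all"',
    '"v=spf1 include:_spf.mailer.example -all"',  # hypothetical ESP include
    '"site-verification=constructed-value"',
]

if __name__ == "__main__":
    spf = classify(SAMPLE_APEX_TXT)["spf"]
    merged = merge_spf(spf)
    print(len(spf), "SPF records ->", route53_txt_value(merged), "lookups:", lookup_count(merged))
```

The same `route53_txt_value` helper applies to long DKIM public keys, which often exceed 255 characters.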
Adding a DKIM Record to AWS DNS-Route 53
Before we talk about how to add a DKIM record to your Amazon Route 53, you should know that each email service provider has its own DKIM key pairs. So, go to your account first and retrieve the record details (type, name, and value).
Once done, follow these steps-
- Log in to your Amazon Route 53 account.
- Go to the Route 53 ‘Dashboard’ section and then go to ‘DNS Management’ under it and choose the domain for which you want to add a DKIM record.
- Next, click on ‘create record.’
- Add your DKIM Record Type, Record Name, and Value.
- Finish the process by clicking ‘Create Record.’
- Run it through a DKIM lookup tool to ensure it’s working properly.
Ensure your DKIM record looks something like this-
_default._domainkey.example.com. IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQD2GjmTSwzE7/Uoqv4RQmhs6vRk/JuKknj2+2QsUNNY0XsbO4Xwef13rDfsK0m5dPsbZbxFPxyYfjHY1HyH4ycqIkMXbT8pQu5MGJ64aIbw/2UIJpjbF9pKxppRmJHQlO5zXq5Etc2+MoO9K1zhYvHbFgRUIe3DfiJAvXjGYdLtqwIDAQAB"_
Adding a DMARC Record to AWS DNS-Route 53
The process is more or less similar to what you did for SPF and DKIM.
- Generate your DMARC record using an online DMARC record generator and copy the DMARC Record Type, Record Name, and Value.
- After generating the DMARC record, go to your Amazon Route 53 account and click ‘Create Record.’
- Add your DMARC Record Type, Record Name, and Value to the corresponding fields.
Your DMARC record should look something like this-
_v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com; ruf=mailto:dmarc-failures@yourdomain_
We recommend starting your DMARC setup in ‘Monitoring’ mode (p=none). This allows you to gather reports and identify legitimate email servers in your organization. Once you’re confident in your configurations, you can enforce stricter policies like ‘Quarantine’ and ‘Reject.’
Reach out to us to help you with the above processes or anything else related to email authentication through SPF, DKIM, and DMARC. We have a team of tech ninjas to serve you with the best.
General Manager at DuoCircle. Product strategy and commercial lead across the email security portfolio.