Setting Up SPF Records in AWS Route 53

Complete guide to configuring SPF records in AWS Route 53. Includes step-by-step instructions for the AWS Console.

AWS Route 53 is Amazon's DNS service. This guide walks you through configuring SPF records in Route 53.

Prerequisites

  • AWS account with Route 53 access
  • Hosted zone created for your domain
  • IAM permissions to modify DNS records
  • Your SPF record ready to publish

Step 1: Access Route 53 Console

  1. Log in to AWS Console
  2. Navigate to Route 53 service
  3. Click Hosted zones in the left sidebar
  4. Select your domain's hosted zone

Step 2: Check for Existing SPF Record

Before adding a new SPF record, check for existing ones:

Look for:

  • TXT records with Name field showing your domain (or blank)
  • Records containing v=spf1 in the Value field

If an SPF record exists:

  • You need to edit it, not create a new one
  • Only ONE SPF record is allowed per domain
  • Multiple SPF records cause validation errors

Step 3: Add or Edit SPF Record

Option A: Adding New SPF Record

  1. Click Create record button
  2. Configure the record:
Field            Value
Record name      Leave blank (for root domain) or enter @
Record type      TXT - Text
Value            Your complete SPF record (e.g., v=spf1 include:_spf.google.com -all)
TTL              3600 (1 hour) or your preferred value
Routing policy   Simple routing

Important Notes:

  • Record name: Leave blank for root domain, or use @
  • Value: Enter the complete SPF record as a single string
  • TTL: 3600 seconds (1 hour) is standard
  • Route 53 may automatically add quotes - this is normal
  3. Click Create records

Option B: Editing Existing SPF Record

  1. Find your existing SPF TXT record in the records list
  2. Click the record name to edit
  3. Click Edit record
  4. Update the Value field with your new SPF record
  5. Click Save changes

Step 4: Verify SPF Record

In Route 53

  1. Return to hosted zone records
  2. Verify your SPF record appears in the list
  3. Check that Record name is blank or @
  4. Verify Value field contains your SPF record

Using MailSentinel

  1. Add your domain to MailSentinel
  2. Run DNS scan
  3. Verify SPF record is detected
  4. Check validation status

Using AWS CLI

# Query Route 53 for TXT records
aws route53 list-resource-record-sets \
  --hosted-zone-id YOUR_HOSTED_ZONE_ID \
  --query "ResourceRecordSets[?Type=='TXT']"

Using Online Tools

Common SPF Record Examples

Google Workspace Only

v=spf1 include:_spf.google.com -all

Route 53 Configuration:

  • Record name: (blank)
  • Record type: TXT
  • Value: v=spf1 include:_spf.google.com -all
  • TTL: 3600

Microsoft 365 Only

v=spf1 include:spf.protection.outlook.com -all

Multiple Services

v=spf1 include:_spf.google.com include:sendgrid.net include:servers.mcsv.net -all

Troubleshooting Route 53 SPF Issues

Issue 1: SPF Record Not Detected

Symptoms:

  • SPF checkers don't find your record
  • MailSentinel shows "No SPF record"

Solutions:

  1. Verify Record Location

    • Record name should be blank or @
    • Not on a subdomain
    • Check you're editing the correct hosted zone
  2. Check Record Format

    • Ensure v=spf1 is present
    • No extra spaces or line breaks
    • Route 53 handles quotes automatically
  3. Wait for Propagation

    • Route 53 propagates quickly (< 5 minutes)
    • Some DNS checkers cache results
    • Try multiple DNS checkers
  4. Verify Hosted Zone

    • Ensure you're editing correct hosted zone
    • Check nameservers are correct
    • Verify domain is active

Issue 2: Multiple SPF Records

Symptoms:

  • "Multiple SPF records" error
  • SPF validation fails

Solutions:

  1. Find All SPF Records:

    • Filter records by Type: TXT
    • Look for records with v=spf1 in value
    • Check both root and subdomains
  2. Merge Records:

    • Combine all includes into one record
    • Keep only one SPF record
  3. Delete Duplicates:

    • Select duplicate record
    • Click Delete record
    • Confirm deletion

Issue 3: Record Not Saving

Symptoms:

  • Changes don't persist
  • Record disappears after saving

Solutions:

  1. Check IAM Permissions:

    • Ensure you have route53:ChangeResourceRecordSets permission
    • Contact AWS admin if needed
  2. Verify Format:

    • Check for special characters
    • Ensure proper format
    • Try without quotes (Route 53 handles them)
  3. Check Hosted Zone Status:

    • Verify hosted zone is active
    • Check for any restrictions
    • Contact AWS support if needed

Issue 4: DNS Lookup Limit Exceeded

Symptoms:

  • "Too many DNS lookups" error
  • SPF validation fails

Solutions:

  1. Count Your Lookups:

    • Each include: counts as 1+ lookups
    • Maximum is 10 lookups total
    • Use SPF checker to see breakdown
  2. Reduce Lookups:

    • Remove unused includes
    • Use subdomains for some services
    • Flatten includes to IP ranges (if possible)
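The checks in Step 2 and in Issues 2 and 4 above, carried out in code: this is an added example, not part of the original guide or a MailSentinel tool. It takes record sets in the shape the `aws route53 list-resource-record-sets` command returns (the sample zone below is constructed), joins Route 53's quoted TXT strings back into values, finds every v=spf1 record at a name, and counts the terms that cost a DNS lookup.

```python
import re

# Constructed sample in the shape `aws route53 list-resource-record-sets`
# returns (hypothetical zone, made-up values). Route 53 stores each TXT
# string wrapped in quotes; two v=spf1 values in one record set is how
# "multiple SPF records" appears in a Route 53 zone.
SAMPLE_RECORD_SETS = [
    {"Name": "example.com.", "Type": "TXT", "ResourceRecords": [
        {"Value": '"v=spf1 include:_spf.google.com -all"'},
        {"Value": '"v=spf1 include:sendgrid.net -all"'},
        {"Value": '"google-site-verification=constructed-token"'}]},
    {"Name": "mail.example.com.", "Type": "TXT", "ResourceRecords": [
        {"Value": '"v=spf1 include:servers.mcsv.net -all"'}]},
]

# Terms that cost a DNS lookup under RFC 7208 section 4.6.4.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def txt_value(raw: str) -> str:
    """Join the quoted strings Route 53 stores into the value resolvers see."""
    return "".join(re.findall(r'"((?:[^"\\]|\\.)*)"', raw))

def spf_records(record_sets: list, name: str) -> list:
    """Every v=spf1 TXT value published at `name` (root domain = blank/@)."""
    fqdn = name.rstrip(".").lower() + "."
    values = [txt_value(r["Value"]) for rs in record_sets
              if rs["Type"] == "TXT" and rs["Name"].lower() == fqdn
              for r in rs["ResourceRecords"]]
    return [v for v in values if v.lower().startswith("v=spf1")]

def lookup_count(spf: str) -> int:
    """Count lookup-costing terms written in this record; nested includes
    add their own, so the true total needs each include resolved too."""
    count = 0
    for term in spf.split()[1:]:                      # skip the v=spf1 tag
        mech = re.split(r"[:/=]", term.lstrip("+-~?"), maxsplit=1)[0].lower()
        if mech in LOOKUP_TERMS:
            count += 1
    return count

def audit(record_sets: list, domain: str) -> list:
    """Problems Route 53 saves without complaint but SPF checkers reject."""
    spf = spf_records(record_sets, domain)
    problems = []
    if not spf:
        problems.append(f"no SPF record at {domain}")
    elif len(spf) > 1:
        problems.append(f"{len(spf)} SPF records at {domain}; merge into one")
    for v in spf:
        if lookup_count(v) > 10:
            problems.append(f"{lookup_count(v)} DNS lookups (max 10) in: {v}")
    return problems
```

Pipe real output in with `aws route53 list-resource-record-sets --hosted-zone-id ... --query "ResourceRecordSets[?Type=='TXT']"` to audit a live zone.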

Route 53-Specific Features

Record Sets vs Resource Records

Record Sets:

  • Modern Route 53 interface uses record sets
  • Each record set can have multiple values
  • Easier to manage

Resource Records:

  • Legacy format
  • Still supported
  • Use record sets for new records

TTL Settings

Default TTL:

  • Route 53 allows custom TTL per record
  • Standard is 3600 seconds (1 hour)
  • Lower TTL = faster changes propagate

Recommendation:

  • Use 3600 for most cases
  • Lower to 300 before making changes
  • Increase back to 3600 after changes

Health Checks

For SPF Records:

  • Health checks not typically needed
  • SPF records are static DNS records
  • Use health checks for dynamic records only

Alias Records

For SPF:

  • Alias records not used for SPF
  • SPF uses TXT records only
  • Alias is for A/AAAA records

Best Practices for Route 53 SPF

1. Use Root Domain

  • Always add SPF at root domain (blank record name)
  • Not on subdomains
  • Ensures proper validation

2. Single SPF Record

  • Only ONE SPF record per domain
  • Merge multiple records if needed
  • Delete duplicates immediately

3. IAM Permissions

  • Use least privilege principle
  • Grant only necessary permissions
  • Use IAM roles for applications

4. Regular Audits

  • Review SPF records quarterly
  • Remove unused includes
  • Check lookup count
  • Verify all services still needed

5. Monitor Changes

  • Use CloudWatch for DNS metrics
  • Use MailSentinel to monitor SPF
  • Set up alerts for changes
  • Track validation status

Advanced Route 53 SPF Configuration

Using AWS CLI

# Create SPF record via CLI
aws route53 change-resource-record-sets \
  --hosted-zone-id YOUR_HOSTED_ZONE_ID \
  --change-batch '{
    "Changes": [{
      "Action": "UPSERT",
      "ResourceRecordSet": {
        "Name": "example.com",
        "Type": "TXT",
        "TTL": 3600,
        "ResourceRecords": [{
          "Value": "\"v=spf1 include:_spf.google.com -all\""
        }]
      }
    }]
  }'
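The same change batch built programmatically, as an added example rather than code from the guide: it applies the quoting Route 53 expects, splits values longer than 255 characters into several quoted strings, and keeps any other TXT values already published at the root, because an UPSERT replaces the whole record set at that name. The `publish` function and the hosted zone id are assumptions; it needs boto3 and credentials holding route53:ChangeResourceRecordSets.

```python
def route53_txt_value(text: str, chunk: int = 255) -> str:
    """Quote a TXT value the way Route 53's API stores it.

    Route 53 wants every TXT string wrapped in double quotes and caps one
    string at 255 characters; a longer value is written as several quoted
    strings separated by spaces, which resolvers join back together.
    Assumes `text` has no quotes or backslashes, which SPF records never use.
    """
    parts = [text[i:i + chunk] for i in range(0, len(text), chunk)]
    return " ".join(f'"{p}"' for p in parts)


def spf_change_batch(domain: str, spf: str, keep_values=(), ttl: int = 3600) -> dict:
    """Build the ChangeBatch for `aws route53 change-resource-record-sets`.

    UPSERT replaces the whole TXT record set at that name, so any other TXT
    values already published there (site verification tokens, for example)
    must be passed in `keep_values` or they are silently dropped.
    """
    if not spf.lower().startswith("v=spf1 "):
        raise ValueError("SPF record must begin with 'v=spf1 '")
    if any(v.lower().startswith("v=spf1") for v in keep_values):
        raise ValueError("keep_values holds a second SPF record; merge them first")
    values = [spf, *keep_values]
    return {
        "Comment": "publish SPF record",
        "Changes": [{
            "Action": "UPSERT",
            "ResourceRecordSet": {
                "Name": domain.rstrip(".") + ".",
                "Type": "TXT",
                "TTL": ttl,
                "ResourceRecords": [{"Value": route53_txt_value(v)} for v in values],
            },
        }],
    }


def publish(hosted_zone_id: str, change_batch: dict) -> str:
    """Submit the batch with boto3 (assumed helper); returns the change id
    that `aws route53 get-change` can poll until the status is INSYNC."""
    import boto3  # imported here so the builders above run without it
    client = boto3.client("route53")
    resp = client.change_resource_record_sets(
        HostedZoneId=hosted_zone_id, ChangeBatch=change_batch)
    return resp["ChangeInfo"]["Id"]
```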

Using Terraform

resource "aws_route53_record" "spf" {
  zone_id = aws_route53_zone.main.zone_id
  name    = ""
  type    = "TXT"
  ttl     = 3600
  records = ["v=spf1 include:_spf.google.com -all"]
}

Using CloudFormation

SPFRecord:
  Type: AWS::Route53::RecordSet
  Properties:
    HostedZoneId: !Ref HostedZone
    Name: example.com
    Type: TXT
    TTL: 3600
    ResourceRecords:
      # Route 53 requires TXT values to be enclosed in double quotes
      - '"v=spf1 include:_spf.google.com -all"'

Route 53 Pricing Considerations

DNS Queries:

  • First 1 billion queries/month: $0.40 per million
  • SPF lookups count as queries
  • Usually minimal cost impact

Hosted Zones:

  • $0.50 per hosted zone per month
  • Standard pricing applies

Next Steps

After setting up SPF in Route 53:

  1. Configure DKIM - Set up DKIM signing
  2. Set Up DMARC - Configure DMARC policy
  3. Monitor SPF - Track validation status
  4. Set Up Alerts - Get notified of issues

Additional Resources