---
title: "Steps to add SPF, DKIM, and DMARC records to AWS DNS-Route 53 | DMARC Report"
description: "The 10-lookup limit is a resource protection mechanism in RFC 7208, not a security feature, says Adam Lundrigan, CTO of DuoCircle."
image: "https://dmarcreport.com/og/blog/steps-add-spf-dkim-dmarc-records-aws-dns-route53.png"
canonical: "https://dmarcreport.com/blog/steps-add-spf-dkim-dmarc-records-aws-dns-route53/"
---

Quick Answer

DKIM ([RFC 6376](https://datatracker.ietf.org/doc/html/rfc6376)) signs email messages cryptographically, and unlike SPF, the signature survives email forwarding - which is why DMARC alignment via DKIM is more reliable than SPF alignment for forwarded mail and mailing lists.


![Steps to add SPF, DKIM, and DMARC records to AWS DNS-Route 53](https://media.mailhop.org/dmarcreport/images/2022/04/dmarc-record-6071.jpg) 


> The 10-lookup limit is a resource protection mechanism in RFC 7208, not a security feature, says Adam Lundrigan, CTO of DuoCircle. But the practical effect is that any enterprise using more than 3-4 email services hits the wall. AutoSPF’s flattening engine resolves this by replacing includes with IP addresses and re-scanning every 15 minutes.

> DKIM is the authentication protocol that survives email forwarding, says Brad Slavin, General Manager of DuoCircle. When SPF fails because a forwarder’s IP isn’t in the original record, DKIM alignment is the only path to DMARC pass. That’s why we monitor DKIM alongside SPF in every DMARC Report dashboard.


Before proceeding with these steps, check whether your domain's DNS already includes SPF, [DKIM](https://dmarcreport.com/what-is-dkim/), and DMARC records. Duplicate entries can invalidate all your records, undermining the role of these email authentication mechanisms. To verify this, you can use online tools specifically designed for [SPF](https://dmarcreport.com/what-is-spf/), DKIM, and [DMARC record lookups](https://dmarcreport.com/tools/dmarc-checker/). Simply enter your domain name and specify the type of record you want the tool to assess.

## Steps to add an SPF record to AWS DNS-Route 53

A valid and properly published SPF record ensures only emails sent by authorized entities reach the inboxes of recipients; [illegitimate emails](https://www.linkedin.com/pulse/illegitimate-emails-protect-yourself-indigo-it-limited) either get [marked as spam](https://pressgazette.co.uk/publishers/digital-journalism/facebook-spam-posts-independent-small-news-publishers/) or rejected. Here's what you need to do to add an SPF record to AWS DNS-Route 53 so that your brand is protected from [phishing and spoofing](https://thehackernews.com/2024/07/proofpoint-email-routing-flaw-exploited.html):

- Log in to your Amazon Route 53 account.
- Navigate to the Route 53 Dashboard, then select [DNS Management](https://www.ibm.com/think/topics/data-management) and choose the domain where you want to add an SPF record.
- Click on **Create Record** and set the record type to TXT. Leave the **Record Name** field blank.
- If you use sources with [IP addresses](https://www.investopedia.com/terms/i/ip-address.asp), include those in the same SPF record.
- Complete the process by clicking Create Record.

Your SPF record should resemble this format:

`v=spf1 ip4:169.134.174.23/32 include:yourdomain.com `

Ensure there is only one SPF record corresponding to your domain. You can check how many SPF records exist for your domain using a lookup tool. _If it shows multiple records, consolidate them into one using the 'include' mechanism._ Please note that consolidating them doesn't mean that you simply copy and paste all of them into a single string; you have to ensure everything is syntactically correct and that there are no redundancies.
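One way to run the single-record check before publishing, as an added example that is not code from the original article; it also counts DNS-querying terms against the 10-lookup limit of RFC 7208. The zone data, domain names and function names are constructed for illustration.

```python
import re

# Terms that each cost one DNS query under RFC 7208 section 4.6.4.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
LOOKUP_LIMIT = 10

# Constructed sample data: TXT values per name, as a lookup tool would return them.
ZONE = {
    "example.com": [
        "v=spf1 ip4:192.0.2.10/32 include:_spf.mail.example include:_spf.crm.example ~all",
        "site-verification=constructed-value",
    ],
    "_spf.mail.example": ["v=spf1 include:_a.mail.example include:_b.mail.example ~all"],
    "_a.mail.example": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "_b.mail.example": ["v=spf1 a mx ~all"],
    "_spf.crm.example": ["v=spf1 ip4:203.0.113.0/24 -all"],
}


def spf_records(txt_values):
    """Return only the TXT values that are SPF records."""
    return [v for v in txt_values if v.lower().split(" ")[0] == "v=spf1"]


def count_lookups(domain, zone, path=()):
    """Count DNS-querying terms reachable from a domain's SPF record."""
    if domain in path:
        raise ValueError(f"include loop through {domain}")
    records = spf_records(zone.get(domain, []))
    if len(records) != 1:
        raise ValueError(f"{domain}: expected 1 SPF record, found {len(records)}")
    total = 0
    for term in records[0].lower().split()[1:]:
        match = re.match(r"[+\-~?]?([a-z0-9]+)(?:[:=]([^/\s]+))?", term)
        if not match:
            continue
        name, target = match.groups()
        if name in LOOKUP_TERMS:
            total += 1
        if name in ("include", "redirect") and target:
            # Macros such as %{d} are not expanded in this simplified walk.
            total += count_lookups(target, zone, path + (domain,))
    return total


def check_spf(domain, zone):
    """Return a list of problems; an empty list means the record set is publishable."""
    found = spf_records(zone.get(domain, []))
    if not found:
        return [f"no SPF record at {domain}"]
    if len(found) > 1:
        return [f"{len(found)} SPF records at {domain}; receivers return permerror"]
    try:
        lookups = count_lookups(domain, zone)
    except ValueError as exc:
        return [str(exc)]
    if lookups > LOOKUP_LIMIT:
        return [f"{lookups} DNS lookups exceed the limit of {LOOKUP_LIMIT}"]
    return []


if __name__ == "__main__":
    print(count_lookups("example.com", ZONE), check_spf("example.com", ZONE))
```

Non-SPF TXT values at the same name (such as verification strings) are ignored by the duplicate check; only values beginning with `v=spf1` count.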

## Steps to add a DKIM record to AWS DNS-Route 53

Each [email service provider](https://www.activecampaign.com/glossary/email-service-provider) has its own pair of **cryptographically secured** [DKIM keys](https://dmarcreport.com/blog/dkim-key-rotation-best-practices-for-large-organizations-should-know/). You first need to go to your account to retrieve the record details, specifically the type, name, and value. After that, simply follow these steps:

![Dmarc record generator](https://media.mailhop.org/dmarcreport/images/2025/01/dmarc-record-generator-9.jpg) 
- Log in to your [Amazon Route 53 account](https://aws.amazon.com/route53/).
- Go to the Route 53 Dashboard section, then go to **DNS Management** under it, and choose the domain for which you want to add a DKIM record.
- Next, click on Create Record.
- Add your DKIM Record type, record name, and value.
- Click Create Record to wrap up the process.
- Run it through an online **DKIM lookup tool** to know if there are any technical issues. If found, fix them.

Here's what a standard DKIM record looks like:

`v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC2eMEZDQwCIV+LbH4MndFIUV7DzKnHxB5CGBLfjs7zpLoJ5n0/FKo4Tnd8gVbV2JZgA5e7eH97wkjNFAjZBpRVmeKvFYlZ5e8VCsLfCgEsWUp/HmYfBG7wQO5q1TtwB6X8OFyMtnKycPxQLowLz4rjGPYIZQwMwIDAQAB`

Where,

- v=DKIM1 specifies that version 1 of DKIM is in use.
- k=rsa indicates the [cryptographic algorithm](https://www.geeksforgeeks.org/basics-of-cryptographic-algorithms/) (in this case, RSA).
- p=… contains the [public key](https://www.techtarget.com/searchsecurity/definition/public-key) used to verify the **email's signature**.

## Steps to add a DMARC record to AWS DNS-Route 53

- Use an online record generator to produce a valid [DMARC record](https://dmarcreport.com/dmarc-record/) for your domain so that you can set the right policy and instruct the recipients’ servers on how to handle illegitimate emails sent from your domain.
- _Copy the DMARC record type, record name, and value_.
- Go to your Amazon Route 53 account and click **Create Record**.
- Add your DMARC record type, record name, and value to the corresponding fields.

Your DMARC record should look something like this:

`v=DMARC1; p=none; rua=mailto:dmarc-reports@newdomain.com; ruf=mailto:dmarc-failures@newdomain`

![Dmarc report](https://media.mailhop.org/dmarcreport/images/2025/01/dmarc-report-9718.jpg) 

If you are new to the [email authentication](https://dmarcreport.com/blog/why-email-security-matters-and-how-to-get-it-right/) journey, then don't apply the stricter [DMARC policies](https://dmarcreport.com/dmarc-policy/), as it will be difficult for you to handle false positives. _Start at p=none for at least a full quarter (90 days), monitor how everything unfolds, and gradually move to p=quarantine_.
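The DKIM and DMARC steps above can also be scripted. This added example (not from the original article or from AWS) validates a DMARC record and builds the change batch that `aws route53 change-resource-record-sets` accepts, splitting values longer than 255 characters into separate quoted strings as Route 53 requires. The domain, selector, key material and function names are constructed placeholders.

```python
import json

MAX_TXT_STRING = 255  # DNS caps each character-string inside a TXT value at 255 bytes

# Constructed sample records; the key is filler, not a real public key.
DKIM_NAME = "selector1._domainkey.example.com"
DKIM_RECORD = "v=DKIM1; k=rsa; p=" + "A" * 392
DMARC_NAME = "_dmarc.example.com"
DMARC_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"


def route53_txt_value(record):
    """Quote a TXT record for Route 53, splitting it into <=255-character strings."""
    if '"' in record:
        raise ValueError("unescaped double quote in record")
    chunks = [record[i:i + MAX_TXT_STRING] for i in range(0, len(record), MAX_TXT_STRING)]
    return " ".join(f'"{chunk}"' for chunk in chunks)


def parse_tags(record):
    """Split a 'tag=value; tag=value' record into a dict that keeps tag order."""
    tags = {}
    for part in record.split(";"):
        if part.strip():
            key, sep, value = part.partition("=")
            if not sep:
                raise ValueError(f"malformed tag: {part.strip()!r}")
            tags[key.strip()] = value.strip()
    return tags


def check_dmarc(record):
    """Return problems in a DMARC record; an empty list means it is publishable."""
    tags = parse_tags(record)
    problems = []
    if list(tags)[:1] != ["v"] or tags["v"] != "DMARC1":
        problems.append("v=DMARC1 must be the first tag")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        problems.append("p= must be none, quarantine or reject")
    for tag in ("rua", "ruf"):
        for uri in filter(None, (u.strip() for u in tags.get(tag, "").split(","))):
            if not uri.startswith("mailto:") or "." not in uri.rpartition("@")[2]:
                problems.append(f"{tag}= has an invalid report address: {uri}")
    return problems


def change_batch(name, record, ttl=300):
    """Build the ChangeBatch document for one TXT record set."""
    return {
        "Changes": [{
            # CREATE fails if a TXT record set already exists at this name,
            # which surfaces duplicates instead of silently replacing them.
            "Action": "CREATE",
            "ResourceRecordSet": {
                "Name": name,
                "Type": "TXT",
                "TTL": ttl,
                "ResourceRecords": [{"Value": route53_txt_value(record)}],
            },
        }]
    }


if __name__ == "__main__":
    assert check_dmarc(DMARC_RECORD) == []
    print(json.dumps(change_batch(DKIM_NAME, DKIM_RECORD), indent=2))
    print(json.dumps(change_batch(DMARC_NAME, DMARC_RECORD), indent=2))
```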


[ Adam Lundrigan ](/authors/adam-lundrigan/) 

CTO

CTO of DuoCircle. Leads engineering for DMARC Report and DuoCircle's email security product portfolio.

