SPF, DKIM, and DMARC records

Steps to add SPF, DKIM, and DMARC records to AWS DNS-Route 53


Before proceeding with these steps, check whether your domain's DNS already includes SPF, DKIM, or DMARC records. Publishing a second SPF record at the domain (or a second DMARC record at _dmarc) does not add to the first one: receivers treat the ambiguous result as an error and ignore both, which defeats the purpose of these email authentication mechanisms. To verify this, use an online lookup tool designed for SPF, DKIM, and DMARC records: enter your domain name and select the type of record you want the tool to assess.

Steps to add an SPF record to AWS DNS-Route 53

A valid, correctly published SPF record tells receiving servers which hosts are authorized to send mail for your domain; mail from any other source fails SPF and, depending on the qualifier on your all mechanism, the receiver's settings, and your DMARC policy, is marked as spam or rejected. Here's what you need to do to add an SPF record to AWS DNS-Route 53 so that your brand is protected from phishing and spoofing:

  • Log in to your Amazon Route 53 account.
  • Navigate to the Route 53 Dashboard, then select DNS Management (Hosted zones) and choose the domain where you want to add an SPF record.
  • Click on Create Record and set the record type to TXT. Leave the Record Name field blank so the record is published at the domain itself (the apex), which is where receivers look for it.
  • In the Value field, start with v=spf1, list every sending source (ip4: or ip6: addresses for servers you run, and the include: domain each email provider publishes for its SPF), and finish with -all (fail) or ~all (softfail). If you use sources with IP addresses, include those in the same SPF record; a domain may have only one.
  • Complete the process by clicking Create Record.

Your SPF record should resemble this format:

v=spf1 ip4:169.134.174.23/32 include:_spf.yourprovider.com -all

The include: mechanism must point at the SPF domain your email provider gives you, not at your own domain: including yourdomain.com from yourdomain.com's own record is a loop and makes evaluation fail. The /32 on a single IPv4 address is optional (ip4:169.134.174.23 means the same thing).

Ensure there is only one SPF record corresponding to your domain. You can check how many SPF records exist for your domain using a lookup tool. If it reflects multiple records, consolidate them into one using the include mechanism. Please note that consolidating them doesn't mean that you simply copy and paste all of them into a single string; you have to ensure everything is syntactically correct, that there is a single all mechanism at the end, and that there are no redundancies. Keep the DNS lookup budget in mind as well: SPF evaluation stops with a permanent error after 10 DNS-lookup terms (include, a, mx, ptr, exists, and redirect all count), so every provider you include uses up part of that budget.

Steps to add a DKIM record to AWS DNS-Route 53

Each email service provider that signs mail on your behalf generates its own DKIM key pair: the private key stays with the provider and signs outgoing messages, while the public key is published in your DNS under a selector name of the form selector._domainkey.yourdomain.com. You first need to go to your provider's account to retrieve the record details, specifically the type (usually TXT; some providers, Amazon SES among them, hand you CNAME records that point at keys they host), name, and value. After that, simply follow these steps:

  • Log in to your Amazon Route 53 account.
  • Go to the Route 53 Dashboard, then to DNS Management (Hosted zones), and choose the domain for which you want to add a DKIM record.
  • Next, click on Create Record.
  • Add your DKIM record type, record name (the selector followed by ._domainkey, for example selector1._domainkey; Route 53 appends the domain), and value. A TXT value longer than 255 characters, which most RSA public keys are, must be entered as several double-quoted strings of at most 255 characters each; Route 53 rejects a longer single string, and receivers join the pieces back together.
  • Click Create Record to wrap up the process.
  • Run the domain and selector through an online DKIM lookup tool to find out whether there are any technical issues. If any are found, fix them.

Here's what a standard DKIM record looks like:

v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC2eMEZDQwCIV+LbH4MndFIUV7DzKnHxB5CGBLfjs7zpLoJ5n0/FKo4Tnd8gVbV2JZgA5e7eH97wkjNFAjZBpRVmeKvFYlZ5e8VCsLfCgEsWUp/HmYfBG7wQO5q1TtwB6X8OFyMtnKycPxQLowLz4rjGPYIZQwMwIDAQAB

Where:

  • v=DKIM1 specifies that version 1 of DKIM is in use.
  • k=rsa indicates the key type (in this case, RSA). Both v and k are optional; rsa is the default key type.
  • p=… contains the base64-encoded public key used to verify the email's signature. This tag is mandatory; publishing it with an empty value tells receivers the key has been revoked.

Steps to add a DMARC record to AWS DNS-Route 53

  • Use an online record generator to produce a valid DMARC record for your domain so that you can set the right policy and instruct the recipients' servers on how to handle unauthenticated emails that claim to come from your domain.
  • Copy the DMARC record type (TXT), record name (_dmarc), and value.
  • Go to your Amazon Route 53 account, open the domain's hosted zone, and click Create Record.
  • Add your DMARC record type, record name, and value to the corresponding fields. Enter _dmarc as the record name; Route 53 appends the domain, so the record is published at _dmarc.yourdomain.com, which is where receivers look for it. Click Create Record.
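The three console procedures above publish the same thing: TXT record sets in the domain's hosted zone. The following script, added here as an example and not part of the original post, produces the equivalent ChangeBatch JSON for the Route 53 API, with the same record names (the apex for SPF, selector._domainkey for DKIM, _dmarc for DMARC), the 255-character splitting that DKIM keys need, and the existing apex TXT values preserved. The domain, include host, selector, address, key and verification string are constructed placeholders.

```python
"""Build a Route 53 ChangeBatch that publishes SPF, DKIM and DMARC TXT records.

Added example: it only produces the JSON that
  aws route53 change-resource-record-sets --hosted-zone-id <id> --change-batch file://changes.json
consumes. All names and values below are constructed placeholders.
"""
import json

MAX_TXT_STRING = 255  # one character-string inside a TXT RR holds at most 255 bytes


def quote_txt_value(value):
    """Render a TXT value the way Route 53 expects it: one or more double-quoted
    strings of at most 255 characters, with embedded quotes and backslashes
    escaped. Route 53 rejects a longer single string (which is what trips up
    DKIM keys); resolvers concatenate the strings back into one value."""
    chunks, current = [], ""
    for ch in value:
        piece = "\\" + ch if ch in '"\\' else ch
        if len(current) + len(piece) > MAX_TXT_STRING:
            chunks.append(current)
            current = ""
        current += piece
    chunks.append(current)
    return " ".join(f'"{c}"' for c in chunks)


def txt_change(name, values, ttl=300, action="UPSERT"):
    """One change for a TXT record set. UPSERT replaces the whole set for
    (Name, Type), so every TXT value that should stay at that name (site
    verification strings and the like) must be passed in `values`, or it is gone."""
    return {
        "Action": action,
        "ResourceRecordSet": {
            "Name": name,
            "Type": "TXT",
            "TTL": ttl,
            "ResourceRecords": [{"Value": quote_txt_value(v)} for v in values],
        },
    }


def spf_value(ip4s=(), includes=(), qualifier="-"):
    """v=spf1 <ip4 terms> <include terms> <qualifier>all ('-' fail, '~' softfail)."""
    terms = ["v=spf1"]
    terms += [f"ip4:{ip}" for ip in ip4s]
    terms += [f"include:{d}" for d in includes]
    terms.append(f"{qualifier}all")
    return " ".join(terms)


def dkim_value(public_key, key_type="rsa"):
    return f"v=DKIM1; k={key_type}; p={public_key}"


def dmarc_value(policy="none", rua=None, ruf=None, pct=100):
    tags = ["v=DMARC1", f"p={policy}"]
    if rua:
        tags.append(f"rua=mailto:{rua}")
    if ruf:
        tags.append(f"ruf=mailto:{ruf}")
    if pct != 100:
        tags.append(f"pct={pct}")
    return "; ".join(tags)


def build_change_batch(domain, *, ip4s, includes, selector, public_key,
                       rua, other_apex_txt=(), ttl=300):
    """Return the ChangeBatch dict publishing all three records for `domain`.
    Route 53 accepts names with or without the trailing dot."""
    return {
        "Comment": f"Publish SPF, DKIM and DMARC for {domain}",
        "Changes": [
            txt_change(domain, [spf_value(ip4s, includes), *other_apex_txt], ttl),
            txt_change(f"{selector}._domainkey.{domain}", [dkim_value(public_key)], ttl),
            txt_change(f"_dmarc.{domain}", [dmarc_value("none", rua=rua)], ttl),
        ],
    }


# Constructed inputs: an RFC 5737 test address, a placeholder include host and
# selector, and a dummy key long enough to need splitting into two strings.
EXAMPLE_KEY = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA" + "A" * 350 + "IDAQAB"

if __name__ == "__main__":
    batch = build_change_batch(
        "example.com",
        ip4s=["192.0.2.10/32"],
        includes=["_spf.example-esp.net"],
        selector="selector1",
        public_key=EXAMPLE_KEY,
        rua="dmarc-reports@example.com",
        other_apex_txt=["some-site-verification=abc123"],  # keep what is already there
    )
    print(json.dumps(batch, indent=2))
```

Write the printed JSON to a file and submit it with `aws route53 change-resource-record-sets`; the UPSERT action creates the record set if it is missing and replaces it if it exists, which is why the existing apex TXT values are passed through rather than silently dropped.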

Your DMARC record should look something like this:

v=DMARC1; p=none; rua=mailto:dmarc-reports@newdomain.com; ruf=mailto:dmarc-failures@newdomain.com

Here p is the policy receivers apply to mail that fails DMARC, rua is the address that receives aggregate reports, and ruf is the address for per-message failure reports (which many large receivers do not send).

If you are new to the email authentication journey, don't apply the stricter DMARC policies right away, as it will be difficult for you to handle false positives. Start with p=none, read the aggregate reports for the first few weeks to find legitimate sending sources you have not yet authorized, and then move to p=quarantine and finally to p=reject. The pct tag lets you apply the stricter policy to a fraction of messages before rolling it out to all of them.
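The checks this post asks for (a single SPF record per domain, consolidation of duplicates with a single terminating all, the DKIM v/k/p tags, and a DMARC record with a valid policy and mailto: report addresses), as an added Python example that is not part of the original post. It runs offline against constructed TXT answers standing in for what a lookup tool, or `dig TXT <name>`, would return; the domain, selector, include host, addresses and key are placeholders.

```python
"""Offline checks for SPF, DKIM and DMARC TXT records (added example).

The TXT dictionaries at the bottom are constructed stand-ins for the answers
a DNS lookup would return; nothing here touches the network.
"""
import re

MAX_SPF_LOOKUPS = 10                                # RFC 7208 section 4.6.4
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")
DMARC_POLICIES = ("none", "quarantine", "reject")


def parse_tags(value):
    """Split a 'k=v; k=v' DKIM/DMARC string into a dict with lower-cased keys."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)   # base64 keys may end in '=', so split once
            tags[key.strip().lower()] = val.strip()
    return tags


def spf_lookup_count(record):
    """Count the SPF terms that each cost a DNS query during evaluation."""
    names = (re.split(r"[:=/]", t.lstrip("+-~?"), maxsplit=1)[0].lower()
             for t in record.split()[1:])
    return sum(1 for n in names if n in LOOKUP_TERMS)


def check_spf(txt_values):
    """Return the problems found in the SPF record(s) among a name's TXT values."""
    spf = [v for v in txt_values if v.lower().startswith("v=spf1")]
    if len(spf) != 1:
        # Two SPF records yield permerror: neither of them authorizes anything.
        return [f"expected exactly 1 SPF record, found {len(spf)}"]
    problems = []
    bare = [t.lstrip("+-~?").lower() for t in spf[0].split()[1:]]
    if not (bare and bare[-1] == "all") and not any(t.startswith("redirect=") for t in bare):
        problems.append("record has no terminating 'all' mechanism (or redirect= modifier)")
    lookups = spf_lookup_count(spf[0])
    if lookups > MAX_SPF_LOOKUPS:
        problems.append(f"{lookups} DNS-lookup terms exceed the limit of {MAX_SPF_LOOKUPS}")
    return problems


def merge_spf(spf_records, qualifier="~"):
    """Consolidate several SPF records into one: keep each mechanism once, in
    order of first appearance, drop the per-record 'all' terms and append a
    single 'all' with the chosen qualifier. Review the result by hand."""
    seen, merged = set(), ["v=spf1"]
    for record in spf_records:
        for term in record.split()[1:]:
            if term.lstrip("+-~?").lower() == "all":
                continue
            if term.lower() not in seen:
                seen.add(term.lower())
                merged.append(term)
    merged.append(f"{qualifier}all")
    return " ".join(merged)


def check_dkim(txt_values):
    """Check the TXT record at <selector>._domainkey.<domain>."""
    if len(txt_values) != 1:
        return [f"expected exactly 1 DKIM TXT record, found {len(txt_values)}"]
    tags, problems = parse_tags(txt_values[0]), []
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v tag must be DKIM1 when present")
    if tags.get("k", "rsa") not in ("rsa", "ed25519"):
        problems.append(f"unknown key type k={tags.get('k')}")
    if not tags.get("p"):
        problems.append("p tag missing or empty (an empty p means the key is revoked)")
    return problems


def check_dmarc(txt_values):
    """Check the TXT record at _dmarc.<domain>."""
    if len(txt_values) != 1:
        return [f"expected exactly 1 DMARC record, found {len(txt_values)}"]
    value, problems = txt_values[0], []
    if not value.startswith("v=DMARC1"):
        problems.append("record must begin with v=DMARC1")
    tags = parse_tags(value)
    if tags.get("p") not in DMARC_POLICIES:
        problems.append(f"p tag missing or invalid: {tags.get('p')}")
    for uri_tag in ("rua", "ruf"):
        for uri in filter(None, (u.strip() for u in tags.get(uri_tag, "").split(","))):
            if not uri.startswith("mailto:"):
                problems.append(f"{uri_tag} URI must use mailto:, got {uri}")
    return problems


def audit(domain, selector, txt):
    """Run all three checks against a {name: [txt values]} mapping."""
    return {"spf": check_spf(txt.get(domain, [])),
            "dkim": check_dkim(txt.get(f"{selector}._domainkey.{domain}", [])),
            "dmarc": check_dmarc(txt.get(f"_dmarc.{domain}", []))}


# Constructed answers: a correctly set up domain, then one with a duplicated
# SPF record, no DKIM key published and an invalid DMARC policy.
GOOD_TXT = {
    "example.com": ["v=spf1 ip4:192.0.2.10/32 include:_spf.example-esp.net -all",
                    "some-site-verification=abc123"],      # unrelated TXT values are fine
    "selector1._domainkey.example.com": ["v=DKIM1; k=rsa; p=MIGfMA0GexampleKeyIDAQAB"],
    "_dmarc.example.com": ["v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"],
}
BAD_TXT = {
    "example.com": ["v=spf1 include:_spf.example-esp.net ~all",
                    "v=spf1 ip4:192.0.2.10 -all"],        # second SPF record: permerror
    "_dmarc.example.com": ["v=DMARC1; p=block"],
}

if __name__ == "__main__":
    print(audit("example.com", "selector1", GOOD_TXT))
    print(audit("example.com", "selector1", BAD_TXT))
    print(merge_spf(BAD_TXT["example.com"]))
```

The merge deliberately drops every per-record all and appends one of its own, because the page's warning about "copy and paste all of them into a single string" is exactly the failure this avoids: a record with an all in the middle stops evaluating there, so mechanisms after it never match.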
