How to set up SPF on AWS Route 53
Add an SPF record in your Route 53 hosted zone so mailbox providers can tell your real email from forgeries.
Why this matters to your business
SPF (Sender Policy Framework) is a short note in your domain’s DNS that lists which mail servers are allowed to send email using your name. When someone receives a message claiming to be from you, their mail provider checks that list. If the sending server isn’t on it, the message looks suspicious — and either lands in spam or gets blocked.
In plain terms: SPF makes it harder for someone to impersonate your business by email, and it helps your genuine emails reach the inbox instead of the junk folder. It is one record, it is free, and it takes a few minutes.
Before you start: is Route 53 actually running your DNS?
This is the step most people get wrong. A DNS record only works if Route 53 is the one answering DNS questions for your domain.
Route 53 is a DNS host, not a mailbox provider — it answers DNS but it does not run your inboxes. Two things matter here:
- The hosted zone must be the live one. In the Route 53 console, open Hosted zones and select your domain. Note the four NS (nameserver) values shown for that zone.
- Your domain’s nameservers must point to those values. If you registered the domain through Route 53 (under Registered domains), this is usually already lined up. But if you registered it elsewhere, or you have more than one hosted zone for the same domain, the live nameservers might point somewhere else entirely — and anything you add here does nothing. Check the nameservers at your registrar and make sure they match the four NS values in this hosted zone. If they don’t, add the SPF record wherever your DNS actually lives instead.
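The nameserver check above can be scripted. The following is an added example, not code from the page or from AWS: it takes the NS values the Route 53 console shows for each hosted zone (here constructed samples, with two zones for the same domain) and the nameservers the public DNS actually reports (constructed `dig +short NS yourdomain.com` output), and tells you which zone, if any, is the live one.

```python
# Added example (not from the page or from AWS): confirm that the Route 53
# hosted zone you are about to edit is the one the public DNS actually uses.
# Inputs are constructed samples; in practice the zone NS values come from the
# Route 53 console and the live ones from `dig +short NS yourdomain.com`.
from typing import Dict, List, Optional, Set, Tuple


def normalize_ns(name: str) -> str:
    """DNS names are case-insensitive and Route 53 lists them with a trailing
    dot, while registrars and dig often omit it; compare a canonical form."""
    return name.strip().lower().rstrip(".")


def parse_dig_short(output: str) -> Set[str]:
    """Parse `dig +short NS` output: one nameserver per line, blanks ignored."""
    return {normalize_ns(line) for line in output.splitlines() if line.strip()}


def find_live_zone(live_ns: Set[str], hosted_zones: Dict[str, List[str]]) -> Optional[str]:
    """Return the id of the hosted zone whose NS set equals the live nameservers.
    None means no zone matches: your DNS is answered somewhere else, and a
    record added in Route 53 would never be seen."""
    for zone_id, ns_values in hosted_zones.items():
        if {normalize_ns(n) for n in ns_values} == live_ns:
            return zone_id
    return None


def ns_mismatch(live_ns: Set[str], zone_ns: List[str]) -> Tuple[Set[str], Set[str]]:
    """Explain a mismatch: (zone NS values not live, live NS values not in zone)."""
    zone = {normalize_ns(n) for n in zone_ns}
    return zone - live_ns, live_ns - zone


# Constructed sample: two hosted zones for the same domain (a stale one left
# over from a migration, and the current one) and what dig reports as live.
SAMPLE_ZONES = {
    "Z0STALEZONE": ["ns-1.awsdns-00.example.", "ns-2.awsdns-00.example.",
                    "ns-3.awsdns-00.example.", "ns-4.awsdns-00.example."],
    "Z1LIVEZONE": ["ns-10.awsdns-11.example.", "ns-20.awsdns-11.example.",
                   "ns-30.awsdns-11.example.", "ns-40.awsdns-11.example."],
}
SAMPLE_DIG = """NS-20.awsdns-11.example.
ns-10.awsdns-11.example
ns-40.awsdns-11.example.
ns-30.awsdns-11.example.
"""

if __name__ == "__main__":
    live = parse_dig_short(SAMPLE_DIG)
    zone = find_live_zone(live, SAMPLE_ZONES)
    if zone:
        print(f"Edit hosted zone {zone}; its NS values are the live ones.")
    else:
        print("No hosted zone matches the live nameservers; DNS is hosted elsewhere.")
```

If `find_live_zone` returns None, stop: adding the SPF record in Route 53 would change nothing, and `ns_mismatch` shows which names differ so you can fix the registrar or pick the right zone.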
Find one fact first: who sends your email?
SPF must name every service that sends mail for your domain. Common examples are Google Workspace, Microsoft 365, or whatever provider hosts your mailboxes. Each one publishes a value to put in your SPF record (often something like include:_spf.google.com for Google or include:spf.protection.outlook.com for Microsoft 365). Check your mail provider’s own help pages for the exact value — that’s the part you must get right.
If you send through Amazon SES (Amazon’s own email-sending service), SES uses a different mechanism by default and SPF for SES is optional — but if you have set up a custom MAIL FROM domain in SES, follow the exact SES instructions for that. SES is a separate service from Route 53; Route 53 only stores the DNS record.
Step-by-step on Route 53
- Sign in to the AWS console and open Route 53.
- In the left menu, choose Hosted zones, then click the name of your domain.
- Click Create record.
- If you see a wizard with routing-policy options, switch to the simple form (look for Quick create record) — SPF doesn’t need any of the advanced routing.
- Leave the Record name field empty. An empty name means “the domain itself”. The console shows your domain alongside the field, so you don’t retype it.
- Set Record type to TXT.
- In the Value field, enter your SPF text wrapped in double quotes:
"v=spf1 include:_spf.google.com ~all"
Replace the include: part with the value(s) your actual mail provider tells you to use. The surrounding quotes are required in Route 53; see the quirks below.
- Leave TTL at the default (300 seconds is fine).
- Click Create records.
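The same record can be created without the console. The block below is an added example, not code from the page or from AWS: it builds the ChangeBatch that `aws route53 change-resource-record-sets` and boto3's `change_resource_record_sets` accept, with the TXT value double-quoted exactly as Route 53 requires and the name fully qualified so it cannot become yourdomain.com.yourdomain.com. Because an UPSERT replaces every TXT value at that name, the function carries over any other TXT values already present and drops an older v=spf1 value so only one remains. The hosted zone id and the existing TXT values are placeholders and constructed samples.

```python
# Added example (not the page's or AWS's own code): the record created by the
# console steps above, expressed as a Route 53 ChangeBatch for the AWS CLI
# (`aws route53 change-resource-record-sets`) or boto3. The hosted zone id and
# the include: values are placeholders you must replace with your own.
import json
from typing import Dict, Iterable


def apex_name(domain: str) -> str:
    """Route 53 names are fully qualified: 'example.com.' is the domain itself.
    Submitting the bare name through the console's Name field instead yields
    example.com.example.com, the mistake the quirks section warns about."""
    return domain.strip().rstrip(".").lower() + "."


def txt_value(text: str) -> str:
    """Route 53 stores TXT values with their surrounding double quotes, so the
    quotes are part of what you submit, via the API just as in the console."""
    if text.startswith('"') and text.endswith('"'):
        return text
    return '"' + text.replace('"', '\\"') + '"'


def spf_change_batch(domain: str, spf_text: str,
                     existing_txt: Iterable[str] = (), ttl: int = 300) -> Dict:
    """Build the ChangeBatch for an UPSERT of the apex TXT record set.

    UPSERT replaces the whole record set (every TXT value at that name), so
    other TXT values already present (site verifications and the like) are
    carried over, while any previous v=spf1 value is dropped so that exactly
    one SPF record remains.
    """
    if not spf_text.lower().startswith("v=spf1"):
        raise ValueError("SPF text must start with v=spf1")
    kept = [v for v in existing_txt if not v.strip('"').lower().startswith("v=spf1")]
    values = [txt_value(v) for v in kept] + [txt_value(spf_text)]
    return {
        "Comment": f"SPF record for {domain}",
        "Changes": [{
            "Action": "UPSERT",
            "ResourceRecordSet": {
                "Name": apex_name(domain),
                "Type": "TXT",
                "TTL": ttl,
                "ResourceRecords": [{"Value": v} for v in values],
            },
        }],
    }


def cli_command(hosted_zone_id: str, batch: Dict, path: str = "spf-change.json") -> str:
    """Write the batch to a file and return the AWS CLI invocation for it."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(batch, fh, indent=2)
    return (f"aws route53 change-resource-record-sets "
            f"--hosted-zone-id {hosted_zone_id} --change-batch file://{path}")


def apply_with_boto3(hosted_zone_id: str, batch: Dict) -> str:
    """Submit the batch with boto3 (needs AWS credentials; not run here)."""
    import boto3  # imported lazily so the rest of the file works without it
    resp = boto3.client("route53").change_resource_record_sets(
        HostedZoneId=hosted_zone_id, ChangeBatch=batch)
    return resp["ChangeInfo"]["Id"]


if __name__ == "__main__":
    # Constructed sample: the apex already carries a verification TXT value
    # and an outdated SPF record; both are handled by the merge rules above.
    existing = ['"site-verification=constructed-sample"',
                '"v=spf1 include:old-provider.example ~all"']
    batch = spf_change_batch("example.com", "v=spf1 include:_spf.google.com ~all", existing)
    print(json.dumps(batch, indent=2))
    print(cli_command("<HOSTED_ZONE_ID>", batch))
```

Read the current apex TXT values first (`aws route53 list-resource-record-sets --hosted-zone-id <HOSTED_ZONE_ID>`) and pass them as `existing_txt`; otherwise the UPSERT silently deletes them.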
Route 53 quirks people get wrong
- TXT values must be in double quotes. Unlike some DNS hosts that quote the value for you, Route 53 expects you to type the quotes yourself. Enter "v=spf1 ... ~all", not v=spf1 ... ~all. Leaving the quotes off is the single most common Route 53 mistake.
- Leave the Record name empty for the root domain. A blank name means the domain itself. If you type your full domain name in the Name field, Route 53 appends the zone again and you end up with yourdomain.com.yourdomain.com, a record that never gets checked.
- Only one SPF record per domain. You cannot have two v=spf1 TXT records; mail providers will treat that as broken. If a TXT record already exists at the root, edit it to add the new service rather than creating a second SPF record.
- Right hosted zone, right account. If you have several hosted zones (or several AWS accounts), it’s easy to edit the wrong one. Make sure the zone you’re editing is the one whose NS values match your live nameservers.
- ~all vs -all. ~all (softfail) means “anything not listed is suspicious”; -all (hardfail) means “reject anything not listed”. Start with ~all while you confirm everything sends correctly, then tighten to -all once you’re sure your list is complete.
- Changes aren’t instant. DNS updates can take anywhere from a few minutes to a couple of hours to spread.
Verify it worked
Once you’ve saved the record and given it a little time to take effect, verify it with the free check on this site. It will tell you in plain language whether your SPF record is present and correctly formed.
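For readers who want to check the published record themselves, here is an added example (not this site's checker and not code from the page) that reads what public DNS now returns for the domain root and applies the quirks listed above: exactly one v=spf1 record, a proper all term and whether it is ~all or -all. It also counts the DNS-lookup mechanisms against the limit of 10 from RFC 7208, a caveat the page does not cover. The input is constructed `dig +short TXT yourdomain.com` output; in practice pipe in the real thing.

```python
# Added example (not the site's checker, nor code from the page): validate the
# TXT records that public DNS returns for the apex against the rules above,
# plus the 10-DNS-lookup limit from RFC 7208 section 4.6.4. Sample input is
# constructed `dig +short TXT` output.
import re
from typing import Dict, List

LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4: more than this is a permerror


def parse_dig_txt(output: str) -> List[str]:
    """Each dig line is one TXT record, shown as one or more quoted chunks
    ("abc" "def") that resolvers concatenate; join them into one string."""
    records = []
    for line in output.splitlines():
        if not line.strip():
            continue
        chunks = re.findall(r'"((?:[^"\\]|\\.)*)"', line)
        records.append("".join(chunks) if chunks else line.strip())
    return records


def check_spf(txt_records: List[str]) -> Dict:
    """Return {'ok', 'policy', 'lookups', 'findings'} for the apex TXT set."""
    findings: List[str] = []
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return {"ok": False, "policy": None, "lookups": 0,
                "findings": ["no v=spf1 TXT record at the domain root"]}
    if len(spf) > 1:
        findings.append(f"{len(spf)} v=spf1 records found; receivers treat this as broken")
    terms = spf[0].split()[1:]
    policy = None
    lookups = 0
    for term in terms:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        body = term.lstrip("+-~?")
        mech = re.split(r"[:=/]", body, maxsplit=1)[0].lower()
        if mech == "all":
            policy = {"~": "softfail", "-": "fail", "+": "pass", "?": "neutral"}[qualifier]
        elif mech in LOOKUP_MECHANISMS:
            lookups += 1
    if policy is None:
        findings.append("record has no 'all' term, so unlisted senders are merely neutral")
    elif policy in ("pass", "neutral"):
        findings.append(f"'{terms[-1]}' lets anyone send as you; use ~all or -all")
    elif terms[-1].lstrip("+-~?").lower() != "all":
        findings.append("'all' should be the last term; anything after it is never evaluated")
    if lookups > MAX_LOOKUPS:
        findings.append(f"{lookups} DNS-lookup mechanisms exceed the limit of {MAX_LOOKUPS}")
    return {"ok": not findings, "policy": policy, "lookups": lookups, "findings": findings}


# Constructed samples: a correct apex, and one with two SPF records.
SAMPLE_OK = '''"v=spf1 include:_spf.google.com ~all"
"site-verification=constructed-sample"
'''
SAMPLE_DUP = '''"v=spf1 include:_spf.google.com ~all"
"v=spf1 include:spf.protection.outlook.com -all"
'''

if __name__ == "__main__":
    for label, sample in (("ok", SAMPLE_OK), ("duplicate", SAMPLE_DUP)):
        result = check_spf(parse_dig_txt(sample))
        print(label, result["policy"], result["lookups"], result["findings"])
```

A `policy` of `softfail` confirms the ~all starting point; once every sender is listed and `findings` is empty, tighten to -all and re-run until the result shows `fail`.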
Done? Check your domain free to confirm it worked — and see your full grade across all 34 checks.