How can I configure SPF or TXT records that are longer than 255 characters in Route 53?

Short description

SPF is an open, DNS-based email authentication system that gives domain owners control over which IP addresses are allowed to deliver email on their behalf. The receiving email server checks the SPF record for incoming mail and determines whether the source server IP address is listed in the SPF rule set.

Some email recipients strictly require SPF. If you haven’t published an SPF record for your domain, your email might be marked as spam or bounce. If an email is sent through an unauthorized mail server, the email might be marked as spam. Properly configuring your SPF record improves the deliverability of your email and protects your domain against malicious emails sent on behalf of your domain.

Note: A maximum of 10 DNS queries is allowed during SPF record evaluation. If the limit is exceeded, you receive an error.

Resolution

Important: Route 53 and most mail providers no longer recommend using the SPF record type. It's a best practice to create a TXT record that contains the applicable values. For more information, see RFC 7208.

Creating SPF records

1. Collect all IP addresses that you're using to send email. Remember to include all sending organizations, such as your email service provider, Microsoft Office mail server, and any third-party mail servers sending email on your behalf.
2. Create an SPF record for every domain you identified in step 1, even if the domain doesn’t actively send email. Be sure to:

• Add the v=spf1 (version 1) tag to define the record as SPF. Then, include all IP addresses and subnets that are authorized to send email on your behalf. For example: v=spf1 ip4:34.243.61.237 ip6:2a05:d018:e3:8c00:bb71:dea8:8b83:851e & ip4:192.168.1.0/24.
• Add an include tag for every third-party organization that's used to send email on your behalf. For example: include:thirdpartydomain.com. Check with your third-party provider to determine which domain to use as a value for the include statement.
• Conclude your record with an all tag. The all tag indicates which policy to apply when recipients detect a server that's not listed in your SPF record. If you use the -all tag, any servers that aren’t listed in the SPF record aren't authorized to send email (non-compliant email is rejected). If you use the ~all tag, email received from an unlisted server is marked as a soft fail (email is accepted but marked). It's not a best practice to use the +all tag, because this tag allows any server to send email from your domain.
• For domains that aren’t sending email, it's a best practice to publish the following record: v=spf1 -all.

After defining your SPF record attributes, the record format is similar to: v=spf1 ip4:54.66.167.159 ip6:2406:da1c:1c7:a301:c560:240:cb38:2937 ip4:192.168.1.0/24 include:thirdpartydomain.com -all.

Creating TXT records

Key points to remember:

• A TXT record contains one or more strings that are enclosed in double quotation marks (").
• You can enter a value of up to 255 characters in one string in a TXT record.
• You can add multiple strings of 255 characters in a single TXT record.
• The maximum length of a value in a TXT record is 4,000 characters.
• TXT record values are case-sensitive.

For values that exceed 255 characters, break the value into strings of 255 characters or less. Enclose each string in double quotation marks (") using the following syntax: Domain name TXT "String 1" "String 2" "String 3"….."String N".

For information on which values to specify in your TXT record, see Entering TXT record values.

To create a TXT record to replace an SPF record:

1. Open the Route 53 console.
2. Choose Hosted zones.
3. Select the domain of the SPF record
4. Copy the value of the SPF record, and then choose Create record.
5. For Routing policy, choose Simple routing.
6. Choose Next.
7. Choose Define simple record.
8. For Record name, specify a name.
9. For Value/Route traffic to, choose IP address or another value depending on the record type. Then, paste the SPF record value that you copied in step 4.
10. For Record type, choose TXT.
11. For TTL (seconds), specify a time to live value.
12. Choose Define simple record.

The following example shows a TXT record that has configured values for domain verification, the SPF record, and DKIM signing:

txt1.geeksbox.club. TXT 3600 "google-site-verification=rXOxyZounnZasA8Z7oaD3c14JdjS9aKSWvsR1EbUSIQ"
"v=spf1 include:_netblocks.google.com include:_netblocks2.google.com include:_netblocks3.google.com ~all"
"spf2.0/pra include:spf1.amazon.com include:spf2.amazon.com include:amazonses.com -all"
"v=DKIM1;k=rsa;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDeIhtCv3vUinyhKiKtZ8efjHGGo8gE1T+o7gLrvo6yRtdz9ICe6Fz5sgz0WYFW5nCV4DmaTcS25TfgWKsLgg"