How to Add an SPF Record in Amazon Route 53
Step-by-step guide to adding and managing SPF records in Amazon Route 53. Covers creating TXT records, AWS CLI usage, and combining SPF with Amazon SES.
Amazon Route 53 is AWS's scalable DNS service, widely used by developers, startups, and enterprises running infrastructure on AWS. If your domain's DNS is managed in Route 53, adding an SPF record requires working with the AWS Console (or CLI) -- and getting a few Route 53-specific details right, like wrapping TXT values in double quotes.
This guide walks you through adding, editing, and troubleshooting SPF records in Amazon Route 53.
Why You Need SPF With Route 53 Domains
Every domain that sends email needs an SPF record. It tells receiving mail servers which IP addresses and services are authorized to send email on behalf of your domain. Without one, providers like Gmail, Outlook, and Yahoo can't distinguish your legitimate email from spoofed messages.
Route 53-hosted domains are no exception. Whether you're sending through Amazon SES, Google Workspace, Microsoft 365, or any other email service, you need an SPF record published as a TXT record in your hosted zone.
Route 53 requires each TXT record value to be enclosed in double quotes, and each quoted string to be at most 255 characters. A change that omits the quotes is rejected as an invalid record value rather than stored.
Step-by-Step: Adding an SPF Record in Route 53
Sign in to the AWS Console
Go to console.aws.amazon.com and sign in with your AWS credentials. Make sure you're in the correct AWS account if you manage multiple accounts.
Navigate to Route 53
In the AWS Console, search for Route 53 or find it under Networking & Content Delivery. Click to open the Route 53 dashboard.
Select your Hosted Zone
Click Hosted zones in the left sidebar. Find and click on the domain you want to configure. This opens the list of DNS records for that hosted zone.
Check for existing SPF records
Look through the existing TXT records for a value starting with v=spf1. If one exists, edit that value rather than adding another: a domain that publishes two SPF records gets a PermError from receiving servers, which fails SPF for every message the domain sends.
Create a new record
Click Create record. If you see the wizard, switch to Simple routing or click Switch to quick create. Set the Record name field to blank (or leave it as just the domain name) for the root domain. Set Record type to TXT. In the Value field, enter your SPF record wrapped in double quotes:
"v=spf1 include:amazonses.com -all"
Set the TTL to 300 seconds if you're testing, or 3600 for production.
Save the record
Click Create records. Route 53 adds the TXT record to your hosted zone and normally pushes the change to all of its authoritative name servers within 60 seconds. Resolvers that already cached the old answer keep serving it until that answer's TTL expires.
Verify propagation
Although Route 53 propagates quickly, it's still worth confirming. Use SPF Record Check to verify your record is live and syntactically correct.
The Double-Quotes Requirement
This is the single most important Route 53-specific detail. TXT record values in Route 53 must be enclosed in double quotes. If you enter:
v=spf1 include:amazonses.com -all
...without quotes, Route 53 rejects the change as an invalid record value. The correct format is:
"v=spf1 include:amazonses.com -all"
Route 53 also limits each quoted string to 255 characters. If your SPF record is longer than that, split it into several quoted strings within the same value, separated by a space:
"v=spf1 include:amazonses.com include:_spf.google.com" " include:spf.protection.outlook.com -all"
Route 53 serves these as one TXT record made of several strings, and SPF verifiers concatenate the strings without inserting anything between them (RFC 7208, section 3.3). That is why the space separating the two mechanisms sits inside the second string above: drop it and the verifier sees include:_spf.google.cominclude:spf.protection.outlook.com. The record shown fits comfortably in one string; it is split only to illustrate the syntax.
Amazon SES and SPF
Amazon SES (Simple Email Service) is AWS's email sending platform and the most common email service for domains hosted in Route 53. To authorize SES's sending servers, your SPF record must include amazonses.com. One caveat: by default SES uses a subdomain of amazonses.com as the envelope sender (MAIL FROM / Return-Path), so receivers evaluate SPF against amazonses.com rather than your domain. If you want SPF evaluated against, and aligned with, your own domain for DMARC, configure a custom MAIL FROM domain in SES and publish the same SPF record on that subdomain, together with the MX record SES asks for.
A basic SPF record for Amazon SES only:
"v=spf1 include:amazonses.com -all"
If you're using Amazon SES in multiple AWS regions, you still only need one include:amazonses.com in your SPF record. The include covers all SES regions.
Combining SPF Records in Route 53
Most Route 53 users need to authorize multiple email services. As always, everything must go into a single SPF record.
Amazon SES + Google Workspace
"v=spf1 include:amazonses.com include:_spf.google.com -all"
Amazon SES + Microsoft 365
"v=spf1 include:amazonses.com include:spf.protection.outlook.com -all"
Amazon SES + SendGrid
"v=spf1 include:amazonses.com include:sendgrid.net -all"
Google Workspace Only (no SES)
If you don't use Amazon SES and only use Google Workspace for email:
"v=spf1 include:_spf.google.com -all"
| Setup | SPF Record Value |
|---|---|
| Amazon SES only | "v=spf1 include:amazonses.com -all" |
| Amazon SES + Google Workspace | "v=spf1 include:amazonses.com include:_spf.google.com -all" |
| Amazon SES + Microsoft 365 | "v=spf1 include:amazonses.com include:spf.protection.outlook.com -all" |
| Amazon SES + SendGrid | "v=spf1 include:amazonses.com include:sendgrid.net -all" |
| Google Workspace only | "v=spf1 include:_spf.google.com -all" |
| Microsoft 365 only | "v=spf1 include:spf.protection.outlook.com -all" |
Check your email deliverability
Make sure your SPF, DKIM, and DMARC records are all working together to protect your domain.
Using the AWS CLI to Add SPF Records
If you prefer the command line or need to automate DNS changes, you can use the AWS CLI to create SPF records in Route 53.
First, create a JSON file (for example, spf-record.json) with the change batch:
```json
{
  "Changes": [
    {
      "Action": "UPSERT",
      "ResourceRecordSet": {
        "Name": "example.com",
        "Type": "TXT",
        "TTL": 3600,
        "ResourceRecords": [
          {
            "Value": "\"v=spf1 include:amazonses.com include:_spf.google.com -all\""
          }
        ]
      }
    }
  ]
}
```
Then run:
```bash
aws route53 change-resource-record-sets \
  --hosted-zone-id Z1234567890ABC \
  --change-batch file://spf-record.json
```
Replace Z1234567890ABC with your actual hosted zone ID and example.com with your domain. Note the escaped double quotes around the SPF value in the JSON -- these are required for Route 53 TXT records.
Use UPSERT for safety
The UPSERT action creates the record set if it doesn't exist or replaces it if it does, so it never fails with "already exists" the way CREATE does, and it can't leave two SPF values side by side. The flip side is that UPSERT replaces the entire TXT record set for that name: every TXT value you want to keep (domain verification tokens, for example) must be listed in the change batch alongside the SPF value, or it is deleted. Run aws route53 list-resource-record-sets first and copy the existing values into the batch.
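The quoting, 255-character splitting and UPSERT rules above are easy to get wrong by hand, so here is an added example (written for this article; it is not AWS code and not the output of any AWS tool) that builds the change batch programmatically. It takes the TXT values Route 53 already holds for the name, keeps every non-SPF value, swaps in the new SPF value encoded as Route 53 expects it, and refuses anything that does not start with v=spf1. The function names and the sample TXT values are constructed for illustration; the resulting dict has the same shape as spf-record.json and can be written to a file for the CLI or passed as ChangeBatch to boto3's change_resource_record_sets.

```python
"""Build a Route 53 UPSERT change batch for an SPF record without clobbering
the other TXT values stored under the same name.

Added example for this article, not AWS code. build_spf_upsert_batch and the
EXISTING sample values are constructed for illustration.
"""
import json

MAX_STRING = 255  # Route 53 limit for one quoted string inside a TXT value


def to_route53_txt(value: str) -> str:
    """Encode a raw TXT value as Route 53 expects it: one or more double-quoted
    strings of at most 255 characters, separated by single spaces."""
    if '"' in value or "\\" in value:
        # These would need master-file escaping; valid SPF never contains them.
        raise ValueError("TXT value contains characters that are not valid in SPF")
    chunks = [value[i:i + MAX_STRING] for i in range(0, len(value), MAX_STRING)]
    return " ".join(f'"{chunk}"' for chunk in chunks)


def from_route53_txt(value: str) -> str:
    """Reverse of to_route53_txt: join the quoted strings with nothing between
    them, which is how SPF verifiers reassemble a multi-string TXT record
    (RFC 7208, section 3.3)."""
    parts = []
    rest = value.strip()
    while rest:
        if not rest.startswith('"'):
            raise ValueError(f"unquoted data in Route 53 TXT value: {rest!r}")
        end = rest.index('"', 1)
        parts.append(rest[1:end])
        rest = rest[end + 1:].lstrip()
    return "".join(parts)


def is_spf(raw: str) -> bool:
    """True for an SPF version-1 record (exactly 'v=spf1' or 'v=spf1 ...')."""
    lowered = raw.lower()
    return lowered == "v=spf1" or lowered.startswith("v=spf1 ")


def build_spf_upsert_batch(name, existing_values, new_spf, ttl=3600):
    """Return a change batch that replaces the SPF value in the TXT record set
    for `name`, keeps every non-SPF value unchanged, and publishes exactly one
    SPF record. `existing_values` are Route 53-encoded values as returned by
    list-resource-record-sets."""
    if not is_spf(new_spf):
        raise ValueError("SPF record must start with v=spf1")
    kept = [v for v in existing_values if not is_spf(from_route53_txt(v))]
    values = kept + [to_route53_txt(new_spf)]
    return {
        "Comment": f"Publish SPF for {name}",
        "Changes": [{
            "Action": "UPSERT",
            "ResourceRecordSet": {
                # Route 53 accepts both forms; normalise to the FQDN it returns.
                "Name": name if name.endswith(".") else name + ".",
                "Type": "TXT",
                "TTL": ttl,
                "ResourceRecords": [{"Value": v} for v in values],
            },
        }],
    }


# Constructed sample: what list-resource-record-sets would show for an apex
# that already carries a site verification token and an SES-only SPF record.
EXISTING = [
    '"google-site-verification=abc123"',
    '"v=spf1 include:amazonses.com -all"',
]

if __name__ == "__main__":
    batch = build_spf_upsert_batch(
        "example.com", EXISTING,
        "v=spf1 include:amazonses.com include:_spf.google.com -all")
    print(json.dumps(batch, indent=2))
```

The encoder splits at fixed 255-character boundaries rather than at spaces; that is safe because verifiers concatenate the strings with no separator, so a mechanism cut in half is reassembled intact. Pipe the printed JSON into a file and pass it with --change-batch file://, exactly as in the CLI section.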
TTL Best Practices
Route 53 gives you full control over TTL (Time to Live) values. Here's how to use them strategically:
- Testing (TTL 300): Set a 5-minute TTL when you're initially setting up or making changes. This way, if something is wrong, the old record expires quickly and your fix propagates faster.
- Production (TTL 3600): Once your SPF record is verified and stable, increase the TTL to 1 hour (3600 seconds). This reduces DNS query volume and improves resolution performance.
- Before major changes: lower the TTL ahead of time, wait at least one old TTL so every resolver has picked up the short value, then make the change, verify it, and raise the TTL back up.
Common Route 53 SPF Mistakes
Route 53 is powerful but has some specific pitfalls.
Forgetting the Double Quotes
The most common Route 53 mistake. Without quotes around the TXT value, Route 53 rejects the change. Always wrap your SPF value in double quotes, and keep each quoted string under 256 characters.
Wrong Hosted Zone
If you manage multiple domains or have both public and private hosted zones, it's easy to add your SPF record to the wrong zone. Private hosted zones are only visible within your VPC and won't be queried by external mail servers.
Fix: Always verify you're editing the public hosted zone for your domain. Check the hosted zone type in the Route 53 console.
Creating Duplicate SPF Records
In Route 53, all TXT values for a name live in one record set, one value per line in the console. If you add a second line starting with v=spf1 to that set instead of editing the existing line, the domain publishes two SPF records and receivers return PermError, so both are useless.
Fix: Edit the existing v=spf1 line in the console, or use an UPSERT change batch from the CLI that lists the single SPF value you want alongside the other TXT values you need to keep.
Not Escaping Quotes in CLI/API
When using the AWS CLI or API, the double quotes around TXT values must be escaped in the JSON payload. Missing the escape characters results in malformed records.
Audit before you edit
Before making any SPF changes in Route 53, use SPF Record Check to see your current record. This gives you a baseline to compare against and helps you spot problems you might not have known about.
Editing an Existing SPF Record in Route 53
If you need to update your SPF record to add a new service, remove an old one, or fix a mistake:
Go to your Hosted Zone
Sign in to the AWS Console, navigate to Route 53, and click on Hosted zones. Select your domain.
Find your SPF TXT record
Look through the TXT records for the one whose value starts with v=spf1. Click the record name to select it, then click Edit record.
Modify the value
Update the SPF record value. Add new include: mechanisms for new services, or remove ones you no longer use. Keep v=spf1 at the beginning, -all or ~all at the end, and double quotes around the entire value.
Save and verify
Click Save. Route 53 changes propagate quickly, but verify your updated record at SPF Record Check to be sure.
Verifying Your Route 53 SPF Record
After adding or editing your SPF record, always verify it's live and correct. Go to SPF Record Check and enter your domain. The tool will:
- Confirm your SPF record is published
- Check for syntax errors
- Count your DNS lookups (must be 10 or fewer)
- Flag duplicate SPF records
- Show you exactly what receiving servers will see
If you see any errors, go back to Route 53 and fix them before relying on the record.
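The checks listed above can be reproduced offline against the TXT answers a resolver returns for your domain. The following is an added example written for this article; it is not code from the SPF Record Check tool. check_spf_txt takes the TXT answers as quoted strings (the form dig and Route 53 show), reassembles multi-string values the way a verifier does, and reports a missing record, duplicate SPF records, a record that does not end in an all mechanism, a +all, and the count of DNS-querying terms. The count covers only the record's own terms: receivers also resolve each include and count its lookups, so a record that passes here can still exceed 10 once the included records are followed. The function name and the sample answers are constructed for illustration.

```python
"""Offline checks for an SPF record as a receiving server would see it.

Added example for this article, not code from AWS or from the SPF Record
Check tool. check_spf_txt and the sample TXT answers below are constructed
for illustration.
"""
import re

# Terms that cost a DNS lookup under RFC 7208, section 4.6.4 (limit: 10).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def join_txt_strings(value: str) -> str:
    """Concatenate the quoted strings of one TXT answer with no separator,
    as SPF verifiers do for multi-string records."""
    return "".join(re.findall(r'"([^"]*)"', value))


def check_spf_txt(txt_values):
    """txt_values: every TXT answer published at the domain, as quoted
    strings. Returns (spf_record_or_None, list_of_findings); an empty
    findings list means the record passed every offline check."""
    findings = []
    records = [join_txt_strings(v) for v in txt_values]
    spf = [r for r in records
           if r.lower() == "v=spf1" or r.lower().startswith("v=spf1 ")]
    if not spf:
        findings.append("no SPF record published")
        return None, findings
    if len(spf) > 1:
        findings.append(f"{len(spf)} SPF records found: receivers return PermError")
        return spf[0], findings

    record = spf[0]
    terms = record.split()[1:]
    lookups = 0
    for term in terms:
        # Optional qualifier (+ - ~ ?) then the mechanism or modifier name.
        match = re.match(r"^[+\-~?]?([a-z]+)", term.lower())
        if match is None:
            findings.append(f"unparseable term: {term}")
            continue
        if match.group(1) in LOOKUP_TERMS:
            lookups += 1
    if lookups > 10:
        findings.append(f"{lookups} DNS-querying terms in this record, limit is 10 (PermError)")

    last = terms[-1].lower() if terms else ""
    has_redirect = any(t.lower().startswith("redirect=") for t in terms)
    if last.lstrip("+-~?") != "all" and not has_redirect:
        findings.append("record does not end with an all mechanism")
    elif last in ("all", "+all"):
        findings.append("+all authorizes every sender on the internet; use -all or ~all")
    return record, findings


# Constructed sample answers, in the form dig or Route 53 would display them.
GOOD = [
    '"v=spf1 include:amazonses.com include:_spf.google.com -all"',
    '"google-site-verification=abc123"',
]
SPLIT = ['"v=spf1 include:amazonses.com" " include:_spf.google.com -all"']
DUPLICATE = [
    '"v=spf1 include:amazonses.com -all"',
    '"v=spf1 include:_spf.google.com -all"',
]
TOO_MANY = ['"v=spf1 a mx ptr '
            + " ".join(f"include:s{i}.example.net" for i in range(8))
            + ' -all"']

if __name__ == "__main__":
    for label, answers in [("good", GOOD), ("split", SPLIT),
                           ("duplicate", DUPLICATE), ("too many", TOO_MANY)]:
        record, findings = check_spf_txt(answers)
        print(f"{label}: {record!r}\n  findings: {findings or 'none'}")
```

Feed it the output of dig +short TXT example.com, one answer per list element, and fix anything it reports in Route 53 before relying on the record.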
Complete Your Email Authentication
SPF is one piece of the email authentication puzzle. For full protection, you need all three protocols working together:
- DKIM adds a cryptographic signature to your outgoing emails, proving they haven't been tampered with in transit. Use DKIM Creator to generate your DKIM keys and add the records in Route 53 the same way you added your SPF record.
- DMARC ties SPF and DKIM together and tells receiving servers what to do when authentication fails. Use DMARC Creator to build your DMARC policy.
With all three records published in Route 53, mailbox providers can fully verify that your email is legitimate.
Monitor Your New SPF Record
You've created your SPF record — now make sure it keeps working. The Email Deliverability Suite watches your SPF, DKIM, DMARC, and MX records daily and alerts you when something breaks.