This guide walks you through adding DMARC, SPF, and DKIM DNS records in Amazon Route 53. Route 53 is AWS’s scalable DNS service and is commonly used by businesses running infrastructure on Amazon Web Services.
📋 Before You Start
Make sure you have:
- An AWS account with access to Route 53
- A hosted zone for your domain in Route 53
- Appropriate IAM permissions (route53:ChangeResourceRecordSets)
- Your DMARC record (use our DMARC Record Generator)
- Your SPF record value from your email provider
Finding Your Hosted Zone in Route 53
- Log in to the AWS Management Console
- Navigate to Route 53 (search for it in the services bar, or find it under Networking & Content Delivery)
- Click Hosted zones in the left sidebar
- Click on your domain name to open the hosted zone
- You’ll see a list of existing records (at minimum, NS and SOA records)
Step 1: Add Your DMARC Record
- In your hosted zone, click Create record
- If prompted, switch to “Quick create record” view (simpler interface)
- Fill in the fields:
  - Record name: _dmarc (the console shows _dmarc.yourdomain.com)
  - Record type: TXT
  - Value: "v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com"
  - TTL: 300 (5 minutes, recommended)
- Click Create records
⚠️ Important: Route 53 Requires Quotes
Unlike most DNS providers, Route 53 requires you to wrap TXT record values in double quotes. Enter the value as "v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com". Without quotes, the record will fail to save.
Step 2: Add or Update Your SPF Record
- Check for an existing SPF record: Look for a TXT record on the root domain (no prefix) with a value starting with v=spf1
- If it exists: Click the record, then click Edit record. Modify the value to include your email provider.
- If not: Click Create record and fill in:
  - Record name: (leave blank for root domain)
  - Record type: TXT
  - Value: "v=spf1 include:_spf.google.com ~all"
  - TTL: 300
- Click Create records
💡 Pro Tip: Multiple TXT Values
Route 53 allows multiple TXT values on the same record name. If you already have a TXT record on the root domain (like a site verification), the SPF record can coexist as a separate value on the same record — each on its own line, each wrapped in quotes.
Step 3: Add DKIM Records
- Get your DKIM record details from your email provider
- Click Create record
- Set Record name to your selector (e.g. google._domainkey)
- Set Record type to TXT
- Paste the DKIM value, wrapped in quotes
- Click Create records
💡 Pro Tip: Long DKIM Values
If your DKIM key exceeds 255 characters (common with 2048-bit keys), Route 53 needs the value split into multiple strings within the same record. Format it as "p=MIIBIjANBgk..." "qhiVFAOEM5fy...", with each chunk in its own set of quotes.
Alternative: Using the AWS CLI
If you prefer the command line, you can add records with the AWS CLI:
aws route53 change-resource-record-sets \
  --hosted-zone-id Z1234567890 \
  --change-batch '{
    "Changes": [{
      "Action": "CREATE",
      "ResourceRecordSet": {
        "Name": "_dmarc.yourdomain.com",
        "Type": "TXT",
        "TTL": 300,
        "ResourceRecords": [{
          "Value": "\"v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com\""
        }]
      }
    }]
  }'
⚠️ Common Mistake
In the AWS CLI, TXT values need escaped quotes inside the JSON: \"v=DMARC1...\". Missing the escaped quotes is the most common CLI error.
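The quoting rules described above (quotes around every TXT value, 255-character chunks for long DKIM keys, several values on one record name, escaped quotes in the CLI JSON) can be applied in code before the CLI call. The following Python is an added example, not part of the original guide or any AWS tool; the function names txt_rdata and change_batch and the sample values are assumptions made for illustration, and the single-SPF check follows RFC 7208.

```python
import json

MAX_TXT_STRING = 255  # longest single character-string allowed in a TXT record


def txt_rdata(value):
    """Render one TXT value as quoted strings of at most 255 characters each."""
    if not value or not value.isascii() or '"' in value or "\\" in value:
        raise ValueError("expected non-empty ASCII without quotes or backslashes")
    chunks = [value[i:i + MAX_TXT_STRING]
              for i in range(0, len(value), MAX_TXT_STRING)]
    return " ".join(f'"{chunk}"' for chunk in chunks)


def change_batch(name, values, ttl=300, action="CREATE"):
    """Build the --change-batch document for one TXT record set."""
    # Assumption added here: RFC 7208 treats several SPF records on one
    # name as an error, so refuse to publish more than one.
    if sum(v.lower().startswith("v=spf1") for v in values) > 1:
        raise ValueError("more than one v=spf1 value for " + name)
    return {
        "Changes": [{
            "Action": action,
            "ResourceRecordSet": {
                "Name": name,
                "Type": "TXT",
                "TTL": ttl,
                # One ResourceRecords entry per TXT value on this name.
                "ResourceRecords": [{"Value": txt_rdata(v)} for v in values],
            },
        }]
    }


if __name__ == "__main__":
    # Constructed sample: filler characters stand in for a 2048-bit public key.
    dkim = "v=DKIM1; k=rsa; p=" + "A" * 392
    batch = change_batch("google._domainkey.yourdomain.com", [dkim])
    # json.dumps adds the \" escapes the CLI needs around each string.
    print(json.dumps(batch, indent=2))
```

Saving the output to a file and passing it as --change-batch file://batch.json (an assumed file name) keeps the shell from touching the inner quotes.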
Route 53–Specific Tips
✅ Fast Propagation
Route 53 changes typically propagate within 60 seconds. It’s one of the fastest DNS providers for record updates.
✅ Terraform / CloudFormation
If you manage infrastructure as code, Route 53 records can be defined in Terraform (aws_route53_record) or CloudFormation templates.
💡 IAM Permissions
Make sure your IAM user or role has route53:ChangeResourceRecordSets and route53:ListResourceRecordSets permissions for the hosted zone.
💡 Hosted Zone ID
Each hosted zone has a unique ID (starts with Z). You’ll need this for CLI and API operations. Find it in the Hosted zones list.
Verify Your Records
- Use the Domain Checker to verify all records are published
- In Route 53, click Test record to query the record directly
- Send a test email and inspect the headers for SPF/DKIM/DMARC pass results
- Confirm your nameservers are pointed to Route 53 (check with your registrar)
What’s Next?
- Understand your record: DMARC Record Explained
- Plan enforcement: Moving from p=none to p=reject
- Learn SPF syntax: SPF Record Syntax Guide
- Generate your record: DMARC Record Generator