Sender Policy Framework In Use

01 Sign in to the AWS Management Console.

02 Navigate to Amazon Route 53 console at https://console.aws.amazon.com/route53/.

03 In the left navigation panel, under Dashboard, click Hosted Zones.

04 Click on the domain name of the hosted zone that you want to examine.

05 In the Records section, select Type from the Filter record sets by property or value dropdown menu, type TXT, and press Enter. This filtering method will return all the TXT DNS records created for the selected domain. If the filtering process does not return any TXT entries, the selected domain does not use TXT DNS records to implement Sender Policy Framework (SPF) for the corresponding MX records. If the filtering process returns one or more TXT records, check their value listed in Value/Route traffic to column. If their value does not contain v=spf1 (e.g. "v=spf1 ip4:192.168.0.5/16 -all"), the selected domain name is not using the Sender Policy Framework (SPF) for the corresponding MX records.

06 Repeat steps no. 4 and 5 for each DNS hosted zone created with Amazon Route 53 service.

01 Run list-hosted-zones command (OSX/Linux/UNIX) to list the IDs of all the DNS hosted zones created within your AWS cloud account:

aws route53 list-hosted-zones
	--query "HostedZones[*].Id"

02 The command output should return an array with the requested hosted zone IDs:

[
    "/hostedzone/ABCD1234ABCD1234ABCD",
    "/hostedzone/ABCDABCDABCDABCDABCD"
]

03 Run list-resource-record-sets command (OSX/Linux/UNIX) using the ID of the hosted zone that you want to examine as identifier parameter and custom query filters to describe the TXT DNS records created for the selected domain name:

aws route53 list-resource-record-sets
	--hosted-zone-id "/hostedzone/ABCD1234ABCD1234ABCD"
	--query "ResourceRecordSets[?Type == 'TXT']"

04 The command output should return an array with all the TXT DNS record sets created for the specified Amazon Route 53 hosted zone:

1. If the array returned as output is empty, i.e. [], the selected domain name does not use TXT DNS records to implement Sender Policy Framework (SPF) for the corresponding MX records:
   []
   

2. If the command output returns an array with one or more TXT DNS records, as shown in the example below, check the value configured for the ResourceRecords.Value property. If this configuration value does not contain v=spf1 (for example, "v=spf1 ip4:192.168.0.5/16 -all"), the selected domain name is not using the Sender Policy Framework (SPF) for the corresponding MX records, therefore the domain is not SPF-protected:
   [
       {
           "ResourceRecords": [
               {
                   "Value": "\"google-site-verification=1234-abcd-1234-abcd\""
               }
           ],
           "Type": "TXT",
           "Name": "cloudconformity.com.",
           "TTL": 300
       }
   ]
   

05 Repeat steps no. 3 and 4 for each DNS hosted zone created with Amazon Route 53 service within your AWS cloud account.

01 Sign in to the AWS Management Console.

02 Navigate to Amazon Route 53 console at https://console.aws.amazon.com/route53/.

03 In the left navigation panel, under Dashboard, click Hosted Zones.

04 Click on the domain name of the DNS hosted zone that you want to reconfigure.

05 On the selected hosted zone configuration page, create a new TXT record by completing the following actions:

1. In the Records section, click Create Record button to initiate the setup process.
2. Choose Simple routing from the Routing policy menu, then click Next to continue.
3. Click on Define simple record and perform the following:
   • Leave the Record name field empty.
   • Select IP address or another value depending on the record type from the Value/Route traffic to dropdown list and type the required SPF value in the corresponding box, for example "v=spf1 include:_spf.google.com ~all". If you don't use Google mail servers, replace include:_spf.google.com with your mail server hostame/IPv4 address, e.g. "v=spf1 ip4:192.168.0.5/16 -all".
   • From the Record type dropdown menu, choose TXT – Used to verify email senders and for application-specific values.
   • In the TTL (Seconds) box, enter a value of 3600 (1 hour) as Time to Live (TTL) value.
   • Select Define simple record to save the record set.
4. Click on Create records to create a new TXT DNS record that implement the Sender Policy Framework (SPF) for the corresponding MX record.

06 Repeat step no. 4 and 5 to implement the Sender Policy Framework (SPF) for each Route 53 domain name with corresponding MX records.

01 To define the required SPF TXT-based record set and add it to an existing DNS hosted zone, you must create an AWS Route 53 change file, declare the new DNS record set, and save the record definition to a JSON file named spf-txt-record-set.json. The following example describes a TXT record definition that implements the Sender Policy Framework (SPF) for a domain name called cloudconformity.com, using Google mail servers as servers that are allowed to send mail for the specified domain:

{
  "Comment": "SPF TXT-based record set for cloudconformity.com hosted zone.",
  "Changes": [
    {
      "Action": "CREATE",
      "ResourceRecordSet": {
        "Name": "cloudconformity.com.",
        "Type": "TXT",
        "TTL": 3600,
        "ResourceRecords": [
          {
            "Value": "\"v=spf1 include:_spf.google.com ~all\""
          }
        ]
      }
    }
  ]
}

02 Run change-resource-record-sets command (OSX/Linux/UNIX) using the ID of the DNS hosted zone that you want to reconfigure as identifier parameter and the AWS Route 53 change file defined at the previous step (i.e. spf-txt-record-set.json) to add the new TXT DNS record that implement the Sender Policy Framework (SPF) for the corresponding MX record within the selected hosted zone:

aws route53 change-resource-record-sets
	--hosted-zone-id "/hostedzone/ABCD1234ABCD1234ABCD"
	--change-batch file://spf-txt-record-set.json

03 The command output should return the new DNS record set metadata, e.g.:

{
    "ChangeInfo": {
        "Status": "PENDING",
        "Comment": "SPF TXT-based record set for cloudconformity.com hosted zone.",
        "SubmittedAt": "2020-08-11T15:00:00.000Z",
        "Id": "/change/ABCDABCDABCDABCDABCD"
    }
}

04 Run get-change command (OSX/Linux/UNIX) using the AWS Route 53 change file ID returned at the previous step to get the current status for the newly added DNS record set:

aws route53 get-change
	--id "/change/ABCDABCDABCDABCDABCD"

05 The command output should return the current status of the DNS record batch request. The current status should be INSYNC, which indicates that the change was fully propagated to all AWS Route 53 DNS server nodes:

{
    "ChangeInfo": {
        "Status": "INSYNC",
        "Comment": "SPF TXT-based record set for cloudconformity.com hosted zone.",
        "SubmittedAt": "2020-08-11T16:00:00.000Z",
        "Id": "/change/ABCDABCDABCDABCDABCD"
    }
}

06 Repeat steps no. 1 – 5 to implement the Sender Policy Framework (SPF) for each Route 53 domain name with corresponding MX records.