Articles

Route 53 SPF, DKIM, DMARC Records: Email Auth Setup (2026)

April 18, 2026 4 min read

Setting up SPF, DKIM, and DMARC records in Route 53 is crucial for email deliverability, but the real magic is that they don’t guarantee delivery – they guarantee you’re authorized to send email, and tell receivers what to do if someone else claims to be you.

Let’s see it in action. Imagine you’re sending an email from sender@example.com to recipient@gmail.com.

  1. Sender’s Mail Server (example.com): When your email leaves your server, it’s signed with a DKIM signature. This signature is generated using a private key that only your server has.
  2. Recipient’s Mail Server (gmail.com): Upon receiving the email, Gmail’s servers look up your domain’s (example.com) DNS records in Route 53.
  3. Route 53 Lookup: Gmail queries for:
    • SPF Record: It finds a TXT record like v=spf1 include:_spf.google.com ~all. This tells Gmail that emails originating from Google’s mail servers (specified by include:_spf.google.com) are authorized to send on behalf of example.com. The ~all (softfail) means other senders might be suspect but not outright rejected.
    • DKIM Record: It finds a TXT record like selector._domainkey.example.com IN TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA...". Gmail uses the public key (p=...) found in this record to verify the DKIM signature attached to your email. If the signature matches the email’s content and was generated with the corresponding private key, DKIM passes.
    • DMARC Record: It finds a TXT record like _dmarc.example.com IN TXT "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com;". This record tells Gmail what to do if either SPF or DKIM fails (or both). p=quarantine means if authentication fails, the email should be treated with suspicion, likely ending up in the spam folder. rua=mailto:dmarc-reports@example.com tells Gmail to send aggregate reports about authentication results to your specified email address.

If SPF and DKIM both pass, DMARC passes. If either SPF or DKIM fails, DMARC checks its policy (p=) to decide whether to reject, quarantine, or do nothing with the email.

The Problem This Solves: Email spoofing and phishing. Without these records, anyone could send an email claiming to be from yourcompany.com, damaging your brand reputation and potentially tricking your customers. These records create a verifiable chain of trust for your outgoing email.

How It Works Internally (Route 53 specific): Route 53 acts as the DNS authoritative server. When a receiving mail server queries for example.com’s SPF, DKIM, or DMARC records, Route 53 retrieves the TXT records you’ve configured for those specific hostnames (e.g., example.com, selector._domainkey.example.com, _dmarc.example.com). The DNS resolution process is standard; Route 53 just serves the data.

Levers You Control:

  • SPF: The v=spf1 record itself. You specify which IP addresses or mail servers are authorized. Common modifiers include include: (to delegate to another SPF record, like for a marketing service), a (for A records), mx (for MX records), ip4:, ip6:, and the all mechanism (-all for hardfail, ~all for softfail, ?all for neutral).
    • Example config for a simple setup sending from Google Workspace: v=spf1 include:_spf.google.com ~all
  • DKIM: The generation of the private/public key pair and the configuration of the selector._domainkey TXT record in Route 53. The selector is a name you choose (e.g., google, mail, selector1) that distinguishes this key from others you might have for the same domain. The public key (p=...) is what Route 53 stores.
    • Example config (simplified): selector1._domainkey.example.com IN TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA..."
  • DMARC: The _dmarc.example.com TXT record. You define the policy (p=) for receivers when SPF/DKIM fail:
    • none: Monitor only, no action taken.
    • quarantine: Mark as spam.
    • reject: Reject the email entirely. You also specify where to send aggregate reports (rua=) and optionally forensic reports (ruf=).
    • Example config for quarantine and reporting: v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com;

The one thing most people don’t realize is that SPF and DKIM are independent checks, and DMARC requires one of them to pass for the DMARC check itself to pass. It’s not that DMARC does the authentication; it enforces a policy based on the results of SPF and DKIM. If your SPF record is v=spf1 -all and you send from an IP not listed, SPF fails. If your DKIM signature is invalid or missing, DKIM fails. DMARC then looks at its policy (p=) based on those individual failures.

The next step after correctly setting these up is to analyze the DMARC reports to identify legitimate sending sources you might have missed and to monitor for malicious activity.

Want structured learning?

Take the full Route53 course →