How to Add an SPF Record in AWS Route 53: Step-by-Step Guide
Add an SPF record in AWS Route 53 with step-by-step instructions. Covers field values, routing policies, TTL settings, and verification.
Last updated: 2026-06-03
Amazon Route 53 is AWS's DNS service, and it is a common choice for businesses that host their infrastructure on AWS. Adding an SPF record in Route 53 is straightforward once you know where to go. The interface is a bit more technical than typical domain registrars, but this guide walks you through every click and field — no AWS expertise required. New to SPF? Read What is SPF? first, or see our complete SPF guide for a full overview.
Before You Start
You need two things:
- Access to the AWS account that manages your domain's DNS. You will need to sign in to the AWS Management Console with a user that has Route 53 permissions.
- Your SPF record value. This is the text string that tells receiving email servers which services are allowed to send email for your domain. If you are not sure what to include, SPF Creator builds the correct record based on your email services.
A typical SPF record looks like this:
v=spf1 include:_spf.google.com ~all
Your record will vary depending on what sends email for your domain. Common includes are _spf.google.com for Google Workspace, spf.protection.outlook.com for Microsoft 365, and amazonses.com for Amazon SES. See SPF record examples for common configurations, or use SPF Creator to build your record.
Check for an existing SPF record first
Your domain can only have one SPF record. Adding a second one causes a PermError and breaks email authentication entirely. Always check first and edit the existing record if one is already there.
Step-by-Step: Adding an SPF Record in Route 53
Sign in to the AWS Management Console
Go to console.aws.amazon.com and sign in. If your organization uses AWS Single Sign-On, use the portal URL your team provided. Once you are in the console, search for "Route 53" in the search bar at the top and click on it.
Open Hosted Zones
In the Route 53 dashboard, click "Hosted zones" in the left sidebar. You will see a list of domains managed in this account. Click on the domain name you want to add the SPF record to. This opens the list of DNS records for that domain.
Click Create Record
Click the "Create record" button at the top of the records list (Route 53 documentation). Route 53 may open a wizard view or a quick create view. Either works — the fields are the same.
Fill in the record fields
Configure the record with these exact settings:
- Record name: Leave this blank for your root domain (the apex, like yourdomain.com). If you are adding SPF for a subdomain, enter just the subdomain part (for example, mail for mail.yourdomain.com).
- Record type: Select TXT – Text
- Value: Enter your SPF record value wrapped in double quotes. For example: "v=spf1 include:_spf.google.com ~all"
- TTL (seconds): Enter 300 for initial setup (this is 5 minutes, so changes take effect quickly). You can increase it to 3600 later once everything is confirmed working.
- Routing policy: Select Simple routing. SPF records do not need geolocation, failover, or any other routing type.
Save the record
Click "Create records" to save. Route 53 publishes the change to its global network of DNS servers. Changes typically propagate within 60 seconds across Route 53's own servers, but other DNS caches may take up to the old TTL value to update.
Verify the record is live
After saving, use the checker tool above to confirm your SPF record is published and valid. The tool shows the record contents, validates the syntax, and counts your DNS lookups to make sure you are within the 10 lookup limit.
Quotes are required in Route 53
Route 53 requires that TXT record values are wrapped in double quotes. If you enter v=spf1 include:_spf.google.com ~all without quotes, Route 53 may add them automatically — but it is best practice to include them yourself to avoid issues. The quotes are part of the DNS specification for TXT records; they do not appear in the actual SPF check.
Route 53-Specific Details
Simple Routing vs Other Policies
Route 53 offers several routing policies: Simple, Weighted, Geolocation, Latency, Failover, and Multivalue. For SPF records, you should always use Simple routing. The other policies are designed for distributing web traffic across multiple servers and have no relevance to email authentication records.
Route 53 Costs
Unlike many domain registrars where DNS hosting is included free, Route 53 charges for DNS. There is a small monthly fee per hosted zone (currently $0.50/month) and a per-query charge. For most small businesses, the total cost is under a dollar per month. Adding an SPF record does not meaningfully change your Route 53 bill.
TTL Recommendations
Setting the TTL to 300 seconds (5 minutes) during initial setup is a good practice. If something is wrong with your record, a short TTL means the corrected version spreads quickly. Once your SPF record is confirmed working, you can edit it and increase the TTL to 3600 seconds (1 hour) to reduce query volume slightly.
Route 53 SPF Record Examples
Here are common SPF record configurations, shown with the double quotes that Route 53 expects in the Value field:
Google Workspace only:
"v=spf1 include:_spf.google.com ~all"
Microsoft 365 only:
"v=spf1 include:spf.protection.outlook.com ~all"
Amazon SES only:
"v=spf1 include:amazonses.com ~all"
Google Workspace + Amazon SES:
"v=spf1 include:_spf.google.com include:amazonses.com ~all"
Domain that does not send email:
"v=spf1 -all"
If you have a domain that should never send email, publish v=spf1 -all to block spoofing.
Editing an Existing SPF Record in Route 53
If you need to add a new email service to an existing SPF record, find the TXT record starting with v=spf1 in your hosted zone, click on it, and click "Edit record." Add the new include: before ~all, then save. For example, to add SendGrid, change "v=spf1 include:_spf.google.com ~all" to "v=spf1 include:_spf.google.com include:sendgrid.net ~all".
Always verify with the checker tool after editing to confirm the syntax is correct and you are within the 10 DNS lookup limit.
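The one-SPF-record rule and the edit step above, as an added example in Python (not part of the original guide). The function names and sample values are hypothetical; the returned dictionary has the shape of the ChangeBatch argument that boto3's change_resource_record_sets accepts, and the input is assumed to be the unquoted TXT values already published at the name.

```python
import re

def is_spf(txt):
    # RFC 7208: an SPF record is "v=spf1" alone or followed by a space.
    return re.fullmatch(r"v=spf1( .*)?", txt.strip(), re.I) is not None

def add_include(spf, domain):
    """Insert include:<domain> just before the terminal 'all' mechanism."""
    terms, new = spf.split(), f"include:{domain}"
    if new.lower() in (t.lower() for t in terms):
        return spf                      # already authorised, nothing to change
    for i, term in enumerate(terms):
        if term.lstrip("+-~?").lower() == "all":
            return " ".join(terms[:i] + [new] + terms[i:])
    return " ".join(terms + [new])      # no 'all' term: append at the end

def quote_txt(value):
    """Route 53 TXT value: double-quoted strings of at most 255 characters."""
    if '"' in value or "\\" in value:
        raise ValueError("value needs escaping; handle it by hand")
    chunks = [value[i:i + 255] for i in range(0, len(value), 255)]
    return " ".join(f'"{c}"' for c in chunks)

def build_change_batch(name, existing_txt, new_include, ttl=300):
    """existing_txt: unquoted TXT values currently published at `name`."""
    spf = [t for t in existing_txt if is_spf(t)]
    if len(spf) > 1:
        raise ValueError("more than one SPF record: receivers return PermError")
    others = [t for t in existing_txt if not is_spf(t)]
    # Assumption: with no SPF record yet, start from a bare "v=spf1 ~all".
    updated = add_include(spf[0] if spf else "v=spf1 ~all", new_include)
    # UPSERT replaces the whole TXT record set, so unrelated values are kept.
    records = [{"Value": quote_txt(v)} for v in others + [updated]]
    return {"Changes": [{"Action": "UPSERT", "ResourceRecordSet": {
        "Name": name, "Type": "TXT", "TTL": ttl, "ResourceRecords": records}}]}

# Constructed sample: the apex already holds a verification token and an SPF record.
EXISTING = ["site-verification=CONSTRUCTED-TOKEN",
            "v=spf1 include:_spf.google.com ~all"]
BATCH = build_change_batch("yourdomain.com.", EXISTING, "sendgrid.net")
```

Route 53 keeps every TXT value for a name in a single record set, which is why the batch carries the verification token alongside the updated SPF string.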
Verifying Your Setup
After adding your SPF record in Route 53:
1. Check the record with the tool above. Confirm it shows the correct value, passes syntax validation, and stays within the lookup limit.
2. Send a test email. Send an email from your domain to a Gmail address. Open the message, click the three dots, and select "Show original." Look for spf=pass in the authentication results.
3. Set up full authentication. SPF works best alongside DKIM and DMARC. Add both as TXT records in Route 53 following the same process. The Email Deliverability Suite checks all three protocols at once.
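How the 10 DNS lookup limit adds up across nested includes, as an added example in Python (not part of the original guide and not the checker tool's code). The zone contents are constructed and the function names are hypothetical; a real check would fetch each TXT record from DNS instead of reading a dictionary.

```python
import re

LIMIT = 10  # RFC 7208 caps DNS-querying terms per SPF evaluation at 10
TERM = re.compile(
    r"[+\-~?]?(include|a|mx|ptr|exists|redirect)(?:[:=/](.*))?", re.I)

def count_lookups(domain, txt_zone, depth=0):
    """Count DNS-querying terms, following include: and redirect= targets."""
    if depth > LIMIT:
        raise ValueError("include/redirect chain too deep (possible loop)")
    record = txt_zone.get(domain.lower())
    if record is None:
        raise ValueError(f"no SPF record found for {domain}")
    total = 0
    for term in record.split()[1:]:        # skip the leading v=spf1
        m = TERM.fullmatch(term)
        if m is None:
            continue                       # ip4, ip6, all, exp= cost nothing
        total += 1
        if m.group(1).lower() in ("include", "redirect"):
            total += count_lookups(m.group(2), txt_zone, depth + 1)
    return total

def within_limit(domain, txt_zone):
    used = count_lookups(domain, txt_zone)
    return used, used <= LIMIT

# Constructed zone data standing in for live TXT answers.
ZONE = {
    "yourdomain.com":
        "v=spf1 include:spf.mail.example include:spf.crm.example mx ~all",
    "spf.mail.example":
        "v=spf1 include:a.spf.mail.example include:b.spf.mail.example ~all",
    "a.spf.mail.example": "v=spf1 ip4:192.0.2.0/24 ~all",
    "b.spf.mail.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "spf.crm.example": "v=spf1 a:out.crm.example ip6:2001:db8::/32 -all",
}
RESULT = within_limit("yourdomain.com", ZONE)
```

The top-level record shows only three lookup terms, but the nested includes bring the total to six, which is why each added include: is worth rechecking.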
Using a different DNS provider? See our guides for Cloudflare, GoDaddy, or DigitalOcean.
References
- RFC 7208: Sender Policy Framework (SPF) — The current SPF specification
- AWS Route 53: Creating records — Official Route 53 DNS documentation