3

From where do I get the correct syntax to create a proper SPF record for EC2 amazon server? I understand how to create a dns entry but I have no idea what to put in place for the SPF record.

Alak

3 Answers

12

This is very easy to do:

  1. Provision an Elastic IP for your server
  2. Set up an "A" record for the server which will be sending mail with your favorite registrar. A good practice to follow is to include "svr" somewhere in the hostname, as in app-svr-01.youdomain.com
  3. Click here to contact Amazon and ask for a reverse DNS record for the IP

  4. Add the following somewhere in your SPF record and you should be good to go:

    a:app-svr-01.youdomain.com

Note: if you need to relay mail through this server from your other AWS servers, or communicate between servers in any other way, you should not use this new FQDN, but rather the AWS FQDN from the AWS console (it will look like ec2-xxx-xxx-xx-xx.compute-1.amazonaws.com).

Using your custom domain name will route through the "WAN" and incur bandwidth charges.

Cloud Controller
  • After you get your A record in DNS as above and Amazon has set up your reverse DNS, you can set up the TXT record for multiple email sources with something like this: v=spf1 a mx include:helpscoutemail.com include:slp-app-svr-01.yourdomain.com ~all That is what we are using to ensure our HelpScout and AWS EC2 email both pass SPF/DKIM. – Lance Cleveland Feb 27 '17 at 13:03
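To see how a receiving server actually evaluates the records discussed in this answer and its comment, here is a small SPF checker (added example, not code from the answer or from AWS). It resolves mechanisms against a constructed in-memory DNS table instead of live DNS; every domain, IP and record in it, including the stand-in for amazonses.com, is made up for the example.

```python
import ipaddress

# Constructed stand-in for DNS lookups; a real checker queries TXT, A and MX records.
# All names and addresses below are hypothetical (RFC 5737 documentation ranges).
FAKE_DNS = {
    "txt": {
        "yourdomain.com": "v=spf1 a mx a:app-svr-01.yourdomain.com include:amazonses.com ~all",
        "amazonses.com": "v=spf1 ip4:198.51.100.0/24 -all",   # not the real SES record
    },
    "a": {
        "yourdomain.com": ["203.0.113.10"],
        "app-svr-01.yourdomain.com": ["203.0.113.20"],       # the Elastic IP from step 1
        "mail.yourdomain.com": ["203.0.113.30"],
    },
    "mx": {"yourdomain.com": ["mail.yourdomain.com"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(domain, ip, dns=FAKE_DNS, depth=0):
    """Evaluate domain's SPF record for sender ip; returns an RFC 7208 result string."""
    if depth > 10:                              # RFC 7208 caps include: nesting
        return "permerror"
    record = dns["txt"].get(domain)
    if not record or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual = "+"                              # mechanisms default to "+" (pass)
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.lower().partition(":")
        if name == "all":
            return QUALIFIERS[qual]
        if name in ("ip4", "ip6"):
            hit = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "a":                       # "a" alone means the record's own domain
            hit = str(addr) in dns["a"].get(arg or domain, [])
        elif name == "mx":
            hosts = dns["mx"].get(arg or domain, [])
            hit = any(str(addr) in dns["a"].get(h, []) for h in hosts)
        elif name == "include":
            sub = check_spf(arg, ip, dns, depth + 1)
            if sub in ("none", "permerror"):    # a missing include target breaks the record
                return "permerror"
            hit = sub == "pass"
        else:
            return "permerror"                  # unknown mechanism
        if hit:
            return QUALIFIERS[qual]
    return "neutral"                            # record ended without an "all" term
```

Run check_spf("yourdomain.com", "203.0.113.20") to see the Elastic IP pass via the a: mechanism, and try an address outside the table to see the ~all softfail that the comment's record relies on.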
2

You can use the Amazon Simple Email Service (SES). If you only use this service (and not directly), then your SPF can be as simple as described in the FAQ:

http://docs.amazonwebservices.com/ses/latest/DeveloperGuide/SPF.html

maybe changing it to a definite fail on mismatch:

v=spf1 include:amazonses.com -all

eckes
-4

Creating an SPF record for an EC2 instance is a waste of time. Every major ISP and blacklist will blackhole mail from an EC2 IP no matter what you do. Since anyone can spin up an instance, get a new IP, send spam and disappear, nobody trusts their mail.

Use an external mail server, like SendGrid.

Dan Grossman
  • This is not true if you have reverse DNS set up, which in my case I do. – Alak Jul 14 '11 at 09:43
  • Setting up reverse DNS is the key point while creating SPF for your EC2, probably this point is missed while answering the question. – Adnan May 26 '18 at 02:12
  • I agree, many sites blacklist EC2 address ranges by IP independent from reverse zones and SPF. If you rely on being able to reach the maximum audience, sending from those IPs is not a good starting point (this is why my answer points to SES as the AWS alternative; Sendgrid is another one). – eckes Feb 22 '20 at 02:13