
I'm using Amazon SES and Route53 and am confused about how to specify the TXT value to include the proper SPF config. Amazon gave me an SES TXT name/value pair which looks something like this:

Name: "_amazonses.xxx.com"
Value: "bInxJfnRbxxxxx9uFXgmxxxxxQHd08UxxxxxxsG+k="

I plugged this into my Route53 Record Set (same as "Zone file" on Godaddy). Sure enough after adding my SMTP credentials to my app and having Amazon verify my account ("grant production access"), it works and I can send email from my site to a variety of accounts (Gmail, Yahoo, Hotmail, my .edu university account).

I know nothing about SPF but hear it is good to include in one's email server configuration. By googling about Amazon SES, I keep seeing advice to include the following snippets:

"v=spf1 include:amazonses.com ~all"
"spf2.0/pra include:amazonses.com ~all"

Currently, these 2 snippets are included in the same TXT value field as that big, ugly value above ("bInxJfnRb...") and my emails still get sent OK.

Two related questions:

  1. Is putting all 3 of the snippets in a single TXT value field the right place for them?
  2. What are the circumstances under which "v=spf1 include:amazonses.com ~all" and "spf2..." come into play? Basically, how do I know if they are doing anything?
tim peterson

2 Answers


Tim,

I have always used TXT records for keeping SPF and SenderID information, as follows (the lines below are the result of a dig):

mydomain.com. 86400 IN TXT "v=spf1 include:amazonses.com ?all"
mydomain.com. 86400 IN TXT "spf2.0/pra include:amazonses.com ?all"

This is also how Amazon recommends you to do it.

Both SPF and SenderID are mechanisms ISPs use to verify that the server which sent the email as being from your domain is really authorized by your domain to do so. Whenever an ISP is about to forward your email message, it will perform this kind of check in order to guarantee it is not spam. The explanation on the Amazon SES page is one of the most concise I could find:

ISPs that forward email traffic on the Internet are well aware of spammers and their activities. Most ISPs have taken measures to evaluate whether email is legitimate. One such action that ISPs consider is email authentication, in which senders provide evidence that they are the owner of the account that they are sending from. In some cases, ISPs will refuse to forward email that is not authenticated.

If providers like Gmail, Yahoo!, etc., delivered your email to its final destination, your DNS entries are probably already correct. If you try to remove them and wait some time for the DNS settings to propagate, it is very likely your email will start being classified as spam. There are some web tools, like this one, which can help you validate your SPF records.

Hope it helps.

Viccari
  • thanks for that webtool link for checking SPF records, pretty neat! Do you know if I need to specify the SPF and SenderID information as TXT **and** SPF or just TXT? Also, can you say where that first value, `Value: "bInxJfnRbxxxxx9uFXgmxxxxxQHd08UxxxxxxsG+k="` goes in relation to the SPF info? – tim peterson Jul 13 '12 at 23:40
  • You're welcome! If you specify in the format I suggested, no need for the SPF records, just TXT is enough (don't forget to enclose the values in double-quotes, though). Regarding the other values that were provided to you, I'm sorry but I don't know what they mean. – Viccari Jul 13 '12 at 23:50
  • Yes, I've heard about the double quotes being necessary. I've done that. OK, I won't add the SPF, I'll just keep the TXT. Yeah, I'm not sure what the big, ugly value is for but I'll keep it in there since it works; my emails are sending great. – tim peterson Jul 13 '12 at 23:54
  • Doesn't adding `?all` make the whole thing useless? According to this post, [Authenticating with SPF: -all or ~all](https://wordtothewise.com/2014/06/authenticating-spf/), it means `No policy statement`. – null Mar 09 '15 at 09:45
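Added example, not code from the answer above or from Amazon: a small Python checker for TXT values like the ones in this thread. It applies the two rules a receiver follows under RFC 7208 (a value counts as SPF only if its first term is `v=spf1`, and nothing after `all` is evaluated), and it spells out what the `?all` qualifier from the comment above means. The sample values are constructed, with the SES token replaced by a placeholder.

```python
import re

# Constructed sample values (not the page's real records). The first is the
# questioner's layout: SES token plus SPF and SenderID text in ONE TXT value.
# The second is the separate v=spf1 record Viccari's dig output shows.
QUESTIONER_TXT = ("bInxEXAMPLETOKEN9uFXgmEXAMPLEQHd08UEXAMPLEsG+k= "
                  "v=spf1 include:amazonses.com ~all spf2.0/pra include:amazonses.com ~all")
VICCARI_TXT = "v=spf1 include:amazonses.com ?all"
# RFC 7208 qualifiers on the trailing "all" mechanism ("+" is the default).
ALL_MEANING = {
    "+": "pass: every sender passes, no protection",
    "-": "fail: unlisted senders should be rejected",
    "~": "softfail: unlisted senders accepted but marked",
    "?": "neutral: no policy statement, same as having no record",
}
SPF_TERM = re.compile(r"^([+\-~?])?(?:(all)|(include|a|mx|ip4|ip6|ptr|exists)(?::(\S+))?)$")

def classify(value):
    """Receivers judge a TXT value by its FIRST term only (RFC 7208 4.5): 'spf',
    'senderid' or 'other'. A value that starts with the SES token is 'other'."""
    first = value.split()[0].lower() if value.strip() else ""
    if first == "v=spf1":
        return "spf"
    return "senderid" if first.startswith("spf2.0/") else "other"

def parse_spf(value):
    """Return (includes, all_qualifier, problems) for one v=spf1 value."""
    includes, all_q, problems = [], None, []
    for term in value.split()[1:]:
        if all_q is not None:  # RFC 7208 5.1: terms after "all" are never tested
            problems.append(f"{term!r} follows 'all' and is ignored")
            continue
        m = SPF_TERM.match(term)
        if not m:
            problems.append(f"{term!r} is not valid SPF syntax (permerror)")
        elif m.group(2) == "all":
            all_q = m.group(1) or "+"
        elif m.group(3) == "include":
            includes.append(m.group(4))
    if all_q is None:
        problems.append("no 'all' mechanism: unlisted senders get neutral")
    return includes, all_q, problems

def explain(value):
    """One-line verdict for a TXT value, e.g. for each line of a dig answer."""
    kind = classify(value)
    if kind != "spf":
        return f"{kind}: not consulted by SPF"
    includes, all_q, problems = parse_spf(value)
    return f"spf: include={includes} all={ALL_MEANING.get(all_q)} problems={problems}"
```

Note that SPF is only ever looked up on the MAIL FROM or HELO domain, so a record published under `_amazonses.<domain>` is never consulted for mail claiming to come from `<domain>`, whatever it contains.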

SPF and Amazon SES

If you are using Amazon SES to send from your domain, you need to know that the current SES implementation involves sending emails from an SES-owned MAIL-FROM domain. This means that you do not need to make any changes to your DNS records in order for your emails to pass SPF authentication.

Source: SPF and Amazon SES

More info:

null