Since I set up contact forms on various websites I’ve had a slowly increasing volume of spam. Not direct spam sent to me, but bounces from non-existent addresses that were being spamme, apparently from my address. Unfortunately the spam wasn’t originating from my address, but my address was somehow picked up (probably from before I secured the contact forms on the site) and was being used as the “reply to” address. After some investigation I heard about SPF which is an e-mail anti-forgery system.
How to migrate DNS provider to Amazon Route 53
You’re going to need a DNS provider (in most cases your registrar) that supports SPF, DKIM and DMARC records. Mine (123-reg) doesn’t support DKIM so I decided I would have to look to move. However, I have been very happy with 123-reg for the past 9 years and moving to a new registrar didn’t appeal. Instead I decided to simply move my DNS servers to a different DNS provider. Amazon provide a DNS service as one of their web services called “Route 53″. Whilst this isn’t free it is based on a “pay for what you use” model, and I anticipate it costing me under £10 a year. As an added bonus Amazon’s DNS service is much faster than that of a typical registrar and so will speed up site access times.
- Sign up for Amazon web services. You will have to provide a credit card, and verify your ID — in my case I did this by automated phone call which took under 1 minute
- Login to the AWS Management Console
- Click on the link in the AWS console to open the Route 53 console
- Create a “hosted zone” for your domain
- Go to the record sets of the hosted zone
- In a new window (or tab) log in to your current registrar and have a look at your existing DNS records.
- Switch back to Route 53
- Create any DNS entries you need, probably by duplicating what you see in your current settings with your registrar
- Make a note of the 4 name servers (type NS)
- Switch back to your registrar’s control panel / console and change your name servers to the 4 you made a note of in #6.
This should complete the basic DNS migration from your registrar to Amazon Route 53. It might take up to 48 hours to fully propagate through the DNS system but I found it was almost instant for me. As long as you created all the records you need (probably by duplicating what you had set up previously on your registrar) you shouldn’t see any interruption of service.
Setting up SPF, DKIM and DMARC on Route 53 for Google Apps e-mail
I manage my e-mail through Google Apps. Setting up e-mail authentication on Google apps is fairly straightforward.
- Make sure you’re logged into route 53, and open the hosted zone for the domain you wish to create records for
- You will create 4 records — 2 SPF, 1 DKIM and 1 DMARC. 1 SPF record will be a special “SPF” type of record, the other 3 types will all be TXT records
- Both SPF records will contain the text “v=spf1 include:_spf.google.com –all”, including the ” marks. Remember to set one as type TXT and one as type SPF
- The DMARC record will have the value “v=DMARC1; p=quarantine; pct=100; rua=mailto:firstname.lastname@example.org”, and will have the name _dmarc. Make sure you change email@example.com to the address you want DMARC reports sent to. You can also change some of the properties, there is a guide by google which will help you decide what properties you wish to use.
- Finally, the DKIM record is the most complicated and requires some information from google which is specific to your domain…
- Log in to your google domain administrator panel at https://www.google.com/a/cpanel/primary-domain-name — remember to change primary-domain-name to your domain name
- Click on “advanced tools” and scroll down to the bottom, and click on “Set up email authentication (DKIM)”
- Make sure the correct domain is selected in the pull-down box (you probably only have 1 domain) and click on “generate new record”
- Enter a prefix if you want one — I just used “google” and click generate
- In the box that displays there is the record you need to enter at your registrar along with the hostname
- Copy the TXT record value and make a note of the DNS Host Name
- Switch back to Route 53
- Create the final (4th) new record — give it the name of the DNS Host Name you made a note of. Give it the value you copied from the TXT record value — remember to put the value inside “” marks
- Wait a few minutes and then click “Start Authentication”. If successful you’ll see “Status: Authenticating email”
- You may have to wait up to 24 hours for DNS to propagate so that you can start authentication, but generally it should happen pretty quickly