Logo of Trend Micro

Sender Policy Framework Record Present

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: Medium (should be achieved)
Rule ID: Route53-008

Ensure your AWS Route 53 hosted zones have a TXT DNS record that contains a corresponding Sender Policy Framework (SPF) value set for each MX record available. The SPF record enables your Route 53 registered domains to publicly state which mail servers are authorized to send emails on its behalf.

This rule can help you with the following compliance standards:

This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS

Security

Implementing SPF (Sender Policy Framework) records for your AWS Route 53 domain names will help you detect and stop email address spoofing in order to reduce spam and increase your domains trustworthiness.

Note: This guide assumes that your Route 53 domain names are using MX records for defining the servers that should handle the email delivery.

Audit

To determine if your Route 53 DNS hosted zones contain corresponding SPF entries for MX records, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Route 53 dashboard at https://console.aws.amazon.com/route53/.

03 In the left navigation panel, under Dashboard, click Hosted Zones.

04 Click on the domain name hosted zone that you want to examine.

05 On the DNS hosted zone page, select SPF from the Record Type dropdown list:

select SPF from the Record Type dropdown list

to list all the SPF records created for the selected domain. If the filtering process does not return any SPF entries, the selected domain name does not have SPF records defined for the corresponding MX records, therefore is not SPF-protected.

06 Repeat steps no. 4 and 5 for each DNS hosted zone created with AWS Route 53.

Using AWS CLI

01 Run list-hosted-zones command (OSX/Linux/UNIX) to retrieve the list with all the DNS hosted zones available in your AWS account: 

aws route53 list-hosted-zones

02 The command output should return an array with all the DNS zones available and their metadata (including each zone ID - highlighted): 

{
    "HostedZones": [
        {
            "ResourceRecordSetCount": 7,
            "CallerReference": "9D6EF163-FE8C-F83D-8AFE-DBB41CBA30DE",
            "Config": {
                "PrivateZone": false
            },
            "Id": "/hostedzone/Z1XXGMPJVVM9AE",
            "Name": "domain.com."
        }
    ]
}

03 Run list-resource-record-sets command (OSX/Linux/UNIX) using the hosted zone ID (highlighted) returned at the previous step to check for any SPF records created for the selected domain name: 

aws route53 list-resource-record-sets
	--hosted-zone-id Z1XXGMPJVVM9AE
	--query "ResourceRecordSets[?Type == 'SPF']"

04 The command output should return an array with all the SPF record sets available in the specified hosted zone and their metadata. If the array returned as output is empty, i.e. [ ], the selected domain name does not have any SPF DNS records defined, therefore is not SPF-protected: 

[ ]

05 Repeat steps no. 3 and 4 for each DNS hosted zone created with AWS Route 53.

Remediation / Resolution

To create SPF record sets for the corresponding MX records within your Route 53 DNS hosted zones, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Route 53 dashboard at https://console.aws.amazon.com/route53/.

03 In the left navigation panel, under Dashboard, click Hosted Zones.

04 Click on the domain name hosted zone that you want to update.

05 On the DNS hosted zone page, create a new SPF record by completing the following actions:

  1. Click Create Record Set button from the dashboard top menu.
  2. Leave the Name field empty.
  3. From the Type dropdown list select SPF - Sender Policy Framework.
  4. In the TTL (Seconds) field, enter a value of 3600 (1 hour) for Time to Live.
  5. In the Value text box, enter the SPF value required, e.g. "v=spf1 include:_spf.google.com ~all". If you don’t use Google mail servers, replace include:_spf.google.com with the authorized mail server hostname/IP address e.g. "v=spf1 ip4:54.83.154.213/32 ~all".
  6. From the Routing Policy dropdown list, select Simple as the routing method for the SPF DNS record.

06 Click Create to add the new SPF record to the DNS hosted zone.

07 Repeat steps no. 4 – 6 for each domain DNS hosted zone without SPF record sets (see Audit section to determine which domains require SPF records).

Using AWS CLI

01 Run list-hosted-zones command (OSX/Linux/UNIX) to retrieve a list with all the DNS hosted zones available in your AWS account: 

aws route53 list-hosted-zones

02 The command output should return an array with all the DNS zones available and their metadata (including each zone ID - highlighted): 

{
    "HostedZones": [
        {
            "ResourceRecordSetCount": 7,
            "CallerReference": "9F6EF163-FE8C-F83D-8AFE-DBB41CBA30BD",
            "Config": {
                "PrivateZone": false
            },
            "Id": "/hostedzone/Z1XXGMPJVVM6DG",
            "Name": "awsdomain.com."
        }
    ]
}

03 To add the required SPF record to an existing DNS hosted zone, you must create first a Route 53 change file (i.e. a JSON file named spf-record-set.json) to declare the new SPF DNS record. The following command example describes a Sender Policy Framework record definition for a domain name called awsdomain.com: 

{
  "Comment": "SPF record set for awsdomain.com hosted zone.",
  "Changes": [
    {
      "Action": "CREATE",
      "ResourceRecordSet": {
        "Name": "awsdomain.com.",
        "Type": "SPF",
        "TTL": 3600,
        "ResourceRecords": [
          {
            "Value": "\"v=spf1 include:_spf.google.com ~all\""
          }
        ]
      }
    }
  ]
}

04 Run change-resource-record-sets command (OSX/Linux/UNIX) using the hosted zone ID returned at step no. 2 and the Route 53 change file (spf-record-set.json) as command parameters: 

aws route53 change-resource-record-sets
	--hosted-zone-id Z1XXGMPJVVM6DG
	--change-batch file://spf-record-set.json

05 The command output should return the new SPF record set metadata. The record set status should be PENDING at this moment: 

{
    "ChangeInfo": {
        "Status": "PENDING",
        "Comment": "SPF record set for awsdomain.com hosted zone.",
        "SubmittedAt": "2016-05-25T11:24:29.663Z",
        "Id": "/change/DS22QA2MN6GTI"
    }
}

06 Run get-change command (OSX/Linux/UNIX) using the Route 53 change file ID returned at the previous step to get the current status for the newly added record set: 

aws route53 get-change
	--id DS22QA2MN6GTI

07 The command output should return the current status of the DNS record batch request. The current status should be INSYNC, which indicates that the change was fully propagated to all AWS Route 53 DNS server nodes: 

{
  "ChangeInfo": {
    "Status": "INSYNC",
    "Comment": "SPF record set for the zone.",
    "SubmittedAt": "2016-05-25T11:24:29.663Z",
    "Id": "/change/DS22QA2MN6GTI"
  }
}

08 Repeat steps no. 3 – 7 for each domain DNS hosted zone that requires SPF record sets (see Audit section to determine which domains require SPF records).

References

Publication date May 26, 2016

Related Route53 rules

Unlock the Remediation Steps

Gain free unlimited access
to our full Knowledge Base

Over 750 rules & best practices
for AWS and Azure

You are auditing:

Sender Policy Framework Record Present

Risk level: Medium