Ensure that your AWS Route 53 hosted zones contain, for each MX record available, a corresponding TXT DNS record with a Sender Policy Framework (SPF) value set. The SPF record enables your Route 53 registered domains to publicly state which mail servers are authorized to send emails on their behalf.
This rule can help you with the following compliance standards:
- NIST4
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
Implementing SPF (Sender Policy Framework) records for your AWS Route 53 domain names helps you detect and stop email address spoofing, which reduces spam and increases your domains' trustworthiness.
Note: This guide assumes that your Route 53 domain names are using MX records for defining the servers that should handle the email delivery.
Audit
To determine if your Route 53 DNS hosted zones contain corresponding SPF entries for MX records, perform the following:
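One way to run this check offline, as an added example that is not Conformity's own procedure: the script below takes the JSON shape returned by `aws route53 list-resource-record-sets` and reports, for every MX name, whether a TXT record carrying an SPF value exists at the same name. The sample record sets are constructed and the function names are hypothetical. It goes slightly beyond the rule by also flagging names with more than one SPF value and by not counting the legacy `SPF` record type.

```python
import json
import re

# Constructed sample shaped like `aws route53 list-resource-record-sets` output.
SAMPLE = json.loads(r'''
{"ResourceRecordSets": [
 {"Name": "example.com.", "Type": "MX", "ResourceRecords": [{"Value": "10 mail.example.com."}]},
 {"Name": "example.com.", "Type": "TXT", "ResourceRecords": [
   {"Value": "\"google-site-verification=abc\""},
   {"Value": "\"v=spf1 include:amazonses.com \" \"-all\""}]},
 {"Name": "news.example.com.", "Type": "MX", "ResourceRecords": [{"Value": "10 mx.example.net."}]},
 {"Name": "news.example.com.", "Type": "SPF", "ResourceRecords": [{"Value": "\"v=spf1 -all\""}]},
 {"Name": "dup.example.com.", "Type": "MX", "ResourceRecords": [{"Value": "5 mx.example.net."}]},
 {"Name": "dup.example.com.", "Type": "TXT", "ResourceRecords": [
   {"Value": "\"v=spf1 mx -all\""}, {"Value": "\"V=SPF1 a ~all\""}]}
]}
''')

def txt_text(value):
    """Join the quoted chunks of one Route 53 TXT value into a single string."""
    return "".join(re.findall(r'"((?:[^"\\]|\\.)*)"', value))

def is_spf(text):
    # RFC 7208: the version term is exactly "v=spf1", then a space or end of record.
    return re.match(r"v=spf1( |$)", text, re.I) is not None

def audit_spf(record_sets):
    """Return {mx_name: status} where status is 'ok', 'missing' or 'multiple'."""
    spf_count = {}
    for rrset in record_sets:
        if rrset["Type"] != "TXT":  # legacy SPF (type 99) records are deliberately ignored
            continue
        name = rrset["Name"].lower()
        hits = sum(is_spf(txt_text(r["Value"])) for r in rrset.get("ResourceRecords", []))
        spf_count[name] = spf_count.get(name, 0) + hits
    result = {}
    for rrset in record_sets:
        if rrset["Type"] == "MX":
            n = spf_count.get(rrset["Name"].lower(), 0)
            # More than one SPF value at a name is a permanent error for receivers.
            result[rrset["Name"]] = "ok" if n == 1 else "missing" if n == 0 else "multiple"
    return result

if __name__ == "__main__":
    for name, status in audit_spf(SAMPLE["ResourceRecordSets"]).items():
        print(f"{name:20} {status}")
```

To audit a real zone, pass the parsed `ResourceRecordSets` list from the CLI output to `audit_spf` in place of the constructed sample.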
Remediation / Resolution
To create SPF record sets for the corresponding MX records within your Route 53 DNS hosted zones, perform the following:
References
- AWS Documentation
  - Amazon Route 53 FAQs
  - What Is Amazon Route 53?
  - Working with Public Hosted Zones
  - Working with Resource Record Sets
  - Creating Resource Record Sets by Using the Amazon Route 53 Console
- AWS Command Line Interface (CLI) Documentation
  - route53
  - list-hosted-zones
  - list-resource-record-sets
  - change-resource-record-sets
  - get-change

You are auditing:
Sender Policy Framework Record Present
Risk level: Medium