How to Set Up DMARC in AWS Route 53: Step-by-Step DNS Configuration

Add a DMARC record to AWS Route 53. Step-by-step guide covering hosted zones, TXT record creation, and verification for Amazon SES and other email services.

Last updated: 2026-05-25

AWS Route 53 is Amazon's scalable DNS service, and if you run infrastructure on AWS, there is a good chance your domain's DNS lives there too. Adding a DMARC record in Route 53 is a straightforward TXT record creation, but there are a few Route 53 quirks around record naming and value quoting that trip people up. This guide covers the full process from start to finish.

If you are using Amazon SES as your email sending service, you will also need to configure SPF and DKIM on the SES side. This guide focuses on the DNS record in Route 53. For the SES-specific authentication setup, see our DMARC for Amazon SES guide.

Prerequisites

Before you add a DMARC record in Route 53, make sure the following are in place.

You need an AWS account with Route 53 access. Specifically, you need IAM permissions for route53:ChangeResourceRecordSets and route53:ListHostedZones, or broader Route 53 access. If you are using an IAM role with restricted permissions, verify you can create DNS records before proceeding.

Your domain must have a hosted zone in Route 53. A hosted zone is the container for all DNS records belonging to a domain. If your domain is registered through Route 53, a public hosted zone was created automatically. If your domain is registered elsewhere but you use Route 53 for DNS, confirm your registrar's nameservers point to the Route 53 name servers listed in your hosted zone's NS record.

SPF and DKIM should already be configured. DMARC depends on both protocols. SPF defines which servers are authorized to send email for your domain. DKIM adds a cryptographic signature to outgoing messages. Without them, DMARC has nothing to evaluate. Use spfcreator.com to generate your SPF record and dkimcreator.com for DKIM.

You need your DMARC record value ready. A basic monitoring-only record looks like this:

v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com;

Start with p=none to collect aggregate reports without impacting email delivery. Move to enforcement only after you have reviewed your data. For guidance on policy levels, see our DMARC policy levels guide.

If you manage multiple domains across several AWS accounts, each domain's DMARC record must be added to its own hosted zone. There is no way to share a single DMARC record across hosted zones.

Step-by-Step: Adding a DMARC Record in Route 53

1. Open the Route 53 console

Sign in to the AWS Management Console and navigate to Route 53. You can find it under Networking & Content Delivery in the services menu, or type "Route 53" in the search bar at the top of the console.

2. Select your hosted zone

In the left sidebar, click Hosted zones. You will see a list of all public and private hosted zones in your account. Click on the domain name you want to add DMARC to. This opens the record set for that zone.

3. Click Create record

Click the Create record button. Route 53 offers two creation modes: the wizard view and the quick create view. Either works. If you are in the wizard view, select Simple routing and click Next, then Define simple record.

4. Set the record name to _dmarc

In the Record name field, enter _dmarc. Route 53 automatically appends your domain name, so the full record will resolve at _dmarc.yourdomain.com. Do not enter the full domain — just _dmarc with the leading underscore.

5. Set the record type to TXT

In the Record type dropdown, select TXT — Text. DMARC records are always published as TXT records. Do not use CNAME or any other type.

6. Enter your DMARC value

In the Value field, paste your DMARC record string wrapped in double quotes. Route 53 requires TXT record values to be enclosed in quotes. For example: "v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com;". If you omit the quotes, Route 53 will reject the record or silently add them, depending on the console version.

7. Set the TTL

The default TTL in Route 53 is 300 seconds (5 minutes). This is a reasonable value. You can increase it to 3600 (1 hour) once your record is stable. A lower TTL is useful during initial setup because it lets changes propagate faster if you need to make corrections.

8. Create the record

Click Create records (or Define simple record followed by Create records if you used the wizard). The record will appear in your hosted zone's record list as a TXT record at _dmarc.yourdomain.com.

Route 53-Specific Details

TXT Record Quoting

This is the most common source of errors in Route 53. Unlike Cloudflare or GoDaddy, Route 53 expects TXT record values to be explicitly wrapped in double quotes in the value field. The correct format is:

"v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com;"

If you paste the value without quotes, Route 53 may return a validation error. When editing records via the AWS CLI or Terraform, the quoting rules get even more specific — you need to escape the quotes within your JSON payload.
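The same _dmarc record that the console steps above create can be submitted through the AWS CLI or SDK as a change batch. The following is an added example, not code from the original guide: it builds the ChangeBatch document that `aws route53 change-resource-record-sets --change-batch file://dmarc.json` expects, applies the Route 53 TXT quoting rule (outer double quotes, and a split into several quoted strings if a value ever exceeds 255 characters), and uses UPSERT so that re-running it replaces rather than duplicates the record. The domain, reporting address and hosted zone id are constructed placeholders.

```python
"""Build a Route 53 change batch for a _dmarc TXT record with correct quoting.

Added example for this guide; the domain, reporting address and the
ZONEID_PLACEHOLDER value below are constructed, not real.
"""
import json

# Route 53 accepts at most 255 characters per quoted string inside a TXT value.
# Longer values are published as several quoted strings, which resolvers
# concatenate back together.
MAX_TXT_CHUNK = 255


def route53_txt_value(raw: str) -> str:
    """Wrap a raw TXT string in the double quotes Route 53 requires.

    A value longer than 255 characters is split into consecutive quoted chunks
    ("aaa" "bbb"). DMARC values never contain quotes or backslashes, so those
    are rejected rather than escaped.
    """
    if '"' in raw or "\\" in raw:
        raise ValueError("DMARC values must not contain quotes or backslashes")
    chunks = [raw[i:i + MAX_TXT_CHUNK] for i in range(0, len(raw), MAX_TXT_CHUNK)]
    return " ".join(f'"{chunk}"' for chunk in chunks)


def build_dmarc_change_batch(domain: str, dmarc_value: str, ttl: int = 300,
                             action: str = "UPSERT") -> dict:
    """Return the ChangeBatch that creates or replaces _dmarc.<domain>.

    UPSERT creates the record set if it is absent and replaces it otherwise,
    so there is only ever one TXT record set at _dmarc. Use CREATE instead if
    you want the call to fail when a record already exists.
    """
    return {
        "Comment": "DMARC policy record",
        "Changes": [{
            "Action": action,
            "ResourceRecordSet": {
                # Route 53 names are fully qualified and end with a single dot.
                "Name": f"_dmarc.{domain.rstrip('.')}.",
                "Type": "TXT",
                "TTL": ttl,
                "ResourceRecords": [{"Value": route53_txt_value(dmarc_value)}],
            },
        }],
    }


def change_batch_json(domain: str, dmarc_value: str, ttl: int = 300) -> str:
    """Serialise the batch for --change-batch file://dmarc.json.

    json.dumps escapes the TXT quotes as \\", which is the "escape the quotes
    within your JSON payload" rule the guide mentions.
    """
    return json.dumps(build_dmarc_change_batch(domain, dmarc_value, ttl), indent=2)


if __name__ == "__main__":
    value = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com;"
    print(change_batch_json("example.com", value))
    # Save the output as dmarc.json and apply it with (zone id is a placeholder):
    #   aws route53 change-resource-record-sets \
    #       --hosted-zone-id ZONEID_PLACEHOLDER --change-batch file://dmarc.json
```

Because the value is built once and quoted by code, the "forgot the quotes" and "duplicated the quotes" failure modes described later in this guide cannot occur in a scripted deployment; the resulting record resolves exactly as the console-created one does.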

Record Name Behavior

Route 53 shows the full domain name in its record list. When you type _dmarc in the name field, the console displays _dmarc.yourdomain.com. (with a trailing dot). The trailing dot is standard DNS notation and is expected. Do not add a second trailing dot manually.

Routing Policies

For a DMARC record, always use Simple routing. Do not use weighted, latency, failover, or geolocation routing. DMARC records must return a single, consistent value regardless of where the DNS query originates. Using any other routing policy can cause intermittent authentication failures.

Managing Records with Infrastructure as Code

If you manage Route 53 with Terraform, CloudFormation, or the AWS CDK, define your DMARC record in code rather than clicking through the console. This keeps your DNS configuration version-controlled and reproducible. In Terraform, the resource looks like this:

resource "aws_route53_record" "dmarc" {
  zone_id = aws_route53_zone.main.zone_id   # the public hosted zone for yourdomain.com
  name    = "_dmarc.yourdomain.com"         # full record name, not just _dmarc
  type    = "TXT"
  ttl     = 300                             # seconds; raise once the record is stable
  # the provider adds the surrounding TXT quotes for you
  records = ["v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com;"]
}

Note that Terraform handles the outer quoting for you — you do not need to add extra double quotes inside the records list.

Using Amazon SES?

If Amazon SES is your email sending service, you need to configure DKIM and SPF within SES as well. Route 53 hosts the DNS records, but SES is where you verify your sending domain and enable authentication. See our DMARC for Amazon SES guide for the full walkthrough.

Verifying Your DMARC Record

After creating the record, allow a few minutes for propagation. Route 53 changes typically take effect within 60 seconds for existing hosted zones, but external DNS caches may take longer depending on previous TTL values.

Check your record using dmarcrecordchecker.com. Verify that:

  • The record starts with v=DMARC1
  • Your chosen policy (p=none, p=quarantine, or p=reject) is present
  • Your rua reporting address is correct if you included one
  • There is only one DMARC record for the domain

You can also verify from the command line using dig:

dig TXT _dmarc.yourdomain.com +short

This should return your DMARC string wrapped in quotes.
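To turn the checklist above into something repeatable, here is an added example (not part of the original guide) that parses the output of `dig TXT _dmarc.yourdomain.com +short` and reports the same problems: no v=DMARC1 record, an invalid or missing policy, a rua entry that is not a mailto: URI, and more than one DMARC record at the name, which is the duplicate-record mistake discussed in Common Mistakes. It reads a constructed sample instead of performing a live query, so it runs offline; pipe real dig output into it to check your own zone.

```python
"""Validate the TXT answer for _dmarc.<domain> from dig +short output.

Added example for this guide; SAMPLE_DIG_OUTPUT is constructed, not captured
from a real domain.
"""
import re
import sys

VALID_POLICIES = {"none", "quarantine", "reject"}

# Constructed sample of what `dig TXT _dmarc.example.com +short` prints.
SAMPLE_DIG_OUTPUT = '"v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com;"\n'


def parse_dig_short(output: str) -> list[str]:
    """Turn dig +short lines into raw TXT strings.

    Each answer line holds one or more quoted strings; several strings on one
    line are concatenated (that is how values over 255 characters are
    published), and the \\" escape dig prints for embedded quotes is undone.
    """
    records = []
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        chunks = re.findall(r'"((?:[^"\\]|\\.)*)"', line)
        records.append("".join(chunks).replace('\\"', '"'))
    return records


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict of lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, val = part.partition("=")
        tags[key.strip().lower()] = val.strip()
    return tags


def check_dmarc(dig_output: str) -> list[str]:
    """Return a list of problems; an empty list means the record passes the checks."""
    records = parse_dig_short(dig_output)
    dmarc = [r for r in records if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        return ["no TXT record starting with v=DMARC1 "
                "(empty answer, missing quotes, or wrong hosted zone)"]
    problems = []
    if len(dmarc) > 1:
        # RFC 7489 receivers stop evaluating when the lookup yields more than one record.
        problems.append(f"{len(dmarc)} DMARC records published; receivers treat that as no policy")
    tags = parse_dmarc(dmarc[0])
    policy = tags.get("p")
    if policy is None:
        problems.append("missing required p= tag")
    elif policy.lower() not in VALID_POLICIES:
        problems.append(f"unknown policy p={policy}")
    # rua may list several comma-separated URIs; each must be a mailto: address.
    for uri in filter(None, (u.strip() for u in tags.get("rua", "").split(","))):
        if not uri.lower().startswith("mailto:"):
            problems.append(f"rua entry is not a mailto: URI: {uri}")
    if "pct" in tags and not (tags["pct"].isdigit() and 0 <= int(tags["pct"]) <= 100):
        problems.append(f"pct must be 0-100, got {tags['pct']}")
    return problems


if __name__ == "__main__":
    # Usage: dig TXT _dmarc.yourdomain.com +short | python check_dmarc.py
    output = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DIG_OUTPUT
    found = check_dmarc(output)
    print("OK" if not found else "\n".join(found))
```

Running it against the empty output you get when the quotes were stripped in Route 53 produces the first error, which is the symptom the Forgetting the Quotes section describes.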

Common Mistakes

Wrong Hosted Zone

If you have multiple hosted zones for the same domain (for example, a public zone and a private zone for VPC resolution), make sure you add the DMARC record to the public hosted zone. Private hosted zones are only resolvable within your VPC and will not be visible to external mail servers performing DMARC lookups.

Forgetting the Quotes

As mentioned above, Route 53 requires double quotes around TXT record values. If your record is not resolving or returns an empty value, check whether the quotes were stripped or duplicated.

Duplicate DMARC Records

If you previously had DNS managed by another provider and migrated to Route 53, ensure the old DMARC record was removed at the previous provider. Having two authoritative sources for the same record causes unpredictable behavior. Also check that you do not have two TXT records at _dmarc within the same hosted zone.

Propagation Delays

While Route 53 itself propagates changes quickly, external resolvers may cache the absence of a record (negative caching). If you recently queried the domain and got an NXDOMAIN response, that negative result may be cached for up to the SOA minimum TTL. Wait a few minutes and try again, or test from a different network. For more detail on DNS propagation timing, see our DMARC propagation time guide.

Complete your email authentication stack

DMARC works alongside SPF and DKIM. If you have not set up SPF yet, use spfcreator.com to generate your record. For DKIM key generation, use dkimcreator.com. All three records should be published in your Route 53 hosted zone for full email authentication.

After Setup: What to Expect

Once your DMARC record is live, receiving mail servers will begin evaluating it immediately. If you included a rua tag, aggregate reports will arrive within 24 to 48 hours. These XML reports show which IP addresses sent email using your domain and whether those messages passed SPF and DKIM checks.

Review these reports carefully during the first few weeks. They will reveal whether any legitimate services — SES, third-party marketing tools, transactional email providers — are failing authentication. Fix alignment issues before moving from p=none to enforcement. A gradual rollout using p=quarantine; pct=10; lets you enforce on a small percentage of traffic first, reducing the risk of blocking legitimate email.

Monitor Your DMARC Record

You have created your DMARC record — now make sure it keeps working. The Email Deliverability Suite watches your SPF, DKIM, DMARC, and MX records daily and alerts you when something breaks.
