
Understanding TXT records after moving DNS from Route53 to Cloudflare


I'm moving DNS records for an existing website from Amazon Route53 to Cloudflare, and introducing an AWS load balancer into the mix.

Current Architecture

Route53 DNS --> EC2 Instance

New Architecture

Cloudflare DNS --> AWS Load Balancer --> EC2 Instance

In some of the DNS records, there are references to the Elastic IP assigned to the AWS Instance (this is shown as 11.22.33.44 below). I didn't set up the records previously.

TXT record #1

v=spf1 mx include:_SPF.google.com a:ec2-11-22-33-44.eu-west-1.compute.amazonaws.com include:servers.mcsv.net ~all

TXT record #2

include:spf.protection.outlook.com  include:spf.mandrillapp.com  ip4:11.22.33.44

I have a couple of questions here:

  1. Does the Cloudflare proxy or the load balancer affect the existing IP in the TXT records? I should leave this as it is, right?
  2. Do these need to be two separate TXT records? Can I combine them, and if so, does the order of the statements matter?

Solution

  • Does the Cloudflare proxy or the load balancer affect the existing IP in the TXT records? I should leave this as it is, right?

    Correct. Those do not affect the IP of the server.

  • Do these need to be two separate TXT records? Can I combine them, and if so, does the order of the statements matter?

    Having more than one SPF record violates the RFC.

    Duplicate SPF TXT records. Another commonly violated aspect of SPF is that a domain may only have a single SPF record. That means you can only have a single DNS TXT record that begins with “v=spf1”.

    See https://www.socketlabs.com/blog/best-practices-sender-policy-framework-spf/

    Background:

    Those are SPF mail domain validation records, as you may know. They should always reflect the IP addresses or domains of any mail server that would be sending email on behalf of the given domain.

    I would point out that since you now have a load balancer in the mix, the instance IP could change over time if the instance is replaced, assuming you have some Auto Scaling group controlling instances. Every time the instance restarts, its IP address could change, depending on your setup. This would invalidate your SPF record, which would need to be updated to maintain proper mail delivery.

    For this reason I would suggest you consider using AWS SES for outbound email, which will always be correct regardless of your instance IP changes. The service provides fixed MX server names that you can use in your SPF records.
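As an added example (not code from the question or the answer above): a small Python checker that merges the two TXT fragments from the question into a single `v=spf1` record, keeps the `all` term last (terms after it are never evaluated), counts the DNS-lookup mechanisms against the RFC 7208 limit of 10, and flags the two mistakes discussed above: a second `v=spf1` record, and a fragment without the version tag, which receivers do not consult at all. The sample records are constructed from the question with its placeholder IP.

```python
import re
# Constructed sample input: the two TXT records from the question (placeholder IP as shown there).
RECORD_1 = ("v=spf1 mx include:_SPF.google.com "
            "a:ec2-11-22-33-44.eu-west-1.compute.amazonaws.com include:servers.mcsv.net ~all")
RECORD_2 = "include:spf.protection.outlook.com  include:spf.mandrillapp.com  ip4:11.22.33.44"

LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # each costs a DNS lookup (RFC 7208 cap: 10)
ALL_RE = re.compile(r"^[+\-~?]?all$", re.IGNORECASE)

def parse_terms(record):
    """Split a record into terms, dropping a leading v=spf1 version tag."""
    terms = record.split()
    return terms[1:] if terms and terms[0].lower() == "v=spf1" else terms

def term_name(term):
    """Mechanism/modifier name: 'include:x' -> 'include', '~all' -> 'all', 'ip4:1.2.3.4' -> 'ip4'."""
    return re.split(r"[:/=]", term.lstrip("+-~?"), maxsplit=1)[0].lower()

def merge_spf(records):
    """Merge SPF fragments into one record: first-seen order, duplicates dropped, and a
    single 'all' term placed last (terms after 'all' are never evaluated)."""
    body, all_term = [], None
    for rec in records:
        for term in parse_terms(rec):
            if ALL_RE.match(term):
                all_term = all_term or term
            elif term.lower() not in {t.lower() for t in body}:
                body.append(term)
    return " ".join(["v=spf1", *body, all_term or "~all"])

def lookup_count(record):
    """Number of DNS-lookup terms in a record (must stay <= 10)."""
    return sum(1 for t in parse_terms(record) if term_name(t) in LOOKUP_TERMS)

def check_txt_records(txt_records):
    """List the SPF problems in a domain's TXT record set; an empty list means it is clean."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    problems = []
    if len(spf) > 1:
        problems.append(f"{len(spf)} records start with v=spf1; RFC 7208 permits exactly one")
    for rec in txt_records:
        terms = parse_terms(rec)
        if rec not in spf:  # fragments without the version tag are never consulted by receivers
            if any(term_name(t) in LOOKUP_TERMS | {"ip4", "ip6"} for t in terms):
                problems.append(f"SPF-like TXT record lacks v=spf1, so receivers ignore it: {rec!r}")
        elif not terms or not ALL_RE.match(terms[-1]):
            problems.append(f"record has no trailing 'all' term (result defaults to neutral): {rec!r}")
        elif lookup_count(rec) > 10:
            problems.append(f"record needs {lookup_count(rec)} DNS lookups; RFC 7208 limit is 10")
    return problems
```

Running `check_txt_records([RECORD_1, RECORD_2])` reports that record #2 is ignored, while `check_txt_records([merge_spf([RECORD_1, RECORD_2])])` comes back clean with six lookups used.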