trustyourinbox

Editing DNS records in AWS Route 53

trustyourinbox detected your domain's DNS is on AWS Route 53. We don't have a Route 53 adapter yet, so the records we recommend need to be published by you in the Route 53 console (or via aws-cli, or Terraform — whatever your team uses to manage AWS). The console flow below is the visual path; the Route 53-specific quirks (mandatory double quotes, multi-string for long values, octal escapes for special chars) apply to all entry methods.

IAM permissions you need

Before the console steps work, your IAM user/role needs:

  • route53:ListHostedZones — to find your zone in the dropdown
  • route53:GetHostedZone — to open the zone
  • route53:ListResourceRecordSets — to see existing records
  • route53:ChangeResourceRecordSets — to add/edit records

The AWS-managed policy AmazonRoute53FullAccess covers all of these. If your org limits Route 53 access, ask your AWS admin for a scoped policy that grants ChangeResourceRecordSets only on the specific hosted zone (resource ARN arn:aws:route53:::hostedzone/Z…).

Step 1 — Open the hosted zone

  1. Sign in to the AWS Management Console → Route 53.
  2. In the left navigation pane, click Hosted zones.
  3. Click your domain name in the list. The zone's record set table opens.

Step 2 — Create the record

  1. Click Create record.
  2. Choose Simple routing (the default), then Define simple record.
  3. Fill the fields per the fix type below. Critical Route 53 rule: the Value field MUST contain the TXT content enclosed in double quotes "…". Route 53 is the only major DNS provider that REQUIRES literal double quotes in the console value field — most others auto-add them.

DMARC

  • Record name: _dmarc (Route 53 auto-appends your zone — leave the suffix dropdown set to your zone)
  • Record type: TXT
  • Value: paste the record exactly as trustyourinbox suggested, wrapped in double quotes:
    "v=DMARC1; p=quarantine; pct=100; rua=mailto:<your-rua>@rua.trustyourinbox.com"
  • TTL: 300 seconds (default) is fine. For faster rollback during testing, lower to 60.

SPF

  • Record name: leave empty (apex). Route 53 will show your zone name in the suffix.
  • Record type: TXT (do NOT use the "SPF" record type — RFC 7208 deprecated it; AWS docs explicitly recommend TXT)
  • Value: "v=spf1 …mechanisms… ~all"
  • Critical: only ONE v=spf1 record per apex. If a TXT record already exists at the apex containing v=spf1, click that existing row → Edit record → modify the value — don't create a second TXT record.

DKIM (with multi-string for long keys)

  • Record name: the selector + ._domainkey (e.g., google._domainkey, k1._domainkey)
  • Record type: TXT
  • Value: RSA-2048 keys are ~390 chars — longer than Route 53's 255-char single-string limit. Split into two strings of ≤255 chars each, each enclosed in double quotes, separated by a single space, all on one line:
    "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQ…firstpart" "…secondpart…IDAQAB"
  • Find the natural break point in the public key's base64 string and split there. Don't split inside v=, k=, or p=.

MTA-STS DNS pointer

  • Record name: _mta-sts
  • Record type: TXT
  • Value: "v=STSv1; id=<numeric-id>"
  • The actual policy file is hosted separately at mta-sts.<your-domain>/.well-known/mta-sts.txt over HTTPS — that's a web hosting concern, not Route 53. trustyourinbox can host the policy file for you (separate setup).
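As an added example (not trustyourinbox's code and not an AWS SDK sample), the following Python builds the values for the four record types described in this step in exactly the form Route 53 accepts (double quotes, 255-character strings joined by single spaces, octal escapes for anything outside printable ASCII) and wraps them in a change batch you could hand to `aws route53 change-resource-record-sets --change-batch file://batch.json`. It also generates the zone-scoped IAM policy described under "IAM permissions you need". The hosted zone id, the domain example.com, the rua address and the DKIM key (a run of "A" characters standing in for the base64 public key) are constructed placeholders.

```python
"""Added example: build Route 53-ready TXT values and a change batch.

Not trustyourinbox's code and not AWS's; the zone id, domain, rua address
and DKIM key below are constructed placeholders.
"""
import json

MAX_STRING = 255  # per-string limit Route 53 enforces for TXT (RFC 1035 character-string)


def escape_char_string(s):
    """Escape one character-string for the Route 53 console/CLI value field:
    backslash and double quote get a leading backslash, and any byte outside
    printable ASCII (0x20-0x7E) becomes a \\NNN octal escape."""
    out = []
    for ch in s:
        if ch in '"\\':
            out.append('\\' + ch)
        elif 32 <= ord(ch) <= 126:
            out.append(ch)
        else:
            out.extend('\\%03o' % b for b in ch.encode('utf-8'))
    return ''.join(out)


def route53_txt_value(s):
    """One Route 53 TXT record value on a single line: quoted strings of at
    most 255 characters separated by single spaces. A DKIM record longer than
    255 characters is split inside the p= base64, which receivers re-join."""
    chunks = [s[i:i + MAX_STRING] for i in range(0, len(s), MAX_STRING)] or ['']
    return ' '.join('"%s"' % escape_char_string(c) for c in chunks)


def apex_txt_values(existing, new_spf):
    """Apex TXT values to publish: keep every existing non-SPF value
    (verification tokens etc.) and replace the single v=spf1 value, so the
    zone never ends up with two SPF records."""
    kept = [v for v in existing if not v.lower().startswith('v=spf1')]
    return kept + [new_spf]


def change_batch(record_sets, ttl=300):
    """record_sets: list of (fqdn, [raw TXT values]). UPSERT replaces the
    whole TXT record set of that name, so the apex list must be complete."""
    return {
        'Comment': 'email authentication records (constructed example)',
        'Changes': [{
            'Action': 'UPSERT',
            'ResourceRecordSet': {
                'Name': name,
                'Type': 'TXT',
                'TTL': ttl,
                'ResourceRecords': [{'Value': route53_txt_value(v)} for v in values],
            },
        } for name, values in record_sets],
    }


def scoped_policy(zone_id):
    """IAM policy limited to one hosted zone. route53:ListHostedZones has no
    resource-level scoping, so it is granted on '*'; the other three actions
    are restricted to the zone ARN."""
    return {
        'Version': '2012-10-17',
        'Statement': [
            {'Effect': 'Allow', 'Action': 'route53:ListHostedZones', 'Resource': '*'},
            {'Effect': 'Allow',
             'Action': ['route53:GetHostedZone',
                        'route53:ListResourceRecordSets',
                        'route53:ChangeResourceRecordSets'],
             'Resource': 'arn:aws:route53:::hostedzone/' + zone_id},
        ],
    }


# Constructed inputs: example.com with a placeholder DKIM key of the length
# an RSA-2048 record has (about 390 characters).
DOMAIN = 'example.com'
DKIM_RECORD = 'v=DKIM1; k=rsa; p=' + 'A' * 372
EXISTING_APEX_TXT = ['v=spf1 include:_spf.old-provider.example ~all',
                     'google-site-verification=constructed-token']


def build_batch():
    apex = apex_txt_values(EXISTING_APEX_TXT, 'v=spf1 include:_spf.example.net ~all')
    return change_batch([
        ('_dmarc.' + DOMAIN, ['v=DMARC1; p=quarantine; pct=100; '
                              'rua=mailto:YOUR-RUA@rua.trustyourinbox.com']),
        (DOMAIN, apex),
        ('k1._domainkey.' + DOMAIN, [DKIM_RECORD]),
        ('_mta-sts.' + DOMAIN, ['v=STSv1; id=20240101000000']),
    ])


if __name__ == '__main__':
    print(json.dumps(build_batch(), indent=2))
    print(json.dumps(scoped_policy('ZEXAMPLE123'), indent=2))
```

The batch uses UPSERT rather than CREATE on purpose: CREATE fails when a TXT set already exists at the apex, while UPSERT replaces the whole set, which is why `apex_txt_values` carries the existing non-SPF values forward instead of publishing the new SPF string alone.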

Step 3 — Save

Click Create records at the bottom. Route 53 propagates to its global anycast network "within 60 seconds" (per AWS docs). Receivers honor the TTL on the record they last cached.

Step 4 — Verify the record published

Route 53 has a built-in test: the Test record button on the hosted zone page (top-right). Otherwise from a terminal:

  • DMARC — dig +short TXT _dmarc.yourdomain.com
  • SPF — dig +short TXT yourdomain.com | grep spf1
  • DKIM — dig +short TXT <selector>._domainkey.yourdomain.com
  • MTA-STS pointer — dig +short TXT _mta-sts.yourdomain.com

For DKIM specifically, dig shows the multi-string form Route 53 stored. Receivers concatenate the strings per RFC 1035 §3.3.14, so the receiving mailbox provider sees the full key, not the split.
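To turn those dig lines into a pass/fail check, here is an added Python example (not trustyourinbox's tooling) that parses `dig +short TXT` output offline, re-joins multi-string records the way receivers do, and applies the rules from Step 2: exactly one DMARC record with v=DMARC1, exactly one v=spf1 record at the apex ending in an all mechanism, a DKIM record with a non-empty p= key, and an MTA-STS pointer with v=STSv1 and an id. The SAMPLE_* strings are constructed to look like dig output for example.com; the DKIM key is a run of "A" characters standing in for base64.

```python
"""Added example: verify published email-auth TXT records from dig output.

Not trustyourinbox's code; the SAMPLE_* strings below are constructed to
look like `dig +short TXT` output for example.com.
"""
import re

# dig prints TXT RDATA as quoted strings with \" \\ and \NNN (octal) escapes.
_QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')
_ESC = re.compile(r'\\([0-7]{3})|\\(.)|(.)', re.S)


def unescape_char_string(s):
    """Undo dig's presentation escapes and return the raw string."""
    buf = bytearray()
    for octal, escaped, literal in _ESC.findall(s):
        if octal:
            buf.append(int(octal, 8))
        else:
            buf.extend((escaped or literal).encode('utf-8'))
    return buf.decode('utf-8', errors='replace')


def parse_dig_txt(output):
    """Each non-empty line is one TXT record. Its quoted strings are joined
    with no separator, which is how receivers read SPF (RFC 7208 §3.3) and
    DKIM (RFC 6376 §3.6.2.2) records spread over several strings."""
    records = []
    for line in output.splitlines():
        if line.strip():
            records.append(''.join(unescape_char_string(m) for m in _QUOTED.findall(line)))
    return records


def tags(record):
    """'k=v; k2=v2' -> dict with lower-cased tag names (names are case-insensitive)."""
    out = {}
    for part in record.split(';'):
        if '=' in part:
            k, v = part.split('=', 1)
            out[k.strip().lower()] = v.strip()
    return out


def check_records(dmarc_out, apex_out, dkim_out, mta_sts_out):
    """Return a list of problems; an empty list means all four checks passed."""
    problems = []
    dmarc = parse_dig_txt(dmarc_out)
    if len(dmarc) != 1 or tags(dmarc[0]).get('v') != 'DMARC1':
        problems.append('DMARC: expected exactly one record starting with v=DMARC1')
    spf = [r for r in parse_dig_txt(apex_out) if r.lower().startswith('v=spf1')]
    if len(spf) != 1:
        problems.append('SPF: %d v=spf1 records at apex, need exactly 1' % len(spf))
    elif not spf[0].split()[-1].endswith('all'):
        problems.append('SPF: record does not end with an all mechanism')
    dkim = parse_dig_txt(dkim_out)
    t = tags(dkim[0]) if len(dkim) == 1 else {}
    # v= is optional in DKIM key records and defaults to DKIM1; an empty p= is a revoked key
    if t.get('v', 'DKIM1') != 'DKIM1' or not t.get('p'):
        problems.append('DKIM: need one record with v=DKIM1 and a non-empty p= key')
    mta = parse_dig_txt(mta_sts_out)
    t = tags(mta[0]) if len(mta) == 1 else {}
    if t.get('v') != 'STSv1' or not t.get('id'):
        problems.append('MTA-STS: need one record with v=STSv1 and an id=')
    return problems


# Constructed dig output for example.com (the apex also carries an unrelated
# verification token, which the SPF check must ignore).
SAMPLE_DMARC = '"v=DMARC1; p=quarantine; pct=100; rua=mailto:YOUR-RUA@rua.trustyourinbox.com"\n'
SAMPLE_APEX = ('"google-site-verification=constructed-token"\n'
               '"v=spf1 include:_spf.example.net ~all"\n')
SAMPLE_DKIM = '"v=DKIM1; k=rsa; p=' + 'A' * 237 + '" "' + 'A' * 135 + '"\n'
SAMPLE_MTA_STS = '"v=STSv1; id=20240101000000"\n'

if __name__ == '__main__':
    for problem in check_records(SAMPLE_DMARC, SAMPLE_APEX, SAMPLE_DKIM, SAMPLE_MTA_STS) or ['all checks passed']:
        print(problem)
```

In practice you would feed it the real output of the four dig commands above; the two-record DKIM line it accepts is exactly the `"part1" "part2"` form Route 53 stores for a split key.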

Step 5 — Tell trustyourinbox to recheck

Each per-domain protocol tab has a Recheck button. Click it after Route 53 propagates; we run a fresh DoH lookup against Cloudflare 1.1.1.1 and Google 8.8.8.8 in parallel and update the dashboard immediately.

Common Route 53 pitfalls

  1. Forgetting the double quotes. Route 53's console rejects unquoted values for TXT. Even v=DMARC1; p=none without quotes will fail validation. Always wrap in "…".
  2. Splitting DKIM keys with newlines instead of " ". Route 53 treats each newline-separated entry as a separate TXT record (a TXT record set with multiple records). For DKIM, you want one TXT record made of multiple strings — keep it on one line, separate the strings with quote-space-quote: "part1" "part2".
  3. Special characters without octal escapes. Route 53 requires non-printable characters specified as \NNN octal codes. Most DMARC/SPF/DKIM/MTA-STS records use only printable ASCII so this rarely matters, but if your value contains a literal quote, escape it as \".
  4. Case sensitivity. Route 53 preserves case ("Ab" and "aB" are stored as different values). DMARC/SPF/DKIM tag NAMES (e.g., v=, p=) are RFC-defined as case-insensitive at receivers, but matching tools may be strict — copy the casing trustyourinbox shows you exactly.
  5. Using the SPF record type instead of TXT. AWS supports both, but RFC 7208 says SPF MUST use TXT now. Receivers that strictly follow the RFC ignore the SPF type entirely. Always use TXT.

If you get stuck

Open the per-domain page in trustyourinbox, click Recheck, and if the dashboard still shows the issue, paste the dig +short TXT <hostname> output into a support email. We'll narrow down the difference between what we expected and what Route 53 published.
