Request to unblock port 25 on AWS EC2 - amazon-web-services

I'm trying to request to unblock port 25 on my ec2 instance. I know very well that whatever they put as (optional) is 100% not optional. I've been asked over and over again to repeat these steps.
(Optional) Provide the AWS-owned Elastic IP addresses that you use to send outbound emails as well as any
reverse DNS records that AWS needs to associate with the Elastic IP addresses. With this information, AWS
can reduce the occurrences of emails sent from the Elastic IP addresses being marked as spam.
How do I complete these below actions?
What is the elastic ip address that I used to send outbound emails and how do I get it?
What is the reverse dns record for that elastic ip address and how do I get it?
The request also asks me to do this:
If you're using Amazon Route 53 as your DNS service, either create a new resource record set that
includes an A record, or update your existing resource record set to include a new A record.
It doesn't specify what the A record value should be.

Here is what you need to provide:
What is the elastic ip address that I used to send outbound emails and how do I get it?
This is the public IP address of your instance(s) that will be sending the emails on port 25. Make sure you have allocated an elastic IP address to the server(s).
What is the reverse dns record for that elastic ip address and how do I get it?
Traditionally this is where someone might create a PTR record containing the EIP and port number (25) and map this to a domain (e.g. smtp.example.com). You will need to provide AWS with the domain name that emails will send from, so if you were sending from hello@example.com they would whitelist example.com.
Adding A Record
And for the extra step of setting an A record, they are asking you to bind your domain, e.g. example.com, to the elastic IP address of the server in your DNS configuration. This is to prove you control the domain that you're wanting to send emails from.

Related

"A statement of the security measures and mechanisms you will be implementing" AWS (Unblock port 25)

I tried to unblock port 25 on my ec2 instance so I could send emails and I was asked to provide this:
A statement of the security measures and mechanisms you will be implementing to avoid being implicated in the sending of unwanted mail (Spam)
What does this mean, like what is an example of those security measures? I have no idea what I'm supposed to respond to with that. All I plan on doing is sending emails to verify email accounts and change passwords for user accounts on my website.
AWS actually restricts access to this port for security reasons. The suggestion is to try using another port if you can (for example SES works over port 587 as well).
You can however request that this restriction is removed, to do this you will need to do the following steps:
First, create a corresponding DNS A record:
If you're using Amazon Route 53 as your DNS service, either create a new resource record set that includes an A record, or update your existing resource record set to include a new A record.
If you're using a service other than Amazon Route 53, ask your DNS provider to create an A record for you.
Then, request AWS to remove the port 25 restriction on your instance:
Sign in with your AWS account, and open the Request to Remove Email Sending Limitations form.
In the Use Case Description field, provide a description of your use case.
(Optional) Provide the AWS-owned Elastic IP addresses that you use to send outbound emails as well as any reverse DNS records that AWS needs to associate with the Elastic IP addresses. With this information, AWS can reduce the occurrences of emails sent from the Elastic IP addresses being marked as spam.
Choose Submit.

Understanding TXT records after moving DNS from Route53 to Cloudflare

I'm moving DNS records for an existing website from Amazon Route53 to Cloudflare, and introducing an AWS load balancer into the mix.
Current Architecture
Route53 DNS --> EC2 Instance
New Architecture
Cloudflare DNS --> AWS Load Balancer --> EC2 Instance
In some of the DNS records, there are references to the Elastic IP assigned to the AWS Instance (this is shown as 11.22.33.44 below). I didn't set up the records previously.
TXT record #1
v=spf1 mx include:_SPF.google.com a:ec2-11-22-33-44.eu-west-1.compute.amazonaws.com include:servers.mcsv.net ~all
TXT record #2
include:spf.protection.outlook.com include:spf.mandrillapp.com ip4:11.22.33.44
I have a couple of questions here:
Does the Cloudflare proxy or the load balancer affect the existing IP in the TXT records? I should leave this as it is, right?
Do these need to be two separate TXT records? Can I combine them, and if so, does the order of the statements matter?
Does the Cloudflare proxy or the load balancer affect the existing IP in the TXT records? I should leave this as it is, right?
Correct. Those do not affect the IP of the server.
Do these need to be two separate TXT records? Can I combine them, and if so, does the order of the statements matter?
Having more than one SPF record violates the RFC.
Duplicate SPF TXT records. Another commonly violated aspect of SPF is that a domain may only have a single SPF record. That means you can only have a single DNS TXT record that begins with “v=spf1”.
See https://www.socketlabs.com/blog/best-practices-sender-policy-framework-spf/
Background:
Those are SPF mail domain validation records, as you may know. They should always reflect the IP addresses or domains of any mail server that would be sending email on behalf of the given domain.
I would point out that since you now have a load balancer in the mix, the instance IP number could change over time if it's replaced, assuming you have some Auto Scaling group controlling instances. Every time that the instance restarts its IP address could change, depending on your setup. This would invalidate your SPF record, and it would need to be updated to maintain proper mail delivery.
For this reason I would suggest you consider using AWS SES for outbound email, which will always be correct regardless of your instance IP changes. The service provides fixed MX server names that you can use in your SPF records.
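An added check (not from the thread) that takes the two TXT records from the question as constructed sample data, reports which of them a receiver would actually treat as SPF (only a record beginning with "v=spf1" counts), counts the DNS lookups each needs (RFC 7208 caps a domain at 10), and merges them into the single v=spf1 record the answer calls for:

```python
import re

# Constructed sample data copied from the question; 11.22.33.44 is the placeholder EIP.
TXT_RECORDS = [
    "v=spf1 mx include:_SPF.google.com a:ec2-11-22-33-44.eu-west-1.compute.amazonaws.com include:servers.mcsv.net ~all",
    "include:spf.protection.outlook.com include:spf.mandrillapp.com ip4:11.22.33.44",
]

# Mechanisms and modifiers that cost a DNS lookup under RFC 7208's limit of 10.
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")


def spf_records(txt_records):
    """Return only the TXT records a receiver evaluates as SPF (first token is v=spf1)."""
    return [r for r in txt_records if r.split(" ", 1)[0].lower() == "v=spf1"]


def term_name(term):
    """Strip the qualifier (+ - ~ ?) and argument, leaving the mechanism/modifier name."""
    return re.match(r"[+\-~?]?([a-z0-9]+)", term.lower()).group(1)


def lookup_count(record):
    """Number of DNS lookups a receiver must perform to evaluate this record."""
    return sum(1 for t in record.split()[1:] if term_name(t) in LOOKUP_TERMS)


def merge_spf(txt_records):
    """Combine every term from the given records into one v=spf1 record.
    Duplicates are dropped and a single 'all' mechanism (the first one seen) goes last."""
    terms, final_all = [], None
    for rec in txt_records:
        for t in rec.split():
            if t.lower() == "v=spf1":
                continue
            if term_name(t) == "all":
                final_all = final_all or t
                continue
            if t not in terms:
                terms.append(t)
    return " ".join(["v=spf1", *terms, final_all or "~all"])


if __name__ == "__main__":
    print("SPF records found:", len(spf_records(TXT_RECORDS)))  # record #2 is ignored by receivers
    merged = merge_spf(TXT_RECORDS)
    print(merged)
    print("DNS lookups in merged record:", lookup_count(merged))
```

The merged record stays well under the 10-lookup limit, but every include: you add later counts against it, so re-run the count before publishing.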

AWS EC2 change public DNS hostname so that it works with Reverse DNS lookup

I've already gone through the following links but couldn't find anything useful:
https://forums.aws.amazon.com/thread.jspa?threadID=79119
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/set-hostname.html
How to change Public DNS in amazon ec2
EC2 t2.micro instance has no public DNS
I have a ec2 server running ubuntu. I've set up an elastic IP for the instance, and have configured my domain with that IP on Route 53. It's working fine.
Now I'm using the server to send a few (transactional) emails. I still haven't used TLS in the mails, so Gmail correctly shows that I haven't encrypted this message in red. But instead of my domain name, it shows ec2---my-server-ip---my-server-location has not encrypted the message.
I ran reverse DNS lookup on https://www.whatismyip.com/reverse-dns-lookup/ and it showed the amazon server details.
How can I change this DNS hostname to my own domain name?
https://forums.aws.amazon.com/thread.jspa?threadID=79119
Read that one again, because it contains your answer.
Create an A record matching the reverse entry you want, if you don't already have one, then send a request to AWS support to associate the hostname you want with the Elastic IP, using this form:
https://aws-portal.amazon.com/gp/aws/html-forms-controller/contactus/ec2-email-limit-rdns-request
That's how you do it. It can only be done with an Elastic IP.
Reverse DNS look up is linked with the PTR record set by the owner of the IP address.
In case of AWS you need to get in touch with AWS support for setting up the PTR record for an Elastic IP address assigned to your account.
They will ask you to create a public zone file of the reversed IP address followed by in-addr.arpa.
E.g. your IPv4 address is 1.2.3.4;
then the zone file needs to be created as 4.3.2.1.in-addr.arpa with a PTR record pointing to your IP address.
You can refer to this link for more information: https://aws.amazon.com/premiumsupport/knowledge-center/route-53-reverse-dns/

PTR record for EC2 instance (without elastic ip) not propagating

I've set up a PTR record for my EC2 instance following this article: https://aws.amazon.com/premiumsupport/knowledge-center/route-53-reverse-dns/, but when I test the rDNS with a tool like dig it keeps giving me the xxx.compute.amazonaws.com domain as a result. I have waited several times the refresh time and performed the steps in the article multiple times but the record does not change. I have also set the NS record for the "in-addr.arpa" hosted zone to match the NS record of my domain.
My setup is:
Hosted zone 1: "domain.com."
Hosted zone 1 A record: name "domain.com." value "1.2.3.4"
Hosted zone 2: "3.2.1.in-addr.arpa."
Hosted zone 2 PTR record: name "4.3.2.1.in-addr.arpa." value "domain.com"
Am I missing something here? Are there any other steps I should take or do you have any tips on how I can further debug this?
It seems like outlook.com keeps flagging my messages as spam because the rDNS is incorrect.
Any help is very much appreciated.
I've setup a PTR record for my EC2 instance following this article
You can't use these instructions for IP addresses owned/controlled by AWS. The only AWS-allocated public IP addresses that are configurable with custom reverse-DNS are elastic IP addresses, and a different process applies (from the same document) --
If you are using an Elastic IP address for your server, you can configure the reverse DNS record of your Elastic IP address by submitting a Request to Remove Email Sending Limitations (root account credentials required), and you don't need to use Amazon Route 53.
The instructions you followed are for IP address space that you control, or that has been delegated to you by your ISP. They are not applicable to elastic IP addresses. You "don't need to use Route 53," in this case, would have been more correctly written here as you "can't use Route 53."
Allocate an elastic IP and map it to the server... then you can use the request form and AWS support will configure the reverse records for you.
Public IP addresses that are not EIPs are ephemeral. Once you stop the instance, the address goes back to the pool. Starting the instance again will cause it to be assigned a different public IP address. This isn't the case with EIPs, which would be more suited to a permanent fixture like an SMTP server.
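An added example (not from either thread) covering the two things the answers above rely on: deriving the in-addr.arpa (or ip6.arpa) name a PTR record lives at, and the forward-confirmed reverse DNS check that receivers such as outlook.com perform, where the PTR target must resolve back to the sending IP. DNS answers are a constructed in-memory dictionary using the question's placeholders (1.2.3.4, domain.com); a real check would ask a resolver.

```python
import ipaddress

# Constructed stand-in for resolver answers, keyed by (owner name, record type).
FAKE_DNS = {
    ("4.3.2.1.in-addr.arpa.", "PTR"): ["mail.domain.com."],
    ("mail.domain.com.", "A"): ["1.2.3.4"],
    ("domain.com.", "A"): ["1.2.3.4"],
}


def reverse_name(ip):
    """Owner name of the PTR record for an IPv4 or IPv6 address,
    e.g. 1.2.3.4 -> 4.3.2.1.in-addr.arpa. (fully qualified)."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def lookup(name, rtype, dns=FAKE_DNS):
    """Return the records of type rtype at name (empty list if none)."""
    fqdn = name if name.endswith(".") else name + "."
    return dns.get((fqdn, rtype), [])


def fcrdns(ip, dns=FAKE_DNS):
    """Forward-confirmed reverse DNS: the hostname in the PTR must have an
    A (or AAAA) record containing the IP. Returns (ok, hostname_or_reason)."""
    ptrs = lookup(reverse_name(ip), "PTR", dns)
    if not ptrs:
        return False, "no PTR record"
    rtype = "AAAA" if ":" in ip else "A"
    for host in ptrs:
        if ip in lookup(host, rtype, dns):
            return True, host
    return False, "PTR target does not resolve back to " + ip


if __name__ == "__main__":
    print(reverse_name("1.2.3.4"))
    print(fcrdns("1.2.3.4"))
    print(fcrdns("1.2.3.5"))
```

For an EIP the PTR itself is published by AWS after the request form is processed; the A record side of the check is the one you control in Route 53, which is why the answers insist on creating it first.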

How to resolve domain name from public IP on Amazon

I have just created my aws instance on windows server 2012 R2 for running my website. Problem is, I want to resolve my public IP address to my domain name. For example, my aws public IP address is 1.2.3.4 and I want it to show as my own company domain.
This answer may seem strange because of the way it works, but it is from an official source and it does accomplish what you want -- setting a reverse DNS record on an elastic IP address. The address will remain associated with your account and can't be inadvertently released unless you subsequently undo this configuration.
You can now provide us with a configurable Reverse DNS record for any of your Elastic IP addresses. Once you’ve supplied us with the record, reverse DNS lookups (from IP address to domain name) will work as expected: the Elastic IP address in question will resolve to the domain that you specified in the record.
https://aws.amazon.com/blogs/aws/reverse-dns-for-ec2s-elastic-ip-addresses
You'll be sending a request to AWS support to configure this mapping.
The unexpected part of the solution, however, is the reason stated on the form that you use to send the request to AWS support...
https://aws-portal.amazon.com/gp/aws/html-forms-controller/contactus/ec2-email-limit-rdns-request
...it's actually the request form to remove the outbound SMTP port 25 restriction on your Elastic IPs... but part of the process is to assign reverse DNS entries to EIPs that you specify.