1

I'm trying to set up a Sending Domain on Mandrill but I get an SPF missing error.

My app is running on AWS, I'm using EC2 and Elastic Beanstalk, and my domain is on Namecheap.

DNS is set up as follows:

CNAME Record @ 'my-instance-id'.elasticbeanstalk.com.

TXT Record @ v=spf1 include:spf.mandrillapp.com ?all

TXT Record @ v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrLHiExVd55zd/IQ/J/mRwSRMAocV/hMB3jXwaHH36d9NaVynQFYV8NaWi69c1veUtRzGt7yAioXqLj7Z4TeEUoOLgrKsn8YnckGs9i3B3tVFB+Ch/4mPhXWiNfNdynHWBcPcbJ8kjEQ2U8y78dHZj1YeRXXVvWob2OaKynO8/lQIDAQAB;

URL Redirect Record www https://myapp.com Permanent (301)

This morning I was able to verify the SPF address, and I started to get the SPF missing error after updating my DNS with the CNAME entry (actually I just moved my app to AWS).

Any idea on how I can fix this? Thank you!

EDIT

The answer from Mandrill support:

Thanks for writing in. It looks like your "myapp.com" domain is a CNAME to "myapp.eu-central-1.elasticbeanstalk.com". This can make things tricky because in DNS you can't have two records (a TXT-type, and a CNAME-type) with the same name. As a result, you won't be able to set up SPF for "myapp.com". Furthermore, with the way CNAMEs redirect, theoretically it would be possible to set up SPF records at the final destination where those redirects lead to, but unfortunately, Mandrill's SPF and DKIM validator is overly-specific and as such isn't able to verify DNS records for domains that CNAME to another domain. Given these limitations, the only real option is to change your "myapp.com" from a CNAME to an A record pointing directly at the IP address at the end of that CNAME chain. You should then be able to set up SPF for this domain.

Actually I'm not sure I have such an IP available to point at. Did you solve a similar issue? Thank you

davideghz
  • Possible duplicate of [CNAME for top of domain?](http://serverfault.com/questions/430970/cname-for-top-of-domain) – chicks Mar 30 '16 at 14:29
  • @chicks - it's not duplicate, my question is strictly related to AWS and Mandrill setup – davideghz Mar 31 '16 at 03:16

2 Answers

3

A CNAME can't have other records alongside it. A request for TXT (or anything else like MX, A, etc.) records will follow the CNAME and receive my-instance-id.elasticbeanstalk.com.'s TXT records (if any) instead.

Using Route53's ALIAS record type instead of a CNAME is the recommended solution. The ALIAS looks like a normal A record to the outside world, but reflects IP address changes to the Elastic Beanstalk instance automatically.

https://aws.amazon.com/about-aws/whats-new/2016/01/aws-elastic-beanstalk-adds-support-for-amazon-route-53-aliasing/

ceejayoz
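An added example (not part of the original answer) that models the behaviour described above: it flags names where a CNAME sits beside other records and shows which TXT/SPF data a resolver ends up seeing once the CNAME is followed. The zone contents are constructed from the question's setup, `192.0.2.10` is a placeholder address, and the model assumes the CNAME takes precedence as the answer describes.

```python
# Constructed sample zones modelled on the question; names and IPs are placeholders.
BROKEN = [  # apex CNAME next to a TXT record, as in the question
    ("myapp.com.", "CNAME", "my-instance-id.elasticbeanstalk.com."),
    ("myapp.com.", "TXT", "v=spf1 include:spf.mandrillapp.com ?all"),
]
FIXED = [  # apex answers with an address record (what an ALIAS looks like from outside)
    ("myapp.com.", "A", "192.0.2.10"),
    ("myapp.com.", "TXT", "v=spf1 include:spf.mandrillapp.com ?all"),
]


def cname_conflicts(zone):
    """Return names that hold a CNAME together with any other record type."""
    by_name = {}
    for name, rtype, _ in zone:
        by_name.setdefault(name.lower(), set()).add(rtype)
    return sorted(n for n, types in by_name.items()
                  if "CNAME" in types and len(types) > 1)


def resolve(zone, name, rtype, max_hops=8):
    """Answer a query the way a resolver does: a CNAME at the name wins
    and the query restarts at its target."""
    name = name.lower()
    for _ in range(max_hops):
        cname = [v for n, t, v in zone if n.lower() == name and t == "CNAME"]
        if cname and rtype != "CNAME":
            name = cname[0].lower()
            continue
        return name, [v for n, t, v in zone if n.lower() == name and t == rtype]
    raise RuntimeError("CNAME chain too long or looping")


def visible_spf(zone, domain):
    """Return (owner name that finally answered, SPF strings found there)."""
    owner, txts = resolve(zone, domain, "TXT")
    return owner, [t for t in txts if t.lower().startswith("v=spf1")]


if __name__ == "__main__":
    for label, zone in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, cname_conflicts(zone), visible_spf(zone, "myapp.com."))
```
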
1

I solved the problem and I was able to verify my sending domain in Mandrill.

I told Namecheap to use AWS nameservers, then on AWS Route53 I set up an A record to point to the AWS EB instance, and then added the TXT records necessary for Mandrill domain validation directly in AWS.

Hope this might help others with the same issue.

davideghz
  • You could use an A record with GoDaddy too, but note that an A record isn't what you want here. If the Elastic Beanstalk instance gets replaced due to a scaling event or a server outage, the new instance will have a new IP and your record will no longer work. See my answer for the recommended approach. – ceejayoz Mar 31 '16 at 03:31