DNS Provider Integrations

Connect your DNS provider account to SpoofWard to enable automatic configuration of email authentication records. Instead of manually logging in to your DNS provider and creating records, SpoofWard can publish and update DMARC, SPF, DKIM, and BIMI records directly through your provider's API.

Supported Providers

• GoDaddy — Connect via API key and secret
• AWS Route 53 — Connect via IAM access key with Route 53 permissions
• Azure DNS — Connect via service principal credentials
• Google Cloud DNS — Connect via service account key

GoDaddy Setup

Generating API Credentials

1. Log in to your GoDaddy account
2. Navigate to Developer Portal → API Keys
3. Click Create New API Key
4. Set the environment to Production
5. Copy the Key and Secret — the secret is shown only once

Connecting in SpoofWard

1. Navigate to Settings → DNS Providers
2. Click Add Provider and select GoDaddy
3. Enter your API Key and API Secret
4. Click Verify Connection — SpoofWard reads your domain list to confirm access
5. Click Save

AWS Route 53 Setup

Creating an IAM Policy

Create an IAM policy with the minimum required permissions for SpoofWard to manage DNS records:

• route53:ListHostedZones — List available hosted zones
• route53:ListResourceRecordSets — Read existing DNS records
• route53:ChangeResourceRecordSets — Create, update, and delete DNS records
• route53:GetHostedZone — Read zone details

Generating Access Keys

1. In the AWS IAM console, create a new IAM user or use an existing one
2. Attach the Route 53 policy you created
3. Generate an Access Key ID and Secret Access Key

Connecting in SpoofWard

1. Navigate to Settings → DNS Providers
2. Click Add Provider and select AWS Route 53
3. Enter your Access Key ID and Secret Access Key
4. Optionally specify an AWS Region (defaults to us-east-1)
5. Click Verify Connection
6. Click Save

Azure DNS Setup

Creating a Service Principal

1. In the Azure portal, navigate to Azure Active Directory → App registrations
2. Click New registration and name it (e.g., "SpoofWard DNS")
3. After creation, note the Application (client) ID and Directory (tenant) ID
4. Under Certificates & secrets, create a new client secret and copy the value
5. Navigate to the DNS zone resource and assign the service principal the DNS Zone Contributor role

Connecting in SpoofWard

1. Navigate to Settings → DNS Providers
2. Click Add Provider and select Azure DNS
3. Enter your Tenant ID, Client ID, and Client Secret
4. Enter your Subscription ID and Resource Group name
5. Click Verify Connection
6. Click Save

Google Cloud DNS Setup

Creating a Service Account

1. In the Google Cloud Console, navigate to IAM & Admin → Service Accounts
2. Click Create Service Account
3. Name it (e.g., "spoofward-dns") and grant the DNS Administrator role
4. Create a JSON key for the service account and download it

Connecting in SpoofWard

1. Navigate to Settings → DNS Providers
2. Click Add Provider and select Google Cloud DNS
3. Upload or paste your Service Account JSON key
4. Enter the Project ID containing your DNS zones
5. Click Verify Connection
6. Click Save

Auto-Configuration Workflow

Once a DNS provider is connected, SpoofWard can automatically publish records when you configure email authentication settings.

How It Works

1. You configure a DMARC policy, SPF record, DKIM key, or BIMI record in SpoofWard
2. SpoofWard detects that a connected DNS provider manages the domain
3. A prompt appears asking whether to publish the record automatically
4. You review the exact DNS change that will be made
5. Click Apply to DNS to publish the record
6. SpoofWard creates or updates the record via the provider's API
7. Verification runs automatically after a short propagation delay

Supported Record Types

• DMARC — _dmarc.yourdomain.com TXT record
• SPF — yourdomain.com TXT record (SPF policy)
• DKIM — [selector]._domainkey.yourdomain.com TXT record
• BIMI — default._bimi.yourdomain.com TXT record
• MTA-STS — _mta-sts.yourdomain.com TXT record
• TLS-RPT — _smtp._tls.yourdomain.com TXT record

Safety Checks

SpoofWard performs several safety checks before modifying any DNS record to prevent accidental misconfiguration:

• Existing record detection — Warns if a record of the same type already exists and will be overwritten
• Syntax validation — Validates that the record value is syntactically correct before publishing
• Conflict detection — Checks for conflicting records (e.g., a CNAME at the same name as a TXT record)
• Rollback capability — SpoofWard stores the previous record value so you can revert with one click if needed
• Confirmation required — Every DNS change requires explicit confirmation before it is applied; no changes are made automatically without your approval

Managing Providers

• Edit — Update API credentials or connection settings for a provider
• Test — Verify the connection is still active and credentials are valid
• View Domains — See which of your SpoofWard domains are hosted at this provider
• Audit Log — Review all DNS changes made through the provider integration
• Delete — Remove the provider connection. This does not remove any DNS records already published; it only stops SpoofWard from making future changes through this provider.

Troubleshooting

• Connection verification fails — Double-check that the API credentials are correct and have not expired. Ensure the credentials have the required permissions to list and modify DNS zones.
• Domain not detected — The domain must exist as a hosted zone at the connected provider. Verify the domain name matches exactly, including any subdomain prefixes.
• Record publish fails — Check the error message for details. Common causes include expired credentials, insufficient permissions, or the DNS zone being locked for editing.
• Propagation delay — DNS changes can take time to propagate depending on the TTL of existing records. SpoofWard retries verification automatically after a delay.