Missed Team ’24? Catch up on announcements here.

×
Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in
Products
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

DNS Domain Verification Combined with SPF

Joel Potter
Joel Potter June 20, 2019

I have an existing TXT record for SPF on my domain. How do I modify it to include the Atlassian domain verification token so both will still be valid?

E.g. current record looks like: 

type:  TXT
key:   example.com
value: v=spf1 include:emailserver.com ~all

What should the new record value look like to include the "atlassian-domain-verification="?

Answer
Watch
Like Be the first to like this
1012 views

1 answer

0 votes
George Karaolides
George Karaolides
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
Get involved
February 5, 2020

***NOTE:  The following answer would be correct if the TXT record was only required when first verifying a domain but this is not true, the TXT record is required in perpetuity***

It's probably not possible to combine both Jira verification and SPF in the same TXT record, and it's certainly not possible to have more than one TXT record at origin level in the same DNS zone.

Despite that, it's still possible to use a TXT record for Jira verification, because the TXT record for Jira verification is only needed during the actual verification; after that, it can be removed or replaced.

The way to proceed is to temporarily replace the TXT record for SPF with the TXT record for Jira verification, complete the Jira verification, and then re-instate the TXT record for SPF.

With direct access to the DNS zone configuration, and attention paid to the TTL of the TXT record, the whole process can take as little as a couple of minutes, so it shouldn't matter that the zone will not have an SPF record for that time.

If the TTL of the TXT record is fairly short (say,  300 seconds or less) it should be possible to proceed directly.

If the TTL is longer, it would be safer to first change the TTL to e.g. 300 and wait for a period of time equal to or longer than the original TTL before carrying out the procedure.  Once the procedure is complete, the TTL can be increased back to the original value.

View More Comments
Joel Potter
Joel Potter February 5, 2020

I was under the impression that the domain verification needed to remain in place permanently. If that's not the case than I can use the temporary TXT change as you suggest.

Like
George Karaolides
George Karaolides
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
Get involved
February 5, 2020

I stand corrected.  I tried this and it worked, but it looks like it will break later because Atlassian periodically checks that the TXT record is still there.  Thank you for pointing this out.

One would have thought that, instead of the origin, Atlassian would choose to use a name under the zone, to allow their record to co-exist with SPF.

I am now faced with either turning off SPF for my domain or using HTTPS verification.

Like
Joel Potter
Joel Potter February 5, 2020

Thanks for testing it out. 

I think Atlassian needs to add another DNS verification method maybe similar to how DKIM is handled with subdomains.

Like
Reply

Suggest an answer

Log in or Sign up to answer
Identity Manager
Atlassian Access
TAGS
AUG Leaders

Atlassian Community Events

    See all events