Setup Guide

How to Set Up SPF, DKIM, and DMARC for Amazon SES

Amazon Simple Email Service (SES) is a cost-effective transactional email platform commonly used by developers and SaaS companies. SES is often behind the scenes in applications sending password resets, order confirmations, and system notifications. Authentication setup is handled through the AWS console.

SPF Configuration

Amazon SES uses a single include for SPF authorization.

DNS Record:

Type:  TXT
Host:  @
Value: v=spf1 include:amazonses.com ~all

Combined with other services:

v=spf1 include:_spf.google.com include:amazonses.com ~all

Alternative — Custom MAIL FROM domain: SES supports configuring a custom MAIL FROM (return-path) domain, which is the recommended approach for SPF alignment under DMARC. If you configure a custom MAIL FROM domain (e.g., mail.yourdomain.com), you add the SPF record there instead:

Type:  TXT
Host:  mail
Value: v=spf1 include:amazonses.com ~all

Type:  MX
Host:  mail
Value: 10 feedback-smtp.us-east-1.amazonses.com

The MX record is required for bounce processing. Replace us-east-1 in the MX value with your SES region.

Verify your total lookup count with the SenderClarity SPF Checker.

DKIM Configuration

SES provides two DKIM options: Easy DKIM (recommended) and manual BYODKIM.

Easy DKIM:

  1. In the AWS SES console, go to Verified Identities.
  2. Select your domain (or verify it if you haven't already).
  3. Under the Authentication tab, click Edit in the DKIM section.
  4. Select Easy DKIM and choose RSA 2048-bit.
  5. SES will generate three CNAME records:

Type:  CNAME
Host:  abc123._domainkey
Value: abc123.dkim.amazonses.com

Type:  CNAME
Host:  def456._domainkey
Value: def456.dkim.amazonses.com

Type:  CNAME
Host:  ghi789._domainkey
Value: ghi789.dkim.amazonses.com

  6. Add all three CNAMEs to your DNS.
  7. SES will automatically verify and begin signing once the records propagate.

SES uses three DKIM records for key rotation. The actual hostnames and values will be unique to your domain.

DMARC Configuration

Start with monitoring mode:

Type:  TXT
Host:  _dmarc
Value: v=DMARC1; p=none; rua=mailto:your-address@reports.senderclarity.com; fo=1

Progress to enforcement after confirming SES traffic passes:

  1. p=quarantine; pct=25
  2. p=quarantine; pct=100
  3. p=reject

DMARC Considerations for Amazon SES

  • SPF alignment requires custom MAIL FROM: By default, SES uses amazonses.com as the return-path, meaning SPF will never align with your domain. Your DMARC reports will show SPF failures until you configure a custom MAIL FROM domain. DKIM alignment alone is sufficient for DMARC to pass, but custom MAIL FROM is the recommended long-term configuration.

  • What to expect in aggregate reports: Reports will show sending sources from SES regional IP ranges (e.g., us-east-1.amazonses.com). If your application sends from multiple AWS regions, you may see multiple SES sources appear — all covered by the single amazonses.com SPF include.

  • Shared IP considerations: Unless you're using dedicated IPs, SES sends from shared IP pools. Other senders' reputations can affect deliverability, but this does not impact DMARC pass/fail — authentication is per-domain, not per-IP.

  • Safe to move to enforcement early: Because SES uses Easy DKIM with automatic signing, DKIM alignment is reliable once configured. If SES is your only sending source and custom MAIL FROM is in place, you can move to p=reject faster than most providers — typically after 2–4 weeks of clean reports.

Verification

  • Check your SPF record
  • Use the SES Send Test Email function and inspect the headers
  • Confirm dkim=pass and alignment with your domain
  • Monitor DMARC reports in SenderClarity
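
The alignment check behind the header inspection above, as an added example (not from the original guide or from AWS): a Python sketch that reads a message's From and Authentication-Results headers and reports SPF alignment, DKIM alignment and the resulting DMARC outcome under relaxed alignment. The sample messages, the mx.example.net receiver and the two-label organizational-domain shortcut are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Authentication-Results property that carries each method's authenticated domain.
PROPS = {"spf": "smtp.mailfrom", "dkim": "header.d"}

def org_domain(domain):
    # Assumption: organizational domain = last two labels. Real evaluators use
    # the Public Suffix List, so this is wrong for suffixes such as co.uk.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def dmarc_alignment(raw_message):
    """Return which passing mechanisms align with the From domain (relaxed mode)."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2]
    aligned = {"spf": False, "dkim": False}
    for header in msg.get_all("Authentication-Results", []):
        # Unfold the header, then look at each "method=result props" clause.
        for clause in " ".join(header.split()).split(";"):
            method = re.match(r"(spf|dkim)=pass\b", clause.strip())
            if not method:
                continue  # only a passing result can contribute to DMARC
            prop = re.search(re.escape(PROPS[method.group(1)]) + r"=(\S+)", clause)
            if prop and org_domain(prop.group(1).rpartition("@")[2]) == org_domain(from_domain):
                aligned[method.group(1)] = True
    # DMARC passes when at least one aligned mechanism passes.
    aligned["dmarc"] = aligned["spf"] or aligned["dkim"]
    return aligned

# Constructed sample: default return-path at amazonses.com, Easy DKIM enabled.
DEFAULT_MAIL_FROM = """\
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=0000constructed@amazonses.com;
 dkim=pass header.d=yourdomain.com header.s=abc123;
 dkim=pass header.d=amazonses.com
From: App <noreply@yourdomain.com>
Subject: test

body
"""
# Constructed sample: same message after a custom MAIL FROM domain is configured.
CUSTOM_MAIL_FROM = DEFAULT_MAIL_FROM.replace(
    "0000constructed@amazonses.com", "bounce@mail.yourdomain.com")

if __name__ == "__main__":
    print("default MAIL FROM:", dmarc_alignment(DEFAULT_MAIL_FROM))
    print("custom MAIL FROM: ", dmarc_alignment(CUSTOM_MAIL_FROM))
```

Only read Authentication-Results headers stamped by a receiving server you control; this sketch does not check the authserv-id at the start of the header.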

Common Issues

SPF alignment fails under DMARC: Without a custom MAIL FROM domain, SES uses amazonses.com as the return-path, which won't align with your domain. Configure a custom MAIL FROM domain or rely on DKIM alignment for DMARC to pass.

Wrong region in MX record: If you configure a custom MAIL FROM domain, the MX record must point to the correct SES region (e.g., feedback-smtp.us-west-2.amazonses.com). Using the wrong region will cause bounce processing to fail.

SES sandbox limitations: New SES accounts are in sandbox mode and can only send to verified addresses. This doesn't affect authentication setup, but test emails must go to verified recipients until you request production access.

SPF Lookup Impact

Include          Estimated Lookups
amazonses.com    1

Amazon SES has one of the lightest SPF footprints of any major email provider.