Setup Guide

How to Set Up SPF, DKIM, and DMARC for Amazon SES

Amazon Simple Email Service (SES) is a cost-effective transactional email platform commonly used by developers and SaaS companies. SES is often behind the scenes in applications sending password resets, order confirmations, and system notifications. Authentication setup is handled through the AWS console.

SPF Configuration

Amazon SES uses a single include for SPF authorization.

DNS Record:

Type:  TXT
Host:  @
Value: v=spf1 include:amazonses.com ~all

Combined with other services:

v=spf1 include:_spf.google.com include:amazonses.com ~all

Alternative — Custom MAIL FROM domain: SES supports configuring a custom MAIL FROM (return-path) domain, which is the recommended approach for SPF alignment under DMARC. If you configure a custom MAIL FROM domain (e.g., mail.yourdomain.com), you add the SPF record there instead:

Type:  TXT
Host:  mail
Value: v=spf1 include:amazonses.com ~all

Type:  MX
Host:  mail
Value: 10 feedback-smtp.us-east-1.amazonses.com

The MX record is required for bounce processing. Replace the region with your SES region.

Verify your total lookup count with the SenderClarity SPF Checker.

DKIM Configuration

SES provides two DKIM options: Easy DKIM (recommended) and manual BYODKIM.

Easy DKIM:

  1. In the AWS SES console, go to Verified Identities.
  2. Select your domain (or verify it if you haven't already).
  3. Under the Authentication tab, click Edit in the DKIM section.
  4. Select Easy DKIM and choose RSA 2048-bit.
  5. SES will generate three CNAME records:

Type:  CNAME
Host:  abc123._domainkey
Value: abc123.dkim.amazonses.com

Type:  CNAME
Host:  def456._domainkey
Value: def456.dkim.amazonses.com

Type:  CNAME
Host:  ghi789._domainkey
Value: ghi789.dkim.amazonses.com

  6. Add all three CNAMEs to your DNS.
  7. SES will automatically verify and begin signing once the records propagate.

SES uses three DKIM records for key rotation. The actual hostnames and values will be unique to your domain.

DMARC Configuration

Start with monitoring mode:

Type:  TXT
Host:  _dmarc
Value: v=DMARC1; p=none; rua=mailto:your-address@reports.senderclarity.com; fo=1

Progress to enforcement after confirming SES traffic passes:

  1. p=quarantine; pct=25
  2. p=quarantine; pct=100
  3. p=reject

Verification

  • Check your SPF record
  • Use the SES Send Test Email function and inspect the headers
  • Confirm dkim=pass and alignment with your domain
  • Monitor DMARC reports in SenderClarity

Common Issues

SPF alignment fails under DMARC: Without a custom MAIL FROM domain, SES uses amazonses.com as the return-path, which won't align with your domain. Configure a custom MAIL FROM domain or rely on DKIM alignment for DMARC to pass.
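An added example (not part of the original guide): a Python check for the header inspection step under Verification and for the alignment failure described above. It parses an Authentication-Results header and reports relaxed DMARC alignment for SPF and DKIM. The sample headers are constructed, and org_domain is a hypothetical helper that takes the last two labels instead of consulting the Public Suffix List.

```python
import re

# Constructed sample headers (not captured from real mail). The first models SES
# without a custom MAIL FROM domain, the second with mail.yourdomain.com configured.
DEFAULT_MAIL_FROM = (
    "mx.example.net; "
    "spf=pass smtp.mailfrom=0100abc@us-east-1.amazonses.com; "
    "dkim=pass header.d=yourdomain.com; "
    "dkim=pass header.d=amazonses.com; "
    "dmarc=pass header.from=yourdomain.com"
)
CUSTOM_MAIL_FROM = DEFAULT_MAIL_FROM.replace(
    "0100abc@us-east-1.amazonses.com", "0100abc@mail.yourdomain.com")


def org_domain(domain):
    # Assumption: last two labels. Real evaluators use the Public Suffix List,
    # so this is wrong for suffixes such as co.uk.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain):
    # Relaxed DMARC alignment: both names share one organizational domain.
    return org_domain(auth_domain) == org_domain(from_domain)


def check_alignment(auth_results, from_domain):
    """Report which passing mechanisms align with the From: domain."""
    spf_ok = dkim_ok = False
    for method in auth_results.split(";")[1:]:  # first field is the authserv-id
        m = re.match(r"\s*(spf|dkim)=(\w+)\s+(.*)", method, re.S)
        if not m or m.group(2) != "pass":
            continue  # a failing result never counts toward DMARC
        props = dict(p.split("=", 1) for p in m.group(3).split() if "=" in p)
        if m.group(1) == "spf":
            mailfrom = props.get("smtp.mailfrom", "").rsplit("@", 1)[-1]
            spf_ok = spf_ok or (bool(mailfrom) and aligned(mailfrom, from_domain))
        else:
            d = props.get("header.d", "")
            dkim_ok = dkim_ok or (bool(d) and aligned(d, from_domain))
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc_pass": spf_ok or dkim_ok}
```

With the default return-path, only the DKIM signature for your own domain carries DMARC; the amazonses.com signature passes but does not align.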

Wrong region in MX record: If you configure a custom MAIL FROM domain, the MX record must point to the correct SES region (e.g., feedback-smtp.us-west-2.amazonses.com). Using the wrong region will cause bounce processing to fail.

SES sandbox limitations: New SES accounts are in sandbox mode and can only send to verified addresses. This doesn't affect authentication setup, but test emails must go to verified recipients until you request production access.

SPF Lookup Impact

Include          Estimated Lookups
amazonses.com    1

Amazon SES has one of the lightest SPF footprints of any major email provider.