Amazon SES Email Authentication Setup

Amazon Simple Email Service (SES) is a scalable cloud email sending service. This guide covers the complete email authentication stack for Amazon SES: SPF, DKIM, and DMARC. Each section gives you the exact DNS records, step-by-step instructions, common pitfalls, and how to verify your setup.

How to Set Up SPF for Amazon SES

Authorize Amazon SES to send email on behalf of your domain by adding the Amazon SES include to your domain's SPF record.

Quick Answer — The Record You Need

Type: TXT
Host / Name: @
Value: v=spf1 include:amazonses.com ~all

The include:amazonses.com covers all AWS SES regions.

Step-by-Step Setup

1. Sign in to the AWS Console

Go to the AWS Management Console and navigate to the Amazon SES service in your sending region.

2. Verify your domain

Under Configuration > Verified identities, click "Create identity" and add your domain. SES will provide DNS records.

3. Check your existing SPF record

Check if you already have an SPF record.

dig TXT yourdomain.com +short | grep spf

4. Add Amazon SES to your SPF record

Add include:amazonses.com to your existing SPF record.

v=spf1 include:amazonses.com ~all

5. Enable custom MAIL FROM (recommended)

In SES, set a custom MAIL FROM domain (e.g., mail.yourdomain.com). This improves SPF alignment for DMARC. Add the SPF record to the MAIL FROM subdomain as well.

mail.yourdomain.com  TXT  "v=spf1 include:amazonses.com ~all"

Before & After

Before
v=spf1 include:_spf.google.com ~all
After
v=spf1 include:_spf.google.com include:amazonses.com ~all
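The Before & After merge as an added example (not code from this guide or from AWS): it takes the domain's current TXT values, refuses to create a second SPF record, and inserts the SES include ahead of the `all` term. The function names and the sample TXT values are assumptions made for illustration.

```python
import re

SES_INCLUDE = "include:amazonses.com"  # the include this guide gives for SES
# Terms that each cost one DNS lookup toward the RFC 7208 limit of 10.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def add_ses_include(txt_records):
    """Return the single SPF record to publish, given the domain's current TXT values."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) > 1:
        # Two v=spf1 records make receivers return permerror, so never add a second one.
        raise ValueError("multiple SPF records found; merge them into one first")
    if not spf:
        return f"v=spf1 {SES_INCLUDE} ~all"
    terms = spf[0].split()
    if SES_INCLUDE in (t.lower().lstrip("+") for t in terms):
        return spf[0]  # already authorized, nothing to change
    # Mechanisms after "all" are ignored, so insert before the all/redirect term.
    stop = next((i for i, t in enumerate(terms)
                 if re.fullmatch(r"[+\-~?]?all", t, re.I)
                 or t.lower().startswith("redirect=")),
                len(terms))
    terms.insert(stop, SES_INCLUDE)
    return " ".join(terms)

def top_level_lookups(record):
    """Count lookup-costing terms in this record only (nested includes add more)."""
    names = (re.split(r"[:/=]", t.lower().lstrip("+-~?"), maxsplit=1)[0]
             for t in record.split()[1:])
    return sum(n in LOOKUP_TERMS for n in names)

# Constructed sample input: the "Before" record from this guide plus an unrelated TXT value.
current = ["v=spf1 include:_spf.google.com ~all", "site-verification=constructed-example"]
merged = add_ses_include(current)
print(merged, "| top-level DNS lookups:", top_level_lookups(merged), "of 10 allowed")
```
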

SPF Gotchas

  • Amazon SES uses a default MAIL FROM of amazonses.com, which will not align with your domain for DMARC SPF. Set a custom MAIL FROM domain to achieve SPF alignment.
  • The include:amazonses.com covers all SES regions. You do not need region-specific includes.
  • If you configure a custom MAIL FROM domain, you need an SPF record on that subdomain AND an MX record pointing to feedback-smtp.<region>.amazonses.com.

SPF FAQ

What SPF record do I need for Amazon SES?

Add include:amazonses.com to your SPF record. For DMARC alignment, also configure a custom MAIL FROM domain in SES and add the SPF record there.

Do I need different SPF records for different SES regions?

No. The include:amazonses.com covers all AWS SES regions. One include is sufficient.

What is a custom MAIL FROM domain in Amazon SES?

A custom MAIL FROM domain (e.g., mail.yourdomain.com) replaces the default amazonses.com envelope sender. This is required for SPF alignment under DMARC.

How to Set Up DKIM for Amazon SES (Easy DKIM)

Enable Easy DKIM in Amazon SES by publishing three CNAME records that allow AWS to sign outgoing email with your domain.

Quick Answer — The Record You Need

Type: CNAME
Host / Name: abc123._domainkey
Value: abc123.dkim.amazonses.com

SES provides three unique CNAME records. The exact values are generated in your SES console.

Step-by-Step Setup

1. Open Amazon SES in the AWS Console

Navigate to Amazon SES in your sending region.

2. Create or select your domain identity

Under Verified identities, select your domain. Under the Authentication tab, find the DKIM section.

3. Enable Easy DKIM

SES will generate three CNAME records for DKIM. Easy DKIM uses 2048-bit keys by default.

4. Publish the three CNAME records

Add all three CNAME records to your DNS provider.

abc123._domainkey.yourdomain.com  CNAME  abc123.dkim.amazonses.com
def456._domainkey.yourdomain.com  CNAME  def456.dkim.amazonses.com
ghi789._domainkey.yourdomain.com  CNAME  ghi789.dkim.amazonses.com

5. Wait for verification

SES will automatically verify the CNAME records. The DKIM status will change to "Verified" once propagation is complete, typically within 72 hours.

DKIM Gotchas

  • You need ALL three CNAME records, not just one. SES will not enable DKIM until all three are detected.
  • The CNAME values are unique to your SES identity. You must copy them from the SES console -- they cannot be guessed.
  • Easy DKIM keys are rotated automatically by AWS. Because the records are CNAMEs, no DNS changes are needed during rotation.

DKIM FAQ

How many DKIM records does Amazon SES require?

Amazon SES Easy DKIM requires three CNAME records. All three must be published in your DNS for DKIM to activate.

Does Amazon SES rotate DKIM keys automatically?

Yes. Easy DKIM keys are rotated automatically by AWS. The CNAME records point to AWS-managed DNS, so no DNS updates are needed.

Can I use my own DKIM keys with Amazon SES?

Yes. SES supports "Bring Your Own DKIM" (BYODKIM) where you provide your own key pair. However, Easy DKIM is simpler and recommended for most users.

How to Set Up DMARC for Amazon SES

Publish a DMARC record to protect your domain when using Amazon SES, ensuring proper alignment of SPF and DKIM.

Quick Answer — The Record You Need

Type: TXT
Host / Name: _dmarc
Value: v=DMARC1; p=none; rua=mailto:[email protected]; ruf=mailto:[email protected]; fo=1

For DMARC to fully pass, configure a custom MAIL FROM domain (for SPF alignment) and Easy DKIM.

Step-by-Step Setup

1. Configure Easy DKIM

Set up Easy DKIM with the three CNAME records. This gives you DKIM alignment.

2. Set a custom MAIL FROM domain

In SES, configure a custom MAIL FROM domain (e.g., mail.yourdomain.com) with its own SPF record and MX record. This gives you SPF alignment.

3. Create the DMARC record

Add a TXT record at _dmarc.yourdomain.com.

v=DMARC1; p=none; rua=mailto:[email protected]; ruf=mailto:[email protected]; fo=1

4. Test and verify alignment

Send test emails via SES and check headers for dmarc=pass with both SPF and DKIM alignment.

5. Enforce gradually

Move from p=none to p=quarantine to p=reject over several weeks.

DMARC Gotchas

  • Without a custom MAIL FROM domain, SES uses amazonses.com as the envelope sender, which fails SPF alignment. You will rely solely on DKIM alignment for DMARC.
  • SES sends email from the region where the identity is configured. Ensure your domain is verified in the correct region.
  • If you use SES in multiple regions, verify your domain in each region separately. DKIM CNAMEs are the same across regions, but verification is per-region.
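How a receiver reaches the dmarc=pass verdict for the MAIL FROM and DKIM combinations described above, as an added example (not code from this guide or from AWS). The function names, the scenario inputs and the `p=reject` record are constructed, and the organizational-domain rule is a simplifying assumption noted in the code.

```python
def org_domain(domain):
    # ASSUMPTION: the organizational domain is the last two labels. Real DMARC
    # evaluators use the Public Suffix List, so this is wrong for e.g. co.uk.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, strict):
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if strict else org_domain(a) == org_domain(f)

def parse_dmarc(record):
    pairs = (kv.split("=", 1) for kv in record.split(";") if "=" in kv)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def evaluate(from_domain, mail_from, spf_pass, dkim_pass_domains, record):
    """mail_from: envelope sender domain; dkim_pass_domains: d= of signatures that verified."""
    tags = parse_dmarc(record)
    # aspf/adkim default to relaxed ("r"); "s" demands an exact domain match.
    spf_ok = spf_pass and aligned(mail_from, from_domain, tags.get("aspf", "r") == "s")
    dkim_ok = any(aligned(d, from_domain, tags.get("adkim", "r") == "s")
                  for d in dkim_pass_domains)
    passed = spf_ok or dkim_ok  # DMARC needs only one aligned pass
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if passed else "fail",
            "policy_applied": "none" if passed else tags.get("p", "none")}

RECORD = "v=DMARC1; p=reject"  # constructed: the enforced end state of this guide's rollout
SCENARIOS = {  # constructed inputs using this guide's placeholder domain
    "default MAIL FROM + Easy DKIM": ("amazonses.com", ["yourdomain.com"]),
    "custom MAIL FROM + Easy DKIM": ("mail.yourdomain.com", ["yourdomain.com"]),
    "default MAIL FROM, no domain DKIM": ("amazonses.com", []),
}
for name, (mail_from, dkim) in SCENARIOS.items():
    print(name, evaluate("yourdomain.com", mail_from, True, dkim, RECORD))
```

The third scenario is the one to rule out before leaving p=none: SPF itself passes, but nothing aligns, so an enforcing policy is applied to your own mail.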

DMARC FAQ

Why do my SES emails fail DMARC SPF alignment?

By default, SES uses amazonses.com as the MAIL FROM (envelope sender), which does not align with your domain. Set a custom MAIL FROM domain in SES to fix this.

Is DKIM enough for DMARC with Amazon SES?

Yes. DMARC requires either SPF or DKIM to pass and align. Easy DKIM provides DKIM alignment, which is sufficient. However, setting up both SPF and DKIM alignment is best practice.

Do I need a DMARC record for each SES region?

No. DMARC is a per-domain DNS record, not per-region. One DMARC record on your domain covers all email sent from any SES region.

Verify Your Amazon SES Setup

Once your SPF, DKIM, and DMARC records are in place, run a full domain scan to confirm everything is configured correctly. DNS changes typically propagate within minutes but can take up to 48 hours.
