Publish a DMARC record to protect your domain when using Amazon SES, ensuring proper alignment of SPF and DKIM.
TXT
_dmarc
v=DMARC1; p=none; rua=mailto:[email protected]; ruf=mailto:[email protected]; fo=1
For DMARC to fully pass, configure a custom MAIL FROM domain (for SPF alignment) and Easy DKIM.
Set up Easy DKIM with the three CNAME records. This gives you DKIM alignment.
In SES, configure a custom MAIL FROM domain (e.g., mail.yourdomain.com) with its own SPF record and MX record. This gives you SPF alignment.
Add a TXT record at _dmarc.yourdomain.com.
v=DMARC1; p=none; rua=mailto:[email protected]; ruf=mailto:[email protected]; fo=1Send test emails via SES and check headers for dmarc=pass with both SPF and DKIM alignment.
Move from p=none to p=quarantine to p=reject over several weeks.
After adding your DNS records, use our free DMARC checker to verify everything is configured correctly. DNS changes typically propagate within minutes, but can take up to 48 hours.
By default, SES uses amazonses.com as the MAIL FROM (envelope sender), which does not align with your domain. Set a custom MAIL FROM domain in SES to fix this.
Yes. DMARC requires either SPF or DKIM to pass and align. Easy DKIM provides DKIM alignment, which is sufficient. However, setting up both SPF and DKIM alignment is best practice.
No. DMARC is a per-domain DNS record, not per-region. One DMARC record on your domain covers all email sent from any SES region.