SPF, DKIM, and DMARC for Amazon SES: complete setup guide

A complete walkthrough for authenticating Amazon SES. SES uses Easy DKIM, which generates three CNAME records you publish once, plus an optional Custom MAIL FROM domain for SPF alignment. DMARC ties them together.

TL;DR

  1. SPF: optional. SES aligns SPF only if you set up a Custom MAIL FROM domain; otherwise rely on DKIM alignment, which is the recommended path.
  2. DKIM: enable Easy DKIM and publish the three CNAMEs SES generates (token1/2/3._domainkey -> token.dkim.amazonses.com), or mail signs with amazonses.com and never aligns.
  3. DMARC: start at p=none with rua, watch reports, then ramp to p=quarantine and p=reject.

What it does

This guide authenticates Amazon SES against your domain. SES's recommended setup is Easy DKIM: SES generates a key pair, gives you three CNAME records, and signs every outbound message with d=yourdomain once they resolve. That gives you DKIM alignment, which is all DMARC needs.

SES does not require an SPF include for DMARC. SPF only aligns if you configure a Custom MAIL FROM domain (a subdomain whose MX and SPF point at SES), which makes the envelope-from align too. Many SES users skip this and rely on DKIM alignment alone, which is supported and simpler.
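The alignment logic behind these two paragraphs, as an added example (not code from the original guide or from AWS). It assumes the organizational domain is the last two labels of a name (a real evaluator uses the Public Suffix List), uses example.com for yourdomain and a constructed SES-owned default MAIL FROM host, and also covers the strict aspf=s case, which goes beyond what the guide discusses.

```python
# Added example (not from the original guide): DMARC identifier alignment.
# Assumption: the organizational domain is approximated as the last two labels;
# a production evaluator derives it from the Public Suffix List.

def org_domain(domain):
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def aligned(header_from, auth_domain, strict=False):
    a = header_from.lower().rstrip(".")
    b = auth_domain.lower().rstrip(".")
    # Strict mode needs an exact match; relaxed mode compares organizational domains.
    return a == b if strict else org_domain(a) == org_domain(b)

def dmarc_result(header_from, dkim_d, mail_from, adkim="r", aspf="r",
                 dkim_pass=True, spf_pass=True):
    """DMARC passes when at least one passing mechanism is also aligned."""
    dkim_ok = dkim_pass and aligned(header_from, dkim_d, strict=(adkim == "s"))
    spf_ok = spf_pass and aligned(header_from, mail_from, strict=(aspf == "s"))
    return {"dkim_aligned": dkim_ok, "spf_aligned": spf_ok,
            "dmarc_pass": dkim_ok or spf_ok}

# Constructed scenarios. example.com stands in for yourdomain, and
# us-east-1.amazonses.com is a stand-in for an SES-owned default MAIL FROM.
SES_DEFAULT = "us-east-1.amazonses.com"
SCENARIOS = {
    "no Easy DKIM, default MAIL FROM": ("amazonses.com", SES_DEFAULT),
    "Easy DKIM only": ("example.com", SES_DEFAULT),
    "Easy DKIM + Custom MAIL FROM": ("example.com", "mail.example.com"),
}

def evaluate_all(**policy):
    """Evaluate every scenario for mail whose From: header is example.com."""
    return {name: dmarc_result("example.com", d, mf, **policy)
            for name, (d, mf) in SCENARIOS.items()}

if __name__ == "__main__":
    for name, res in evaluate_all().items():
        print(f"{name:34} {res}")
```

With aspf=s in the DMARC record, a MAIL FROM of mail.example.com no longer aligns with a From: of example.com, so DKIM carries the DMARC pass on its own.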

Step 1: Set up SPF for Amazon SES

SES does not need an apex SPF include. SPF aligns only if you set up a Custom MAIL FROM domain, which is optional. If you do, you publish an MX and an SPF TXT on a subdomain you choose (for example mail.yourdomain).

  1. Decide whether you need SPF alignment. If DKIM alignment is enough for you (it is for most senders), skip this section.

  2. If you want SPF alignment, in the SES console open your verified identity and configure a Custom MAIL FROM domain (for example mail.yourdomain).

  3. Publish the MX and SPF TXT records SES shows for that subdomain: an MX pointing to feedback-smtp.<region>.amazonses.com and an SPF TXT of v=spf1 include:amazonses.com ~all.

  4. Do not add include:amazonses.com to your apex SPF expecting it to align. SPF only aligns through the Custom MAIL FROM subdomain.

mail.yourdomain MX / TXT (Custom MAIL FROM, optional)

mail.yourdomain MX 10 feedback-smtp.<region>.amazonses.com
mail.yourdomain TXT v=spf1 include:amazonses.com ~all

Replace <region> with your SES region (for example us-east-1). SPF here is optional because DKIM alignment alone satisfies DMARC; the Custom MAIL FROM domain mainly adds a second authenticated path and a branded bounce domain.

Step 2: Set up DKIM for Amazon SES

SES Easy DKIM generates three account-specific tokens and gives you three CNAME records. You publish all three; SES hosts the keys under amazonses.com and signs every message. There is no key text to paste.

Selector: three token-based selectors (token1/2/3._domainkey), generated per identity by SES

  1. In the Amazon SES console, open Verified identities -> your domain -> the Authentication tab, and enable Easy DKIM (RSA 2048-bit recommended). (Confirm the current console path, as AWS revises it periodically.)

  2. SES displays three CNAME records, each token1/2/3._domainkey.yourdomain pointing to a tokenN.dkim.amazonses.com target unique to your account.

  3. Publish all three CNAMEs in your DNS exactly as shown.

  4. SES detects them automatically (no manual 'enable' click); the DKIM status flips to successful once all three resolve, usually within minutes to a few hours.

  5. Verify with the DKIM checker against one of the token._domainkey selectors SES gave you.

token1/2/3._domainkey.yourdomain CNAME

<token1>._domainkey.yourdomain CNAME <token1>.dkim.amazonses.com
<token2>._domainkey.yourdomain CNAME <token2>.dkim.amazonses.com
<token3>._domainkey.yourdomain CNAME <token3>.dkim.amazonses.com

The three tokens are random and specific to your SES identity; copy them exactly from the console. Use RSA 2048-bit unless you have a reason to choose 1024.

Step 3: Publish DMARC

  1. With Easy DKIM verified (and the optional Custom MAIL FROM domain if you set one up), publish your DMARC record at _dmarc.yourdomain. Start at p=none so receivers report but take no action.

  2. Add a rua address to collect daily aggregate reports.

  3. Watch the reports for a couple of weeks. Confirm SES mail passes with d=yourdomain via DKIM.

  4. Move to p=quarantine, then p=reject once the only remaining failures are unknown or spoofed sources. See the DMARC rollout playbook for the full ramp.

Example record

_dmarc.yourdomain.com TXT

v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com; fo=1

Common pitfalls

  • Expecting an apex include:amazonses.com to align SPF. It does not; SPF aligns only through a Custom MAIL FROM subdomain. Rely on DKIM alignment instead, or set up Custom MAIL FROM.

  • Publishing only one or two of the three Easy DKIM CNAMEs. SES needs all three to resolve before it marks DKIM successful and starts signing with your domain.

  • Sending while still in the SES sandbox. Sandbox accounts can only send to verified recipients, so test mail may bounce for reasons unrelated to authentication. Request production access before drawing conclusions.

  • Using a per-region identity in one region but sending from another. SES DKIM tokens and MAIL FROM MX hosts are region-specific; mismatched regions break verification.
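
A pre-flight check for the record-level pitfalls above, written as an added example (not code from the original guide or from AWS). It lints an in-memory record set so it runs offline; the tokens, the example.com zone and the function names are constructed placeholders, and in practice the record values would come from your DNS provider's export or a resolver.

```python
# Added example (not from the original guide): offline lint of a record set.
# Tokens, domain and records below are constructed placeholders.

def _norm(host):
    return host.lower().rstrip(".")

def lint_ses_dns(records, domain, tokens, region, mail_from=None):
    """records maps (name, rtype) -> list of values; returns a list of findings."""
    findings = []
    for tok in tokens:  # all three Easy DKIM CNAMEs must resolve
        targets = [_norm(v) for v in records.get((f"{tok}._domainkey.{domain}", "CNAME"), [])]
        if f"{tok}.dkim.amazonses.com" not in targets:
            findings.append(f"dkim: CNAME for {tok} missing or wrong target")
    apex = records.get((domain, "TXT"), [])
    if any(v.startswith("v=spf1") and "include:amazonses.com" in v.split() for v in apex):
        findings.append("spf: apex include:amazonses.com gives no SPF alignment")
    if mail_from:  # Custom MAIL FROM is optional; check it only when configured
        mx = [_norm(v.split()[-1]) for v in records.get((mail_from, "MX"), [])]
        if f"feedback-smtp.{region}.amazonses.com" not in mx:
            findings.append(f"mailfrom: MX is not feedback-smtp.{region}.amazonses.com")
        spf = [v for v in records.get((mail_from, "TXT"), []) if v.startswith("v=spf1")]
        if not any("include:amazonses.com" in v.split() for v in spf):
            findings.append("mailfrom: SPF TXT lacks include:amazonses.com")
    dmarc = [v for v in records.get((f"_dmarc.{domain}", "TXT"), []) if v.startswith("v=DMARC1")]
    if len(dmarc) != 1:
        findings.append("dmarc: expected exactly one v=DMARC1 record")
    else:
        tags = dict(t.strip().split("=", 1) for t in dmarc[0].split(";") if "=" in t)
        if tags.get("p") not in ("none", "quarantine", "reject"):
            findings.append("dmarc: missing or invalid p= tag")
        if "rua" not in tags:
            findings.append("dmarc: no rua, aggregate reports will not arrive")
    return findings

TOKENS = ["tokaaa", "tokbbb", "tokccc"]  # constructed; real tokens come from the console
ZONE = {  # constructed zone: third CNAME missing, apex include, MX in the wrong region
    ("tokaaa._domainkey.example.com", "CNAME"): ["tokaaa.dkim.amazonses.com."],
    ("tokbbb._domainkey.example.com", "CNAME"): ["tokbbb.dkim.amazonses.com."],
    ("example.com", "TXT"): ["v=spf1 include:amazonses.com ~all"],
    ("mail.example.com", "MX"): ["10 feedback-smtp.eu-west-1.amazonses.com."],
    ("mail.example.com", "TXT"): ["v=spf1 include:amazonses.com ~all"],
    ("_dmarc.example.com", "TXT"): ["v=DMARC1; p=none; rua=mailto:dmarc@example.com; fo=1"],
}

def run_lint():
    return lint_ses_dns(ZONE, "example.com", TOKENS, "us-east-1", "mail.example.com")
```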

FAQ

Do I need SPF for Amazon SES?

Not for DMARC. SES Easy DKIM gives you DKIM alignment, which is enough to pass DMARC. SPF only aligns if you configure an optional Custom MAIL FROM domain (an MX and SPF TXT on a subdomain). Many SES users rely on DKIM alignment alone.

What is Easy DKIM in SES?

Easy DKIM is SES's managed DKIM. SES generates a key pair and gives you three CNAME records (token1/2/3._domainkey pointing at amazonses.com targets). You publish all three and SES signs every message with d=yourdomain. There is no key text to paste.

Why is my SES domain not verifying DKIM?

The most common cause is publishing only some of the three Easy DKIM CNAMEs, or a region mismatch (the tokens and MAIL FROM MX are region-specific). Publish all three CNAMEs exactly as SES shows them in the correct region.

How do I get SPF to align with Amazon SES?

Configure a Custom MAIL FROM domain in the SES console, then publish the MX (feedback-smtp.<region>.amazonses.com) and SPF TXT (v=spf1 include:amazonses.com ~all) on that subdomain. SPF then aligns through the subdomain. It is optional because DKIM alignment already satisfies DMARC.