
Amazon SES SPF, DKIM & DMARC Setup Guide

Set up email authentication for Amazon SES. SPF include: amazonses.com. Uses 1 DNS lookup. Step-by-step DKIM and DMARC configuration.

Last updated Feb 27, 2026

SPF Configuration

include:amazonses.com
DNS Lookup Budget: 1 / 10

Each include, a, mx, and redirect costs a DNS lookup. SPF allows a maximum of 10.

This provider uses 1 of your 10 DNS lookups.

DKIM Configuration

Selector(s): auto-generated by Easy DKIM
Key Type: 2048-bit RSA (default) or 1024-bit RSA
Setup: SES Console > Verified identities > Create identity > Domain > Enable Easy DKIM > Publish 3 CNAME records

Setup steps may change — refer to Amazon SES's current documentation for the latest instructions.

DMARC Alignment

Alignment Mode: relaxed
Notes: Requires custom MAIL FROM domain for SPF alignment. DKIM alignment works with Easy DKIM.

Common Issues

  • DMARC alignment failure — SES using amazonses.com return-path instead of your domain
  • SPF PermError — too many lookups after adding SES + primary email + marketing tools
  • Emails going to spam — SES sending from sandbox mode without production access

Overview

Amazon Simple Email Service (SES) — commonly referred to as AWS SES — is AWS's cloud-based transactional email platform, tightly integrated with the broader AWS ecosystem. Its SPF record uses include:amazonses.com, costing 1 DNS lookup. SES is a common choice for applications already running on AWS infrastructure, and its lookup cost stacks on top of whatever your business email and marketing tools already consume.
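The lookup-budget rule above (include, a, mx and redirect each cost one of the 10 lookups, and SES itself costs one) and the "SPF PermError" entry under Common Issues can be checked mechanically. The following is an added example, not part of this guide or of any AWS tooling: it walks an SPF record the way a receiver does and counts lookups. It runs against constructed TXT records for hypothetical domains (the amazonses.com entry is a constructed stand-in with no nested includes, matching the one-lookup cost stated above), so no live DNS is queried.

```python
import re

SPF_LIMIT = 10                                      # RFC 7208 lookup limit
COUNTED = {"include", "a", "mx", "ptr", "exists", "redirect"}
TERM = re.compile(r"^([a-z0-9]+)(?:[:=]([^/\s]+))?(?:/\d+)?$")

# Constructed TXT records (hypothetical domains, documentation IP ranges)
# standing in for live DNS. example.org is "SES only"; example.com is
# "SES + primary mail host + marketing CRM" from the Common Issues list.
CONSTRUCTED_TXT = {
    "example.org": "v=spf1 include:amazonses.com ~all",
    "example.com": "v=spf1 include:amazonses.com include:_spf.mailhost.example "
                   "include:crm.example ~all",
    "amazonses.com": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.0/24 ~all",
    "_spf.mailhost.example": "v=spf1 include:a.mailhost.example "
                             "include:b.mailhost.example include:c.mailhost.example ~all",
    "a.mailhost.example": "v=spf1 ip4:203.0.113.0/26 ~all",
    "b.mailhost.example": "v=spf1 ip4:203.0.113.64/26 ~all",
    "c.mailhost.example": "v=spf1 ip4:203.0.113.128/26 ~all",
    "crm.example": "v=spf1 include:crm-a.example include:crm-b.example "
                   "include:crm-c.example mx a ~all",
    "crm-a.example": "v=spf1 ip4:203.0.113.192/27 ~all",
    "crm-b.example": "v=spf1 ip4:203.0.113.224/27 ~all",
    "crm-c.example": "v=spf1 ip6:2001:db8::/64 ~all",
}

def count_lookups(domain, dns=CONSTRUCTED_TXT, path=()):
    """Count DNS-querying terms in the domain's SPF record, recursing into
    include: and redirect= exactly as an evaluating receiver would."""
    if domain in path:
        raise ValueError(f"include loop via {domain}")
    record = dns.get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        raise ValueError(f"no SPF record at {domain}")
    total = 0
    for raw in record.split()[1:]:
        m = TERM.match(raw.lstrip("+-~?").lower())
        if not m or m.group(1) not in COUNTED:
            continue                                # ip4/ip6/all cost nothing
        total += 1
        if m.group(1) in ("include", "redirect") and m.group(2):
            total += count_lookups(m.group(2), dns, path + (domain,))
    return total

def spf_budget(domain, dns=CONSTRUCTED_TXT):
    """Summarise the budget as the guide's 'n / 10' figure does."""
    used = count_lookups(domain, dns)
    return {"domain": domain, "lookups": used, "limit": SPF_LIMIT,
            "result": "ok" if used <= SPF_LIMIT else "PermError"}
```

With these constructed records, example.org uses 1 of 10 lookups, while example.com reaches 11 and would evaluate to PermError at every receiver, which is the stacking effect the overview describes.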

DKIM in SES is configured through Easy DKIM, which generates three CNAME records that you publish in your domain's DNS. These CNAME records delegate DKIM signing to SES — no manual key management required. SES uses 2048-bit RSA keys by default (1024-bit available if your DNS provider has record length limits). For organizations that need to manage their own signing keys, SES also supports BYODKIM (Bring Your Own DKIM), where you provide the private key directly.

The most commonly missed step in Amazon SES setup is configuring a custom MAIL FROM domain. Without it, SES uses amazonses.com as the return-path, which breaks SPF alignment under DMARC. DKIM alignment works out of the box with Easy DKIM because SES signs messages using your domain. But SPF alignment requires that extra MAIL FROM configuration — a single MX record and TXT record on a subdomain like mail.yourdomain.com.

Additional Setup Notes

Easy DKIM vs. BYODKIM

Easy DKIM is the recommended approach for most organizations — SES handles key generation, rotation, and signing automatically. The three CNAME records delegate signing authority to AWS, and SES rotates keys on its own schedule without requiring DNS updates on your end. This is the path of least resistance for the Simple Email Service.

BYODKIM is useful when compliance requirements mandate that you control the private key, but it means you're responsible for key rotation yourself. BYODKIM also requires that you generate a 2048-bit RSA key pair, publish the public key as a TXT record, and provide the private key to SES through the API or console. If you ever need to rotate the key, you must coordinate the DNS update and the SES configuration update — there's no automatic rollover.

Custom MAIL FROM Domain Configuration

Custom MAIL FROM domain setup is a two-record process: an MX record pointing to feedback-smtp.<region>.amazonses.com and an SPF TXT record (v=spf1 include:amazonses.com ~all) on the MAIL FROM subdomain. Without this, every DMARC report will show SPF alignment failures.

The MAIL FROM subdomain should be a dedicated subdomain (e.g., mail.yourdomain.com or bounce.yourdomain.com) that you don't use for receiving email. AWS SES uses the MX record on this subdomain to handle bounces and complaints. If you use a subdomain that already has an MX record for inbound mail, the SES MX will conflict with it.

Multi-Region Considerations

SES operates per-region. If your application sends from multiple AWS regions (e.g., us-east-1 and eu-west-1), each region requires its own domain verification and Easy DKIM setup. The SPF include mechanism (amazonses.com) covers all regions, but DKIM verification is region-specific. You'll publish separate sets of three CNAME records for each region — the selectors are different per-region, so they don't conflict.

The custom MAIL FROM domain is also region-specific. The MX record must point to the correct regional feedback SMTP endpoint (e.g., feedback-smtp.us-east-1.amazonses.com). If you send from multiple regions, you'll need a separate MAIL FROM subdomain for each region, or use a single region for all outbound mail.

Sandbox Mode and Production Access

New AWS SES accounts start in sandbox mode, which restricts sending to verified addresses only. Production access requires a sending limit increase request through AWS Support. The review process typically takes 24-48 hours. Until you have production access, you cannot send to unverified recipients — this catches many development teams off guard when they try to test email flows in staging environments.

To request production access, navigate to the SES console, select "Account dashboard," and click "Request production access." AWS evaluates your use case, expected volume, bounce/complaint handling, and whether you've configured authentication properly. Having SPF, DKIM, and a custom MAIL FROM domain configured before requesting access improves your approval chances.

Troubleshooting

DMARC Alignment Failures Despite Valid SPF

The most common AWS SES issue in DMARC reports is SPF alignment failure — SPF passes (the check against amazonses.com succeeds) but alignment fails because the return-path domain doesn't match your From header domain. This always means the custom MAIL FROM domain is either not configured or not working.

To diagnose:

  1. Send a test message and inspect the Return-Path header. If it shows something@amazonses.com instead of your domain, MAIL FROM is not configured.
  2. Check the SES console under "Verified identities" — your domain should show a custom MAIL FROM domain with a "Verified" status.
  3. Query the MX record on your MAIL FROM subdomain: dig MX mail.yourdomain.com. It should return the regional SES feedback endpoint.
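Steps 1 and 3 above can be scripted. The following is an added example and is not code from this guide or from AWS: it compares the Return-Path domain with the From domain under relaxed and strict alignment, flags the amazonses.com fallback, and checks that the MAIL FROM subdomain's MX and SPF records match the regional endpoint described in the Custom MAIL FROM section. The test messages, DNS answers, region and domains are constructed placeholders, and the organizational-domain logic is simplified to the last two labels (real receivers use the Public Suffix List).

```python
import email
from email.utils import parseaddr

# Constructed test messages (not real SES output): the first carries the
# default amazonses.com return-path, the second the same message after a
# custom MAIL FROM on mail.example.com. Addresses are placeholders.
MSG_NO_MAIL_FROM = ("Return-Path: <bounce-0101@amazonses.com>\n"
                    "From: Alerts <alerts@example.com>\n\nbody\n")
MSG_MAIL_FROM = ("Return-Path: <bounce-0101@mail.example.com>\n"
                 "From: Alerts <alerts@example.com>\n\nbody\n")

# Constructed DNS answers standing in for `dig MX` / `dig TXT` on the subdomain.
CONSTRUCTED_DNS = {
    ("mail.example.com", "MX"): ["10 feedback-smtp.us-east-1.amazonses.com."],
    ("mail.example.com", "TXT"): ["v=spf1 include:amazonses.com ~all"],
}

def org_domain(domain):
    """Organizational domain for relaxed alignment. Simplified to the
    last two labels; real receivers consult the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def spf_alignment(raw_message, mode="relaxed"):
    """Step 1: compare the Return-Path domain (what SPF authenticates)
    with the From header domain (what DMARC requires it to align with)."""
    msg = email.message_from_string(raw_message)
    rp = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2].lower()
    frm = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    aligned = rp == frm if mode == "strict" else org_domain(rp) == org_domain(frm)
    if rp == "amazonses.com" or rp.endswith(".amazonses.com"):
        diagnosis = "custom MAIL FROM not configured (or SES fell back to amazonses.com)"
    elif aligned:
        diagnosis = "SPF-aligned"
    else:
        diagnosis = "return-path domain does not align with From domain"
    return {"return_path": rp, "from": frm, "aligned": aligned,
            "diagnosis": diagnosis}

def check_mail_from_records(subdomain, region, dns=CONSTRUCTED_DNS):
    """Step 3: the subdomain needs an MX to the regional SES feedback
    endpoint plus its own SPF TXT record carrying include:amazonses.com."""
    expected_mx = f"feedback-smtp.{region}.amazonses.com"
    mx_ok = any(r.split()[-1].rstrip(".").lower() == expected_mx
                for r in dns.get((subdomain, "MX"), []))
    spf_ok = any(r.startswith("v=spf1") and "include:amazonses.com" in r.split()
                 for r in dns.get((subdomain, "TXT"), []))
    return {"expected_mx": expected_mx, "mx_ok": mx_ok, "spf_ok": spf_ok}
```

Checking the same subdomain against a different region fails the MX test, which is the region-specific MAIL FROM point made under Multi-Region Considerations.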

Easy DKIM Showing "Pending" Status

After publishing the three CNAME records, SES periodically checks for DNS propagation. The status may show "Pending" for up to 72 hours, though it usually resolves within an hour. If it stays pending:

  • Verify all three CNAME records are published exactly as shown in the SES console. Even a single missing record prevents verification.
  • Check for DNS proxy interference — Cloudflare users must set CNAME records to DNS-only mode (grey cloud).
  • Confirm there are no conflicting records at the same names. Stale DKIM records from a previous SES configuration or another provider can cause verification to fail.

Bounces Returning to amazonses.com

If bounce notifications are not reaching your configured SNS topic or email address, check that the MAIL FROM MX record is correctly configured. When SES cannot route bounces through your custom MAIL FROM domain, it falls back to amazonses.com — which means bounce handling works, but SPF alignment breaks. This silent fallback is an AWS SES behavior that catches many administrators by surprise.

SPF Record Placement for MAIL FROM Subdomain

A common mistake with the Simple Email Service is publishing the SPF record on the wrong domain. The SPF record v=spf1 include:amazonses.com ~all must be on the MAIL FROM subdomain (e.g., mail.yourdomain.com), not on the root domain. The root domain's SPF record should include amazonses.com only if SES sends with the root domain as the MAIL FROM — which it does by default when no custom MAIL FROM is configured. Once you configure a custom MAIL FROM, the root domain's SPF record doesn't need the SES include (though keeping it doesn't hurt).

If you're using AWS SES alongside other providers and approaching the 10-lookup limit, Managed SPF can flatten the nested lookups into direct IP references, keeping the budget under control.
