Skip to main content
Source Guide: Amazon SES

Source Guide: Amazon SES

Technical Guidance

This guide describes the process for configuring Amazon SES to send DMARC-compliant email. You will need to configure this source, and others that send on your behalf, before advancing your DMARC policies to a more restrictive state, e.g., quarantine and/or reject.

To bring this source into DMARC compliance, you will need access to the Amazon SES administrative account and the domain’s DNS management console.

From time to time, these instructions change with very little advance notice. Please always refer to documentation hosted by Amazon SES for the most complete and accurate information.

General information
Amazon Simple Email Service (SES) is an email service that enables developers to send mail from within any application. Common use cases are for transactional emails, marketing emails, and bulk email. The service is likely to be managed by development teams. Amazon SES supports DMARC compliance through DKIM and SPF alignment.

DKIM
The following steps outline how to set up EasyDKIM, where Amazon SES manages DKIM signing for your domain. To configure DKIM:

  • Sign in to the AWS Management Console and open the Amazon SES console at https://console.aws.amazon.com/ses/.
  • In the navigation pane, under Configuration, choose Verified identities.
  • In the list of identities, choose an identity where the Identity type is Domain. Note: If you need to create or verify a domain, see Creating a domain identity.
  • Under the Authentication tab, in the DomainKeys Identified Mail (DKIM) container, choose Edit.
  • In the Advanced DKIM settings container, choose the Easy DKIM button in the Identity type field.
This is a screenshot of Amazon SES Verify Domain screen
  • In the DKIM signing key length field, choose either RSA_2048_BIT or RSA_1024_BIT. (We recommend 2048 BIT.).
  • In the DKIM signatures field, check the Enabled box.
  • Choose Save changes.
  • Now that you’ve configured your domain identity with Easy DKIM, you must complete the verification process with your DNS provider. Proceed to Verifying a DKIM domain identity with your DNS provider and follow the DNS authentication procedures for Easy DKIM.

Reference: Amazon’s DKIM directions

SPF (optional)
Amazon SES requires the use of a dedicated subdomain to achieve SPF alignment. You also need to publish an MX record so that your domain can receive the bounce and complaint notifications that email providers send you.

To configure SPF:

  • Open the Amazon SES console at https://console.aws.amazon.com/ses/.
  • In the left navigation pane, under Configuration, choose Verified identities.
  • In the list of identities, choose the identity you want to configure where the Identity type is Domain and Status is Verified.
  • At the bottom of the screen in the Custom MAIL FROM domain pane, choose Edit.
  • In the General details pane, do the following:
    • Select the Use a custom MAIL FROM domain checkbox.
    • For MAIL FROM domain, enter the subdomain that you want to use as the MAIL FROM domain.
    • For Behavior on MX failure, choose one of the following options:
      • Use default MAIL FROM domain – If the custom MAIL FROM domain’s MX record is not set up correctly, Amazon SES uses a subdomain of amazonses.com. The subdomain varies based on the AWS Region that you use Amazon SES in.
      • Reject message – If the custom MAIL FROM domain’s MX record is not set up correctly, Amazon SES returns a MailFromDomainNotVerified error. Emails that you attempt to send from this domain are automatically rejected.
  • Choose Save changes, and you’ll be returned to the previous screen.
Screenshot of Amazon SES custom from domain pane
  • Publish the MX and SPF (type TXT) records to the DNS server of the custom MAIL FROM domain:
    • In the Custom MAIL FROM domain pane, the Publish DNS records table now displays the MX and SPF (type TXT) records that you have to publish (add) to your domain’s DNS configuration.
Screenshot of Amazon SES custom from domain pane - results pane

Reference: Amazon’s SPF directions


If you have a dmarcian account, it may take a few days to see these changes reflected in the dmarcian platform. You can look in the Detail Viewer (shown below) to check SPF and DKIM alignment required for DMARC.

dmarcian detail viewer screenshot for source guides

With a team of email security experts and a mission of making email and the internet more trustworthy through domain security, dmarcian is here to help assess an organization’s domain catalog and implement and manage DMARC for the long haul.


Want to continue the conversation? Head over to the dmarcian Forum.