AmazonSES SPF and DKIM Setup | EasyDMARC


If you are using AmazonSES, you should set up SPF and DKIM to ensure your emails are sent from your domain. This post walks through the configuration steps for Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) signatures on your AmazonSES account, so that your mail passes the DMARC alignment check.

SPF records allow receiving servers to check whether an email with the specified source domain was actually sent from a server authorized by the owner of this domain. DKIM adds a digital signature to each message. This allows the receiving server to check whether the message was sent by an authorized sender, or was faked or changed during delivery.

The process of setting up the SPF and DKIM Records

First, let’s look at the current settings in our AmazonSES portal and work out the steps needed to achieve SPF & DKIM Authentication.

AmazonSES portal

As seen in the above screenshot, our current settings are:

  • DKIM Signing: n/a or Off – This means that a customized DKIM Signature is not in place for AmazonSES. As a result, DKIM is marked as Fail.
  • MAIL FROM Domain: amazonses.com – This means that the Return-Path domain being used is amazonses.com, and not our customized domain. As a result, SPF is marked as Fail.

In order to fix this, we need to:

Generate DKIM Settings

First, click on your domain name, which takes you to your Sender Details page:

AmazonSES Sender Details page

On that page, you’ll need to click on DKIM -> Generate DKIM Settings

AmazonSES Generate DKIM Settings

AmazonSES will provide 3 CNAME Records for DKIM Settings. The next step is to add these CNAME Records to your DNS zone (in our case, Cloudflare).

1st Record:

Type: CNAME
Host/Name: 6povzqxjf5aoyxx3nmg6n424mhlywwef._domainkey.easydmarc.me
Value/Target: 6povzqxjf5aoyxx3nmg6n424mhlywwef.dkim.amazonses.com

amazonSES CNAME Records for DKIM Settings

2nd Record:

Type: CNAME
Host/Name: jyrf7vx3nvqndaj76x5jwltmfezjg2dn._domainkey.easydmarc.me
Value/Target: jyrf7vx3nvqndaj76x5jwltmfezjg2dn.dkim.amazonses.com


3rd Record:

Type: CNAME
Host/Name: w6i5npku5lckyx3gbzcq3x3rmpwped6p._domainkey.easydmarc.me
Value/Target: w6i5npku5lckyx3gbzcq3x3rmpwped6p.dkim.amazonses.com


After adding all the CNAME Records, make sure to Refresh your AWS portal. If everything is set up correctly, the green “Enabled” & “Verified” banners will show up.

“Enabled” & “Verified” banners amazonSES

Setting MAIL FROM Domain

Setting a customized MAIL FROM Domain will let you achieve SPF Alignment and Pass results. From your Sender Details page, you need to click on “Set MAIL FROM Domain”, and choose any given subdomain name for the setup process. In this example, we are using “notifications.easydmarc.me”:

Mail from domain amazonSES


After clicking on “Set MAIL FROM Domain”, AmazonSES will provide you with 2 Records that need to be added to your DNS (in this example, we’ll be using Cloudflare):

 CNAME set mail from domain amazonSES

1st Record:

Type: MX
Host/Name: notifications.easydmarc.me
Value/Target: feedback-smtp.us-east-1.amazonses.com
Priority: 10

CNAME set mail domain from amazonSES

2nd Record:

Type: TXT
Host/Name: notifications.easydmarc.me
Value/Target: v=spf1 include:amazonses.com ~all


After adding all the required TXT & MX Records, make sure to Refresh your AWS portal. If everything is set up correctly, the green “Verified” banner will show up.

mail from domain verified amazonSES

Congrats, this is how the AmazonSES SPF and DKIM setup is done!
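
Before relying on the green banners, you can check the records yourself. The sketch below is an added example, not part of AmazonSES or of the original walkthrough: it validates the five records above from a list of (type, name, value) tuples. The function names, the tuple format and the `region` parameter are assumptions made for illustration, and the sample zone is constructed from the values shown on this page.

```python
def norm(name):
    """Lower-case a DNS name and drop any trailing dot."""
    return name.strip().lower().rstrip(".")

def check_dkim(records, domain):
    """Return problems found in the three DKIM CNAME records for `domain`."""
    suffix = "._domainkey." + norm(domain)
    problems, good = [], 0
    for rtype, name, value in records:
        name = norm(name)
        if rtype == "CNAME" and name.endswith(suffix):
            token = name[: -len(suffix)]
            # The token must be identical in the host name and the target.
            if norm(value) == token + ".dkim.amazonses.com":
                good += 1
            else:
                problems.append(f"{name}: target does not match token {token}")
    if good != 3:
        problems.append(f"expected 3 valid DKIM CNAMEs, found {good}")
    return problems

def check_mail_from(records, mail_from, from_domain, region):
    """Return problems found in the MX and SPF records of the MAIL FROM domain."""
    mail_from, problems = norm(mail_from), []
    if not mail_from.endswith("." + norm(from_domain)):
        problems.append("MAIL FROM is not a subdomain of the From domain")
    mx = [norm(v) for t, n, v in records if t == "MX" and norm(n) == mail_from]
    if mx != [f"feedback-smtp.{region}.amazonses.com"]:
        problems.append("MX does not point at the SES feedback endpoint")
    txt = [v.lower().split() for t, n, v in records if t == "TXT" and norm(n) == mail_from]
    spf = [terms for terms in txt if terms[:1] == ["v=spf1"]]
    if len(spf) != 1:  # more than one SPF record on a name is a permanent error
        problems.append(f"expected exactly 1 SPF record, found {len(spf)}")
    elif "include:amazonses.com" not in spf[0]:
        problems.append("SPF record does not include amazonses.com")
    return problems

# Constructed sample zone mirroring the records on this page (MX priority omitted).
ZONE = [
    ("CNAME", "6povzqxjf5aoyxx3nmg6n424mhlywwef._domainkey.easydmarc.me",
     "6povzqxjf5aoyxx3nmg6n424mhlywwef.dkim.amazonses.com"),
    ("CNAME", "jyrf7vx3nvqndaj76x5jwltmfezjg2dn._domainkey.easydmarc.me",
     "jyrf7vx3nvqndaj76x5jwltmfezjg2dn.dkim.amazonses.com"),
    ("CNAME", "w6i5npku5lckyx3gbzcq3x3rmpwped6p._domainkey.easydmarc.me",
     "w6i5npku5lckyx3gbzcq3x3rmpwped6p.dkim.amazonses.com"),
    ("MX", "notifications.easydmarc.me", "feedback-smtp.us-east-1.amazonses.com"),
    ("TXT", "notifications.easydmarc.me", "v=spf1 include:amazonses.com ~all"),
]
print(check_dkim(ZONE, "easydmarc.me") + check_mail_from(ZONE, "notifications.easydmarc.me", "easydmarc.me", "us-east-1"))
```

An empty list means every record matches what AmazonSES asked for. To check a live zone, fill the tuples from your DNS provider's export or from lookups of each name.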

Additional Steps
MAIL FROM Domain setup under “Email Addresses” section

Apart from the “Domains” under “Identity Management”, there’s also the “Email Addresses” section:

mail from domain amazonSES verified

Unlike the DKIM Signature, the MAIL FROM Domain is not automatically inherited from your “Domains” section. To fix this, you need to manually set the MAIL FROM Domain to the same subdomain you added under the “Domains” section.

For that, simply click on your email address, and add the same subdomain name as you’ve added under your “Domains” section. In our case, it’s notifications.easydmarc.me:

manually update MAIL FROM Domain amazonSES

Click on “Set MAIL FROM Domain”, and that’s it! No additional changes are needed in your DNS.
Make sure to repeat this step for every single email address you have in your AmazonSES portal.

Using AWS in Different Regions

If you are using multiple AWS Regions, you have to perform the SPF & DKIM Authentication setup process for each Region. For example, if you use US East (N. Virginia) and US East (Ohio) Regions for AmazonSES, then you have to set Authentication on each region independently.
