AmazonSES SPF and DKIM Setup

    If you are using AmazonSES, you should set up SPF and DKIM to ensure your emails are sent from your domain. This post demonstrates the configuration steps for Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) signatures on your AmazonSES account to ensure it passes the DMARC alignment check.

    SPF records allow receiving servers to check whether an email with the specified source domain was actually sent from a server authorized by the owner of this domain. DKIM adds a digital signature to each message. This allows the receiving server to check whether the message was sent by an authorized sender, or was faked or changed upon delivery.

    The process of setting up the SPF and DKIM Records

    First, let’s look at the current settings in our AmazonSES portal and evaluate the steps needed to achieve SPF & DKIM Authentication.

    [Screenshot: AmazonSES portal]

    As seen in the above screenshot, our current settings are:

    • DKIM Signing: n/a or Off – This states that a customized DKIM Signature is not in place for AmazonSES. This will invalidate and mark DKIM as Fail.
    • MAIL FROM Domain: amazonses.com – This states that the Return-Path domain being used is amazonses.com, and not our customized domain. This will invalidate and mark DKIM as Fail.

    In order to fix this, we need to:

    Generate DKIM Settings

    First, click on your domain name, which takes you to your Sender Details page.

    On that page, you’ll need to click on DKIM -> Generate DKIM Settings

    AmazonSES will provide 3 CNAME Records for DKIM Settings. The next step is to implement these CNAME Records in our DNS Zone (in our case, Cloudflare).

    1st Record:

    Type: CNAME
    Host/Name: 6povzqxjf5aoyxx3nmg6n424mhlywwef._domainkey.easydmarc.me
    Value/Target: 6povzqxjf5aoyxx3nmg6n424mhlywwef.dkim.amazonses.com

    2nd Record:

    Type: CNAME
    Host/Name: jyrf7vx3nvqndaj76x5jwltmfezjg2dn._domainkey.easydmarc.me
    Value/Target: jyrf7vx3nvqndaj76x5jwltmfezjg2dn.dkim.amazonses.com

    3rd Record:

    Type: CNAME
    Host/Name: w6i5npku5lckyx3gbzcq3x3rmpwped6p._domainkey.easydmarc.me
    Value/Target: w6i5npku5lckyx3gbzcq3x3rmpwped6p.dkim.amazonses.com

    After adding all the CNAME Records, make sure to Refresh your AWS portal. If everything is set up correctly, the green “Enabled” & “Verified” banners will show up.

    Setting MAIL FROM Domain

    Setting a customized MAIL FROM Domain will let you achieve SPF Alignment and Pass results. From your Sender Details page, click on “Set MAIL FROM Domain” and choose a subdomain name for the setup process. In this example, we are using “notifications.easydmarc.me”.

    After clicking on “Set MAIL FROM Domain”, AmazonSES will provide you with 2 Records that need to be implemented in your DNS (in this example, we’ll be using Cloudflare):

    1st Record:

    Type: MX
    Host/Name: notifications.easydmarc.me
    Value/Target: feedback-smtp.us-east-1.amazonses.com
    Priority: 10

    2nd Record:

    Type: TXT
    Host/Name: notifications.easydmarc.me
    Value/Target: v=spf1 include:amazonses.com ~all

    After adding all the required TXT & MX Records, make sure to Refresh your AWS portal. If everything is set up correctly, the green “Verified” banner will show up.

    Congrats, this is how the AmazonSES SPF and DKIM setup is done!
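
    To see what the two changes above do to the DMARC alignment check, here is an added example (not part of the original post) that evaluates relaxed-mode alignment from a received message's Authentication-Results header. The function names, the receiver name mx.example.net, the bounce addresses and the sample messages are constructed for illustration, and the organizational domain is approximated as the last two labels.

```python
import email
import email.utils
import re

def org_domain(domain):
    # Assumption: organizational domain = last two labels. Production DMARC
    # evaluators use the Public Suffix List (needed for e.g. example.co.uk).
    return ".".join(domain.lower().strip(".").split(".")[-2:])

def dmarc_alignment(raw_message):
    """Relaxed-mode alignment of passing SPF/DKIM results with the From: domain."""
    msg = email.message_from_string(raw_message)
    from_addr = email.utils.parseaddr(msg.get("From", ""))[1]
    from_org = org_domain(from_addr.rpartition("@")[2])
    results = " ".join(msg.get_all("Authentication-Results", []))
    spf = dkim = False
    for clause in results.split(";"):
        verdict = re.search(r"\b(spf|dkim)=(\w+)", clause)
        if not verdict or verdict.group(2).lower() != "pass":
            continue  # a failing or missing result can never be aligned
        if verdict.group(1) == "spf":
            dom = re.search(r"smtp\.mailfrom=(\S+)", clause)
            # smtp.mailfrom may be a bare domain or a full bounce address
            spf |= bool(dom) and org_domain(dom.group(1).rpartition("@")[2]) == from_org
        else:
            dom = re.search(r"header\.d=(\S+)", clause)
            dkim |= bool(dom) and org_domain(dom.group(1)) == from_org
    return {"spf_aligned": spf, "dkim_aligned": dkim, "dmarc_pass": spf or dkim}

def sample(mailfrom, dkim_d):
    # Constructed message; mx.example.net is a placeholder receiver name.
    return ("From: Alerts <alerts@easydmarc.me>\n"
            f"Authentication-Results: mx.example.net; spf=pass smtp.mailfrom={mailfrom};"
            f" dkim=pass header.d={dkim_d}\n"
            "Subject: alignment test\n\nbody\n")

# Constructed "before" case: both identifiers still belong to amazonses.com.
BEFORE = sample("bounce@amazonses.com", "amazonses.com")
# Constructed "after" case: custom MAIL FROM subdomain and custom DKIM domain.
AFTER = sample("bounce@notifications.easydmarc.me", "easydmarc.me")

if __name__ == "__main__":
    print("before:", dmarc_alignment(BEFORE))
    print("after: ", dmarc_alignment(AFTER))
```

    SPF and DKIM both report "pass" in the first message, yet neither is aligned with the From: domain, which is why the custom MAIL FROM Domain and DKIM records are needed.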

    Additional Steps
    MAIL FROM Domain setup under “Email Addresses” section

    Apart from the “Domains” under “Identity Management”, there’s also the “Email Addresses” section.

    Unlike the DKIM Signature, AmazonSES will not automatically inherit the MAIL FROM Domain from your “Domains” section. To fix this, you need to manually update the MAIL FROM Domain with the same subdomain added under the “Domains” section.

    For that, simply click on your email address, and add the same subdomain name as you’ve added under your “Domains” section. In our case, it’s notifications.easydmarc.me.

    Click on “Set MAIL FROM Domain”, and that’s it! There are no additional implementations in your DNS.
    Make sure to complete this step for every single email address you have in your AmazonSES portal.

    Using AWS in Different Regions

    If you are using multiple AWS Regions, you have to perform the SPF & DKIM Authentication setup process for each Region. For example, if you use US East (N. Virginia) and US East (Ohio) Regions for AmazonSES, then you have to set Authentication on each region independently.
