If you are using AmazonSES, you should set up SPF and DKIM so that receiving servers can verify your emails are sent from your domain. This post walks through the configuration steps for Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) signatures on AmazonSES so that your mail passes the DMARC alignment check.
SPF records allow receiving servers to check whether an email with the specified source domain was actually sent from a server authorized by the owner of this domain. DKIM adds a digital signature to each message. This allows the receiving server to check whether the message was sent by an authorized sender, or was faked or changed in transit.
The process of setting up the SPF and DKIM Records
First, let’s look at the current settings in our AmazonSES portal and work out the steps needed to achieve SPF & DKIM Authentication.
As seen in the above screenshot, our current settings are:
- DKIM Signing: n/a or Off – This states that a customized DKIM Signature is not in place for AmazonSES. This will invalidate and mark DKIM as Fail.
- MAIL FROM Domain: amazonses.com – This states that the Return-Path domain being used is amazonses.com, and not our customized domain. This will invalidate and mark DKIM as Fail.
In order to fix this, we need to:
Generate DKIM Settings
First, click on your domain name, which takes you to your Sender Details page:
On that page, click on DKIM -> Generate DKIM Settings
AmazonSES will provide 3 CNAME Records for DKIM Settings. The next step is to add these CNAME Records to our DNS Zone (in our case, Cloudflare).
1st Record:
Type: CNAME
Host/Name: 6povzqxjf5aoyxx3nmg6n424mhlywwef._domainkey.easydmarc.me
Value/Target: 6povzqxjf5aoyxx3nmg6n424mhlywwef.dkim.amazonses.com
2nd Record:
Type: CNAME
Host/Name: jyrf7vx3nvqndaj76x5jwltmfezjg2dn._domainkey.easydmarc.me
Value/Target: jyrf7vx3nvqndaj76x5jwltmfezjg2dn.dkim.amazonses.com
3rd Record:
Type: CNAME
Host/Name: w6i5npku5lckyx3gbzcq3x3rmpwped6p._domainkey.easydmarc.me
Value/Target: w6i5npku5lckyx3gbzcq3x3rmpwped6p.dkim.amazonses.com
After adding all the CNAME Records, make sure to Refresh your AWS portal. If everything is set up correctly, the green “Enabled” & “Verified” banners will show up.
Setting MAIL FROM Domain
Setting a customized MAIL FROM Domain will let you achieve SPF Alignment and Pass results. From your Sender Details page, you need to click on “Set MAIL FROM Domain”, and choose any given subdomain name for the setup process. In this example, we are using “notifications.easydmarc.me”:
After clicking on “Set MAIL FROM Domain”, AmazonSES will provide you with 2 Records that need to be added to your DNS (in this example, we’ll be using Cloudflare):
1st Record:
Type: MX
Host/Name: notifications.easydmarc.me
Value/Target: feedback-smtp.us-east-1.amazonses.com
Priority: 10
2nd Record:
Type: TXT
Host/Name: notifications.easydmarc.me
Value/Target: v=spf1 include:amazonses.com ~all
After adding all the required TXT & MX Records, make sure to Refresh your AWS portal. If everything is set up correctly, the green “Verified” banner will show up.
Congrats, this is how the AmazonSES SPF and DKIM setup is done!
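The alignment logic a DMARC receiver applies to the two states described above, as an added example that is not part of the original post. The sample messages are constructed, and the two-label organizational-domain rule is a simplifying assumption (real receivers use the Public Suffix List).

```python
# Added example (not from the original post): DMARC identifier alignment,
# evaluated for the SES settings before and after the steps above.

def org_domain(domain):
    # Assumption: organizational domain = last two labels. Real receivers use
    # the Public Suffix List, which matters for suffixes such as co.uk.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(header_from, auth_domain, mode="r"):
    """mode 'r' (relaxed): same organizational domain; 's' (strict): exact match."""
    if not auth_domain:
        return False
    a, b = header_from.lower().rstrip("."), auth_domain.lower().rstrip(".")
    return a == b if mode == "s" else org_domain(a) == org_domain(b)

def dmarc_eval(msg, aspf="r", adkim="r"):
    """msg holds the domains and raw SPF/DKIM verdicts a receiver would see."""
    # A raw "pass" only counts for DMARC if the authenticated domain aligns
    # with the domain in the visible From: header.
    spf_ok = msg["spf"] == "pass" and aligned(msg["from"], msg["mail_from"], aspf)
    dkim_ok = msg["dkim"] == "pass" and aligned(msg["from"], msg["dkim_d"], adkim)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if (spf_ok or dkim_ok) else "fail"}

# Constructed sample messages mirroring the two states described in the post.
# BEFORE: default MAIL FROM (SPF passes, but for amazonses.com), no custom DKIM.
BEFORE = {"from": "easydmarc.me", "mail_from": "amazonses.com", "spf": "pass",
          "dkim_d": None, "dkim": "none"}
# AFTER: custom MAIL FROM subdomain and a DKIM signature for the sending domain.
AFTER = {"from": "easydmarc.me", "mail_from": "notifications.easydmarc.me",
         "spf": "pass", "dkim_d": "easydmarc.me", "dkim": "pass"}

if __name__ == "__main__":
    print("before          :", dmarc_eval(BEFORE))
    print("after (relaxed) :", dmarc_eval(AFTER))
    print("after (strict)  :", dmarc_eval(AFTER, aspf="s", adkim="s"))
```

Under strict SPF alignment (aspf=s) the MAIL FROM subdomain no longer aligns with the From domain, so DMARC then passes on the DKIM signature alone.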
Additional Steps
MAIL FROM Domain setup under “Email Addresses” section
Apart from the “Domains” under “Identity Management”, there’s also the “Email Addresses” section:
Unlike the DKIM Signature, the MAIL FROM Domain is not automatically inherited from your “Domains” section. To fix this, you need to manually set the MAIL FROM Domain to the same subdomain you added under the “Domains” section.
For that, simply click on your email address, and add the same subdomain name as you’ve added under your “Domains” section. In our case, it’s notifications.easydmarc.me:
Click on “Set MAIL FROM Domain”, and that’s it! No additional changes are needed in your DNS.
Make sure to complete this step for every single email address you have in your AmazonSES portal.
Using AWS in Different Regions
If you are using multiple AWS Regions, you have to perform the SPF & DKIM Authentication setup process for each Region. For example, if you use US East (N. Virginia) and US East (Ohio) Regions for AmazonSES, then you have to set Authentication on each region independently.