Provider Guide

How to Set Up DMARC for Amazon SES

Configure SPF, DKIM, and DMARC for Amazon SES. Step-by-step guide to domain verification, Easy DKIM, and custom MAIL FROM setup.

By Verkh. Published June 11, 2025

Overview

This guide walks you through setting up email authentication for domains that send through Amazon Simple Email Service (SES). By the end, you’ll have configured DKIM, SPF, and DMARC records that authenticate your transactional and marketing emails.

Amazon SES requires domain verification before sending. During verification, you’ll set up Easy DKIM. For full DMARC compliance with both SPF and DKIM alignment, you’ll also configure a custom MAIL FROM domain.

What You’ll Configure

| Protocol | Purpose | Amazon SES Method |
|---|---|---|
| DKIM | Adds cryptographic signature to verify message integrity | Easy DKIM (3 CNAME records) |
| SPF | Authorizes SES to send email for your domain | Custom MAIL FROM domain (TXT + MX records) |
| DMARC | Tells receivers how to handle authentication failures | TXT record (you configure this) |

DMARC Alignment Options

DMARC requires either SPF or DKIM to pass and align with your From address:

  • DKIM alignment (recommended): The DKIM signature domain matches your From domain. Easy DKIM handles this automatically.
  • SPF alignment: The MAIL FROM (Return-Path) domain matches your From domain. Requires a custom MAIL FROM subdomain.

You need at least one. For maximum deliverability, configure both.

Prerequisites

Before you begin, make sure you have:

  • AWS account with access to the SES console
  • IAM permissions for SES domain management (or admin access)
  • DNS access to create CNAME, TXT, and MX records
  • A domain you own that you’ll use for sending
  • About 45 minutes for setup, plus up to 72 hours for DNS propagation

Regional Considerations

Amazon SES operates in multiple AWS regions. You must configure authentication in each region where you send email. Common regions include:

  • US East (N. Virginia) - us-east-1
  • US West (Oregon) - us-west-2
  • EU (Ireland) - eu-west-1
  • EU (Frankfurt) - eu-central-1

Step 1: Verify Your Domain in Amazon SES

  1. Open the Amazon SES console
  2. Ensure you’re in the correct AWS region
  3. In the left navigation, click Verified identities
  4. Click Create identity
  5. Select Domain as the identity type
  6. Enter your domain (e.g., example.com)
  7. Under Advanced DKIM settings, keep Easy DKIM selected
  8. Set DKIM signing key length to 2048-bit (recommended)
  9. Keep Enabled checked for DKIM signatures
  10. Click Create identity

SES generates your DNS records for DKIM verification.

Step 2: Add Easy DKIM Records (3 CNAME Records)

Amazon SES provides three CNAME records for Easy DKIM. Add all three to your DNS.

Understanding the Records

You’ll receive records similar to these:

| Type | Name | Value |
|---|---|---|
| CNAME | abc123._domainkey.example.com | abc123.dkim.amazonses.com |
| CNAME | def456._domainkey.example.com | def456.dkim.amazonses.com |
| CNAME | ghi789._domainkey.example.com | ghi789.dkim.amazonses.com |

The random strings (abc123, def456, etc.) are unique to your domain. Always use the exact values from your SES console.

Adding Records to Common DNS Providers

Cloudflare:

  1. Go to your domain → DNS → Records
  2. Click Add record
  3. Select CNAME as the type
  4. For Name, enter just the subdomain portion (e.g., abc123._domainkey)
  5. For Target, enter the full value from SES
  6. Important: Turn OFF the orange proxy cloud (DNS only)
  7. Click Save
  8. Repeat for all three CNAME records

AWS Route 53:

If your domain is hosted in Route 53, SES can publish records automatically:

  1. During identity creation, check Publish DNS records to Route 53
  2. Select the hosted zone
  3. SES adds the records for you

For manual Route 53 setup:

  1. Go to Route 53 → Hosted zones → your domain
  2. Click Create record
  3. Enter the record name (subdomain portion only)
  4. Select CNAME
  5. Enter the value from SES
  6. Click Create records
  7. Repeat for all three records

GoDaddy:

  1. Go to My Products → your domain → DNS
  2. Click Add under Records
  3. Select CNAME
  4. Enter the Name (subdomain portion)
  5. Enter the Value from SES
  6. TTL: 1 hour
  7. Click Save
  8. Repeat for all three records

Verify DKIM Status

  1. Return to the SES console → Verified identities
  2. Click on your domain
  3. In the Authentication tab, check DKIM status
  4. Status will change from “Pending” to “Verified” once DNS propagates

This can take 15 minutes to 72 hours. Most domains verify within a few hours.

Step 3: Configure Custom MAIL FROM Domain

A custom MAIL FROM domain is required for SPF alignment. Without it, the Return-Path uses amazonses.com, which won’t align with your From address.

Create the MAIL FROM Subdomain

  1. In the SES console, go to Verified identities
  2. Click on your verified domain
  3. Go to the Custom MAIL FROM domain section
  4. Click Edit
  5. Check Use a custom MAIL FROM domain
  6. Enter a subdomain (e.g., mail.example.com or bounce.example.com)
    • This must be a subdomain of your verified domain
    • Don’t use a subdomain you’re already using for other purposes
  7. For Behavior on MX failure, select:
    • Use default MAIL FROM domain (recommended) - falls back to amazonses.com if misconfigured
    • Reject message - rejects email if custom MAIL FROM isn’t working
  8. Click Save changes

SES generates MX and SPF records for your MAIL FROM subdomain.

Add MAIL FROM DNS Records

Add both records to your DNS:

MX Record:

| Type | Name | Value | Priority |
|---|---|---|---|
| MX | mail.example.com | feedback-smtp.us-east-1.amazonses.com | 10 |

The MX value varies by region:

  • US East: feedback-smtp.us-east-1.amazonses.com
  • US West: feedback-smtp.us-west-2.amazonses.com
  • EU Ireland: feedback-smtp.eu-west-1.amazonses.com
  • EU Frankfurt: feedback-smtp.eu-central-1.amazonses.com

SPF Record (TXT):

| Type | Name | Value |
|---|---|---|
| TXT | mail.example.com | v=spf1 include:amazonses.com ~all |

Verify MAIL FROM Status

  1. Return to your domain in the SES console
  2. Check the Custom MAIL FROM domain section
  3. Status should change to “Verified” after DNS propagation

Step 4: Set Up DMARC

With DKIM and SPF configured, add your DMARC policy.

Create Your DMARC Record

Add a TXT record to your domain’s DNS:

| Type | Name | Value |
|---|---|---|
| TXT | _dmarc.example.com | v=DMARC1; p=none; rua=mailto:[email protected] |

Replace [email protected] with an address where you want to receive DMARC aggregate reports.

DMARC Policy Progression

Start with monitoring and progress to enforcement:

Week 1-2: Monitoring only

v=DMARC1; p=none; rua=mailto:[email protected]

Week 3-4: Quarantine test (25%)

v=DMARC1; p=quarantine; pct=25; rua=mailto:[email protected]

Week 5-6: Full quarantine

v=DMARC1; p=quarantine; pct=100; rua=mailto:[email protected]

Week 7+: Full enforcement

v=DMARC1; p=reject; rua=mailto:[email protected]
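
The following added example (not from the original guide) parses each record in the progression above before it is published, names its stage, warns about a missing or malformed rua, and checks that the planned sequence never gets weaker. The function names and the dmarc-reports@example.com address are constructed for illustration.

```python
POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}

def parse_dmarc(record):
    """Parse a DMARC TXT value into a tag dict; raise ValueError on defects."""
    tags = []
    for item in filter(None, (s.strip() for s in record.split(";"))):
        name, sep, value = item.partition("=")
        if not sep:
            raise ValueError(f"tag without '=': {item!r}")
        tags.append((name.strip().lower(), value.strip()))
    if not tags or tags[0] != ("v", "DMARC1"):
        raise ValueError("record must start with v=DMARC1")
    parsed = dict(tags)
    if parsed.get("p") not in POLICY_RANK:
        raise ValueError(f"missing or invalid p= tag: {parsed.get('p')!r}")
    pct = parsed.get("pct", "100")          # pct defaults to 100 when absent
    if not pct.isdecimal() or int(pct) > 100:
        raise ValueError(f"pct must be 0-100, got {pct!r}")
    parsed["pct"] = int(pct)
    return parsed

def review(record):
    """Return (stage, warnings) for one record, using the guide's stage names."""
    tags = parse_dmarc(record)
    p, pct = tags["p"], tags["pct"]
    if p == "none":
        stage = "monitoring only"
    elif p == "quarantine":
        stage = "full quarantine" if pct == 100 else f"quarantine test ({pct}%)"
    else:
        stage = "full enforcement" if pct == 100 else f"partial reject ({pct}%)"
    warnings = []
    uris = [u.strip() for u in tags.get("rua", "").split(",") if u.strip()]
    if not uris:
        warnings.append("no rua: aggregate reports will not be sent")
    warnings += [f"rua is not a mailto: URI: {u}" for u in uris
                 if not u.lower().startswith("mailto:")]
    return stage, warnings

def is_monotonic(plan):
    """True if each record in the rollout is at least as strict as the last."""
    levels = [(POLICY_RANK[t["p"]], t["pct"]) for t in map(parse_dmarc, plan)]
    return levels == sorted(levels)

# Constructed rollout plan mirroring the four stages above.
RUA = "rua=mailto:dmarc-reports@example.com"  # constructed address
PLAN = [f"v=DMARC1; {step}; {RUA}" for step in
        ("p=none", "p=quarantine; pct=25", "p=quarantine; pct=100", "p=reject")]
```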

Step 5: Move Out of Sandbox (Production Access)

New SES accounts start in sandbox mode, which limits sending to verified addresses only. To send to any recipient:

  1. Go to SES console → Account dashboard
  2. Click Request production access
  3. Fill out the request form:
    • Mail type (transactional, marketing, or both)
    • Website URL
    • Use case description
    • How you handle bounces and complaints
  4. Submit the request

AWS typically responds within 24 hours. Approval moves your account to production with higher sending limits.

Multi-Region Setup

If you send from multiple AWS regions, repeat the configuration in each region:

  1. Switch to the target region in the AWS console
  2. Create and verify the domain identity
  3. Add the new region’s DKIM CNAME records (they’ll be different)
  4. Add MX record for that region’s MAIL FROM subdomain

You can use the same MAIL FROM subdomain across regions by adding multiple MX records with different priorities, or use region-specific subdomains (e.g., mail-us.example.com, mail-eu.example.com).

Verifying Your Configuration

After setup, verify everything is working:

Check DKIM

Query your DKIM records:

dig cname abc123._domainkey.example.com

Should return the amazonses.com DKIM server.

Check SPF on MAIL FROM Subdomain

dig txt mail.example.com

Should return your SPF record with include:amazonses.com.

Check DMARC

dig txt _dmarc.example.com

Should return your DMARC policy.

Check SES Console Status

In the SES console, your domain should show:

  • Identity status: Verified
  • DKIM configuration: Successful
  • Custom MAIL FROM domain: Verified (if configured)

Send a Test Email

Use the SES console or SDK to send a test:

  1. Go to Verified identities → your domain
  2. Click Send test email
  3. Choose a scenario (e.g., “Custom”)
  4. Enter a recipient email you can access
  5. Send the test
  6. Check email headers for:
    • spf=pass
    • dkim=pass
    • dmarc=pass
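
An added example (not from the original guide) that applies the alignment rule from "DMARC Alignment Options" to the Authentication-Results header of a test email: a mechanism counts toward DMARC only if it passes and its domain aligns with the From domain. The header values are constructed, and alignment is simplified to "same domain or parent/subdomain" instead of a Public Suffix List lookup.

```python
import re

def parse_auth_results(header):
    """Return [(method, result, domain)] from an Authentication-Results value."""
    checks = []
    for part in header.split(";")[1:]:        # part 0 is the authserv-id
        m = re.match(r"\s*(spf|dkim|dmarc)=(\w+)", part)
        if not m:
            continue
        ident = re.search(r"(?:smtp\.mailfrom|header\.d|header\.from)=(\S+)", part)
        domain = ident.group(1).rsplit("@", 1)[-1].lower() if ident else ""
        checks.append((m.group(1), m.group(2).lower(), domain))
    return checks

def aligned(domain, from_domain):
    """Simplified relaxed alignment: equal, or one is a subdomain of the other.
    Assumption: real DMARC compares organizational domains (Public Suffix List)."""
    return (domain == from_domain or domain.endswith("." + from_domain)
            or from_domain.endswith("." + domain))

def dmarc_verdict(header, from_domain):
    """Report which mechanisms both pass and align with the From domain."""
    from_domain = from_domain.lower()
    verdict = {"spf": False, "dkim": False}
    for method, result, domain in parse_auth_results(header):
        if method in verdict and result == "pass" and aligned(domain, from_domain):
            verdict[method] = True
    verdict["dmarc"] = verdict["spf"] or verdict["dkim"]
    return verdict

# Constructed headers for a message with From: example.com (not real mail).
# Return-Path on amazonses.com, one signature for example.com, one for another domain.
DEFAULT_MAIL_FROM = ("mx.receiver.example; spf=pass smtp.mailfrom=bounce@amazonses.com; "
                     "dkim=pass header.d=example.com header.s=abc123; "
                     "dkim=pass header.d=amazonses.com header.s=sel1")
# Same message after the custom MAIL FROM subdomain is in place.
CUSTOM_MAIL_FROM = DEFAULT_MAIL_FROM.replace("@amazonses.com", "@mail.example.com")
# Constructed failure case: no signature for example.com and no custom MAIL FROM.
NO_CUSTOMER_DKIM = ("mx.receiver.example; spf=pass smtp.mailfrom=bounce@amazonses.com; "
                    "dkim=pass header.d=amazonses.com header.s=sel1")

if __name__ == "__main__":
    for name in ("DEFAULT_MAIL_FROM", "CUSTOM_MAIL_FROM", "NO_CUSTOMER_DKIM"):
        print(name, dmarc_verdict(globals()[name], "example.com"))
```

The last case shows why spf=pass and dkim=pass in the headers are not enough by themselves: both pass for amazonses.com, neither aligns with example.com, and DMARC fails.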

Troubleshooting

DKIM status stuck on “Pending”

  • DNS propagation can take up to 72 hours
  • Verify CNAME records are published correctly with dig cname
  • Check for typos in record names or values
  • Ensure you’re not proxying the records (Cloudflare)

Custom MAIL FROM not verifying

  • Verify both MX and TXT records are published
  • Check the MX record points to the correct regional endpoint
  • Ensure the subdomain isn’t used for other purposes
  • Some DNS providers require the subdomain portion only in the Name field

Emails show “via amazonses.com”

  • Custom MAIL FROM domain isn’t configured or verified
  • Check MAIL FROM status in the SES console
  • Verify MX record is correct for your region

SPF alignment failing in DMARC reports

  • Custom MAIL FROM domain is required for SPF alignment
  • Verify the MAIL FROM subdomain is a subdomain of the domain in your From address
  • Check that SPF record on the MAIL FROM subdomain includes amazonses.com

DKIM alignment failing

  • Ensure all three DKIM CNAME records are published
  • Verify DKIM status shows “Successful” in SES console
  • Check that you’re sending from the verified domain (exact match)

“Email address is not verified” error

  • You’re still in sandbox mode
  • Either verify the recipient address or request production access
  • Check that the From address uses your verified domain

Rate limiting or throttling

  • Check your sending quota in the SES console
  • Request a limit increase if needed
  • Implement exponential backoff in your application

Advanced: Bring Your Own DKIM Keys

For organizations that need to manage their own DKIM keys:

  1. During identity creation, select Provide your own DKIM authentication token
  2. Generate a 2048-bit RSA key pair
  3. Provide the public key to SES
  4. Publish the DKIM record with your public key
  5. Configure your application to sign with the private key

This is typically only needed for compliance requirements that mandate key control.

What’s Next

Once your Amazon SES authentication is complete:

  1. Monitor DMARC reports to verify authentication is working across all sending patterns
  2. Progress DMARC policy from p=none to p=reject over 4-8 weeks
  3. Set up bounce and complaint handling with SES notifications (SNS topics)
  4. Configure dedicated IPs if you have high volume (optional, additional cost)
  5. Authenticate other sending sources if you use multiple email services

Need help monitoring your DMARC reports or troubleshooting SES authentication? Verkh provides guided remediation and identifies which senders need attention.