How to Set Up DMARC for Amazon SES

Amazon Simple Email Service (SES) is a scalable cloud email service commonly used for transactional emails and bulk communications. SES uses Easy DKIM with three CNAME records for automatic key rotation, and SPF is configured via a custom MAIL FROM domain.

This guide walks you through configuring SPF, DKIM, and DMARC for Amazon SES so your emails are fully authenticated and your domain is protected from spoofing. Proper configuration ensures your messages reach the inbox and comply with the requirements of Gmail, Yahoo, and Microsoft Outlook.

SPF Configuration

SPF (Sender Policy Framework) authorizes Amazon SES's mail servers to send email on behalf of your domain. Add the following include directive to your existing SPF record:

v=spf1 include:amazonses.com ~all

If you already have an SPF record with other include directives, add include:amazonses.com before the ~all or -all mechanism. For example:

v=spf1 include:_spf.google.com include:amazonses.com ~all

Important: You can only have one SPF record per domain. If you have multiple sending services, combine all include directives into a single record. SPF also has a 10 DNS lookup limit - exceeding this will cause SPF to fail. Use our SPF Checker to verify your record stays within limits.

DKIM Configuration

DKIM (DomainKeys Identified Mail) adds a cryptographic signature to your emails, proving they were not altered in transit. For Amazon SES, the DKIM selector(s) used are: varies (three auto-generated CNAME records).

DKIM is configured by adding a TXT or CNAME record to your DNS at the selector subdomain (e.g., varies (three auto-generated CNAME records)._domainkey.yourdomain.com). The exact record value is generated by Amazon SES in their admin console or dashboard. Follow the provider-specific steps below to generate and publish your DKIM record.

After adding the DKIM record, use our DKIM Checker to verify the record is published correctly and the signature can be validated.

DMARC Record

Once SPF and DKIM are configured for Amazon SES, publish a DMARC record to tie everything together. Add the following TXT record at _dmarc.yourdomain.com:

v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com; fo=1

Start with p=none to monitor authentication results without affecting mail delivery. The rua tag specifies where aggregate reports are sent, and fo=1 ensures you receive failure reports for any mechanism failure. After 2-4 weeks of monitoring, gradually move to p=quarantine and then p=reject for full protection.

v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com; fo=1

Step-by-Step Setup

Follow these Amazon SES-specific steps to configure email authentication for your domain:

1. Sign in to the AWS Management Console and navigate to Amazon SES.
2. Go to Verified Identities and select your domain (or add a new one).
3. Under the Authentication tab, click 'Generate DKIM tokens' to enable Easy DKIM.
4. SES will provide three CNAME records for DKIM. Add all three to your DNS provider.
5. Configure a custom MAIL FROM domain under the MAIL FROM configuration tab (e.g., mail.yourdomain.com).
6. Add the MX record and SPF TXT record SES provides for your MAIL FROM subdomain.
7. Alternatively, add 'include:amazonses.com' to your root domain SPF record.
8. Wait for DNS propagation and verify the status shows 'Verified' in the SES console.
9. Publish your DMARC record at _dmarc.yourdomain.com with p=none to begin monitoring.

Verify Your Setup

After completing the configuration, use our free tools to verify that SPF, DKIM, and DMARC are all correctly configured for your domain:

• DMARC Checker - Validate your DMARC record syntax, policy, and reporting configuration.
• SPF Checker - Verify your SPF record includes all authorized senders and stays within the 10 DNS lookup limit.
• DKIM Checker - Confirm your DKIM public key is published correctly and can validate signatures.

If any of these checks fail, review the steps above and ensure all DNS records have fully propagated. DNS changes can take up to 48 hours, though most propagate within a few hours.

Continuous Monitoring with Inbox Insignia

Setting up DMARC is just the beginning. Email authentication requires ongoing monitoring to catch configuration drift, new sending sources, and authentication failures before they impact deliverability. Inbox Insignia provides automated DMARC monitoring, aggregate report parsing, and compliance scoring for all your domains.

to start monitoring your Amazon SES email authentication and receive alerts when your SPF, DKIM, or DMARC configuration needs attention.