
Amazon SES SPF, DKIM & DMARC Setup: The Complete DNS Configuration

Amazon SES passes SPF by default but does not align it for DMARC until you configure a custom MAIL FROM subdomain. This guide walks through Easy DKIM's three CNAME records, domain identity verification, the SPF TXT and MX records that fix DMARC alignment, and how to verify the whole stream in the checker before you enforce a reject policy.

Jul 3, 2026 · 7 min read

Amazon SES will happily send mail that passes SPF and DKIM on day one, yet still fails DMARC. The reason is alignment: SES signs DKIM with your domain (which aligns), but the SPF check runs against Amazon's own amazonses.com envelope domain, so it never aligns with your visible From address until you set a custom MAIL FROM subdomain. This guide covers the full DNS configuration - Easy DKIM's three CNAMEs, the MAIL FROM SPF TXT and MX records, and how to confirm end-to-end alignment before you enforce a policy.


Verified identity vs. sending identity

Before SES sends anything, you create a verified identity in the SES console. You can verify a single email address or a whole domain. Verify the domain. A domain identity lets you send from any address at that domain and is the only path that unlocks Easy DKIM signing with your own domain, which is what DMARC needs.

When you add a domain identity, SES asks how you want to handle DKIM. Choose Easy DKIM (the default). SES generates a 2048-bit key pair, keeps the private key, and hands you three public keys to publish as CNAME records. Once those resolve, SES marks the identity verified and starts signing every message automatically. There is nothing to rotate by hand day to day - SES manages the key material behind those CNAMEs.

Verification is not the same as reputation. A verified identity means SES trusts you own the domain. It says nothing about whether your mail lands in the inbox. That is what SPF, DKIM, and DMARC authentication decide, and it is why getting the DNS right matters even after the console shows a green checkmark.

Easy DKIM: the three-CNAME flow

SES Easy DKIM does not give you one long TXT record like some providers. It gives you three CNAME records, each pointing a selector host at Amazon's signing infrastructure. They look like this:

token1._domainkey.example.com CNAME token1.dkim.amazonses.com
token2._domainkey.example.com CNAME token2.dkim.amazonses.com
token3._domainkey.example.com CNAME token3.dkim.amazonses.com

Each token is a unique string SES assigns to your identity. Publish all three exactly as shown. The three-key design is what lets Amazon rotate the underlying keys without you ever touching DNS again: the CNAME points at Amazon, so the real public key lives on their side.

A few things trip people up here. If your DNS provider automatically appends the domain name, do not paste the fully qualified name twice or you will end up with token1._domainkey.example.com.example.com. And because these are CNAMEs, the host must not carry any other record at the same name. If DKIM shows as failing later, this is the first place to look. For the difference between this approach and a raw key, see DKIM CNAME vs TXT record.

DKIM aligns for DMARC automatically with SES, because the signature's d= tag is your own domain. That is the half of the puzzle SES gets right out of the box.

Why SES passes SPF but does not align it

Here is the buried detail that costs people a passing DMARC report. By default, SES uses its own subdomain as the envelope sender (the Return-Path / MAIL FROM), something like bounces+...@amazonses.com. The receiving server runs SPF against that envelope domain, checks Amazon's published record, and SPF passes.

The problem is DMARC does not care that SPF passed. DMARC cares whether the domain that passed SPF matches the domain in the visible From header. With the default setup, SPF authenticated amazonses.com while your From address is you@example.com. Those do not share an organizational domain, so SPF alignment fails. Your mail can still pass DMARC on the strength of aligned DKIM alone, but you are running on one engine instead of two, and a single forwarding hop that breaks DKIM will drop you below the DMARC line. To understand why both checks matter, read SPF, DKIM and DMARC explained.

Fix SPF alignment with a custom MAIL FROM subdomain

The fix is to tell SES to use a subdomain of your own domain as the MAIL FROM. In the SES console, open your domain identity, go to the custom MAIL FROM setting, and enter a subdomain such as mail.example.com. SES then asks you to publish two DNS records on that subdomain.

First, an MX record so bounces come back correctly. The target is region-specific:

mail.example.com. MX 10 feedback-smtp.us-east-1.amazonses.com

Swap us-east-1 for whatever region your SES account sends from. Second, an SPF TXT record on the same subdomain:

mail.example.com. TXT "v=spf1 include:amazonses.com ~all"

Now the envelope sender becomes mail.example.com. SPF authenticates that subdomain, and because DMARC uses relaxed alignment by default, the organizational domain of mail.example.com (which is example.com) matches the organizational domain of your From address. SPF is now aligned. You are sending on both DKIM and SPF, which is exactly what you want before turning on enforcement.

Note that this SPF record goes on the MAIL FROM subdomain, not necessarily on your root domain. If your root example.com also sends mail through other services, keep its own SPF record separate and correct.

Do not set aspf=s - strict alignment breaks the SES stream

When you write your DMARC record, you may be tempted to lock alignment down to strict. Do not do it for an SES setup like this one. Here is why.

Strict SPF alignment (aspf=s) requires the MAIL FROM domain to match the From domain exactly, character for character. Your MAIL FROM is mail.example.com and your From is example.com. Under relaxed alignment those are treated as the same organization and SPF aligns. Under strict, mail.example.com does not equal example.com, so SPF alignment fails and you are back to relying on DKIM alone. A publisher who sets aspf=s thinking it is "more secure" quietly breaks the SPF half of their own SES stream.

Leave alignment relaxed, which is the DMARC default. A safe starting record:

_dmarc.example.com. TXT "v=DMARC1; p=none; rua=mailto:dmarc@example.com"

Start at p=none so you can watch aggregate reports without affecting delivery, confirm both SES and any other senders are aligned, then move to quarantine and reject. The mechanics of that ramp are covered in moving DMARC from none to reject, and the relaxed-vs-strict tradeoff in full in DMARC relaxed vs strict alignment.
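The alignment logic behind the last three sections (SES passing SPF without aligning it, the custom MAIL FROM fix, and why aspf=s undoes that fix), as an added example that is not part of the original guide. It approximates the organizational domain as the last two DNS labels, which is an assumption; a real evaluator consults the Public Suffix List.

```python
# Added example, not the guide's own code: DMARC identifier alignment for an
# SES-style message. Organizational domain is approximated as the last two
# labels (assumption; real evaluators use the Public Suffix List).

def org_domain(name: str) -> str:
    """Approximate organizational domain: last two DNS labels (assumption)."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """'s' (strict) demands an exact match; 'r' (relaxed) compares organizational domains."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def dmarc_result(from_domain, mail_from, dkim_d, spf_pass, dkim_pass, aspf="r", adkim="r"):
    """Return (spf_aligned, dkim_aligned, dmarc_pass) for one message.

    DMARC passes when at least one authenticated identifier aligns with the
    visible From domain; SPF is judged on the MAIL FROM domain, DKIM on d=.
    """
    spf_ok = spf_pass and aligned(mail_from, from_domain, aspf)
    dkim_ok = dkim_pass and aligned(dkim_d, from_domain, adkim)
    return spf_ok, dkim_ok, (spf_ok or dkim_ok)

# Constructed scenarios: SES with the default amazonses.com envelope, and with a
# custom MAIL FROM subdomain. Both pass SPF and DKIM at the raw-check level.
DEFAULT_SES = dict(from_domain="example.com", mail_from="amazonses.com",
                   dkim_d="example.com", spf_pass=True, dkim_pass=True)
CUSTOM_MAIL_FROM = dict(DEFAULT_SES, mail_from="mail.example.com")

if __name__ == "__main__":
    # Default SES: SPF passes but is unaligned; DMARC rides on DKIM alone.
    print("default SES:     ", dmarc_result(**DEFAULT_SES))
    # Custom MAIL FROM under relaxed alignment: both engines aligned.
    print("custom MAIL FROM:", dmarc_result(**CUSTOM_MAIL_FROM))
    # Same setup with aspf=s: mail.example.com != example.com, SPF falls out again.
    print("aspf=s:          ", dmarc_result(**CUSTOM_MAIL_FROM, aspf="s"))
    # DKIM signature broken in transit, envelope intact: only the aligned
    # MAIL FROM setup still passes DMARC.
    print("DKIM broken:     ", dmarc_result(**dict(CUSTOM_MAIL_FROM, dkim_pass=False)),
          dmarc_result(**dict(DEFAULT_SES, dkim_pass=False)))
```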

Verify the whole chain end to end

Publishing records is not the same as passing. Confirm the actual result before you enforce anything. Send a test message from SES to an address you control and read the Authentication-Results header - you want spf=pass with the domain being your MAIL FROM subdomain, dkim=pass with d=example.com, and dmarc=pass.

Then run your domain through the checker at the top of this page. It resolves your SES DKIM CNAMEs, your MAIL FROM SPF and MX records, and your DMARC policy, and grades the result. If SPF shows as passing but unaligned, your MAIL FROM subdomain is not configured. If DKIM fails, recheck those three CNAMEs for a duplicated domain suffix. Fix, re-scan, and only tighten your DMARC policy once every record reads clean.
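The same checklist the checker applies, run over a constructed zone so it works offline; this is an added example, not the guide's own checker. The DKIM token names, the region, the MAIL FROM subdomain and the zone contents are made-up sample data, and records are modelled as a dict keyed by (name, type).

```python
def check_ses_dns(zone, domain, mail_from, region, tokens):
    """Return the problems found; an empty list means every record reads clean."""
    problems = []
    # 1. Easy DKIM: three CNAMEs at <token>._domainkey.<domain>, each pointing into dkim.amazonses.com.
    for t in tokens:
        host = f"{t}._domainkey.{domain}"
        target = zone.get((host, "CNAME"))
        if target is None:
            if zone.get((f"{host}.{domain}", "CNAME")):
                problems.append(f"DKIM: {host} was published with a duplicated suffix .{domain}")
            else:
                problems.append(f"DKIM: missing CNAME at {host}")
        elif target != f"{t}.dkim.amazonses.com":
            problems.append(f"DKIM: {host} points at {target}, not {t}.dkim.amazonses.com")
        elif zone.get((host, "TXT")):
            problems.append(f"DKIM: {host} also carries a TXT record; a CNAME must stand alone")
    # 2. Custom MAIL FROM: MX 10 to the regional feedback host and an SPF TXT that includes amazonses.com.
    want_mx = (10, f"feedback-smtp.{region}.amazonses.com")
    if zone.get((mail_from, "MX")) != want_mx:
        problems.append(f"MAIL FROM: expected MX {want_mx[0]} {want_mx[1]} at {mail_from}")
    spf = zone.get((mail_from, "TXT"), "")
    if not (spf.startswith("v=spf1 ") and "include:amazonses.com" in spf.split()):
        problems.append(f"MAIL FROM: no SPF TXT with include:amazonses.com at {mail_from}")
    # 3. DMARC: a valid policy, with SPF alignment left relaxed (aspf=s un-aligns a subdomain MAIL FROM).
    dmarc = zone.get((f"_dmarc.{domain}", "TXT"), "")
    tags = dict(kv.strip().split("=", 1) for kv in dmarc.split(";") if "=" in kv)
    if tags.get("v") != "DMARC1" or "p" not in tags:
        problems.append(f"DMARC: no valid record at _dmarc.{domain}")
    elif tags.get("aspf", "r") == "s":
        problems.append("DMARC: aspf=s will un-align SPF for a subdomain MAIL FROM; use aspf=r")
    return problems
# Constructed sample zone: token names, region and addresses are made up.
TOKENS = ("abc1", "abc2", "abc3")
GOOD_ZONE = {
    ("abc1._domainkey.example.com", "CNAME"): "abc1.dkim.amazonses.com",
    ("abc2._domainkey.example.com", "CNAME"): "abc2.dkim.amazonses.com",
    ("abc3._domainkey.example.com", "CNAME"): "abc3.dkim.amazonses.com",
    ("mail.example.com", "MX"): (10, "feedback-smtp.us-east-1.amazonses.com"),
    ("mail.example.com", "TXT"): "v=spf1 include:amazonses.com ~all",
    ("_dmarc.example.com", "TXT"): "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
}
# Same zone with two of the mistakes the guide warns about: a provider that
# appended the zone name to the third CNAME, and a DMARC record set to aspf=s.
BROKEN_ZONE = dict(GOOD_ZONE)
BROKEN_ZONE[("abc3._domainkey.example.com.example.com", "CNAME")] = BROKEN_ZONE.pop(("abc3._domainkey.example.com", "CNAME"))
BROKEN_ZONE[("_dmarc.example.com", "TXT")] = "v=DMARC1; p=reject; aspf=s"
if __name__ == "__main__":
    for zone in (GOOD_ZONE, BROKEN_ZONE):
        print(check_ses_dns(zone, "example.com", "mail.example.com", "us-east-1", TOKENS) or ["clean"])
```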

Frequently asked questions

Does Amazon SES pass DMARC without a custom MAIL FROM?

It can pass on DKIM alignment alone, because SES signs with your domain. But SPF will authenticate amazonses.com rather than your domain, so SPF alignment fails. Set a custom MAIL FROM subdomain to align both mechanisms and give yourself redundancy against forwarding that strips DKIM.

Why does SES use three CNAME records instead of one TXT record?

Easy DKIM points three selector hostnames at Amazon's signing service via CNAME. Because the real public key lives on Amazon's side, they can rotate keys without you ever editing DNS again. Publish all three exactly as the console shows them.

What MX record does the SES custom MAIL FROM need?

An MX on the MAIL FROM subdomain pointing at feedback-smtp.<region>.amazonses.com with priority 10, for example 10 feedback-smtp.us-east-1.amazonses.com. Match the region to where your SES account sends. This routes bounce and complaint feedback correctly.

Can I use aspf=s strict alignment with SES?

No, not with a subdomain MAIL FROM. Strict SPF alignment demands the MAIL FROM domain equal the From domain exactly, but SES uses a subdomain like mail.example.com. Keep alignment relaxed so the organizational domains match and SPF stays aligned.
