How to set up DMARC with Amazon SES (and why SPF alone won't align)
SES verifies your domain, signs your mail, and passes SPF out of the box — and your DMARC can still fail. Here's the SES-specific part nobody warns you about, and the full setup in plain English.
Check what your domain has today — free, no signupThe SES gotcha first: default SPF passes, but doesn't count
By default, SES sends your mail with a bounce address (the SMTP MAIL FROM) on amazonses.com, not on your domain. SPF checks that bounce domain — so the message gets spf=pass for amazonses.com. DMARC, however, only accepts an SPF pass when the checked domain aligns with your visible From address. Amazon's domain isn't yours, so that pass contributes nothing to DMARC.
This is normal and fixable, and it's why the setup below leads with DKIM: on SES, DKIM is what makes your DMARC pass. Aligned SPF is an optional upgrade via a custom MAIL FROM domain (step 3).
Step 1: verify your domain with Easy DKIM
- In the SES console, open Configuration > Verified identities and create (or select) your domain identity — verify the domain, not just an email address, or DKIM will sign for the wrong thing.
- Choose Easy DKIM. SES generates three CNAME records that look like:
<token1>._domainkey.yourdomain.com CNAME <token1>.dkim.amazonses.com
<token2>._domainkey.yourdomain.com CNAME <token2>.dkim.amazonses.com
<token3>._domainkey.yourdomain.com CNAME <token3>.dkim.amazonses.com
Publish all three in your DNS. The random tokens are your DKIM selectors; the CNAMEs point at keys Amazon hosts and rotates for you, which is why there are three. Once DNS propagates, the identity shows Verified and outgoing mail is signed with d=yourdomain.com — that's the aligned DKIM pass DMARC needs.
Step 2: publish the DMARC record
One TXT record at the _dmarc host:
Type: TXT
Host: _dmarc (_dmarc.yourdomain.com)
Value: v=DMARC1; p=none; rua=mailto:reports@yourdomain.com
p=none changes nothing about delivery yet — it switches on the aggregate reports that show which sources pass and fail. Point rua at a mailbox you'll actually process, or at a monitoring service. You can assemble the record with our free DMARC generator.
Step 3 (recommended): custom MAIL FROM for aligned SPF
To make SPF align too — so DMARC has two independent ways to pass — give SES a bounce domain that's a subdomain of yours:
- In your verified identity, open Custom MAIL FROM domain and set a subdomain you don't otherwise use, e.g.
mail.yourdomain.com. - Publish the two records SES asks for on that subdomain: an MX record pointing at Amazon's feedback endpoint for your region (e.g.
feedback-smtp.us-east-1.amazonses.com— copy the exact host from the console), and a TXT record:
Host: mail.yourdomain.com
Value: v=spf1 include:amazonses.com ~all
Now SPF is checked against mail.yourdomain.com, which relaxed alignment treats as yours. Note the SPF record lives on the MAIL FROM subdomain — adding include:amazonses.com to your root domain's SPF does nothing for SES alignment (a common source of wasted DNS lookups).
Step 4: verify, monitor, then tighten
Send a test message to a Gmail address you control and open Show original: you want dkim=pass with header.d=yourdomain.com, dmarc=pass, and — if you did step 3 — spf=pass for your MAIL FROM subdomain. If no reports show up within 48 hours, see not receiving DMARC reports.
Then watch your reports for a few weeks. When every legitimate source passes aligned, move to p=quarantine, and finish at p=reject — the trade-offs at each level are covered in p=none vs quarantine vs reject.
Common SES-specific mistakes
- Verifying an email address instead of the domain. Address-only identities inherit Amazon's signature (
d=amazonses.com) — mail delivers, but it can never pass DMARC for your domain. - Expecting the default SPF pass to satisfy DMARC. It can't — wrong domain. Either rely on Easy DKIM or add the custom MAIL FROM.
- Publishing the three CNAMEs as TXT records (or only one of them). Easy DKIM needs all three, as CNAMEs, so Amazon can rotate keys under them.
- Forgetting your other senders. SES being clean doesn't cover your Google Workspace mailboxes or marketing platform — each needs its own alignment, which your aggregate reports will surface.
On a different provider? The same walkthrough exists for Google Workspace, Microsoft 365, Zoho Mail, and Mailgun.
Step 2 asks where to send reports — send them somewhere useful. Point rua at PlainDMARC and get a plain-English weekly verdict instead of zipped XML: which sources pass, which fail, and when you're ready to tighten the policy. There's an API too, if you'd rather script it.