Amazon SES SPF and DKIM setup

The three Easy DKIM records that actually align your SES mail for DMARC, the optional custom MAIL FROM that fixes SPF, and the per-region trap that catches everyone.

What you are setting up

Amazon SES sends your application's mail (receipts, password resets, notifications) from Amazon's infrastructure. The most important thing to understand up front: DKIM, not SPF, is what makes SES mail pass DMARC. With Easy DKIM, SES signs with d=yourdomain.com, so the signature aligns with your From domain. SPF, by default, authenticates Amazon's envelope domain rather than yours, so it does not align at all, which is why the usual advice to “add include:amazonses.com to your SPF record” does nothing for DMARC on its own. Set up Easy DKIM first; treat SPF alignment as a separate, optional step.

Set up Easy DKIM (the records that matter)

In the SES console, go to Configuration > Identities > Create identity, choose Domain, and leave Easy DKIM enabled (RSA 2048-bit is the default). SES generates three CNAME records. You will find them on the identity's Authentication tab under Publish DNS records:

Type:  CNAME
Host:  <token1>._domainkey.yourdomain.com
Value: <token1>.dkim.amazonses.com

(plus two more, with token2 and token3)

Copy the values exactly as SES shows them. The target is usually <token>.dkim.amazonses.com, but in some AWS regions it is region-specific (for example <token>.dkim.eu-south-1.amazonses.com), so never assume the string. Once all three CNAMEs resolve, SES signs with d=yourdomain.com and your mail aligns on DKIM.

Prefer to hold your own key? BYODKIM (Bring Your Own DKIM) lets you generate the RSA key pair yourself and publish a single selector TXT record instead. Easy DKIM is simpler and rotates for you; BYODKIM gives you control of the private key.

Optional: align SPF with a custom MAIL FROM

By default, SES uses a subdomain of amazonses.com as the envelope (MAIL FROM) domain, so SPF authenticates Amazon, not you, and does not align. Aligned DKIM already carries DMARC, so this step is optional, but if you want SPF to align too (belt and suspenders, and better for some receivers), configure a custom MAIL FROM subdomain such as mail.yourdomain.com with exactly two records:

Type:  MX     (publish only ONE MX on this subdomain)
Host:  mail.yourdomain.com
Value: 10 feedback-smtp.<your-region>.amazonses.com

Type:  TXT
Host:  mail.yourdomain.com
Value: v=spf1 include:amazonses.com ~all

The feedback-smtp hostname is region-specific, and SES fills in the correct one for you. Publish only a single MX on that subdomain: if it has more than one, the custom MAIL FROM setup fails.

Add DMARC

Standard _dmarc TXT record. Start in monitor-only mode:

Type:  TXT
Host:  _dmarc
Value: v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com

One detail if you rely on the SPF path: the custom MAIL FROM is a subdomain of your From domain, so it only counts as aligned under DMARC's relaxed SPF mode (the default). Do not set a strict SPF policy (aspf=s) in your DMARC record, or the custom MAIL FROM subdomain stops counting as aligned and you are back to DKIM alone. Build the record with our DMARC builder.

The Amazon SES gotchas

Your DNS host appended your domain to the record name. This is the number-one reason Easy DKIM stays stuck on “pending” for hours. Some hosts silently turn token._domainkey.yourdomain.com into token._domainkey.yourdomain.com.yourdomain.com. Enter the host exactly as SES gives it, and if your host auto-appends the domain, strip it from the end. Do not add an extra leading underscore either.

SES identities are per-region. A domain verified in one AWS region is not verified in another, the DKIM tokens differ per region, and so does the feedback-smtp endpoint. If you send from multiple regions, repeat the Easy DKIM setup in each and publish every region's CNAMEs.
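
A way to catch both gotchas, and a mistyped record from the setup steps above, before you hit publish. This is an added example, not SES or trustyourinbox code: it compares a zone export against the record set SES shows you and flags a doubled owner name, a missing or wrong CNAME target, and a second MX on the MAIL FROM subdomain. The domain, region, DKIM suffix and tokens are placeholders you replace with the console's values, and the zone is a constructed dict standing in for your provider's export.

```python
"""Check a DNS zone snapshot against the Amazon SES records you mean to
publish: three Easy DKIM CNAMEs, one MX and one SPF TXT for the custom
MAIL FROM subdomain. Added example, not SES or trustyourinbox code."""

DOMAIN = "yourdomain.com"                  # placeholder for your verified identity
REGION = "eu-west-1"                       # assumption: the region you send from
TOKENS = ["token1", "token2", "token3"]    # placeholders for the real SES tokens
DKIM_SUFFIX = "dkim.amazonses.com"         # copy from the console: some regions use dkim.<region>.amazonses.com


def expected_records(domain=DOMAIN, region=REGION, tokens=TOKENS, dkim_suffix=DKIM_SUFFIX):
    """The record set as the SES console presents it, keyed by owner name."""
    wanted = {f"{t}._domainkey.{domain}": [("CNAME", f"{t}.{dkim_suffix}")] for t in tokens}
    wanted[f"mail.{domain}"] = [
        ("MX", f"10 feedback-smtp.{region}.amazonses.com"),
        ("TXT", "v=spf1 include:amazonses.com ~all"),
    ]
    return wanted


def _norm(name):
    """Trailing dots and case never matter in DNS names; ignore them."""
    return name.strip().rstrip(".").lower()


def check_zone(zone, domain=DOMAIN, region=REGION, tokens=TOKENS, dkim_suffix=DKIM_SUFFIX):
    """Return a list of findings; an empty list means the zone matches."""
    have = {}
    for owner, rrs in zone.items():
        have.setdefault(_norm(owner), []).extend((t.upper(), _norm(v)) for t, v in rrs)

    findings = []
    for owner, rrs in expected_records(domain, region, tokens, dkim_suffix).items():
        present = have.get(owner, [])
        for rtype, value in rrs:
            if (rtype, _norm(value)) in present:
                continue
            msg = f"missing {rtype} at {owner}: expected {value}"
            # The classic "pending for hours" cause: the provider appended the zone name.
            if f"{owner}.{domain}" in have:
                msg += f" (found at {owner}.{domain}: your DNS host appended the domain, enter the host as SES shows it)"
            findings.append(msg)

    # SES rejects a custom MAIL FROM subdomain that carries more than one MX.
    mx = [v for t, v in have.get(f"mail.{domain}", []) if t == "MX"]
    if len(mx) > 1:
        findings.append(f"{len(mx)} MX records at mail.{domain}; SES requires exactly one")
    return findings


SAMPLE_ZONE = {  # constructed: a zone with two typical mistakes in it
    "token1._domainkey.yourdomain.com": [("CNAME", "token1.dkim.amazonses.com.")],
    "token2._domainkey.yourdomain.com": [("CNAME", "token2.dkim.amazonses.com")],
    "token3._domainkey.yourdomain.com.yourdomain.com": [("CNAME", "token3.dkim.amazonses.com")],
    "mail.yourdomain.com": [
        ("MX", "10 feedback-smtp.eu-west-1.amazonses.com"),
        ("MX", "20 feedback-smtp.us-east-1.amazonses.com"),  # stale second MX
        ("TXT", "v=spf1 include:amazonses.com ~all"),
    ],
}

if __name__ == "__main__":
    for finding in check_zone(SAMPLE_ZONE) or ["zone matches the SES records"]:
        print(finding)
```

Run it against a parsed export of your zone rather than the sample dict; the check is offline by design so that it tells you what you are about to publish, not what has propagated, and it does not replace resolving the records afterwards.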

Confirm it worked

  • Check the DKIM records. Our DKIM checker confirms the three CNAMEs resolve and SES is publishing a key.
  • Send a test and read the headers. Trigger a real send, open the message, and confirm d=yourdomain.com on the DKIM signature and dmarc=pass. The header analyzer reads it back plainly.
  • Watch the reports. SES should appear as an aligned, passing source in your DMARC aggregate reports. In trustyourinbox it is a known sender, so an unsigned blast from a misconfigured region is easy to spot.
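
To read those headers back without a third-party tool, here is an added example (not SES or trustyourinbox code) that takes a delivered message, pulls the SPF and DKIM results out of Authentication-Results, and evaluates DMARC alignment in both relaxed and strict modes, which also shows why the aspf=s caveat from the DMARC section matters. The headers are constructed placeholders for an SES message, and the organisational-domain rule is simplified to the last two labels; real DMARC uses the Public Suffix List.

```python
"""Evaluate DMARC alignment from a delivered message's headers.
Added example, not SES or trustyourinbox code. The message is constructed to
look like what a receiver stamps on SES mail."""
import re
from email import message_from_string, policy

FROM_DOMAIN = "yourdomain.com"   # placeholder for your verified identity


def sample_message(mail_from_domain, dkim_domains):
    """Constructed headers. SES adds its own d=amazonses.com signature next to
    yours, so a real message usually carries two DKIM results."""
    results = [f"spf=pass smtp.mailfrom={mail_from_domain}"]
    sigs = []
    for i, d in enumerate(dkim_domains):
        results.append(f"dkim=pass header.d={d} header.s=sel{i}")
        sigs.append(f"DKIM-Signature: v=1; a=rsa-sha256; d={d}; s=sel{i}; h=from:to:subject; b=CONSTRUCTED")
    headers = [
        f"Return-Path: <bounce@{mail_from_domain}>",
        "Authentication-Results: mx.example.net;\n " + ";\n ".join(results),
        *sigs,
        f'From: "App" <noreply@{FROM_DOMAIN}>',
        "To: user@example.net",
        "Subject: Your receipt",
    ]
    return "\n".join(headers) + "\n\nThanks for your order.\n"


AR_SPF = re.compile(r"spf=(\w+)[^;]*?smtp\.mailfrom=([\w.@-]+)")
AR_DKIM = re.compile(r"dkim=(\w+)[^;]*?header\.d=([\w.-]+)")


def org_domain(name):
    """Simplification: organisational domain = last two labels. Real DMARC
    uses the Public Suffix List; swap in a PSL library for production."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """'s' (strict) needs an exact match; 'r' (relaxed) needs the same
    organisational domain, which is what lets mail.yourdomain.com align."""
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def evaluate(raw, aspf="r", adkim="r"):
    """Return which identifiers pass and align, plus the DMARC verdict."""
    msg = message_from_string(raw, policy=policy.default)
    from_domain = msg["From"].addresses[0].domain
    ar = " ".join(msg.get_all("Authentication-Results", []))
    spf_ok = any(res == "pass" and aligned(dom.split("@")[-1], from_domain, aspf)
                 for res, dom in AR_SPF.findall(ar))
    dkim_ok = any(res == "pass" and aligned(dom, from_domain, adkim)
                  for res, dom in AR_DKIM.findall(ar))
    return {"from": from_domain, "spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if (spf_ok or dkim_ok) else "fail"}


if __name__ == "__main__":
    good = sample_message("mail.yourdomain.com", ["yourdomain.com", "amazonses.com"])
    print("custom MAIL FROM, relaxed:", evaluate(good))
    print("custom MAIL FROM, aspf=s: ", evaluate(good, aspf="s"))
    print("default MAIL FROM:        ", evaluate(sample_message("eu-west-1.amazonses.com", ["yourdomain.com", "amazonses.com"])))
    print("region without Easy DKIM: ", evaluate(sample_message("eu-west-1.amazonses.com", ["amazonses.com"])))
```

The four cases in the main block are the ones this page describes: the custom MAIL FROM aligns only in relaxed mode, the default amazonses.com envelope never aligns but DKIM still carries the verdict, and a region where Easy DKIM was never published leaves only Amazon's own signature, which fails. Feed `evaluate()` the raw source of a real test message to check your own setup.
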

Let trustyourinbox publish Amazon SES for you

Connect your DNS once and we publish the Amazon SES records above in a single click, with a five-minute window to undo. Then we keep watching this sender in your DMARC reports and tell you the moment Amazon SES mail starts failing, so a typo in a record never quietly costs you the inbox.

Last verified 2026-06-22.

Stop guessing. Start monitoring.

Free for one domain. Set up in five minutes. We parse the reports; you read plain-English summaries.