Skip to main content
Amazon SES

Setting up SPF, DKIM, and DMARC in Amazon SES

By 17 September 2021January 24th, 2022No Comments

Although not mandatory in Amazon SES, email authentication is highly recommended and has many benefits. From security to deliverability, you can protect your brand from fraud and help your emails successfully reach the inbox.

In this post, we will run you through the types of authentication and process of authenticating your accounts – domains or single email addresses – in Amazon SES, so you can start sending emails with high deliverability.

What is email authentication

Email authentication is how email senders can verify that they are the owner of the account that they are sending from. If emails are not authenticated, ISPs (Internet Service Providers) cannot identify if the emails being sent are coming from spammers or genuine senders.

Most ISPs that forward email traffic check if emails being sent are authenticated and thus, legitimate. If they are not, it’s very likely that they will end up on the recipients’ spam folders. In some cases, ISPs refuse to forward email that is not authenticated. In summary, email authentication helps prevent messages your organization sends from being flagged as spam.

Amazon SES uses the SMTP (Simple Mail Transfer Protocol) to send email. But SMTP does not provide any authentication by itself. So, making sure your account is authenticated before start sending emails is a crucial step to ensure optimal deliverability of your emails with Amazon SES.

Email authentication protocols

There are 3 protocols that you should use to confirm ownership of domains and ensure optimal email deliverability.

SPF

SPF stands for Sender Policy Framework and works by strictly specifying the number of allowed domain IPs that can send emails from your domains. This helps preventing email spoofing (when spammers send emails from domains that they don’t own and make the message appear from someone or somewhere other than the actual source).

In practical terms, you add a record to your DNS specifying which computers can send emails from your domain.

DKIM

DKIM (Domain Keys Identified Mail) is another email authentication method and was created for the same goal as SPF. It allows ISPs to check that an email was indeed sent and authorized by the owner of that domain. DKIM’s advantage is that it can survive forwarding, which makes it superior to SPF and a foundation for securing your email.

By setting DKIM on your DNS (Domain Name System) server, you are certifying email recipients (and ISPs) that it’s really you who is sending the emails that they receive. Think of it as a digital signature that is added to the headers of email messages. This signature can be validated against a cryptographic key you will add to your DNS records, to prove legitimacy of the emails.

DMARC

Domain-based Message Authentication, Reporting and Conformance (DMARC) is an email authentication protocol that uses SPF and DKIM to detect email spoofing. It specifies how your domain handles suspicious emails. To comply with DMARC, messages must be authenticated through either SPF or DKIM, or both.

Amazon SES domain verification

Here’s how you can authenticate domains in Amazon SES to be able to send emails from your owned domains.

1. Adding your domains to Amazon SES

First, log in to the Amazon SES console and select Configuration > Verified Identities. Identities can be either email addresses or domains. In this article, we will focus on verification of domains.

Under the “Identities” column, the unverified domains will have status ‘verification pending’.

Click on the domain you wish to authenticate (or click on “Create Identity” if you haven’t added any identity yet). Then, scroll down to the ‘Authentication’ tab.

Initially, your DKIM configuration will show the message “Pending“.

2. Setting up AWS SES DKIM

Under the session ‘View DNS records”, you will find all CNAME records that you have to add to your DNS records, so they match to the Amazon SES ones. Note that the detection of these records may take up to 72 hours (but it’s usually much quicker than that).

3. Setting up SPF in Amazon SES

When you send email through Amazon SES, the messages that you send pass an SPF check by default. Amazon SES specifies a MAIL FROM domain for each message that is a subdomain of amazonses.com, and the sending mail server for the message aligns with this domain.

amazon ses spf

To publish an SPF record, you have to add a new TXT record to the DNS configuration for your domain. The procedures for updating DNS records vary depending on which DNS or web hosting provider you use.

4. Complying with DMARC in Amazon SES

To set up DMARC, you also have to modify the DNS settings for your domain. Your domains’ records should include a TXT record that specifies the domain’s DMARC settings. You can set DMARC up, as well as ensure that you stay compliant with it, using Postmark. By creating an account, you can receive free weekly emails to help monitor DMARC compliance, here’s how:

  1. Go to https://dmarc.postmarkapp.com/ and create a free account
  2. Enter the email address where you would like to receive the reports
  3. Enter the subdomain you are using in the “Custom MAIL FROM” domain field in Amazon SES
  4. Add the TXT record provided to your domains’ DNS

AWS SES single email verification

Verifying a single email address in Amazon SES is a much simpler process than verifying an entire domain. All you need to do is:

  1. Go to Configuration > Verified Identities
  2. Select Create identity
  3. Select the option Email Address 
  4. Type the email address you want to verify and select Create identity

verify email address Amazon SES

If the new email address belongs to a domain that has been already verified within Amazon SES, it will immediately show up as ‘Verified‘. Otherwise, it will appear as ‘Unverified‘ in your list of identities.

To verify it, log in to the account and click on the verification link that Amazon SES will send to it.

After that, the status for that new email address should show ‘Verified‘.

Wrapping Up

Skipping the authentication step in your Amazon SES account set up can be disastrous for your email deliverability. We hope this article has helped you authenticate your emails and domains in Amazon SES! Ready to start sending emails out? Make sure you check out this Amazon SES best practices we put together for you!