Setting Up Amazon SES Email Authentication

Complete guide to configuring SPF, DKIM, and DMARC for Amazon SES transactional emails.


Amazon SES (Simple Email Service) is AWS's transactional email service. This guide covers setting up SPF, DKIM, and DMARC for Amazon SES.

Prerequisites

  • AWS account with SES access
  • Domain verified in Amazon SES
  • Access to your domain's DNS settings (Route 53 or external)
  • MailSentinel account for DMARC monitoring

Overview

Amazon SES requires:

  1. SPF - Authorize Amazon SES to send emails
  2. DKIM - Sign emails with Amazon SES keys
  3. DMARC - Monitor and enforce authentication

Step 1: Verify Domain in Amazon SES

  1. Log in to AWS Console
  2. Navigate to Amazon SES
  3. Go to Verified identities → Create identity
  4. Select Domain
  5. Enter your domain (e.g., example.com)
  6. Choose verification method:
    • DNS verification (recommended)
    • Email verification (for testing)

Step 2: Configure SPF for Amazon SES

Get Amazon SES SPF Include

Amazon SES provides this SPF include:

include:amazonses.com

Build Your SPF Record

If Amazon SES is your only email service:

v=spf1 include:amazonses.com -all

If you use other services (Google Workspace, etc.):

v=spf1 include:_spf.google.com include:amazonses.com -all

Important: Only ONE SPF record per domain. Merge all includes into a single record.

Add SPF Record to DNS

If using Route 53:

  1. Go to Route 53 → Hosted zones
  2. Select your domain
  3. Create TXT record:
    • Name: (blank for root domain)
    • Value: Your complete SPF record
    • TTL: 3600

If using external DNS:

  • Add TXT record at your DNS provider
  • Host: @ or leave blank
  • Value: Your complete SPF record
  • TTL: 3600

Verify SPF Setup

  1. In SES console, check domain verification status
  2. Use MailSentinel to verify SPF record
  3. Use MXToolbox SPF checker

Step 3: Configure DKIM for Amazon SES

Enable DKIM in SES

  1. In SES console, go to Verified identities
  2. Select your domain
  3. Go to DKIM tab
  4. Click Edit
  5. Select Easy DKIM
  6. Choose CNAME record type (recommended) or TXT

Get DKIM Records from SES

SES provides DKIM records like:

For CNAME records (recommended):

Host: xyz123._domainkey
Type: CNAME
Value: xyz123.dkim.amazonses.com

Host: abc456._domainkey
Type: CNAME
Value: abc456.dkim.amazonses.com

Host: def789._domainkey
Type: CNAME
Value: def789.dkim.amazonses.com

For TXT records (alternative):

Host: xyz123._domainkey
Type: TXT
Value: p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC...

Add DKIM Records to DNS

If using Route 53:

  1. Go to Route 53 → Hosted zones
  2. Select your domain
  3. For each DKIM record, create a CNAME record:
    • Name: xyz123._domainkey (use SES-provided name)
    • Value: xyz123.dkim.amazonses.com (use SES-provided value)
    • TTL: 3600
  4. Repeat for all 3 DKIM records

If using external DNS:

  1. Add CNAME records at your DNS provider
  2. Host: xyz123._domainkey (from SES)
  3. Value: xyz123.dkim.amazonses.com (from SES)
  4. TTL: 3600
  5. Repeat for all 3 records

Verify DKIM Setup

In SES Console:

  • DKIM status should show "Verified"
  • May take 15-60 minutes to verify
  • All 3 records must be published

Manual Verification:

  1. Send test email through SES
  2. Check email headers
  3. Look for DKIM-Signature header
  4. Verify signature is valid

Step 4: Configure DMARC for Amazon SES

Get Your MailSentinel Report Address

  1. Log in to MailSentinel
  2. Add your domain
  3. Go to Settings → DMARC Configuration
  4. Copy report address: your-org-id@reports.mailsentinel.io

Create DMARC Record

Starting with monitoring:

v=DMARC1; p=none; rua=mailto:your-org-id@reports.mailsentinel.io

After monitoring (quarantine):

v=DMARC1; p=quarantine; rua=mailto:your-org-id@reports.mailsentinel.io; adkim=r; aspf=r

Full protection:

v=DMARC1; p=reject; rua=mailto:your-org-id@reports.mailsentinel.io; ruf=mailto:your-org-id@forensic.mailsentinel.io; adkim=r; aspf=r

Add DMARC Record to DNS

If using Route 53:

  1. Go to Route 53 → Hosted zones
  2. Select your domain
  3. Create TXT record:
    • Name: _dmarc
    • Value: Your complete DMARC record
    • TTL: 3600

If using external DNS:

  • Add TXT record at your DNS provider
  • Host: _dmarc
  • Value: Your complete DMARC record
  • TTL: 3600

Verify DMARC Setup

  1. Use MailSentinel to check DNS
  2. Verify DMARC record is detected
  3. Wait 24-48 hours for first reports
  4. Monitor in MailSentinel dashboard

Amazon SES-Specific Considerations

SES Configuration Sets

For Advanced Tracking:

  • Use configuration sets for event tracking
  • Doesn't affect SPF/DKIM/DMARC
  • Useful for monitoring

SES Sending Limits

Sandbox Mode:

  • Limited to 200 emails/day
  • Can only send to verified emails
  • Request production access for higher limits

Production Mode:

  • Higher sending limits
  • Can send to any email
  • Requires request approval

SES IP Addresses

Shared IP Pools:

  • SES uses shared IP pools by default
  • Don't add individual IPs to SPF
  • Use include:amazonses.com instead

Dedicated IPs:

  • Available for higher volume
  • May need to add IPs to SPF
  • Check SES documentation for IP ranges

SES Regions

Multi-Region Setup:

  • SES available in multiple AWS regions
  • SPF/DKIM/DMARC work across regions
  • No additional configuration needed

Common Amazon SES Configurations

SES Only

SPF:

v=spf1 include:amazonses.com -all

DKIM: Configure in SES console (3 CNAME records)

DMARC:

v=DMARC1; p=none; rua=mailto:your-org-id@reports.mailsentinel.io

SES + Google Workspace

SPF:

v=spf1 include:_spf.google.com include:amazonses.com -all

DKIM: Configure both Google Workspace and SES DKIM

DMARC: Same as above, covers both services

SES + Multiple Services

SPF:

v=spf1 include:_spf.google.com include:amazonses.com include:sendgrid.net -all

DKIM: Configure for each service

DMARC: Single DMARC policy covers all

Troubleshooting Amazon SES Issues

Issue 1: SPF Not Working

Symptoms:

  • Emails failing SPF check
  • SES shows authentication errors

Solutions:

  1. Verify SPF record includes include:amazonses.com
  2. Check only one SPF record exists
  3. Verify DNS propagation (wait 15-60 minutes)
  4. Use SPF checker to validate

Issue 2: DKIM Not Signing

Symptoms:

  • No DKIM signature in headers
  • SES shows DKIM not verified

Solutions:

  1. Verify all 3 DKIM CNAME records are published
  2. Check selectors match SES's expectation
  3. Wait for DNS propagation
  4. Verify domain is verified in SES
  5. Check for typos in DNS records

Issue 3: DMARC Failures

Symptoms:

  • DMARC reports show failures
  • Emails going to spam

Solutions:

  1. Verify SPF alignment
  2. Verify DKIM alignment
  3. Check From: domain matches verified domain
  4. Review DMARC reports for details
  5. Fix underlying SPF/DKIM issues

Issue 4: Domain Not Verifying

Symptoms:

  • SES shows domain not verified
  • DNS records not detected

Solutions:

  1. Wait 15-60 minutes for DNS propagation
  2. Verify DNS records are at correct location
  3. Check for typos in records
  4. Ensure nameservers are correct
  5. Try removing and re-adding domain

Best Practices for Amazon SES

1. Use Dedicated Subdomain

For Transactional Email:

  • Use subdomain like mail.example.com or notify.example.com
  • Isolates reputation
  • Easier to manage

SPF for Subdomain:

mail.example.com  TXT  "v=spf1 include:amazonses.com -all"

2. Monitor Authentication

Key Metrics:

  • SPF pass rate (target: 95%+)
  • DKIM pass rate (target: 95%+)
  • DMARC pass rate (target: 95%+)
  • Bounce rate (target: <5%)
  • Complaint rate (target: <0.1%)

3. Use SES Configuration Sets

Benefits:

  • Track email events
  • Monitor bounces and complaints
  • Set up CloudWatch alarms
  • Better visibility

4. Regular Audits

Quarterly Reviews:

  • Check SPF includes still needed
  • Verify DKIM keys are valid
  • Review DMARC reports
  • Update records as needed

5. Use MailSentinel for Monitoring

Benefits:

  • Centralized DMARC monitoring
  • Alerts for authentication failures
  • Detailed reporting
  • Progress tracking

Amazon SES API Integration

Sending Emails via API

Authentication:

  • SES API uses same domain authentication
  • SPF/DKIM/DMARC apply to API emails
  • No additional configuration needed

SDK Usage

Example (Node.js):

const AWS = require('aws-sdk');
// Use the region where the domain identity was verified in Step 1.
const ses = new AWS.SES({ region: 'us-east-1' });

const params = {
  // The Source domain must be a verified identity; Easy DKIM signs with it.
  Source: 'noreply@example.com',
  Destination: { ToAddresses: ['user@example.com'] },
  Message: {
    Subject: { Data: 'Test Email' },
    Body: { Text: { Data: 'Hello from SES!' } }
  }
};

// sendEmail() returns a request; .promise() gives a promise that rejects
// on errors such as an unverified Source or a sandbox recipient limit.
ses.sendEmail(params).promise()
  .then(res => console.log('Sent, MessageId:', res.MessageId))
  .catch(err => console.error('SES send failed:', err.message));

Next Steps

After setting up Amazon SES authentication:

  1. Monitor DMARC Reports - Track authentication status
  2. Set Up Alerts - Get notified of issues
  3. Review Best Practices - Optimize deliverability
  4. Troubleshoot Issues - Fix any problems

Additional Resources