Set Up Amazon SES SPF, DKIM, and DMARC Records for Domain Authentication

October 27, 2024

How to Set Up Amazon SES SPF, DKIM, and DMARC Records?

If you send email through Amazon SES and your messages are going to spam, this article is for you. It explains how to set up the Amazon SES SPF, DKIM, and DMARC records. These Amazon SES DNS records improve email deliverability and help prevent email scams. When your email domain is authenticated, inbox providers like Google, Outlook, and Yahoo trust you as a legitimate sender and deliver your emails to your customers' inboxes.

SPF (Sender Policy Framework) specifies which servers are allowed to send emails on your behalf. DKIM (DomainKeys Identified Mail) makes sure that the email message has not been forged in transit. DMARC (Domain-based Message Authentication, Reporting, and Conformance) checks SPF and DKIM alignment and decides what to do with emails that fail the authentication check.

Configure Amazon SES Domain Authentication Records:

  1. Click the Hamburger menu icon in the top left corner.

  2. Go to Identities under Configurations.

  3. Hit the Create New Identity button.

  4. Select Identity type "Domain" and add your domain name.

  5. Check the box for "Use a custom MAIL FROM address" and add a subdomain in Mail From Domain.

  6. Check the box for "Use default Mail From domain" and "Enable" Publish DNS records to Route53.

  7. Click "Advanced DKIM Settings", select Easy DKIM, and "Enable" DKIM Signature.

  8. Finally, click Create Identity.

  9. On the next page, you will have the Amazon SES DKIM, SPF, and MX records.

Set Up the Amazon SES DKIM Record in the DNS Provider:

  1. Log in to your DNS provider and open the domain.

  2. Go to the DNS tab and click Add Record.

  3. Select record type CNAME.

  4. Copy the hostname and paste it into the Name field.

  5. Copy the DKIM value and paste it into the Target field.

  6. Turn off the proxy and click Save.

Set Up the Amazon SES SPF Record:

  1. In the DNS dashboard, select type TXT.

  2. Copy the provided hostname and the Amazon SES SPF record, and add them to the DNS dashboard.

  3. Hit the Save button to save the SPF record.

What to do if there are multiple SPF records?

Due to the limitations of DNS providers, we cannot add more than one SPF record for a single domain. If your domain has an existing SPF record, merge it with the Amazon SES SPF record to avoid conflicts.

  1. You can use the DmarcDkim.com SPF merge tool to combine multiple SPF records.

  2. Add your domain name and Amazon SES SPF value.

  3. Click the Merge SPF Values button.

  4. This tool detects your existing SPF value and combines it with the Amazon SPF value.

  5. Copy the merged value and edit your existing SPF record.
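What a merge of two SPF values involves, shown as an added Python example (not code from the DmarcDkim.com tool or from Amazon). Receivers evaluating SPF under RFC 7208 return a permanent error when a name publishes more than one SPF record, or when a record needs more than 10 DNS lookups, so the example checks both. The existing record is constructed sample data, the SES value is an assumption to be replaced with the one shown on your identity page, and keeping the strictest "all" is a design choice of this example.

```python
# Constructed sample: an existing record on the domain (documentation IP range).
EXISTING_SPF = "v=spf1 include:_spf.google.com ip4:203.0.113.10 -all"
# Assumed SES value; copy the real one from your SES identity page.
SES_SPF = "v=spf1 include:amazonses.com ~all"

LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
ALL_RANK = {"+": 0, "?": 1, "~": 2, "-": 3}  # pass < neutral < softfail < fail


def split_terms(record):
    """Return (terms_without_all, all_qualifier_or_None) for one SPF record."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError(f"not an SPF record: {record!r}")
    terms, all_q = [], None
    for term in parts[1:]:
        bare = term.lstrip("+-~?").lower()
        if bare == "all":
            all_q = term[0] if term[0] in ALL_RANK else "+"
        elif bare.startswith("redirect="):
            raise ValueError("redirect= needs a manual merge")
        else:
            terms.append(term)
    return terms, all_q


def merge_spf(*records):
    """Combine records: drop duplicate terms, emit a single trailing 'all'."""
    merged, seen, qualifiers = [], set(), []
    for record in records:
        terms, all_q = split_terms(record)
        if all_q:
            qualifiers.append(all_q)
        for term in terms:
            if term.lower() not in seen:
                seen.add(term.lower())
                merged.append(term)
    # Design choice of this example: keep the strictest 'all' that was present.
    tail = [max(qualifiers, key=ALL_RANK.get) + "all"] if qualifiers else []
    return " ".join(["v=spf1", *merged, *tail])


def lookup_count(record):
    """Count terms that cost a DNS lookup; RFC 7208 caps these at 10."""
    names = (t.lstrip("+-~?").lower() for t in record.split()[1:])
    return sum(n.split(":")[0].split("/")[0].split("=")[0] in LOOKUP_TERMS for n in names)

if __name__ == "__main__":
    print(merge_spf(EXISTING_SPF, SES_SPF))
```

If `lookup_count` on the merged value exceeds 10, remove or consolidate include mechanisms before publishing the record.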

Set Up the Amazon SES MX Record:

  1. Select type MX in the DNS dashboard.

  2. Copy and paste the hostname and MX value to the dedicated fields.

  3. Select priority 10 and click Save.

Set Up the Amazon SES DMARC Record:

The DMARC value provided by Amazon SES is only for monitoring emails; it doesn't block or reject emails coming from unauthorized sources. Hence, your emails are not fully scam-proof.

To generate an effective DMARC policy, you can use the DmarcDkim.com DMARC Check tool.

This tool helps you set up a strict policy that protects your domain against spoofing attacks and gives you insights into email performance so you can identify the imposters trying to malign your domain name.

  1. Go to the DMARC Check Tool.

  2. Add your domain name and click Check.

  3. The tool analyzes your domain and provides an initial monitoring (p=none) value. Once it monitors the emails coming from unauthorized sources, it then guides you toward implementing a strict policy to block the imposters.

  4. Copy the TXT DMARC record and paste it into the DNS dashboard.

  5. Sign up for the tool to get actionable insights and DMARC reports.

After adding the Amazon SES SPF, DKIM, and DMARC records, wait up to 24 hours for the servers to verify the DNS records.

If the records do not get verified after 24 hours, there might be a misconfiguration in your DNS setup.

To troubleshoot the email authentication issues, hire a DmarcDkim.com expert.