A - E
F - L
M - S
T - Z

Amazon SES

Supports SPF Supports DKIM


How to Set Up/Modify SPF for Amazon SES

Sender Policy Framework (SPF) is a mechanism designed to help prevent email spoofing and phishing by validating the sending domain at the receiving server. Essentially, SPF identifies which outbound providers can send email on your company’s behalf. The following description addresses how to update a Domain Name Service (DNS) record to use SPF with your custom domain in Amazon SES.

To utilize a custom domain, the Amazon SES provider requires an SPF TXT record be added to the DNS record. This TXT record is then used by DNS to recognize email servers allowed to send messages on behalf of your custom/third-party domain. To determine whether a correspondence from the specified domain comes from an authorized messaging server, the recipient system relies on the implemented SPF TXT record. At that point, the message is either accepted, quarantined, or rejected by the email receiving system.

Amazon SES utilizes an include mechanism during the set-up process. For example, the following scenario is the most common and would pass SPF:

v=spf1 ~all

If you send email from IP for the domain “” and that domain’s SPF record includes and the IP address passes the SPF record, this mechanism will pass.

Note: To pass an SPF check, there are two setups with Amazon SES available. The first is to use the default MAIL FROM domain of Amazon SES, and to not publish an SPF record. This setup allows you to pass a check because by default, Amazon SES uses its own MAIL FROM domain to send your emails. The second setup to pass an SPD check involves configuring Amazon SES to utilize your own MAIL FROM domain, which requires you to publish an SPF record.

How to Set Up/Modify DKIM for Amazon SES

DomainKeys Identified Mail (DKIM) is a protocol that enables a company to take responsibility for sent messages that can be verified by mailbox providers. Basically, DKIM allows the outbound domain to digitally sign email to provide legitimacy for the receiver. Below is a guide on how to use DKIM with Amazon SES (Easy DKIM) to ensure that recipient email systems trust messages sent from your custom domain.

Designed to prevent spoofing attacks, DKIM works in tandem with SPF to attain DMARC compliancy. DKIM lets a company add a digital signature to emails in the message header, which allows recipient systems to use the signature as a validation point to determine if incoming mail is legitimate.

You can use the Amazon SES console to configure Easy DKIM settings and to enable/disable automatic DKIM signing for your email messages. To set up Easy DKIM, you must be able to edit your domain’s DNS records.

To implement Easy DKIM for the Amazon SES platform via a new domain, follow these steps:

  • Go to your verified domain list in Amazon SES console

  • Click Verify a New Domain

  • Enter your domain name, select Generate DKIM Settings, click Verify This Domain

  • Complete domain verification by updating your domain’s DNS settings with the TXT record information from the Domain Verification Record in the Verify a New Domain box

  • Set up DKIM by updating your domain’s DNS settings with the CNAME record information from box

  • Enable DKIM signing for your custom domain in Amazon SES; DKIM Verification Status for that domain will change from “in progress” to “success”

An example of enabling DKIM signing for your custom domain is as follows:

New-DkimSigningConfig -DomainName -Enabled $true

As a user of this outbound email provider, Amazon SES customers are afforded DKIM signing because it supports this mechanism. By utilizing Amazon’s self-service portal, you can manually set up DKIM at your convenience via CNAME records mentioned above This Amazon SES product provides beneficial components (e.g., DKIM signing, self-service set up with CNAME records) that result in a streamlined process.

DKIM/SPF Setup Highlights

The below sections highlight notable characteristics of setting up DKIM and SPF for this provider as well as highlighting advanced settings if offered by this Outbound Email Source.


SPF Include Tag Required

This outbound email provider uses an include mechanism to add this provider's IP space to your SPF. To get fully set up with SPF for this provider, you will need to take the provided “include” domain and add it to your SPF record. An example of an SPF record without an include tag is compared to one with the tag added below (the include tags added are denoted in bold).


Initial SPF Record:

HOST TEXT v=spf1 ~all


SPF record include added:

HOST TEXT v=spf1 ~all



Supports DKIM Signing

Yes, this outbound email provider supports DKIM signing.

DKIM Setup via CNAME

This specific email provider relies on a CNAME record (or multiple records) for DKIM set up. Below is an example a typical  CNAME Record for setting up DKIM. The HOST section will typically contain a unique name followed by the domain name you are creating the record for (In the below "s1.domainkey" is the unique name followed by the domain of "". The ADDRESS section will outline where mail receivers should look for a DKIM record for the domain. Both of these values are typically auto generated when you setup DKIM via an outbound email source.



DKIM Setup Process: Self-Service Dashboard

This email provider offers a self-service dashboard where DKIM records will be setup for the account. To get DKIM setup for this provider you will login to your account at this provider and proceed to the DKIM setup area.