How to Set Up/Modify SPF for Amazon SES
Sender Policy Framework (SPF) is a mechanism designed to help prevent email spoofing and phishing by validating the sending domain at the receiving server. Essentially, SPF identifies which outbound providers can send email on your company’s behalf. The following description addresses how to update a Domain Name Service (DNS) record to use SPF with your custom domain in Amazon SES.
To utilize a custom domain, the Amazon SES provider requires an SPF TXT record be added to the DNS record. This TXT record is then used by DNS to recognize email servers allowed to send messages on behalf of your custom/third-party domain. To determine whether a correspondence from the specified domain comes from an authorized messaging server, the recipient system relies on the implemented SPF TXT record. At that point, the message is either accepted, quarantined, or rejected by the email receiving system.
Amazon SES utilizes an include mechanism during the set-up process. For example, the following scenario is the most common and would pass SPF:
v=spf1 include:amazonses.com ~all
If you send email from IP 1.2.3.4 for the domain “yourcompany.com” and that domain’s SPF record includes amazonses.com and the IP address passes the SPF record, this mechanism will pass.
Note: To pass an SPF check, there are two setups with Amazon SES available. The first is to use the default MAIL FROM domain of Amazon SES, and to not publish an SPF record. This setup allows you to pass a check because by default, Amazon SES uses its own MAIL FROM domain to send your emails. The second setup to pass an SPD check involves configuring Amazon SES to utilize your own MAIL FROM domain, which requires you to publish an SPF record.
How to Set Up/Modify DKIM for Amazon SES
DomainKeys Identified Mail (DKIM) is a protocol that enables a company to take responsibility for sent messages that can be verified by mailbox providers. Basically, DKIM allows the outbound domain to digitally sign email to provide legitimacy for the receiver. Below is a guide on how to use DKIM with Amazon SES (Easy DKIM) to ensure that recipient email systems trust messages sent from your custom domain.
Designed to prevent spoofing attacks, DKIM works in tandem with SPF to attain DMARC compliancy. DKIM lets a company add a digital signature to emails in the message header, which allows recipient systems to use the signature as a validation point to determine if incoming mail is legitimate.
You can use the Amazon SES console to configure Easy DKIM settings and to enable/disable automatic DKIM signing for your email messages. To set up Easy DKIM, you must be able to edit your domain’s DNS records.
To implement Easy DKIM for the Amazon SES platform via a new domain, follow these steps:
-
Go to your verified domain list in Amazon SES console
-
Click Verify a New Domain
-
Enter your domain name, select Generate DKIM Settings, click Verify This Domain
-
Complete domain verification by updating your domain’s DNS settings with the TXT record information from the Domain Verification Record in the Verify a New Domain box
-
Set up DKIM by updating your domain’s DNS settings with the CNAME record information from box
-
Enable DKIM signing for your custom domain in Amazon SES; DKIM Verification Status for that domain will change from “in progress” to “success”
An example of enabling DKIM signing for your custom domain is as follows:
New-DkimSigningConfig -DomainName yourdomain.com -Enabled $true
As a user of this outbound email provider, Amazon SES customers are afforded DKIM signing because it supports this mechanism. By utilizing Amazon’s self-service portal, you can manually set up DKIM at your convenience via CNAME records mentioned above This Amazon SES product provides beneficial components (e.g., DKIM signing, self-service set up with CNAME records) that result in a streamlined process.