Learning to Configure SPF for Amazon SES

The most common mistake we see during DMARC setup is jumping straight to p=reject without monitoring first, says Vasile Diaconu, Operations Lead at DuoCircle. Start at p=none, analyze your reports for at least a full quarter - you need to catch monthly, quarterly, and annual email senders that only fire periodically. Then fix any legitimate senders that fail before enforcing. We walk every customer through this sequence.

Per RFC 7208, SPF evaluation is capped at 10 DNS mechanism lookups and 2 void lookups per check - exceeding either limit produces a PermError that fails authentication for every message from the domain. DMARC Report

Learning to Configure SPF for Amazon SES

					<button title="Play" aria-label="Play Episode" aria-pressed="false" class="play-btn">
						

Play Episode

					</button>
					<button title="Pause" aria-label="Pause Episode" aria-pressed="false" class="pause-btn hide">
						

Pause Episode

					</button>
					


				

				

					<audio preload="none" class="clip clip-13417">
						<source src="https://media.mailhop.org/dmarcreport/images/2024/06/Learning-To-Configure-Spf-For-Amazon-Ses.mp3">
					</audio>
					

						

					

					

						

							<button class="player-btn player-btn__volume" title="Mute/Unmute">
								

Mute/Unmute Episode

							</button>
							<button data-skip="-10" class="player-btn player-btn__rwd" title="Rewind 10 seconds">
								

Rewind 10 Seconds

							</button>
							<button data-speed="1" class="player-btn player-btn__speed" title="Playback Speed" aria-label="Playback Speed">1x</button>
							<button data-skip="30" class="player-btn player-btn__fwd" title="Fast Forward 30 seconds">
								

Fast Forward 30 seconds

							</button>
						

						

							<time class="ssp-timer">00:00</time>
							

/

							<!-- We need actual duration here from the server -->
							<time class="ssp-duration" datetime="PT0H1M47S">1:47</time>
						

					

				

			

								<nav class="player-panels-nav">
												<button class="subscribe-btn" id="subscribe-btn-13417" title="Subscribe">Subscribe</button>
																		<button class="share-btn" id="share-btn-13417" title="Share">Share</button>
										</nav>
						

	



		

						

				

					

					

				

				

					

																																																																								

					

						

RSS Feed

							<input value="https://dmarcreport.com/feed/podcast/dmarc-report" class="input-rss input-rss-13417" title="RSS Feed URL" readonly />
						

						<button class="copy-rss copy-rss-13417" title="Copy RSS Feed URL" aria-label="Copy RSS Feed URL"></button>
					

				

			

									

				

					

					

				

				

					

						Share						

					

						<a href="https://www.facebook.com/sharer/sharer.php?u=https://dmarcreport.com/blog/podcast/learning-to-configure-spf-for-amazon-ses/&t=Learning to Configure SPF for Amazon SES" target="blank" rel="noopener noreferrer" class="share-icon facebook" title="Share on Facebook">
							

						</a>
						<a href="https://twitter.com/intent/tweet?text=https://dmarcreport.com/blog/podcast/learning-to-configure-spf-for-amazon-ses/&url=Learning to Configure SPF for Amazon SES" target="blank" rel="noopener noreferrer" class="share-icon twitter" title="Share on Twitter">
							

						</a>
						<a href="https://media.mailhop.org/dmarcreport/images/2024/06/Learning-To-Configure-Spf-For-Amazon-Ses.mp3" target="blank" rel="noopener noreferrer" class="share-icon download" title="Download" download>
							

						</a>
					

				

				

					

						Link						

					

						<input value="https://dmarcreport.com/blog/podcast/learning-to-configure-spf-for-amazon-ses/" class="input-link input-link-13417" title="Episode URL" readonly />
					

					<button class="copy-link copy-link-13417" title="Copy Episode URL" aria-label="Copy Episode URL" readonly=""></button>
				

				

					

						Embed						

					

						<input type="text" value='<blockquote class="wp-embedded-content" data-secret="NLqW71Y3TH"><a href="https://dmarcreport.com/blog/podcast/learning-to-configure-spf-for-amazon-ses/">Learning to Configure SPF for Amazon SES</a></blockquote><iframe sandbox="allow-scripts" security="restricted" src="https://dmarcreport.com/blog/podcast/learning-to-configure-spf-for-amazon-ses/embed/#?secret=NLqW71Y3TH" width="500" height="350" title=""Learning to Configure SPF for Amazon SES" - DMARC Report" data-secret="NLqW71Y3TH" frameborder="0" marginwidth="0" marginheight="0" scrolling="no" class="wp-embedded-content"></iframe><script>

/*! This file is auto-generated / !function(d,l){“use strict”;l.querySelector&&d.addEventListener&&“undefined”!=typeof URL&&(d.wp=d.wp||{},d.wp.receiveEmbedMessage||(d.wp.receiveEmbedMessage=function(e){var t=e.data;if((t||t.secret||t.message||t.value)&&!/[^a-zA-Z0-9]/.test(t.secret)){for(var s,r,n,a=l.querySelectorAll(‘iframe[data-secret=”‘+t.secret+’”]’),o=l.querySelectorAll(‘blockquote[data-secret=”‘+t.secret+’”]’),c=new RegExp(“^https?:$”,“i”),i=0;i<o.length;i++)o[i].style.display=“none”;for(i=0;i<a.length;i++)s=a[i],e.source===s.contentWindow&&(s.removeAttribute(“style”),“height”===t.message?(1e3<(r=parseInt(t.value,10))?r=1e3:~~r<200&&(r=200),s.height=r):“link”===t.message&&(r=new URL(s.getAttribute(“src”)),n=new URL(t.value),c.test(n.protocol))&&n.host===r.host&&l.activeElement===s&&(d.top.location.href=t.value))}},d.addEventListener(“message”,d.wp.receiveEmbedMessage,!1),l.addEventListener(“DOMContentLoaded”,function(){for(var e,t,s=l.querySelectorAll(“iframe.wp-embedded-content”),r=0;r<s.length;r++)(t=(e=s[r]).getAttribute(“data-secret”))||(t=Math.random().toString(36).substring(2,12),e.src+=”#?secret=“+t,e.setAttribute(“data-secret”,t)),e.contentWindow.postMessage({message:“ready”,secret:t},"")},!1)))}(window,document); //# sourceURL=https://dmarcreport.com/wp-includes/js/wp-embed.min.js ’ title=“Embed Code” class=“input-embed input-embed-13417” readonly/>

					<button class="copy-embed copy-embed-13417" title="Copy Embed Code" aria-label="Copy Embed Code"></button>
				

			

				

If you send emails from Amazon SES and see the ‘Via amazonses.com’ warning, then you need to set up SPF and DKIM. This warning basically indicates that the mailbox provider perceived that your emails were sent from Amazon SES and not your brand.

This blog guides you on setting SPF for **Amazon SES so that there are no compliance issues and your business stays protected from the growing phishing and spoofing attacks.

However, please bear in mind that if you send emails from subdomain.amazonses.com, there is no need to set up SPF. In this case, Amazon takes care of email authentication using SPF and DKIM. If you want to set up DMARC for your domain, please contact with DMARCReport.com.

Step 1: Domain Verification With Amazon SES

It’s a simple 6-step process. Here’s what you need to do-

• Log in to the AWS Management Console.

• Go to the Amazon SES interface.

• In the navigation panel, select ‘Domains’ under ‘Identity Management.’

• Click ‘Verify a New Domain.’

• Enter your domain name and click ‘Verify this Domain.’

• Add the provided TXT record to your DNS configuration to verify the domain.

Step 2: DNS Record Configuration

After you are done verifying your domain , add an SPF record to your domain’s DNS settings. Follow these steps and get this done-

• Log in to your DNS provider’s management console.

• Go to the DNS management section.

• Add a new TXT record with:

• type: TXT

• Name: @ (or your domain name, depending on the DNS provider)

• Value: “v=spf1 include:amazonses.com ~all”

Step 3: Confirmation of the SPF Record

Check your domain’s **DNS settings to ensure your SPF record has no configurational and syntactical errors.

• Use an SPF lookup tool like MXToolbox.

• Enter your domain name.

• Check the SPF record to ensure it includes ‘include.com.’

Step 4: Test Sending Emails

Finally, **test sending emails from your domain using Amazon SES. Send a test email from an application or the SES console. Then, check the email headers of the received email for ‘Received-SPF: pass’ to ensure that SPF passes.

How Do You Configure up the MAIL FROM Domain?

• Go to your Amazon SES console and select ‘Domains’ under ‘Identity Management.’

• Confirm that the parent domain of the MAIL FROM domain is in the list of validated domains.

• Select the MAIL FROM domain.

• In the ‘Set MAIL FROM Domain’ window, enter the subdomain you want to use.

• A new window will display the SPF and MX records for your domain’s DNS setup.

The following table demonstrates the format of these records-

**NameTypeValue subdomain.domain.com

mx

10 feedback-smtp.region.amazonses.com

subdomain.domain.com

txt

v=spf1 include:amazonses.com -all

• Lastly, publish an **MX record in the DNS server of the unique MAIL FROM domain.

Final Words

SPF ensures that only authorized people send emails as representatives of your brand. This minimizes the chances for threat actors to exploit your email-sending domain to send **fraudulent emails posing as one of your representatives.

If you use Amazon SES to send marketing, notification, and transactional emails, then the above guide will surely help you. However, we know how this process can be a bit complex to understand. So, if you feel like having a helping hand by your side, reach out to us!