A Step-by-Step Guide to Setting Up SPF, DKIM, and DMARC for Amazon SES
by
Reading Time: 5 min
Key Takeaways
- Authenticating your domain with SPF, DKIM, and DMARC in Amazon SES prevents spoofing and improves email deliverability.
- Amazon SES automatically provides CNAME, TXT, and MX records for DKIM and SPF configuration.
- Proper DNS record setup and propagation are essential for successful verification in Amazon SES.
- PowerDMARC tools validate and monitor SPF, DKIM, and DMARC setup accuracy.
Setting up SPF, DKIM, and DMARC for Amazon SES ensures your emails are authenticated, secure, and delivered successfully to intended mailboxes.
But what do these acronyms mean? SPF (Sender Policy Framework) authorizes mail servers permitted to send emails for your domain. DKIM (DomainKeys Identified Mail) adds a digital signature to verify email integrity. DMARC (Domain-based Message Authentication, Reporting & Conformance) defines how recipient servers handle unauthenticated emails and reports delivery results.
Together, these protocols protect your brand from spoofing, phishing, and deliverability issues while improving your sender reputation. Follow this step-by-step guide to configure SPF, DKIM, and DMARC in Amazon SES to maximize your inbox placement and trust.
How to Configure SPF, DKIM, and DMARC in Amazon SES
Step 1: Configure Amazon SES DKIM Record
First, verify your sending domain with Amazon SES, which also sets up DKIM.
1. Go to your Amazon SES dashboard.
2. From the menu on the left part of the screen, go to Configurations > Identities.
3. In the Identity list, select the domain you’d like to configure.
4. SES will automatically generate 3 CNAME records for the verification and DKIM setup steps.
5. Log in to your DNS provider; in this case, it’s Amazon Lightsail DNS
6. In your domain’s DNS management section, create 3 new records. For each of these:
- Set the record type to CNAME
- Copy the Record Name and the Value from the SES dashboard. Paste them into the relevant fields, as shown below ↓
- Quick Tip: If the CNAME record name from SES is _domainkey.yourdomain.com, you may only need to enter _domainkey in the name/host field.
After you add all 3 CNAME records, go back to your SES dashboard. It can take some time for DNS changes to propagate. But as soon as they do, the status will show “successful.”
Step 2: Set Up SPF Record with a Custom MAIL FROM Domain
Next is SPF. The easiest way to implement this in SES is by using a custom “MAIL FROM” domain.
1. In your SES domain settings, click Edit.
2. Find the “Custom MAIL FROM domain” section and tick the box for “Use a custom MAIL FROM domain”
3. Enter a subdomain you want to use.
4. Click Save Changes.
5. SES will generate 2 new DNS records: one MX record and one TXT record. The TXT record has the necessary SPF details.
6. Go back to your DNS provider and add both of these records.
- For the MX record: Set the type to MX, paste the name/host provided, and enter the value/target.
- For the TXT record: Set the type to TXT, paste the name/host, and enter the SPF value provided by SES.
Once these records are propagated, SES will show that your Custom MAIL FROM domain setup is successful.
Step 3: Create a DMARC Record for Amazon SES
Last but not least, set up DMARC.
1. In your DNS provider, create a new TXT record.
2. For the Host or Name of the record, enter _dmarc
3. For the Value, paste your DMARC policy.
Don’t forget to put your actual email address instead of [email protected]
4. Save the TXT record, and your DMARC policy is live!
Step 4: Validate and Monitor with PowerDMARC
For your peace of mind, after DNS propagation, use PowerDMARC’s SPF, DKIM, and DMARC checker tools for instant and accurate validation.
1. First, sign up with PowerDMARC.
2. On the sidebar on the left, navigate to Dashboard > Analysis Tools > PowerToolbox > Lookup Tools.
3. First, let’s check your DKIM record. Click on DKIM Record Lookup.
4. Enter your domain in the field and click Lookup DKIM.
5. Now, time to check the SPF record. Click on SPF Record Lookup.
6. Enter your domain and click on Lookup.
7. Now, let’s check your DMARC record. In the Lookup Tools, click on DMARC Record checker.
8. As a last step, enter your domain in the field and click Lookup.
Congratulations, you’re all set!
When you accurately configure SPF, DKIM, and DMARC for Amazon SES, you can:
- Safeguard your domain against phishing and spoofing attacks.
- Boost email deliverability and enhance trust and reputation among recipients.
- Obtain visibility and useful insights into who is sending emails on behalf of your domain.
If you run into any difficulties during setup or need expert guidance, our team is here to help.
Contact us or sign up for a demo with PowerDMARC to see how we can simplify your authentication process, strengthen your email security, and help you achieve flawless deliverability.
Domain & Email Security Expert at PowerDMARC
Yunes is an Operations Team Lead at PowerDMARC with expert knowledge in email authentication and security. Yunes is a Microsoft-certified Azure Administrator Associate with certifications in CompTIA A+ and many more.
Latest posts by Yunes Tarada (see all)
- A Step-by-Step Guide to Setting Up SPF, DKIM, and DMARC for Amazon SES - November 4, 2025
- Mailgun SPF, DKIM, DMARC Setup Guide - November 4, 2025
- SOA Expire Value Out of Recommended Range: What It Means and How to Fix It - October 29, 2025
