How to Set Up SPF for Amazon SES?
SPF records allow emails to be sent from authorized servers only. This helps to prevent email spoofing and improve email deliverability.
Steps to validate a New Domain for Amazon SES
- Go to your verified domain list by using the Amazon SES console’s navigation or by following these steps:
- Sign in to the Amazon SES interface after logging into the AWS Management Console.
- Select Domains from the Identity Management section of the navigation pane.
- Select Validate a New Domain.
- Enter the domain name in the Verify a New Domain dialog box.
Pointers:
- Enter example.com as your domain if your domain is www.example.com. You don’t need the “www.” part, and if you do, the domain verification process won’t work.
- Select Generate DKIM Settings to configure DKIM signing for this domain. See Authenticating Email using DKIM in Amazon SES for more on DKIM signature.
- Select This Domain’s Verification.
- A Domain Verification Record Set with a Name, a Type, and a Value can be found in the Verify a New Domain dialog box. (You can get this information after closing the dialog box by selecting the domain name.)
- Add a TXT record with the indicated Name and Value to your domain’s DNS server to complete domain verification. See Amazon SES Domain Verification TXT Records for details on Amazon SES TXT records as well as general instructions on how to add a TXT record to a DNS server. more specifically.
- You can delete the _amazonses from the Name if your DNS provider prevents underscores in record names.
- You can optionally prefix the Value with amazonses to make it simpler for you to recognize this record within the DNS settings for your domain:
- Some DNS service providers add the domain name as an automated suffix to DNS record names. You can add a period to the end of the domain name in the DNS record to prevent domain name duplication. This shows that the record name is fully qualified and that an additional domain name need not be added by the DNS provider.
- The TXT record described in the “Domain Verification Record Set” table should be added to your DNS.
- The domain’s status in the Amazon SES console changes from “waiting verification” to “confirmed” once verification is finished, and you get an email from Amazon SES informing you of this.
- Now, any address in the confirmed domain may send emails using Amazon SES. Check the box next to the verified domain, then select Send a Test Email to send a test email.
- A domain verification failure email from Amazon SES will be sent to you if the DNS settings are not updated properly, and the domain’s status will read “failed” on the Domains page. If this occurs, follow the instructions on the Common Domain Verification Problems troubleshooting page. Choose the retry link next to the unsuccessful status message after making sure your TXT was formed properly to restart the domain verification procedure.
Steps to set up the MAIL FROM domain
- Login in to access the Amazon SES console.
- Select Domains from the Identity Management section of the navigation pane.
- Verify that the parent domain of the MAIL FROM domain is validated in the list of domains. Verify the domain if it hasn’t already by following the instructions at Verifying Domains in Amazon SES. If not, pick a domain and move on to the next step.
- Select Set MAIL FROM Domain from the MAIL FROM Domain menu.
- Do the following on the Set MAIL FROM Domain window:
- Enter the subdomain you want to use as the MAIL FROM domain in the MAIL FROM domain field.
- For Behavior if MX record not found, choose one of the following options:
- Amazon SES will utilize region.amazonses.com as the MAIL FROM address if the MX record for the custom MAIL FROM domain is not properly configured. Depending on the AWS Region you utilize for Amazon SES, the subdomain changes.
- Deny message – Amazon SES will issue a MailFromDomainNotVerified error if the MX record for the custom MAIL FROM domain is incorrectly configured. You won’t be able to send emails from this domain, so try again later.
- Select Set MAIL FROM Domain. The MX and SPF records that you must add to your domain’s DNS setup are displayed in a new window. The formats used by these records are listed in the following table below.
Name | Type | Value |
subdomain.domain.com | MX | 10 feedback-smtp.region.amazonses.com |
subdomain.domain.com | TXT | v=spf1 include:amazonses.com -all |
- Subdomain.domain.com should be replaced with your MAIL FROM subdomain in the preceding records, and region should be replaced with the name of the AWS Region where you want to verify the MAIL FROM domain (such as us-west-2, us-east-1, or eu-west-1).
- Take note of these numbers before moving on to the next action. Do not generate a new SPF TXT record if subdomain.domain.com already has one. Simply amend the old one with “include:amazonses.com”.
6. To the DNS server of the unique MAIL FROM domain, publish an MX record.
Key:
You must publish precisely one MX record to the DNS server of your MAIL FROM domain in order to correctly configure a custom MAIL FROM domain with Amazon SES. The customized MAIL FROM setup with Amazon SES will not work if the MAIL FROM domain has multiple MX records.
You get an email alerting you that your custom MAIL FROM domain was successfully set up after Amazon SES recognizes that the records are present. Before Amazon SES notices the MX record, there could be a 72-hour delay depending on your DNS provider.
With Skysnag, you can easily manage Amazon SES’ SPF records without having to go to your DNS. This allows Amazon SES’ SPF record to propagate instantly, and autonomously always pass SPF alignment.
Sign up for a free trial today to see how it works for your domain.
You can use Skysnag’s free SPF Checker to check the health of your SPF record here
Check your domain's DMARC security compliance
Enforce DMARC, SPF and DKIM in days - not months
Skysnag helps busy engineers enforce DMARC, responds to any misconfigurations for SPF or DKIM which increases email deliverability, and eliminates email spoofing and identity impersonation.