DMARC Alignment with Amazon SES: Setup and Troubleshooting
Step-by-step DMARC setup for Amazon SES, including Easy DKIM, custom MAIL FROM, and fixes for common alignment failures.
Amazon SES is cheap, fast, and rock-solid — until you turn on DMARC enforcement and discover that half your messages are failing. SES has more configuration knobs than friendlier ESPs, and if you don't turn the right ones, your mail authenticates fine on paper but fails DMARC alignment.
If you're seeing "amazon ses dmarc fail" or "aws ses dmarc fail" in your reports, this guide walks through the exact fixes.
Why SES Fails DMARC by Default
Out of the box, SES sends mail with two alignment problems:
- SPF alignment fails because the Return-Path uses an SES-owned domain like
amazonses.comorfeedback-smtp.us-east-1.amazonses.com. Your From address is[email protected], but SPF authenticates the SES domain — they don't match, so SPF alignment fails. - DKIM alignment fails if you're using SES's default "Easy DKIM" without verifying your domain, because SES signs with its own keys.
DMARC only needs one of SPF or DKIM to align, so fixing just one of these is enough. The cleanest fix is DKIM via verified domain identity.
The Fix: Easy DKIM with Domain Verification
This is the standard SES setup and what AWS itself recommends.
1. Verify Your Domain in SES
In the SES console, go to Verified identities and add your domain (not just an email address). SES generates three CNAME records that you add to DNS. Once these resolve, SES signs every outbound message with a DKIM signature where d=yourdomain.com.
2. Confirm DKIM Is Aligned
Send a test email to yourself and check the headers. You should see:
DKIM-Signature: v=1; a=rsa-sha256; d=yourdomain.com; s=...
If d= shows amazonses.com, the verification didn't take — recheck the CNAME records.
3. (Optional) Configure a Custom MAIL FROM Domain
For SPF alignment in addition to DKIM, set up a custom MAIL FROM domain in SES — typically bounce.yourdomain.com. SES gives you an MX and an SPF TXT record to publish. After this, SPF authenticates against your subdomain instead of amazonses.com, and SPF alignment passes.
You don't need this for DMARC compliance if DKIM alignment works, but it adds redundancy. If SPF or DKIM ever breaks, the other still keeps you passing.
4. Publish a DMARC Record
v=DMARC1; p=none; rua=mailto:[email protected];
Use our DMARC record generator to build it, then verify with the DMARC record checker.
Common SES Alignment Failures
| Failure Pattern | Root Cause | Fix |
|---|---|---|
| SPF fails, DKIM fails | Domain not verified in SES | Verify domain identity, publish DKIM CNAMEs |
| SPF fails, DKIM passes (but DMARC fails) | DKIM d= doesn't match From domain | Use the same domain for verification and From address |
| SPF passes (amazonses.com), DMARC fails | SPF authenticates SES, not your domain — no alignment | Set up custom MAIL FROM or rely on DKIM |
| Random failures from forwarded mail | Forwarder rewrites Return-Path, breaks SPF | Normal — DKIM should still pass |
| Failures only in one AWS region | DKIM verified in one region but sending from another | Verify the domain in every region you send from |
The last row catches a lot of teams. SES domain verification is per-region. If you verify in us-east-1 but a Lambda starts sending from eu-west-1, the second region uses unverified Easy DKIM and DMARC fails. Always verify in every region you'll use.
Cross-Account and Cross-Region Gotchas
SES gets messy at scale. A few things to watch:
- Sending Authorization. If Account A grants Account B permission to send as
yourdomain.com, Account B uses Account A's verified identity. Make sure A is verified properly. - Configuration Sets. Some teams use configuration sets to add custom headers — these can break DKIM if they modify signed headers post-signature. Don't change
From,Subject, orToafter DKIM signs. - Open and click tracking. SES's open/click tracking rewrites links and adds a tracking pixel before DKIM signs, so it's safe — but if you use a third-party tracker that modifies the body after SES sends, DKIM will break.
Troubleshooting Walkthrough
If your SES mail is failing DMARC despite correct setup:
- Pull the headers from a test message and read the
Authentication-Resultsline. - Check whether DKIM passed and what
d=value it used. - Run your domain through the DMARC record checker to confirm the record is published correctly.
- Look at aggregate reports — they'll show source IPs and which mechanism failed.
- Confirm the SES domain is verified in the specific region the failing message came from.
For deeper diagnostics, see why DMARC fails and how to fix it and the troubleshooting guide.
Moving SES Sending to Enforcement
Once aggregate reports show DKIM aligning consistently from SES, step up to quarantine and then reject. The full ramp is in the enforcement guide.
For SES-heavy senders, give yourself extra runway — SES users tend to have more diverse sending patterns (Lambda, EC2, third-party apps using SMTP credentials) and edge cases keep showing up for weeks after initial setup.
Keep an Eye on New SES Sources
The biggest SES-specific risk isn't initial setup — it's the new Lambda function or microservice that someone spins up six months later, configures with SES, and forgets to verify. Continuous monitoring spots these new senders the moment they appear in aggregate reports.
Catch new SES sources before they break compliance
Real-time alerts on new sending IPs, failing sources, and DMARC record changes — built for teams running on AWS.
Start Monitoring