Skip to content
English
Go to warmy.io
  • There are no suggestions because the search field is empty.

Amazon SES - SPF & DKIM Configuration

This guide explains how to configure SPF and DKIM in Amazon SES to pass DMARC alignment, improve security, and reduce spam. 

SPF: Supported

DKIM: Supported

For that please head to Configuration > Verified identities.

1-Apr-03-2026-09-34-00-8198-AM

Creating an Identity & Mail From Domain in Amazon SES

If you haven’t created an identity yet, you’ll need to do that first.
If the identity is already set up, you can skip this step and proceed directly to publishing the DNS records.

Amazon SES is a subdomain-capable sending source, which means the SPF record should be configured at the subdomain level, not on the root domain.

During the identity setup process, you must also define a custom Mail From domain (Return-Path domain).

Example:

Mail From domain: mail.laglasswork.com

Important Guidelines:

  • The Mail From domain must be a subdomain, not the root domain.
  • It should be unique and not previously used with any other email service provider.
  • This helps ensure proper SPF alignment and avoids authentication conflicts.
    2-Apr-03-2026-09-35-12-7616-AM

    3-Apr-03-2026-09-35-35-3644-AM

    Once all the required (underlined) options are enabled, as shown in the screenshot above, click on the “Create Identity” button to complete the setup.

Amazon SES – DKIM Record Configuration

To retrieve the DKIM records, click on the “Publish DNS Records” dropdown.

4-Apr-03-2026-09-37-16-6046-AM
Amazon SES provides three CNAME records for DKIM configuration.  The next step is to add these CNAME records to your DNS zone.

Amazon SES – SPF Record Configuration
Custom Mail From Domain

Setting a custom MAIL FROM domain allows you to achieve proper SPF alignment and ensure SPF passes.

From the Identities page click on the “Publish DNS Records” under the Custom Mail From domain

Amazon SES will provide you with one TXT record and one MX record which you need to add to your DNS zone. The records should be published on that specific subdomain that you created when creating the identity.

5-Apr-03-2026-09-39-21-5547-AM

Go ahead and add these records to your DNS zone.

Amazon SES also provides you with a DMARC record, but if you already have an existing DMARC record, then there is no need to publish that record, as each domain MUST have only one DMARC record.
6-Apr-03-2026-09-40-38-3354-AM

Once all the necessary records are published, give a little time for them to get fully propagated and come back to the Identities page, and if you have published the records correctly then you’ll see green check mark next to the records showing that the configuration was Successful.

7-Apr-03-2026-09-40-53-6533-AM

You can test the emails with our Email Deliverability Test tool.

Need help? Schedule a call with us 👨🏻‍💻