How Do I Set Up SPF and DKIM for Amazon SES?

Published on
October 1, 2025

Quick Takeaways

  • Enable DKIM by adding three CNAME records.
  • Set a custom MAIL FROM subdomain for SPF alignment.
  • Add the provided TXT and MX records to your DNS.
  • Use “DNS Only” mode in Cloudflare to avoid proxying.
  • Verify success in the Amazon SES console (green check).
  • Repeat the process for each AWS region you use.
  • Monitor authentication status with Palisade’s tools.

Setting up SPF and DKIM in Amazon SES ensures your emails pass DMARC alignment and makes them less likely to be marked as spam.

Configure SPF and DKIM for Amazon SES

What is SPF and why does Amazon SES need it?

SPF (Sender Policy Framework) is a DNS TXT record that lists the servers authorized to send email for your domain. Amazon SES uses SPF to prove that its IP addresses are permitted to send on your behalf, helping receiving servers trust your messages. Without a proper SPF record, emails from SES may fail DMARC alignment and land in spam folders. Adding the correct SPF entry ensures higher deliverability and protects against spoofing. Check your SPF alignment with Palisade.

How does DKIM protect my Amazon SES emails?

DKIM (DomainKeys Identified Mail) adds a cryptographic signature to each outgoing email, allowing receivers to verify that the content wasn’t altered in transit. Amazon SES generates a public/private key pair and provides CNAME records you publish in DNS. When a recipient validates the signature, it confirms the email truly originated from your domain. This boosts trust and improves inbox placement. Test your DKIM setup with Palisade.

Where can I find my Amazon SES domain settings?

Log in to the AWS Management Console, navigate to Amazon SES, and select “Configuration > Verified identities.” Here you’ll see a list of domains and their authentication status. Look for DKIM signing status and the “MAIL FROM” domain field. This page shows whether SPF and DKIM are currently active or need configuration. Use it as your starting point before making DNS changes.

How do I generate DKIM CNAME records in Amazon SES?

In the SES console, click on a verified domain and choose the “Authentication” tab. Amazon SES will display three unique CNAME records for DKIM. Copy each Name and Value exactly as shown. These records point to Amazon’s DKIM service and must be added to your DNS zone unchanged.

What DNS entries do I add for DKIM in Cloudflare?

For each of the three CNAME records, create a new DNS entry in Cloudflare:

  • Type: CNAME
  • Name: the long string ending with ._domainkey.yourdomain.com
  • Target: the corresponding .dkim.amazonses.com value
  • Proxy status: set to “DNS Only” (disable the orange cloud)

Repeat this for all three records, then wait up to 72 hours for propagation.

How do I set a custom MAIL FROM domain for SPF alignment?

From the “Verified identities” list, select your domain and click “Set MAIL FROM domain.” Choose a subdomain you control (e.g., mail.yourdomain.com) and save. Amazon SES will then provide a TXT record for SPF and an MX record for bounce handling. Adding these records ties the Return‑Path to your brand domain, allowing SPF alignment.

Which TXT and MX records are required for the MAIL FROM domain?

After you specify the subdomain, SES shows two DNS entries:

  • TXT record: contains the SPF value v=spf1 include:amazonses.com -all
  • MX record: points to feedback-smtp.<region>.amazonses.com

Enter both in Cloudflare (or your DNS provider) using “DNS Only” mode. Once saved, refresh the SES console to see a green “Successful” banner.
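The DKIM and MAIL FROM entries described above can be checked before you wait on the console. This is an added example, not Amazon's or Palisade's code: it lints a DNS record export, assuming each record has type, name, content and proxied fields, and all tokens, names and the region in the sample are constructed.

```python
import re

# Constructed sample export. The type/name/content/proxied shape is an
# assumption about the export format; tokens and region are made up.
RECORDS = [
    {"type": "CNAME", "name": "tokena._domainkey.yourdomain.com",
     "content": "tokena.dkim.amazonses.com", "proxied": False},
    {"type": "CNAME", "name": "tokenb._domainkey.yourdomain.com",
     "content": "tokenb.dkim.amazonses.com", "proxied": True},  # orange cloud on
    {"type": "TXT", "name": "mail.yourdomain.com",
     "content": '"v=spf1 include:amazonses.com -all"', "proxied": False},
    {"type": "MX", "name": "mail.yourdomain.com",
     "content": "feedback-smtp.us-east-1.amazonses.com", "proxied": False},
]
MX_RE = re.compile(r"feedback-smtp\.[a-z0-9-]+\.amazonses\.com\.?")

def lint_ses_records(records, domain, mail_from):
    """Return a list of problems; an empty list means the zone looks complete."""
    problems = []
    # Normalise case, trailing dots and TXT quoting before comparing.
    recs = [dict(r, name=r["name"].lower().rstrip("."),
                 content=r["content"].strip('"').lower()) for r in records]
    dkim = [r for r in recs if r["type"] == "CNAME"
            and r["name"].endswith("._domainkey." + domain)]
    if len(dkim) != 3:
        problems.append(f"expected 3 DKIM CNAMEs, found {len(dkim)}")
    for r in dkim:
        if not r["content"].rstrip(".").endswith(".dkim.amazonses.com"):
            problems.append(f"{r['name']}: target is not under dkim.amazonses.com")
        if r.get("proxied"):
            problems.append(f"{r['name']}: proxied, must be DNS Only")
    at_mail_from = [r for r in recs if r["name"] == mail_from]
    spf = [r for r in at_mail_from
           if r["type"] == "TXT" and r["content"].startswith("v=spf1")]
    if len(spf) != 1:
        problems.append(f"{mail_from}: expected 1 SPF TXT record, found {len(spf)}")
    elif "include:amazonses.com" not in spf[0]["content"].split():
        problems.append(f"{mail_from}: SPF record lacks include:amazonses.com")
    if not any(r["type"] == "MX" and MX_RE.fullmatch(r["content"])
               for r in at_mail_from):
        problems.append(f"{mail_from}: no MX to feedback-smtp.<region>.amazonses.com")
    return problems
```

On the sample data the lint reports the missing third CNAME and the proxied record, the two mistakes most likely to leave the console at “Pending.”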

How long does DNS propagation take for SPF/DKIM records?

Most DNS changes propagate within minutes, but full global propagation can take up to 72 hours. You can use Palisade’s DNS lookup tool to check whether your records are visible worldwide. Until the records are fully propagated, the SES console may still show “Pending.”

Do I need to repeat the setup for each AWS region?

Yes. Amazon SES is region‑specific, so SPF/DKIM settings must be configured in every region where you send mail (e.g., US‑East‑1 and US‑East‑2). Each region will generate its own set of CNAME, TXT, and MX records. Skipping a region can cause authentication failures for emails sent from that location.

How can I verify that SPF and DKIM are correctly configured?

Return to the SES console and look for green checkmarks next to DKIM and “MAIL FROM domain.” You can also send a test email to a Gmail or Outlook address and view the full email headers. Look for “spf=pass” and “dkim=pass” results. Finally, run a DMARC report through Palisade to confirm alignment.
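Seeing “spf=pass” in the headers is not the same as SPF alignment, which is what DMARC evaluates. The added example below (not from the original page) parses the Authentication-Results header of a test message and compares the authenticated domains with the From domain; both sample messages are constructed, and the alignment test is a simplified stand-in for a Public Suffix List lookup.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed headers, as a receiving server might stamp them.
CUSTOM_MAIL_FROM = """\
Authentication-Results: mx.example.net;
 dkim=pass header.i=@yourdomain.com header.s=tokena header.d=yourdomain.com;
 spf=pass (sender IP is 192.0.2.10) smtp.mailfrom=bounce@mail.yourdomain.com
From: Shop <orders@yourdomain.com>
"""
# Same sender without DKIM and with a MAIL FROM outside the From domain.
DEFAULT_MAIL_FROM = """\
Authentication-Results: mx.example.net;
 spf=pass (sender IP is 192.0.2.10) smtp.mailfrom=bounce@amazonses.com
From: Shop <orders@yourdomain.com>
"""

def aligned(auth_domain, from_domain):
    # Approximates relaxed alignment without the Public Suffix List:
    # the names are equal, or one is a parent of the other.
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f or a.endswith("." + f) or f.endswith("." + a)

def check_auth(raw):
    msg = message_from_string(raw)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2]
    out = {"spf": "none", "dkim": "none", "spf_aligned": False, "dkim_aligned": False}
    for header in msg.get_all("Authentication-Results", []):
        # Unfold the header and drop parenthesised comments.
        unfolded = re.sub(r"\([^)]*\)", "", " ".join(header.split()))
        for part in unfolded.split(";")[1:]:  # part 0 is the authserv-id
            m = re.match(r"\s*(spf|dkim)=(\w+)", part, re.I)
            if not m:
                continue
            method, result = m.group(1).lower(), m.group(2).lower()
            props = dict(re.findall(r"([\w.]+)=(\S+)", part[m.end():]))
            key = "smtp.mailfrom" if method == "spf" else "header.d"
            domain = props.get(key, "").rpartition("@")[2]
            if result == "pass":
                out[method] = "pass"
                out[method + "_aligned"] |= bool(domain) and aligned(domain, from_domain)
            elif out[method] == "none":
                out[method] = result
    out["dmarc_ready"] = out["spf_aligned"] or out["dkim_aligned"]
    return out
```

The second sample passes SPF yet is not aligned, which is the case the custom MAIL FROM domain exists to fix.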

What tools can I use to test my email authentication?

Palisade offers an Email Security Score that scans SPF, DKIM, and DMARC for any domain. Additionally, free services like MXToolbox and Google’s Message Header Analyzer provide quick checks. Regularly monitoring these scores helps catch misconfigurations before they affect deliverability.

How does Palisade help monitor SPF/DKIM compliance?

Palisade continuously checks your DNS records, alerts you to failures, and provides a visual dashboard of authentication health. The platform also offers step‑by‑step remediation guidance, so you can fix issues fast. By integrating Palisade, you maintain a strong email reputation and reduce the risk of spoofing attacks.

Frequently Asked Questions

Can I use a subdomain for DKIM?

Yes. Amazon SES creates DKIM records for the exact domain you verify, but you can also verify a subdomain and publish its CNAMEs. This is useful for separating marketing and transactional traffic.

What if I already have an existing SPF record?

Append include:amazonses.com to your existing SPF string before the -all qualifier. Ensure you stay under the 10‑lookup limit for SPF.
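As an added illustration (not part of the original page), the sketch below inserts include:amazonses.com ahead of the all mechanism and counts the DNS-querying terms that fall under the 10-lookup limit. The ZONE dictionary is constructed data standing in for live TXT lookups, and its amazonses.com entry is a placeholder rather than Amazon's real record.

```python
import re

# Terms that cost a DNS lookup under the SPF limit of 10.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Constructed zone data; every record here is a made-up stand-in.
ZONE = {
    "yourdomain.com": "v=spf1 mx include:_spf.crm.example -all",
    "_spf.crm.example": "v=spf1 include:a.crm.example include:b.crm.example ~all",
    "a.crm.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "b.crm.example": "v=spf1 a mx -all",
    "amazonses.com": "v=spf1 ip4:198.51.100.0/24 -all",
}

def add_ses_include(spf):
    """Insert include:amazonses.com ahead of the 'all' mechanism, once."""
    terms = spf.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    if any(t.lower().lstrip("+") == "include:amazonses.com" for t in terms):
        return spf
    for i, t in enumerate(terms):
        if t.lower().lstrip("+-~?") == "all":
            terms.insert(i, "include:amazonses.com")
            break
    else:
        terms.append("include:amazonses.com")
    return " ".join(terms)

def count_lookups(domain, zone, path=frozenset()):
    """Count DNS-querying terms, following include/redirect through `zone`."""
    if domain in path or domain not in zone:
        return 0  # loop, or a record this offline sample does not contain
    total = 0
    for term in zone[domain].split()[1:]:
        m = re.match(r"([a-z0-9]+)(?:[:=]([^/]+))?", term.lstrip("+-~?").lower())
        if not m or m.group(1) not in LOOKUP_TERMS:
            continue
        total += 1
        if m.group(1) in ("include", "redirect") and m.group(2):
            total += count_lookups(m.group(2), zone, path | {domain})
    return total
```

Nested includes count toward the limit too, so the total for a record is usually higher than the number of include terms visible in it.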

Do I need to update my DNS provider if I switch from Cloudflare?

Yes. The same CNAME, TXT, and MX records must be added to the new provider’s DNS zone. The values themselves do not change.

Will enabling DKIM affect email sending speed?

No. DKIM signing is performed by Amazon SES servers and adds only a few milliseconds to the send process.

How often should I review my SPF/DKIM settings?

Review whenever you add a new sending service, change DNS providers, or notice deliverability issues. A quarterly audit using Palisade’s dashboard is a good practice.
