How to Set Up DMARC for Amazon SES and AWS

Configure DMARC for Amazon SES. Covers custom MAIL FROM domains, Easy DKIM, Route 53 DNS setup, and fixing the most common SES DMARC failures.

Last updated: 2026-01-28

Amazon SES is one of the most popular services for sending transactional and marketing email at scale. But out of the box, SES has a configuration that causes DMARC failures for most users: the default MAIL FROM domain is amazonses.com, which breaks SPF alignment with your domain. If you are seeing DMARC failures on SES-sent email, this is almost certainly the reason.

This guide walks you through configuring Amazon SES so that your email passes DMARC, including setting up a custom MAIL FROM domain, enabling DKIM, and adding the DMARC record itself. If you are building email infrastructure with SES, our DMARC for developers guide covers programmatic authentication patterns.

Why SES Fails DMARC by Default

To understand the fix, you need to understand the problem. When SES sends an email on your behalf, two domains are involved:

The "From" domain is what the recipient sees — your domain, like yourcompany.com. This is the domain DMARC evaluates.

The MAIL FROM (envelope sender) domain is used for the SPF check. By default, SES sets this to amazonses.com. SPF passes because Amazon's servers are authorized to send for amazonses.com, but SPF alignment fails because amazonses.com does not match yourcompany.com.

If you have not enabled DKIM either, both SPF alignment and DKIM alignment fail, which means DMARC fails entirely. Even with a p=none policy, these failures show up in your DMARC reports and signal to mail providers that your email is not properly authenticated. For background on how SPF, DKIM, and DMARC interact, read SPF vs DKIM vs DMARC.

The default SES configuration will fail DMARC alignment for SPF. You must set up either a custom MAIL FROM domain (for SPF alignment) or Easy DKIM (for DKIM alignment) — ideally both. Without at least one, your DMARC record will not help your deliverability.
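The alignment logic described in this section, as an added example (not code from the original page or from AWS). The `org_domain` helper is a labelled simplification, and the scenario names and the `aspf=s` case are constructed for illustration.

```python
# Added example: DMARC identifier alignment for the SES cases described above.

def org_domain(domain):
    # Assumption: the organizational domain is the last two labels. A real
    # evaluator uses the Public Suffix List (this is wrong for e.g. co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode="r"):
    """mode 'r' = relaxed (the DMARC default), 's' = strict (exact match)."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def dmarc_result(from_domain, mail_from, spf_pass, dkim_sigs, aspf="r", adkim="r"):
    """dkim_sigs is a list of (d= domain, signature verified) tuples."""
    spf_ok = spf_pass and aligned(mail_from, from_domain, aspf)
    dkim_ok = any(ok and aligned(d, from_domain, adkim) for d, ok in dkim_sigs)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if spf_ok or dkim_ok else "fail"}

FROM = "yourcompany.com"
# Constructed scenarios matching the configurations discussed on this page.
SCENARIOS = {
    "SES defaults, no DKIM": dict(mail_from="amazonses.com", dkim_sigs=[]),
    "custom MAIL FROM only": dict(mail_from="mail.yourcompany.com", dkim_sigs=[]),
    "Easy DKIM only": dict(mail_from="amazonses.com",
                           dkim_sigs=[("yourcompany.com", True)]),
    "custom MAIL FROM, aspf=s": dict(mail_from="mail.yourcompany.com",
                                     dkim_sigs=[], aspf="s"),
}

def run_scenarios():
    # SPF itself passes in every case; only the alignment outcome differs.
    return {name: dmarc_result(FROM, spf_pass=True, **kw)
            for name, kw in SCENARIOS.items()}

if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:26} {result}")
```

The last scenario shows why a subdomain MAIL FROM alone is not enough when the DMARC record requests strict SPF alignment.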

Setting Up a Custom MAIL FROM Domain

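A custom MAIL FROM domain replaces amazonses.com with a subdomain of your own domain for the envelope sender. This makes SPF alignment pass because the MAIL FROM domain now shares an organizational domain with your "From" domain, which is what DMARC's default relaxed alignment requires. If your DMARC record sets aspf=s (strict), a subdomain does not align with the root domain and you need DKIM alignment instead.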

1. Choose your MAIL FROM subdomain

You need a subdomain that is not used for anything else. Common choices are mail.yourcompany.com, bounce.yourcompany.com, or ses.yourcompany.com. The subdomain must not have an existing MX record.

2. Configure the custom MAIL FROM in SES

In the AWS console, go to Amazon SES > Verified identities. Click on your verified domain. Under the Custom MAIL FROM domain section, click Edit and enter your chosen subdomain (for example, mail.yourcompany.com). Choose a behavior for MAIL FROM failures — "Use default MAIL FROM domain" is the safer option while you set things up.

3. Add the MX record to your DNS

SES will tell you to add an MX record for your MAIL FROM subdomain. The record points to SES's feedback servers so bounce notifications reach Amazon. The value depends on your AWS region — for example, in us-east-1, it is feedback-smtp.us-east-1.amazonses.com with priority 10. Add this MX record at your DNS provider.

4. Add the SPF record for the subdomain

You also need a TXT record at your MAIL FROM subdomain with this value: v=spf1 include:amazonses.com ~all. This authorizes SES to send email using your subdomain as the MAIL FROM address. If your root domain also sends through other services, build your main SPF record at spfcreator.com to include all sources. You can generate DKIM records for non-SES services at dkimcreator.com.

5. Verify in the SES console

After adding both DNS records, go back to SES and check the status of your custom MAIL FROM domain. It should show as verified once the DNS records propagate, usually within a few minutes.

Enabling Easy DKIM in SES

Easy DKIM is Amazon's built-in DKIM signing feature. When enabled, SES signs every outgoing email with a DKIM signature tied to your domain. This gives you DKIM alignment for DMARC.

1. Open your domain identity in SES

In the SES console, go to Verified identities and click on your domain. Navigate to the Authentication tab and find the DomainKeys Identified Mail (DKIM) section.

2. Enable Easy DKIM

Click Edit in the DKIM section. Select Easy DKIM and choose a DKIM signing key length (2048-bit is recommended). Enable the "DKIM signatures" toggle, then click Save changes.

3. Publish the CNAME records

SES will generate three CNAME records that you need to add to your DNS. These records point to Amazon-hosted DKIM keys. If your DNS is hosted in Route 53, SES can publish them automatically. Otherwise, copy the CNAME records and add them manually at your DNS provider.

4. Wait for verification

SES will check for the CNAME records and verify DKIM. This usually takes a few minutes but can take up to 72 hours. Once verified, the DKIM status will change to "Successful" and all outgoing emails will be DKIM-signed.

Use both custom MAIL FROM and Easy DKIM

Setting up both gives you the strongest DMARC alignment. If one mechanism has a temporary issue, the other still provides a passing alignment result. This redundancy is especially important for high-volume senders.

Adding Your DMARC Record

With SPF and DKIM configured for SES, you can now add your DMARC record.

If You Use Route 53

If your domain's DNS is hosted in AWS Route 53, adding the record is simple. Go to Route 53 > Hosted zones, click on your domain, and create a new record. Set the record name to _dmarc, the type to TXT, and the value to your DMARC record string. For a monitoring-only start:

v=DMARC1; p=none; rua=mailto:dmarc-reports@yourcompany.com; pct=100;

Set the TTL to 3600 (one hour) and save.

If You Use Another DNS Provider

Add a TXT record at your DNS provider with the name _dmarc and your DMARC record string as the value. For provider-specific instructions, see our guides for GoDaddy, Namecheap, or Cloudflare.

After saving, verify the record at dmarcrecordchecker.com.

Common SES DMARC Failure Causes

Default MAIL FROM Domain (amazonses.com)

This is the number one cause of SES DMARC failures. If you have not set up a custom MAIL FROM domain, the envelope sender is amazonses.com, which will never align with your domain for SPF. Fix this by following the custom MAIL FROM setup steps above.

Easy DKIM Not Enabled or Not Verified

If the CNAME records for Easy DKIM are not published or have not been verified by SES, outgoing emails will not carry a DKIM signature for your domain. Check the DKIM status in your SES identity settings. If it shows "Pending" or "Failed," verify the CNAME records are correctly added at your DNS provider.

Sending from Multiple AWS Regions

If you send email from SES in multiple AWS regions, each region needs its own configuration. The custom MAIL FROM domain and Easy DKIM need to be set up in every region where you send email. A common oversight is configuring everything in us-east-1 but forgetting about eu-west-1.

SPF Record for the Wrong Domain

Remember: the SPF record for your custom MAIL FROM domain goes on the subdomain (like mail.yourcompany.com), not your root domain. Your root domain's SPF record authorizes your regular email services. The MAIL FROM subdomain's SPF record specifically authorizes SES.
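The DNS mistakes listed in this section can be caught before sending. The following is an added example, not part of the original guide: a small linter over a zone represented as a dictionary. The `zone` structure, function names and both sample zones are constructed, and record values are assumed to be normalized (no trailing dots or quotes).

```python
# Added example: lint the DNS records this guide asks you to publish.

def parse_tags(record):
    """Split a 'tag=value; tag=value' DMARC record into a dict."""
    return dict(p.strip().split("=", 1) for p in record.split(";") if "=" in p)

def has_ses_include(txt_values):
    return any(t.startswith("v=spf1") and "include:amazonses.com" in t.split()
               for t in txt_values)

def lint_ses_dns(zone, domain, mail_from, region):
    """zone maps (name, type) -> list of values; returns a list of findings."""
    findings = []
    want_mx = f"10 feedback-smtp.{region}.amazonses.com"
    if want_mx not in zone.get((mail_from, "MX"), []):
        findings.append(f"{mail_from}: missing MX '{want_mx}'")
    if not has_ses_include(zone.get((mail_from, "TXT"), [])):
        findings.append(f"{mail_from}: no SPF record with include:amazonses.com")
        if has_ses_include(zone.get((domain, "TXT"), [])):
            findings.append(f"{domain}: SES include is on the root, not on {mail_from}")
    dmarc = [t for t in zone.get((f"_dmarc.{domain}", "TXT"), [])
             if t.startswith("v=DMARC1")]
    if len(dmarc) != 1:
        findings.append(f"_dmarc.{domain}: expected one DMARC record, found {len(dmarc)}")
    else:
        tags = parse_tags(dmarc[0])
        if tags.get("p") not in ("none", "quarantine", "reject"):
            findings.append(f"_dmarc.{domain}: invalid or missing p= tag")
        if "rua" not in tags:
            findings.append(f"_dmarc.{domain}: no rua=, so no aggregate reports")
    return findings

# Constructed zones: one following the guide, one with the mistakes it lists.
GOOD_ZONE = {
    ("mail.yourcompany.com", "MX"): ["10 feedback-smtp.us-east-1.amazonses.com"],
    ("mail.yourcompany.com", "TXT"): ["v=spf1 include:amazonses.com ~all"],
    ("_dmarc.yourcompany.com", "TXT"):
        ["v=DMARC1; p=none; rua=mailto:dmarc-reports@yourcompany.com; pct=100;"],
}
BAD_ZONE = {
    ("mail.yourcompany.com", "MX"): ["10 feedback-smtp.us-east-1.amazonses.com"],
    ("yourcompany.com", "TXT"): ["v=spf1 include:amazonses.com ~all"],
    ("_dmarc.yourcompany.com", "TXT"): ["v=DMARC1; rua=mailto:dmarc-reports@yourcompany.com"],
}

if __name__ == "__main__":
    for finding in lint_ses_dns(BAD_ZONE, "yourcompany.com", "mail.yourcompany.com", "us-east-1"):
        print(finding)
```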


Monitoring SES Sending Reputation Alongside DMARC

Amazon SES has its own reputation dashboard that tracks bounces, complaints, and sending metrics. DMARC monitoring is a separate but complementary layer. While SES tells you about delivery problems from Amazon's perspective, DMARC reports tell you what receiving mail servers see.

Use both together. If your SES reputation dashboard shows increasing bounce rates, check your DMARC reports to see if authentication failures are contributing. If your DMARC reports show failures from IPs you do not recognize, someone may be spoofing your domain — which is exactly what DMARC is designed to catch.
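One way to triage the aggregate reports mentioned above, as an added example that is not part of the original guide. The sample records, labels and function names are constructed; the XML follows the RFC 7489 aggregate report layout with DKIM auth results trimmed for brevity.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed aggregate-report records; the IPs are documentation addresses.
# Fields: source ip, count, evaluated dkim, evaluated spf, SPF domain, SPF result.
_REC = ("<record><row><source_ip>{0}</source_ip><count>{1}</count>"
        "<policy_evaluated><dkim>{2}</dkim><spf>{3}</spf></policy_evaluated></row>"
        "<identifiers><header_from>yourcompany.com</header_from></identifiers>"
        "<auth_results><spf><domain>{4}</domain><result>{5}</result></spf>"
        "</auth_results></record>")
SAMPLE_REPORT = "<feedback>" + "".join(_REC.format(*r) for r in [
    ("192.0.2.10", 120, "pass", "pass", "mail.yourcompany.com", "pass"),
    ("192.0.2.11", 40, "fail", "fail", "amazonses.com", "pass"),
    ("203.0.113.50", 7, "fail", "fail", "mailer.example.net", "fail"),
]) + "</feedback>"

def classify(record):
    """Label one <record> by what the receiver reported for it."""
    evaluated = record.find("row/policy_evaluated")
    if "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf")):
        return "dmarc-pass"
    spf_domain = record.findtext("auth_results/spf/domain", "").lower()
    if spf_domain == "amazonses.com" or spf_domain.endswith(".amazonses.com"):
        return "ses-default-mail-from"  # sent via SES without aligned SPF or DKIM
    return "unrecognized-source"        # possible spoofing or a forgotten sender

def summarize(xml_text):
    """Return (message totals per label, counts per unknown source IP)."""
    # Reports arrive from third parties: parse real ones with a hardened
    # parser such as defusedxml rather than the stdlib parser used here.
    totals, suspects = Counter(), Counter()
    for record in ET.fromstring(xml_text).iter("record"):
        count = int(record.findtext("row/count"))
        label = classify(record)
        totals[label] += count
        if label == "unrecognized-source":
            suspects[record.findtext("row/source_ip")] += count
    return totals, suspects

if __name__ == "__main__":
    totals, suspects = summarize(SAMPLE_REPORT)
    print(dict(totals), dict(suspects))
```

Records labelled ses-default-mail-from point back to the custom MAIL FROM and Easy DKIM setup; records labelled unrecognized-source are the ones to investigate before tightening the policy.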

After running at p=none for two to three weeks with clean reports from SES, move to p=quarantine; pct=25; and gradually tighten. For the full enforcement progression, see our DMARC policy levels guide.

Monitor Your DMARC Record

You've created your DMARC record — now make sure it keeps working. The Email Deliverability Suite watches your SPF, DKIM, DMARC, and MX records daily and alerts you when something breaks.
