---
title: "Setting Up SPF & DKIM for Amazon SES | AutoSPF"
description: "In today’s email-driven world, ensuring your messages reliably reach the inbox - and aren’t flagged as spam or spoofed - is mission-critical."
image: "https://autospf.com/og/blog/setting-up-spf-dkim-for-amazon-ses.png"
canonical: "https://autospf.com/blog/setting-up-spf-dkim-for-amazon-ses/"
---

Quick Answer

In today’s email-driven world, ensuring your messages reliably reach the inbox - and aren’t flagged as spam or spoofed - is mission-critical. Among the most powerful tools you can deploy are SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail).

## Try Our Free DKIM Lookup

Auto-discover DKIM selectors for any domain.

[ Discover DKIM Selectors → ](/tools/dkim-lookup/) 

Share 

[ ](https://www.linkedin.com/sharing/share-offsite/?url=https%3A%2F%2Fautospf.com%2Fblog%2Fsetting-up-spf-dkim-for-amazon-ses%2F "Share on LinkedIn") [ ](https://twitter.com/intent/tweet?text=Setting%20Up%20SPF%20%26%20DKIM%20for%20Amazon%20SES&url=https%3A%2F%2Fautospf.com%2Fblog%2Fsetting-up-spf-dkim-for-amazon-ses%2F "Share on X/Twitter") [ ](https://www.facebook.com/sharer/sharer.php?u=https%3A%2F%2Fautospf.com%2Fblog%2Fsetting-up-spf-dkim-for-amazon-ses%2F "Share on Facebook") [ ](https://reddit.com/submit?url=https%3A%2F%2Fautospf.com%2Fblog%2Fsetting-up-spf-dkim-for-amazon-ses%2F&title=Setting%20Up%20SPF%20%26%20DKIM%20for%20Amazon%20SES "Share on Reddit") [ ](mailto:?subject=Setting%20Up%20SPF%20%26%20DKIM%20for%20Amazon%20SES&body=Check out this article: https%3A%2F%2Fautospf.com%2Fblog%2Fsetting-up-spf-dkim-for-amazon-ses%2F "Share via Email") 

![Setting Up SPF](https://media.mailhop.org/autospf/images/2025/11/spf-checker-2496.jpg) 

In today’s email-driven world, ensuring your messages reliably reach the inbox - and aren’t flagged as spam or spoofed - is mission-critical. Among the most powerful tools you can deploy are SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail). When you’re sending via Amazon SES, setting both up properly means your domain is authenticated, your reputation is protected, and your deliverability increases. In this guide, we’ll walk you through how to configure SPF & DKIM in Amazon SES (plus some best-practices), all under the byline of [AutoSPF](/).

_DKIM ([RFC 6376](https://datatracker.ietf.org/doc/html/rfc6376)) signs email messages cryptographically, and unlike SPF, the signature survives email forwarding - which is why DMARC alignment via DKIM is more reliable than SPF alignment for forwarded mail and mailing lists._

## Why SPF & DKIM matter

Before diving into configuration, let’s talk about _why_ this matters.

- SPF identifies which mail servers are permitted to send on behalf of your domain. Without that, recipients’ systems might treat your message as suspicious because the sending server isn’t authorized.
- DKIM applies a cryptographic signature to your outgoing mail; the recipient server uses your [public key](https://www.techtarget.com/searchsecurity/definition/public-key) (in DNS) to verify the message really came from your domain and hasn’t been tampered with in transit.
- Together, SPF + DKIM help satisfy major mailbox providers and ISPs that you’re a legitimate sender - which is important both for deliverability (landing in inbox, not spam) _and_ for alignment with policies like DMARC (Domain-based Message Authentication, Reporting & Conformance).
- If you’re using Amazon SES, you’re essentially outsourcing the “sending” infrastructure; you still want it to appear fully aligned with your domain so that recipients treat your messages as legitimate. Without proper SPF/DKIM, messages can fail alignment or be flagged.

In short: configuring SPF and DKIM isn’t optional if you care about deliverability, domain reputation and being in control of how your mail is authenticated. Let’s proceed with how to do this inside Amazon SES.

![Amazon SES console](https://media.mailhop.org/autospf/images/2025/11/spf-permerror-0445.jpg) 

## Pre-check: inside the Amazon SES console

Here’s what you should do first. Head into your Amazon SES console and go to Verified identities. Choose the domain (or email address) you are sending from.

Once there, check:

- _Is DKIM signing enabled or disabled for that identity?_
- What is your “MAIL FROM Domain” (i.e., the [Return-Path](https://emaillabs.io/en/what-is-return-path/) domain) set to? If it’s the default amazonses.com domain (or something similar), then SPF alignment is likely not achieved.

If DKIM is off or the MAIL FROM domain is not switched to a custom subdomain you own, you’ll want to fix that - because alignment and deliverability hinge on it.

## Step-by-step: Generating DKIM settings

Here’s how to set up DKIM in Amazon SES. As AutoSPF, I recommend following these steps carefully:

1. In the [Amazon SES](https://www.nops.io/glossary/what-is-aws-ses/) console, for your verified identity, choose Authentication (or similar section) to enable DKIM.
2. Amazon SES will present you with three CNAME records (in the typical case) that you must add to your domain’s DNS zone.
- Example names:  
   - gmgfp7ek4mfunuxtkne3aahp7yrwupgf.\_domainkey.yourdomain.com → value: gmgfp7ek4mfunuxtkne3aahp7yrwupgf.dkim.amazonses.com  
   - ssojnqlvhs6ma3jhsn26oirhev5tof5n.\_domainkey.yourdomain.com → value: ssojnqlvhs6ma3jhsn26oirhev5tof5n.dkim.amazonses.com  
   - e54qqjfkcwkturemparg5vwirbd5527d.\_domainkey.yourdomain.com → value: e54qqjfkcwkturemparg5vwirbd5527d.dkim.amazonses.com
- Important: If you’re using a DNS service like Cloudflare, ensure that proxy status for these CNAME records is set to _DNS only_. If they are proxied, the CNAME won’t resolve correctly and DKIM will fail.
1. Add the three CNAME entries in your DNS zone.
2. Back in Amazon SES, refresh or re-check the identity: once the records propagate (which can take up to 72 hours in some cases), you’ll see a “Successful” (green) banner indicating DKIM is configured.
3. _From this point, outgoing emails will be cryptographically signed using the DKIM key; recipients will check the DNS and verify the signature_.
![Email deliverability](https://media.mailhop.org/autospf/images/2025/11/spf-lookup-0225.jpg) 

By completing this step, you’ve ensured that your domain’s outgoing messages carry your DKIM signature and that the recipient system can validate it. Good!

## Step-by-step: Setting a custom MAIL FROM domain for SPF alignment

[SPF alignment](/blog/what-is-spf-alignment-understanding-email-security-protocols/) is a bit trickier than DKIM, because SPF by itself just authorizes sending servers - but to _align_ with the “From:” header in a domain sense you often need a custom MAIL FROM domain (Return-Path) that matches your sending domain. Here’s how to do it in Amazon SES (per AutoSPF’s guidance):

1. In the Amazon SES console, for your verified identity, find the Set MAIL FROM Domain or equivalent option.
2. Choose a subdomain of your domain. Example: mail.yourdomain.com (or similar). This will serve as your custom MAIL FROM domain, meaning the Return-Path address will be something like [something@mail.yourdomain.com](mailto:something@mail.yourdomain.com) rather than the default amazonses.com.
3. Amazon SES will provide two [DNS records](/blog/how-does-spf-flattening-simplify-dns-records/) to add to your DNS zone:
- One TXT record
- One MX record These records serve to delegate the custom MAIL FROM domain to Amazon SES’s infrastructure, and to allow SPF to validate the sender.
1. Add the provided TXT and MX records into your DNS zone exactly as instructed.
2. Back in Amazon SES, refresh and wait. Once Amazon SES detects the DNS records and confirms everything is set up properly, you’ll see a “Successful” notice.
3. Now when outgoing mail is sent, the Return-Path header will carry your custom MAIL FROM domain, which means you gain SPF alignment with your domain - improving authenticity and reducing the chance of being flagged as “unrelated domain” by recipient systems.

Why is this important? Because many mailbox providers check not just “did the SPF pass” but also “is the sending domain aligned with the From domain or related domain?” By using a custom MAIL FROM domain under your own domain, you show stronger domain-level alignment, which enhances your credibility.

## Multi-Region usage & other nuances

If your sending setup is straightforward (single region) then you’re mostly done after the above two steps. But often organizations use Amazon SES across multiple AWS Regions (for example, US East (N. Virginia) plus US West, etc.). In that scenario:

- _Ensure you repeat the DKIM and MAIL FROM domain setup in each region where you send from_. Your DKIM CNAMEs and MAIL FROM settings must be in place per region.
- Remember: A domain can only have _one_ DMARC record (if you use DMARC). If you already have a [DMARC record](https://dmarcreport.com/dmarc-record/), you don’t need to publish another just for Amazon SES. Instead, ensure that this sending domain is covered by your existing DMARC policy and reports.
- [DNS propagation](https://www.digicert.com/faq/dns/what-is-dns-propagation) delays still apply - if one region hasn’t yet validated, messages from that region may still show authentication failures until DNS changes are fully distributed.
![Common pitfalls](https://media.mailhop.org/autospf/images/2025/11/sender-policy-framework-office-365-5574.jpg) 

## Common pitfalls & best practices (AutoSPF’s tipbox)

Here are some “gotchas” and best-practice tips from AutoSPF to help you avoid surprises:

- Propagation delays: DNS changes (especially CNAME/MX/TXT) can take time. While Amazon SES may indicate “successful”, some recipient systems may still use cached DNS and treat messages as failing. Wait up to 72 hours before assuming everything works perfectly.
- Proxy DNS services: As mentioned earlier, if you use Cloudflare or similar and the [CNAME records](https://www.ibm.com/think/topics/cname) are set to “Proxied” rather than “DNS only”, the DKIM CNAMEs will not resolve as expected, and DKIM will fail. Always set them to DNS only.
- Return-Path vs From domains mismatch: If your From address is [user@yourdomain.com](mailto:user@yourdomain.com) but your MAIL FROM domain is something else (e.g., default amazonses.com), you may pass SPF but still fail alignment checks because the domain in the Return-Path doesn’t “match” your sending domain. That hurts deliverability.
- Multiple sending services/domains: If you have multiple ESPs ([Email Service Providers](https://www.activecampaign.com/glossary/email-service-provider)) or send from different domains/subdomains, make sure each one is properly set up with SPF/DKIM and is aligned under your broader domain strategy. Having fragmented authentication makes tracking harder.
- DMARC alignment: If you’ve deployed DMARC, remember that both SPF and DKIM need to align with the “From” domain (or a subdomain). Just passing SPF isn’t enough if the “From” domain doesn’t match the domain that passed SPF. DKIM helps with that because the signature domain can match the “From”.
- Tesla-style domain hygiene: Make sure the subdomain you choose for [MAIL FROM](https://docs.aws.amazon.com/ses/latest/dg/mail-from.html) isn’t used for other unrelated sending, to avoid reputation contamination. Choose something like bounce.yourdomain.com or mail.yourdomain.com and reserve it for the authenticated sending you control.
- Monitor bounce & complaint metrics: Even after you’ve done the technical steps, monitor your sending reputation, [bounce rates](https://www.optimizely.com/optimization-glossary/bounce-rate/), complaint rates, and whether inbox placement is good. Authentication helps a lot - but good sending practices matter too.
- Use dedicated domains for high-volume or critical sending: If you send high volume (newsletters, transactional mails, marketing) consider isolating domains (or subdomains) so that authentication and reputation issues in one stream don’t affect another.

## Summary & next steps

By now you should have a clear roadmap:

1. In Amazon SES, for your verified domain (or email address) check current DKIM and MAIL FROM domain settings.
2. Generate and add the three DKIM CNAME records to your DNS zone; monitor until Amazon SES shows “Successful”.
3. Set up a custom MAIL FROM domain (subdomain of your domain), add the TXT & MX records Amazon SES provides and wait until validation completes.
4. If you use multiple SES regions, repeat as needed.
5. Review your DNS, ensure the records are set to DNS only (no proxy), and monitor propagation delays.
6. Once everything is validated, your outgoing mail will have proper SPF alignment and [DKIM signatures](https://docs.mapp.com/docs/dkim-signature) under your domain - giving you stronger deliverability, better reputation, and better alignment with DMARC policies.
7. Continue monitoring your mail streams, maintain clean lists and sending practices, and ensure your domain remains trusted over time.
![Flagged as spam](https://media.mailhop.org/autospf/images/2025/11/how-to-create-spf-record-2910.jpg) 

## Why this is worth the effort

Some senders treat [SPF](/blog/what-is-spf-email-a-guide-to-sender-validation-technology/) & DKIM as “just technical setup”, but as AutoSPF I can tell you: when you execute these correctly, you gain long-term benefits:

- Lower likelihood of being flagged as spam or spoof-source.
- Better inbox placement (meaning more of your intended audience sees your mail).
- _Better alignment with DMARC which lets you build a strong domain brand and protect it from impersonation_.
- When using Amazon SES (a scalable, reliable sending platform), you don’t want to lose out due to authentication weak links - you want your infrastructure _and_ your domain to be aligned and trusted.
- Ultimately it pays off: recipients trust your domain; ISPs score you better; your email [ROI](https://www.investopedia.com/terms/r/returnoninvestment.asp) improves. If you skip or half-do this setup, you may send large volume but still suffer poor deliverability because receivers don’t trust your domain’s authenticity.

## Topics

[ DKIM ](/tags/dkim/)[ DMARC ](/tags/dmarc/)[ SPF ](/tags/spf/) 

![Vishal Lamba](https://media.mailhop.org/autospf/images/authors/vishal-lamba.jpg) 

[ Vishal Lamba ](/authors/vishal-lamba/) 

Content Specialist

Content Specialist at AutoSPF. Writes vendor-specific SPF configuration guides and troubleshooting walkthroughs.

[LinkedIn Profile →](https://www.linkedin.com/in/vishal-lamba/) 

## Ready to get started?

Try AutoSPF free — no credit card required.

[ Book a Demo ](/book-a-demo/) 

## Related Articles

[  Intermediate 5m  The 12.4 billion shield for your email communications: Why DMARC software is the unsung hero in the war against phishing actors!  Nov 19, 2025 ](/blog/12-4-billion-dmarc-software-shield-protecting-email-from-phishing-actors/)[  Intermediate 3m  3 points to consider before setting your SPF record to -all (HardFail)  May 22, 2025 ](/blog/3-points-to-consider-before-setting-your-spf-record-hardfail/)[  Intermediate 6m  550 From address violates UsernameCaseMapped Policy: Why does this happen, and how to fix it?  Feb 20, 2026 ](/blog/550-from-address-violates-usernamecasemapped-policy-common-causes-and-fixes/)[  Intermediate 6m  6 Best practices for maintaining an SPF record  Jun 5, 2025 ](/blog/6-best-practices-for-maintaining-an-spf-record/)

```json
{"@context":"https://schema.org","@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com","logo":{"@type":"ImageObject","url":"https://autospf.com/images/autospf-logo.png"},"description":"Automatic SPF flattening and email authentication management. Resolve SPF lookup limits, flatten SPF records, and maintain email deliverability across all your domains.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]},"sameAs":["https://www.wikidata.org/wiki/Q138897474","https://www.linkedin.com/company/autospf","https://x.com/autospf01","https://www.g2.com/products/autospf/reviews"],"contactPoint":{"@type":"ContactPoint","contactType":"customer support","url":"https://autospf.com/contact-us/"},"knowsAbout":["SPF Record Flattening","Sender Policy Framework","Email Authentication","DNS Management","DMARC","DKIM"]}
```

```json
{"@context":"https://schema.org","@type":"WebSite","name":"AutoSPF","url":"https://autospf.com","description":"Automatic SPF flattening and email authentication management. Resolve SPF lookup limits, flatten SPF records, and maintain email deliverability across all your domains.","publisher":{"@type":"Organization","name":"AutoSPF","url":"https://autospf.com","logo":{"@type":"ImageObject","url":"https://autospf.com/images/autospf-logo.png"},"description":"Automatic SPF flattening and email authentication management. Resolve SPF lookup limits, flatten SPF records, and maintain email deliverability across all your domains.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]}}}
```

```json
{"@context":"https://schema.org","@type":"BlogPosting","headline":"Setting Up SPF & DKIM for Amazon SES","description":"In today’s email-driven world, ensuring your messages reliably reach the inbox - and aren’t flagged as spam or spoofed - is mission-critical.","url":"https://autospf.com/blog/setting-up-spf-dkim-for-amazon-ses/","datePublished":"2025-11-25T18:16:46.000Z","dateModified":"2026-04-18T02:36:41.000Z","dateCreated":"2025-11-25T18:16:46.000Z","author":{"@type":"Person","@id":"https://autospf.com/authors/vishal-lamba/#person","name":"Vishal Lamba","url":"https://autospf.com/authors/vishal-lamba/","jobTitle":"Content Specialist","description":"Vishal Lamba writes AutoSPF's how-to guides and vendor-specific configuration walkthroughs. His work focuses on step-by-step implementation guides for major email platforms (Google Workspace, Microsoft 365, SendGrid, Mimecast, Proofpoint, Brevo, and others), troubleshooting common SPF errors, and translating RFC-level specifications into practical deployment procedures for IT administrators.","image":"https://media.mailhop.org/autospf/images/authors/vishal-lamba.jpg","knowsAbout":["SPF Vendor Configuration","Email Platform Integrations","SPF Troubleshooting","Technical Documentation","Step-by-Step Guides"],"worksFor":{"@type":"Organization","name":"AutoSPF","url":"https://autospf.com"},"sameAs":["https://www.linkedin.com/in/vishal-lamba/"]},"publisher":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com","logo":{"@type":"ImageObject","url":"https://autospf.com/images/autospf-logo.png"},"description":"Automatic SPF flattening and email authentication management. Resolve SPF lookup limits, flatten SPF records, and maintain email deliverability across all your domains.","parentOrganization":{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138883901","name":"DuoCircle LLC","url":"https://www.duocircle.com","sameAs":["https://www.wikidata.org/wiki/Q138883901","https://www.crunchbase.com/organization/duocircle-llc","https://www.linkedin.com/company/duocircle","https://github.com/duocircle"],"subOrganization":[{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138898167","name":"DMARC Report","url":"https://dmarcreport.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897474","name":"AutoSPF","url":"https://autospf.com"},{"@type":"Organization","@id":"https://www.wikidata.org/wiki/Q138897912","name":"Phish Protection","url":"https://www.phishprotection.com"}]},"sameAs":["https://www.wikidata.org/wiki/Q138897474","https://www.linkedin.com/company/autospf","https://x.com/autospf01","https://www.g2.com/products/autospf/reviews"],"contactPoint":{"@type":"ContactPoint","contactType":"customer support","url":"https://autospf.com/contact-us/"},"knowsAbout":["SPF Record Flattening","Sender Policy Framework","Email Authentication","DNS Management","DMARC","DKIM"]},"mainEntityOfPage":{"@type":"WebPage","@id":"https://autospf.com/blog/setting-up-spf-dkim-for-amazon-ses/"},"articleSection":"intermediate","keywords":"DKIM, DMARC, SPF","wordCount":1729,"image":{"@type":"ImageObject","url":"https://media.mailhop.org/autospf/images/2025/11/spf-checker-2496.jpg","caption":"Setting Up SPF","width":900,"height":600},"speakable":{"@type":"SpeakableSpecification","cssSelector":[".answer-block","h1"]}}
```

```json
{"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https://autospf.com/"},{"@type":"ListItem","position":2,"name":"Blog","item":"https://autospf.com/blog/"},{"@type":"ListItem","position":3,"name":"Intermediate","item":"https://autospf.com/intermediate/"},{"@type":"ListItem","position":4,"name":"Setting Up SPF & DKIM for Amazon SES","item":"https://autospf.com/blog/setting-up-spf-dkim-for-amazon-ses/"}]}
```