Amazon Simple Email Service
Developer Guide

Complying with DMARC Using Amazon SES

Domain-based Message Authentication, Reporting and Conformance (DMARC) is an email authentication protocol that uses Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) to detect email spoofing. An email can comply with DMARC through SPF or through DKIM. For maximum deliverability, it is a best practice to set up your email sending so that it complies with both methods.

This topic describes what to do to enable emails that you send with Amazon SES to comply with DMARC. For information about the DMARC specification, see http://www.dmarc.org.

DMARC Compliance through SPF

For an email to comply with DMARC based on SPF, the DMARC specification requires that both of the following conditions are met:

  • The email must pass an SPF check. For information about SPF checks, see http://www.openspf.org.

  • The domain in the "From" address of the email header must align with the MAIL FROM domain that the sending mail server specifies to the receiving mail server to indicate the source of the message. If the DMARC policy specifies strict alignment, the "From" and MAIL FROM domains must match exactly. With relaxed alignment, the MAIL FROM domain can be a subdomain of the "From" domain.

To comply with both DMARC SPF requirements with Amazon SES, you must publish an SPF record and use relaxed alignment in your DMARC policy (relaxed alignment is the default).

DMARC Compliance through DKIM

For an email to comply with DMARC based on DKIM, the DMARC specification requires that both of the following conditions are met:

  • The message must have a valid DKIM signature.

  • The d= domain in the DKIM signature must align with the domain in the "From" address of the email header. If the DMARC policy specifies strict alignment, these domains must match exactly. With relaxed alignment, the d= domain can be a subdomain of the "From" domain.

To comply with both DMARC DKIM requirements with Amazon SES, you simply need to set up Easy DKIM so that Amazon SES signs your emails automatically. You can also manually DKIM-sign your messages. Regardless of how you DKIM-sign your messages, you will comply with DMARC if you use relaxed alignment (which is the default) in your DMARC policy. If you want to require that the "From" domain exactly matches the d= domain, then you must specifically apply strict alignment in your DMARC policy.
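
The SPF and DKIM alignment rules described in the two sections above can be checked mechanically. The following Python sketch is an added example, not code from Amazon SES or this guide; the function names and the `example.com` domains are constructed for illustration. It applies relaxed alignment as this page words it (exact match or subdomain of the "From" domain), whereas RFC 7489 compares Organizational Domains, which requires a Public Suffix List lookup.

```python
def parse_dmarc(record):
    """Parse a DMARC TXT record into tags; aspf/adkim default to relaxed ('r')."""
    tags = {"aspf": "r", "adkim": "r"}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def aligned(from_domain, auth_domain, mode):
    """Strict ('s'): exact match. Relaxed ('r'): also accept a subdomain of From.

    Assumption: subdomain test follows this page's wording, not the
    Organizational Domain comparison of RFC 7489.
    """
    f = from_domain.lower().rstrip(".")
    a = auth_domain.lower().rstrip(".")
    if a == f:
        return True
    # The leading dot stops look-alikes such as "evilexample.com" from matching.
    return mode.lower() == "r" and a.endswith("." + f)


def dmarc_evaluate(record, from_domain, mail_from, spf_pass, dkim_d, dkim_valid):
    """Return per-mechanism and overall results; DMARC passes if either aligns."""
    tags = parse_dmarc(record)
    spf_ok = spf_pass and aligned(from_domain, mail_from, tags["aspf"])
    dkim_ok = dkim_valid and aligned(from_domain, dkim_d, tags["adkim"])
    return {"spf": spf_ok, "dkim": dkim_ok, "dmarc": spf_ok or dkim_ok}


if __name__ == "__main__":
    # Constructed sample policies and message attributes.
    relaxed = "v=DMARC1; p=quarantine"
    strict = "v=DMARC1; p=reject; aspf=s; adkim=s"
    cases = [
        (relaxed, "example.com", "bounce.example.com", True, "example.com", True),
        (strict, "example.com", "bounce.example.com", True, "example.com", True),
        (strict, "example.com", "bounce.example.com", True, "mail.example.com", True),
        (relaxed, "example.com", "evilexample.com", True, "evilexample.com", True),
    ]
    for case in cases:
        print(case[0], "->", dmarc_evaluate(*case))
```

Under the strict policy in the second case, the subdomain MAIL FROM no longer aligns for SPF, so the message passes DMARC only because the DKIM d= domain matches the "From" domain exactly.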