Amazon Simple Email Service
Developer Guide

Complying with DMARC Using Amazon SES

Domain-based Message Authentication, Reporting and Conformance (DMARC) is an email authentication protocol that uses Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) to detect email spoofing. In order to comply with DMARC, messages must be authenticated through either SPF or DKIM, or both.

This topic contains information that will help you configure Amazon SES so that the emails you send comply with both SPF and DKIM. By complying with one of these authentication systems, your emails will comply with DMARC. For information about the DMARC specification, see http://www.dmarc.org.

Complying with DMARC through SPF

For an email to comply with DMARC based on SPF, both of the following conditions must be met:

  • The email must pass an SPF check.

  • The domain in the From address of the email header must align with the MAIL FROM domain that the sending mail server specifies to the receiving mail server. If the domain's DMARC policy for SPF specifies strict alignment, the From and MAIL FROM domains must match exactly. If the domain's DMARC policy for SPF specifies relaxed alignment, the MAIL FROM domain can be a subdomain of the domain in the From header.

To comply with these requirements, complete the following steps:

  • Set up a custom MAIL FROM domain by completing the procedures in Using a Custom MAIL FROM Domain with Amazon SES.

  • Ensure that your sending domain uses a relaxed policy for SPF. If you have not changed your domain's policy alignment, it will use a relaxed policy by default.

    Note

    You can determine your domain's DMARC alignment for SPF by typing the following command at the command line, replacing example.com with your domain:

    nslookup -type=TXT _dmarc.example.com

    In the output of this command, under Non-authoritative answer, look for a record that begins with v=DMARC1. If this record includes the string aspf=r, or if the aspf tag is not present at all, then your domain uses relaxed alignment for SPF. If the record includes the string aspf=s, then your domain uses strict alignment for SPF; to switch to relaxed alignment, your system administrator must remove the aspf=s tag from the DMARC TXT record in your domain's DNS configuration.

    Alternatively, you can use a web-based DMARC lookup tool, such as the DMARC Inspector from dmarcian.com, to determine your domain's policy alignment for SPF.

Complying with DMARC through DKIM

For an email to comply with DMARC based on DKIM, both of the following conditions must be met:

  • The message must have a valid DKIM signature.

  • The From address in the email header must align with the d= domain in the DKIM signature. If the domain's DMARC policy specifies strict alignment for DKIM, these domains must match exactly. If the domain's DMARC policy specifies relaxed alignment for DKIM, the d= domain can be a subdomain of the From domain.

To comply with these requirements, complete the following steps:

  • Set up Easy DKIM by completing the procedures in Easy DKIM in Amazon SES. When you use Easy DKIM, Amazon SES will automatically sign your emails.

    Note

    Rather than use Easy DKIM, you can also manually sign your messages. However, you must be very careful if you choose to do so, because Amazon SES does not validate the DKIM signature that you construct. For this reason, we highly recommend using Easy DKIM.

  • Ensure that your sending domain uses a relaxed policy for DKIM. If you have not changed your domain's policy alignment, it will use a relaxed policy by default.

    Note

    You can determine your domain's DMARC alignment for DKIM by typing the following command at the command line, replacing example.com with your domain:

    nslookup -type=TXT _dmarc.example.com

    In the output of this command, under Non-authoritative answer, look for a record that begins with v=DMARC1. If this record includes the string adkim=r, or if the adkim tag is not present at all, then your domain uses relaxed alignment for DKIM. If the record includes the string adkim=s, then your domain uses strict alignment for DKIM; to switch to relaxed alignment, your system administrator must remove the adkim=s tag from the DMARC TXT record in your domain's DNS configuration.

    Alternatively, you can use a web-based DMARC lookup tool, such as the DMARC Inspector from dmarcian.com, to determine your domain's policy alignment for DKIM.
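The following Python example, added here and not part of the Amazon SES documentation, puts the two alignment procedures above together: it reads the aspf and adkim tags from a DMARC TXT record, then applies the SPF check (From domain versus MAIL FROM domain) and the DKIM check (From domain versus d= domain) under strict or relaxed alignment. The DMARC records and domain names are constructed samples, and the relaxed rule is the one this page states (the authenticated domain may be a subdomain of the From domain), which is the custom MAIL FROM case; RFC 7489 relaxed mode compares organizational domains and is therefore slightly broader.

```python
# Constructed sample DMARC TXT records, standing in for what
# `nslookup -type=TXT _dmarc.<domain>` would return.
SAMPLE_RECORDS = {
    "example.com": "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com",
    "strict.example": "v=DMARC1; p=reject; aspf=s; adkim=s",
}


def parse_dmarc(record):
    """Split a DMARC TXT record into its tag=value pairs (keys lower-cased)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    return tags


def alignment_mode(record, mechanism):
    """Return 'relaxed' or 'strict' for mechanism 'spf' or 'dkim'.
    As the page states: aspf/adkim absent or 'r' means relaxed, 's' means strict."""
    tag = {"spf": "aspf", "dkim": "adkim"}[mechanism]
    return "strict" if parse_dmarc(record).get(tag, "r").lower() == "s" else "relaxed"


def domains_align(from_domain, auth_domain, mode):
    """Compare the From header domain with the authenticated identifier
    (MAIL FROM domain for SPF, d= domain for DKIM). Strict requires an exact
    match; relaxed, per this page, also accepts a subdomain of the From domain."""
    f = from_domain.lower().rstrip(".")
    a = auth_domain.lower().rstrip(".")
    if f == a:
        return True
    return mode == "relaxed" and a.endswith("." + f)


def dmarc_passes(record, from_domain, mail_from_domain=None, spf_pass=False,
                 dkim_d=None, dkim_valid=False):
    """DMARC passes if SPF or DKIM passes AND that identifier aligns with From.
    spf_pass / dkim_valid are the raw authentication results supplied by the caller."""
    spf_ok = spf_pass and mail_from_domain is not None and domains_align(
        from_domain, mail_from_domain, alignment_mode(record, "spf"))
    dkim_ok = dkim_valid and dkim_d is not None and domains_align(
        from_domain, dkim_d, alignment_mode(record, "dkim"))
    return spf_ok or dkim_ok
```

With the default (relaxed) record, a custom MAIL FROM subdomain such as mail.example.com aligns with a From address at example.com; with aspf=s it does not, and the message then depends on a DKIM signature whose d= domain matches exactly.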