Using a Custom MAIL FROM Domain with Amazon SES
When an email is sent, it has two addresses that indicate its source: a "From" address provided by the email header, and a MAIL FROM address (sometimes called the envelope sender, envelope from, bounce address, or Return Path) that the sending mail server specifies to the receiving mail server to indicate the source of the message. When recipients view an email in their inbox, they see the email's "From" address. In contrast, the MAIL FROM address, which is used by mail servers to return bounce messages and other error notifications, is typically only viewable by recipients if they inspect the email's headers in the raw message source. Amazon SES sets the MAIL FROM domain to a default value unless you choose to use your own.
Why Use a Custom MAIL FROM Domain?
By default, messages that you send through Amazon SES use amazonses.com (or a subdomain of that) as the MAIL FROM domain. Sender Policy Framework (SPF) authentication successfully validates these messages because the default MAIL FROM domain matches the sending mail server, Amazon SES. Although this level of authentication is enough for many senders, you might want to set the MAIL FROM domain to a domain that you own to enable your emails to authenticate with Domain-based Message Authentication, Reporting and Conformance (DMARC) through SPF, which requires an additional check for SPF domain alignment. DMARC enables a sender's domain to indicate, using a DNS record, that its emails are protected by SPF, DomainKeys Identified Mail (DKIM), or both.
There are two ways to achieve DMARC validation: using SPF and using DKIM. Unless you use your own MAIL FROM domain, you cannot achieve DMARC validation using SPF because that validation requires the domain in the "From" address to match the MAIL FROM domain. By using your own MAIL FROM domain, you have the flexibility to use SPF, DKIM, or both to achieve DMARC validation. For more information, see Authenticating Email with SPF.
Choosing a MAIL FROM Domain
If you choose to use your own MAIL FROM domain with Amazon SES, your MAIL FROM domain must comply with the following requirements:
The MAIL FROM domain must be a subdomain of the verified identity (email address or domain) from which you will send your emails. For example, bounce.example.com is a valid MAIL FROM domain for the firstname.lastname@example.org email address or example.com domain.
You must not use the MAIL FROM domain in a "From" address ("From", "Return Path", or "Source") unless you ensure that your setup is such that email feedback forwarding will never forward feedback to the MAIL FROM domain. This is to prevent feedback loops that would cause you to not receive feedback. If you must use the MAIL FROM domain in a "From" address, either disable email feedback forwarding and receive your bounces through Amazon SNS notifications, or ensure that your MAIL FROM domain is not the destination for the feedback. To determine the destination of email forwarding feedback, see Email Feedback Forwarding Destination.
The MAIL FROM domain must not be a domain that you use to receive emails.
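The SPF alignment condition and the subdomain requirement described above can be checked against a message's headers. The following Python sketch is an added example, not code from Amazon SES or its documentation. It assumes the Return-Path header carries the MAIL FROM address, approximates the organizational domain used by DMARC's relaxed mode as the last two labels, and does not evaluate the SPF record itself; the function names and sample messages are constructed.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages (not real traffic); local parts are made up.
DEFAULT_MAIL_FROM = (
    "Return-Path: <0100abc-000000@amazonses.com>\n"
    "From: Example Sender <news@example.com>\n"
    "Subject: default MAIL FROM\n\nbody\n"
)
CUSTOM_MAIL_FROM = (
    "Return-Path: <0100abc-000000@bounce.example.com>\n"
    "From: Example Sender <news@example.com>\n"
    "Subject: custom MAIL FROM\n\nbody\n"
)

def domain_of(header_value):
    """Lower-cased domain of the address in a header, or '' if there is none."""
    address = parseaddr(header_value or "")[1]
    return address.rpartition("@")[2].lower().rstrip(".")

def org_domain(domain):
    # Assumption: the organizational domain is the last two labels. Real DMARC
    # evaluators use the Public Suffix List (needed for e.g. example.co.uk).
    return ".".join(domain.split(".")[-2:])

def spf_alignment(raw_message, strict=False):
    """Compare the MAIL FROM (Return-Path) domain with the "From" domain."""
    msg = message_from_string(raw_message)
    from_dom = domain_of(msg["From"])
    mail_from_dom = domain_of(msg["Return-Path"])
    if not from_dom or not mail_from_dom:
        aligned = False  # e.g. a bounce with an empty Return-Path "<>"
    elif strict:
        aligned = from_dom == mail_from_dom
    else:
        aligned = org_domain(from_dom) == org_domain(mail_from_dom)
    return {"from": from_dom, "mail_from": mail_from_dom, "aligned": aligned}

def is_valid_mail_from(mail_from_domain, identity):
    """Requirement from the list above: a subdomain of the verified identity."""
    identity_dom = identity.rpartition("@")[2].lower()
    return mail_from_domain.lower().endswith("." + identity_dom)

if __name__ == "__main__":
    for name, raw in (("default", DEFAULT_MAIL_FROM), ("custom", CUSTOM_MAIL_FROM)):
        print(name, spf_alignment(raw), spf_alignment(raw, strict=True)["aligned"])
    print(is_valid_mail_from("bounce.example.com", "example.com"))
```

With the default MAIL FROM domain the two domains do not align, so DMARC can pass only through DKIM. With a custom subdomain they align in relaxed mode but not in strict mode, because a MAIL FROM subdomain is never identical to the "From" domain.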
To set the MAIL FROM domain for a verified identity, you configure the verified identity using the Amazon SES console or API and publish an MX record (and optionally, an SPF record) to your MAIL FROM domain's DNS server. If at any point you want to return to using the default Amazon SES MAIL FROM domain, you can remove your MAIL FROM domain from the verified identity's settings. These procedures are described in the following sections.
For a description of custom MAIL FROM domain setup states, see MAIL FROM Domain Setup States.