Amazon Simple Email Service
Developer Guide (API Version 2010-12-01)

Authenticating Email with SPF in Amazon SES

Sender Policy Framework (SPF) provides a means for tracing an email message back to the system from which it was sent.

To be SPF-compliant, an email sender publishes one or more DNS records that establish the sending domain's identity. These DNS records are usually specified as TXT (text); they identify a set of hosts that are authorized to send email. After these DNS records are created and published, ISPs can authenticate a host by comparing its IP address with the set of IP addresses specified in the SPF record.


If you want to implement Domain-based Message Authentication, Reporting and Conformance (DMARC), you must enable DKIM. DMARC requires authentication via SPF and/or DKIM to verify your domain. SPF alone will not comply with DMARC because the "Mail From" domain of email sent through Amazon SES is (or a subdomain of that), which is different from your sending domain. Using DKIM enables DMARC to verify your sending domain. For information about how to set up DKIM with Amazon SES, see Authenticating Email with DKIM in Amazon SES.

For more information about SPF, go to and RFC 7208.

Domains with Preexisting SPF Records

If your "From" domain already has an SPF record, then you will need to add the following mechanism to it:


If you have an existing SPF record, then you must add this mechanism—otherwise, ISPs that examine "From:" headers might reject email that you send using Amazon SES.

Adding a New SPF Record

If your "From" domain does not have an SPF record, we recommend that you add one to ensure that ISPs do not reject your email. The following is an example TXT record that you can publish to enable SPF:

"v=spf1 -all"


If you use "-all" as shown in the example above, ISPs may block email from IP addresses that are not listed in your SPF record. You therefore must add a record for every IP address that you send email from. As a debugging aid, you can use "~all" instead. When you use "~all", ISPs will typically accept email from IP addresses that are not listed. However, they may flag it. To maximize deliverability, use "-all" and add a record for each IP address.