Amazon Simple Email Service
Developer Guide (API Version 2010-12-01)

Authenticating Email with SPF in Amazon SES

Sender Policy Framework (SPF) provides a means for tracing an email message back to the system from which it was sent.

To be SPF-compliant, an email sender publishes one or more DNS records that establish the sending domain's identity. These DNS records are usually specified as TXT (text); they identify a set of hosts that are authorized to send email. After these DNS records are created and published, ISPs can authenticate a host by comparing its IP address with the set of IP addresses specified in the SPF record.

Amazon SES sends your emails from a "Mail From" domain that Amazon SES owns. You therefore do not need to make any changes to your DNS records for your emails to pass SPF authentication. For more information, see SPF and Amazon SES on the Amazon SES blog.


If you want to implement Domain-based Message Authentication, Reporting and Conformance (DMARC), you must enable DKIM. DMARC requires authentication via SPF and/or DKIM to verify your domain. SPF alone will not comply with DMARC because the "Mail From" domain of email sent through Amazon SES is (or a subdomain of that), which is different from your sending domain. Using DKIM enables DMARC to verify your sending domain. For information about how to set up DKIM with Amazon SES, see Authenticating Email with DKIM in Amazon SES.
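The sketch below is an added example, not code from Amazon SES or its documentation. It shows why a message can pass SPF and still fail DMARC unless an aligned DKIM signature is present. The domains, IP ranges and function names are constructed for illustration; the SPF evaluator handles only the `ip4`, `ip6` and `all` mechanisms, and the organizational-domain check is a two-label simplification of what real receivers do.

```python
import ipaddress

# Constructed SPF records standing in for DNS TXT lookups (documentation ranges).
SPF_RECORDS = {
    "bounces.esp.example": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 -all",
    "shop.example": "v=spf1 ip4:203.0.113.10 -all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_check(mail_from_domain, client_ip, records=SPF_RECORDS):
    """Evaluate ip4/ip6/all only, a subset of RFC 7208 (no include, a, mx, redirect)."""
    terms = records.get(mail_from_domain.lower(), "").split()
    if not terms or terms[0] != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        result = QUALIFIERS.get(term[0], "pass")  # the default qualifier is "+"
        mech = term.lstrip("+-~?")
        if mech == "all":
            return result
        name, _, value = mech.partition(":")
        if name in ("ip4", "ip6") and value:
            net = ipaddress.ip_network(value, strict=False)
            if ip.version == net.version and ip in net:
                return result
    return "neutral"

def org_domain(domain):
    # Assumption: last two labels. Real receivers use the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def dmarc_evaluate(from_domain, mail_from_domain, client_ip, dkim_pass_domains=()):
    """dkim_pass_domains: d= values of signatures already verified elsewhere."""
    spf = spf_check(mail_from_domain, client_ip)
    # SPF counts for DMARC only if it passes AND the MAIL FROM domain aligns
    # (relaxed mode) with the domain in the From header.
    spf_aligned = spf == "pass" and org_domain(mail_from_domain) == org_domain(from_domain)
    dkim_aligned = any(org_domain(d) == org_domain(from_domain) for d in dkim_pass_domains)
    return {"spf": spf, "spf_aligned": spf_aligned, "dkim_aligned": dkim_aligned,
            "dmarc": "pass" if (spf_aligned or dkim_aligned) else "fail"}

if __name__ == "__main__":
    # Mail sent through a provider: SPF passes for the provider's domain only.
    print(dmarc_evaluate("shop.example", "bounces.esp.example", "198.51.100.7"))
    # Same message with an aligned, verified DKIM signature.
    print(dmarc_evaluate("shop.example", "bounces.esp.example", "198.51.100.7",
                         dkim_pass_domains=("shop.example",)))
```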

For more information about SPF, go to and RFC 7208.