Complying with DMARC authentication protocol in Amazon SES
Domain-based Message Authentication, Reporting and Conformance (DMARC) is an email authentication protocol that uses Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) to detect email spoofing. In order to comply with DMARC, messages must be authenticated through either SPF or DKIM, or both.
This topic contains information that will help you configure Amazon SES so that the emails you
send comply with both SPF and DKIM. By complying with one of these authentication systems,
your emails will comply with DMARC. For information about the DMARC specification, see
http://www.dmarc.org
Setting up the DMARC policy on your domain
To set up DMARC, you have to modify the DNS settings for your domain. The DNS settings for your domain should include a TXT record that specifies the domain's DMARC settings. The procedures for adding TXT records to your DNS configuration depend on which DNS or hosting provider you use. If you use RouteĀ 53, see Working with Records in the Amazon RouteĀ 53 Developer Guide. If you use another provider, see the DNS configuration documentation for your provider.
The name of the TXT record you create should be
_dmarc., where
example.comexample.com
| Name | Type | Value |
|---|---|---|
_dmarc.example.com |
TXT |
"v=DMARC1;p=quarantine;pct=25;rua=mailto:dmarcreports@example.com" |
In plain language, this policy tells email providers to do the following:
-
Apply the DMARC policy to 25% of messages, of which any of these that fail authentication, send them to the Spam folder (you can also do nothing by using
p=none, or reject the messages outright by usingp=reject).-
pctis an optional DMARC tag that takes a plain-text integer between 0 and 100, inclusive (if this tag isn't used, all messages are subject to the DMARC policy).
-
-
Send reports about all emails that failed authentication in a digest (that is, a report that aggregates the data for a certain time period, rather than sending individual reports for each event). Email providers typically send these aggregated reports once per day, although these policies differ from provider to provider.
To learn more about configuring DMARC for your domain, see the Overview
For complete specifications of the DMARC system, see RFC 7489
Complying with DMARC through SPF
For an email to comply with DMARC based on SPF, both of the following conditions must be met:
-
The email must pass an SPF check.
-
The domain in the From address of the email header must align with the MAIL FROM domain that the sending mail server specifies to the receiving mail server. If the domain's DMARC policy for SPF specifies strict alignment, the From and MAIL FROM domains must match exactly. If the domain's DMARC policy for SPF specifies relaxed alignment, the MAIL FROM domain can be a subdomain of the domain in the From header.
To comply with these requirements, complete the following steps:
-
Set up a custom MAIL FROM domain by completing the procedures in Using a custom MAIL FROM domain.
-
Ensure that your sending domain uses a relaxed policy for SPF. If you haven't changed your domain's policy alignment, it uses a relaxed policy by default.
Note
You can determine your domain's DMARC alignment for SPF by typing the following command at the command line, replacing
example.comnslookup -type=TXT _dmarc.example.comIn the output of this command, under Non-authoritative answer, look for a record that begins with
v=DMARC1. If this record includes the stringaspf=r, or if theaspfstring is not present at all, then your domain uses relaxed alignment for SPF. If the record includes the stringaspf=s, then your domain uses strict alignment for SPF. Your system administrator will need to remove this tag from the DMARC TXT record in your domain's DNS configuration.Alternatively, you can use a web-based DMARC lookup tool, such as the DMARC Inspector
from the dmarcian website or the DMARC Check tool from the Proofpoint website, to determine your domain's policy alignment for SPF.
Complying with DMARC through DKIM
For an email to comply with DMARC based on DKIM, both of the following conditions must be met:
-
The message must have a valid DKIM signature.
-
The From address in the email header must align with the domain in the DKIM signature. If the domain's DMARC policy specifies strict alignment for DKIM, these domains must match exactly. If the domain's DMARC policy specifies relaxed alignment for DKIM, the domain can be a subdomain of the From domain.
To comply with these requirements, complete the following steps:
-
Set up Easy DKIM by completing the procedures in Easy DKIM in Amazon SES. When you use Easy DKIM, Amazon SES automatically signs your emails.
Note
Rather than use Easy DKIM, you can also manually sign your messages. However, use caution if you choose to do so, because Amazon SES does not validate the DKIM signature that you construct. For this reason, we highly recommend using Easy DKIM.
-
Ensure that your sending domain uses a relaxed policy for DKIM. If you haven't changed your domain's policy alignment, it uses a relaxed policy by default.
Note
You can determine your domain's DMARC alignment for DKIM by typing the following command at the command line, replacing
example.comnslookup -type=TXT _dmarc.example.comIn the output of this command, under Non-authoritative answer, look for a record that begins with
v=DMARC1. If this record includes the stringadkim=r, or if theadkimstring is not present at all, then your domain uses relaxed alignment for DKIM. If the record includes the stringadkim=s, then your domain uses strict alignment for DKIM. Your system administrator will need to remove this tag from the DMARC TXT record in your domain's DNS configuration.Alternatively, you can use a web-based DMARC lookup tool, such as the DMARC Inspector
from the dmarcian website or the DMARC Check tool from the Proofpoint website, to determine your domain's policy alignment for DKIM.
