Introduction
Amazon SES (Simple Email Service) is AWS's transactional email platform. DMARC alignment requires domain identity setup plus Easy DKIM. This article covers the AWS-specific implementation.
How to set up SES for DMARC
- AWS Console → SES → Identities → Create identity → Domain.
- Enter your domain.
- Enable DKIM (Easy DKIM). AWS generates three CNAMEs.
- Publish CNAMEs in DNS.
- Verify in SES; status becomes "Verified."
SPF setup
Add the Amazon SES SPF include:
```text
v=spf1 include:amazonses.com -all
```
Combine it with other includes carefully: each include counts against SPF's DNS lookup budget.
Step-by-step approach
- Create SES domain identity.
- Enable Easy DKIM, publish CNAMEs.
- Send a test message.
- Verify DKIM signing in headers.
- Watch aggregate reports for alignment.
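The "verify DKIM signing in headers" step can be scripted. The following is an added example, not part of the original article or of AWS tooling: it reads the `DKIM-Signature` headers of a received test message and reports which signing domains (`d=`) align with the From domain. The sample message, domains and selectors are constructed, and the organizational-domain logic is a simplification (last two labels instead of the Public Suffix List).

```python
import email
import re
from email.utils import parseaddr

# Constructed sample: headers of a test message as a receiver might store them.
# Domains, selectors and signature values are placeholders.
SAMPLE = """\
From: Alerts <alerts@mail.example.com>
To: user@example.net
Subject: SES test
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; s=selector1;
 d=example.com; h=From:To:Subject; bh=PLACEHOLDER; b=PLACEHOLDER
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; s=selector2;
 d=amazonses.com; h=From:To:Subject; bh=PLACEHOLDER; b=PLACEHOLDER

body
"""

def org_domain(domain):
    # Assumption: last two labels. Real DMARC evaluation uses the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def dkim_domains(msg):
    """Return the d= tag of every DKIM-Signature header, unfolding wrapped lines."""
    out = []
    for value in msg.get_all("DKIM-Signature", []):
        unfolded = re.sub(r"\s+", "", value)
        tags = dict(t.split("=", 1) for t in unfolded.split(";") if "=" in t)
        if "d" in tags:
            out.append(tags["d"].lower())
    return out

def dkim_alignment(raw, strict=False):
    """Map each signing domain to True/False for alignment with the From domain.
    This checks alignment only; it does not verify the signature itself."""
    msg = email.message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    results = {}
    for d in dkim_domains(msg):
        if strict:
            results[d] = d == from_domain
        else:
            results[d] = org_domain(d) == org_domain(from_domain)
    return from_domain, results

if __name__ == "__main__":
    print(dkim_alignment(SAMPLE))
```

A message whose only signature carries a non-aligned `d=` value, such as the second one in the sample, would not satisfy DMARC through DKIM.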
Best practices
- Use Easy DKIM. Easier than BYO keys.
- Plan for dedicated IPs if high volume.
- Pair with SES Reputation Dashboard.
- Monitor bounce and complaint rates.
- Document the configuration.
Recommended next step
If you send through SES and have not enabled Easy DKIM yet, enable it. It is required for DMARC alignment.
FAQ
Does SES sign with the customer domain by default?
No — Easy DKIM must be configured.
What about sandbox mode?
SES starts in sandbox; request production access before scaling.
Can I use BYO DKIM keys with SES?
Yes — for advanced setups. Easy DKIM is simpler for most.
Does SES support BIMI?
Yes, once DMARC is at enforcement.
How does SES handle SPF for high-volume sending?
Use dedicated IPs and properly configured SPF.
Final thoughts
SES + DMARC is a clean AWS-native setup. Easy DKIM handles most cases; document for governance.