Email provider

SPF setup for Amazon SES

SPF authorises IPs and includes for your envelope sender. Amazon SES gives you the include: you must add to your domain’s single SPF TXT.

Common mistake: Verifying domain without enabling DKIM — Easy DKIM CNAMEs must be present and verified.

Step by step

Step 1 AWS Console → SESVerified identities → your domain → DKIM → Easy DKIM.
Step 2 At Cloudflare, Route 53, or wherever your domain’s zone lives — not inside Amazon SES’s SPF editor if they don’t host DNS.
Step 3 Merge with your other senders into one v=spf1 line. Example baseline including Amazon SES:
v=spf1 include:amazonses.com ~all
Step 4 If you already have SPF, add include:... before ~all — never publish two SPF TXT records.
Step 5 TTL 300–3600s. Propagation: minutes to an hour depending on resolver.
Step 6 Run DNS Preflight — confirm SPF resolves and lookup count stays under 10. DMARC alignment: DMARC fixes.

DNS Preflight — verify SPF, DKIM, DMARC in one pass.

Open DNS Preflight →

DMARC alignment — fixes when reports show failures.

DMARC fix guides →

FAQ

What SPF include does Amazon SES need?

Use the include string on this page — merge into your single SPF TXT with other mail sources.

Can I have two SPF records?

No. Merge into one v=spf1 or receivers return PermError.

Where do I edit SPF?

At your DNS host (Route 53, Cloudflare, etc.) — not always inside the email product.

How do I know it worked?

DNS Preflight shows your SPF string and lookup count.

Why does DMARC still fail?

SPF alone doesn’t align if Return-Path is different — you need DKIM alignment or aligned SPF. See /fix/dmarc/.

← Amazon SES hub · All email providers