Fix guide

How to Fix DMARC Alignment for Amazon SES

Amazon SES DMARC alignment requires Easy DKIM setup — three CNAME records that allow SES to sign email with your domain. Without these, SES signs with Amazon's domain, failing DMARC alignment. Optionally, a custom MAIL FROM domain enables SPF alignment too.

Why alignment fails

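Without Easy DKIM, SES signs with Amazon's domain instead of yours, so the DKIM signature does not align with your From: domain. Without a custom MAIL FROM, the Return-Path is also under amazonses.com, so SPF does not align either. See DMARC and DKIM in the glossary.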
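The alignment logic behind this, as an added example (not code from this guide or from AWS): it compares the From: domain with the Return-Path domain and each DKIM d= domain for three constructed messages. It assumes SPF and DKIM verification already passed and approximates the organizational domain as the last two labels; the bounce-id local part and the selector are placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

def org_domain(domain):
    # Assumption: organizational domain = last two labels. A production
    # evaluator consults the Public Suffix List (needed for e.g. co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, strict=False):
    # Strict mode (adkim=s / aspf=s) needs an exact match; relaxed mode
    # only needs the same organizational domain.
    if strict:
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def check_alignment(raw, strict=False):
    # Alignment only: assumes SPF and every DKIM signature already verified.
    msg = message_from_string(raw)
    from_dom = parseaddr(msg["From"])[1].rpartition("@")[2]
    rp_dom = parseaddr(msg["Return-Path"])[1].rpartition("@")[2]
    dkim_doms = [m.group(1) for h in msg.get_all("DKIM-Signature", [])
                 for m in [re.search(r"(?:^|;)\s*d=([^;\s]+)", h)] if m]
    spf = aligned(rp_dom, from_dom, strict)
    dkim = any(aligned(d, from_dom, strict) for d in dkim_doms)
    return {"spf_aligned": spf, "dkim_aligned": dkim,
            "dmarc_aligned": spf or dkim}

def sample(mail_from_domain, dkim_domains):
    # Constructed headers, not captured from a real SES message.
    lines = [f"Return-Path: <bounce-id@{mail_from_domain}>"]
    lines += [f"DKIM-Signature: v=1; a=rsa-sha256; d={d}; s=constructed; b=AAAA"
              for d in dkim_domains]
    lines += ["From: Alerts <alerts@yourdomain.com>", "Subject: test", "", "body"]
    return "\n".join(lines)

SES_DEFAULT = sample("amazonses.com", ["amazonses.com"])
EASY_DKIM = sample("amazonses.com", ["yourdomain.com", "amazonses.com"])
FULL = sample("mail.yourdomain.com", ["yourdomain.com", "amazonses.com"])

if __name__ == "__main__":
    for name, raw in [("default", SES_DEFAULT), ("easy dkim", EASY_DKIM),
                      ("easy dkim + mail from", FULL)]:
        print(name, check_alignment(raw), check_alignment(raw, strict=True))
```

Under strict SPF alignment (aspf=s) a MAIL FROM subdomain such as mail.yourdomain.com does not align with a From: address at yourdomain.com, so DMARC then rests on the DKIM signature alone.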

Exact DNS records

Easy DKIM (tokens from SES console):

[token1]._domainkey.yourdomain.com → CNAME → [token1].dkim.amazonses.com
[token2]._domainkey.yourdomain.com → CNAME → [token2].dkim.amazonses.com
[token3]._domainkey.yourdomain.com → CNAME → [token3].dkim.amazonses.com

Custom MAIL FROM (optional, replace region):

mail.yourdomain.com → MX → 10 feedback-smtp.[region].amazonses.com
mail.yourdomain.com → TXT → "v=spf1 include:amazonses.com ~all"

Step-by-step fix

Step 1 AWS Console → SES → Verified identities → your domain
Step 2 Click Assign a MAIL FROM domain (optional but recommended for SPF alignment)
Step 3 Enable Easy DKIM and select RSA 2048-bit
Step 4 Copy all CNAME records from the SES console
Step 5 Add CNAMEs to your DNS provider
Step 6 Wait for SES to show DKIM status as Successful
Step 7 Run DNS Preflight — note that SES DKIM tokens are account-specific and cannot be auto-verified externally


FAQ

Why can't DNS Preflight verify my SES DKIM?

SES uses account-specific DKIM tokens that are unique to your AWS account. External DNS lookups cannot confirm alignment — verify in the SES console directly.

Do I need a custom MAIL FROM domain for SES?

Not required but recommended. Without it, SES uses amazonses.com as the Return-Path, which fails SPF alignment. A custom MAIL FROM enables full SPF + DKIM alignment.

What region should I use for the MAIL FROM MX record?

Use the region where your SES sending is configured — e.g. us-east-1 becomes feedback-smtp.us-east-1.amazonses.com.

How do I know if SES Easy DKIM is working?

In the AWS SES console, go to Verified identities → your domain → DKIM tab. The status shows Successful when all 3 CNAMEs are verified.

Does SES work with DMARC p=reject?

Yes, once Easy DKIM is configured and DKIM alignment passes. Test with p=quarantine first and monitor aggregate reports.