Fix guide

How to Fix DMARC Alignment for Amazon SES

SES mail fails DMARC until Easy DKIM’s three CNAMEs land — SES signs as Amazon until then. Add a custom MAIL FROM if you want bounce-path SPF too.

Why SES fights DMARC

SES signs as Amazon until Easy DKIM proves you own the keys. Skip custom MAIL FROM and your bounce path still says amazonses.com — SPF won’t align. Brush up on DMARC / DKIM if the words feel fuzzy.

Exact DNS records

Easy DKIM (tokens from SES console):

[token1]._domainkey.yourdomain.com → CNAME → [token1].dkim.amazonses.com [token2]._domainkey.yourdomain.com → CNAME → [token2].dkim.amazonses.com [token3]._domainkey.yourdomain.com → CNAME → [token3].dkim.amazonses.com

Custom MAIL FROM (optional, replace region):

mail.yourdomain.com → MX → 10 feedback-smtp.[region].amazonses.com mail.yourdomain.com → TXT → "v=spf1 include:amazonses.com ~all"

Step-by-step fix

Step 1 AWS Console → SES → Verified identities → your domain
Step 2 Click Assign a MAIL FROM domain (optional but recommended for SPF alignment)
Step 3 Enable Easy DKIM and select RSA 2048-bit
Step 4 Copy all CNAME records from the SES console
Step 5 Add CNAMEs to your DNS provider
Step 6 Wait for SES to show DKIM status as Successful
Step 7 Run DNS Preflight — note that SES DKIM tokens are account-specific and cannot be auto-verified externally

Verify alignment and DNS in your browser

Open DNS Preflight →
Related glossary: DMARC · DMARC alignment · DKIM · SPF record

FAQ

Why can't DNS Preflight verify my SES DKIM?

We can’t prove your AWS-only tokens — trust the SES console for green checks on your account.

Do I need a custom MAIL FROM domain for SES?

Strongly yes if you want SPF alignment — bounce path stays @amazonses.com until you add MAIL FROM.

What region should I use for the MAIL FROM MX record?

Match your SES region — us-east-1 pairs with feedback-smtp.us-east-1.amazonses.com.

How do I know if SES Easy DKIM is working?

SES console → Verified identities → your domain → DKIM shows Successful when all three CNAMEs verify.

Does SES work with DMARC p=reject?

Yes, after DKIM aligns — creep policy from none → quarantine → reject while you watch reports.

← All DMARC fix guides

Open DNS Preflight and re-check your zone →