When you first set up Amazon SES to send emails, you may find that your emails show a "Via amazonses.com" warning in the recipient's mailbox.

This warning means you haven't authorized Amazon SES to deliver emails for you, so the mailbox provider treats the email as sent by Amazon SES instead of your brand.

To authorize Amazon SES to send emails for you, you need to set up SPF and DKIM for Amazon SES. This is a process also known as email domain authentication.

Setting up SPF and DKIM for Amazon SES has 2 benefits:

  • your emails are more likely to reach the inbox;
  • the "Via amazonses.com" warning is removed, and your emails are perceived as coming from your brand, instead of Amazon SES. This boosts user engagement, as the user is more likely to open the email.

How to set up SPF and DKIM for Amazon SES:

  1. Set up SPF

    There are two possible scenarios here. One is that you use subdomain.amazonses.com as the MAIL FROM domain to deliver the emails; the other is that you use your own domain to deliver them. These two scenarios are handled differently.

    In the first scenario where you use subdomain.amazonses.com as the MAIL FROM domain, since Amazon has already published an SPF record on amazonses.com, all emails sent via that domain pass the SPF check by default.

    Therefore, you don't need to set up anything in this scenario. It will just work.

    In the second scenario where you use your own domain as the MAIL FROM domain, you need to create a new SPF record or update your existing SPF record on that domain:

    • if you have no SPF record on your domain, simply publish the following SPF record on it:

      v=spf1 include:amazonses.com -all
    • if you already have an SPF record, simply insert include:amazonses.com right before the terminating mechanism in that record.

      For example, if your current SPF record looks like this:

      v=spf1 a -all

      update it to:

      v=spf1 a include:amazonses.com -all
  2. Set up DKIM

    Amazon SES provides two options to set up DKIM:

    • set up an identity (domain or email address) so that Amazon SES adds a DKIM signature to every message sent using that identity;
    • provide your own key pair for DKIM authentication.

    For more info, refer to: Authenticating Email with DKIM in Amazon SES.
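
The SPF update from step 1, as an added example (not code from the original article or from AWS): a Python helper that inserts include:amazonses.com before the terminating mechanism of an existing record. It goes beyond the "a -all" case on the page by also handling ~all and ?all, records that end in redirect=, and the limit of 10 DNS-lookup terms in RFC 7208; the function names and sample records are constructed for illustration.

```python
import re

SES_INCLUDE = "include:amazonses.com"
# Terms that each cost one DNS lookup during SPF evaluation (RFC 7208, section 4.6.4).
LOOKUP_TERM = re.compile(
    r"^[+\-~?]?(?:include:|exists:|redirect=|(?:a|mx|ptr)(?:[:/]|$))", re.I)
ALL_TERM = re.compile(r"^[+\-~?]?all$", re.I)


def top_level_lookups(terms):
    """Count lookup-costing terms in this record only (nested includes are not resolved)."""
    return sum(1 for t in terms if LOOKUP_TERM.match(t))


def add_ses_to_spf(record=None):
    """Return the SPF TXT value that authorizes Amazon SES for a custom MAIL FROM domain."""
    if record is None or not record.strip():
        return f"v=spf1 {SES_INCLUDE} -all"      # no record yet: publish the default
    version, *terms = record.split()
    if version.lower() != "v=spf1":
        raise ValueError("not an SPF record: " + record)
    if any(t.lstrip("+").lower() == SES_INCLUDE for t in terms):
        return " ".join([version, *terms])        # already authorized: leave unchanged
    # Insert before the terminating "all". A record that ends in redirect= has no
    # "all", so insert before the redirect; with neither present, append.
    pos = next((i for i, t in enumerate(terms) if ALL_TERM.match(t)), None)
    if pos is None:
        pos = next((i for i, t in enumerate(terms)
                    if t.lower().startswith("redirect=")), len(terms))
    terms.insert(pos, SES_INCLUDE)
    if top_level_lookups(terms) > 10:
        raise ValueError("more than 10 DNS-lookup terms: receivers will return permerror")
    return " ".join([version, *terms])


if __name__ == "__main__":
    # Constructed sample records (192.0.2.10 and example.net are documentation values).
    samples = [None, "v=spf1 a -all", "v=spf1 mx ~all",
               "v=spf1 ip4:192.0.2.10 redirect=_spf.example.net"]
    for rec in samples:
        print(repr(rec), "->", add_ses_to_spf(rec))
```

The lookup count covers only the terms written in this record, so a result that passes here can still exceed the limit once the included domains' own records are resolved.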