Skip to main content
Problem Solver

Amazon SES DMARC Failing? Here's Why, and the Fix

SES-specific DMARC troubleshooting, not a generic DMARC explainer. Covers exactly why SES's defaults fail alignment and the precise DNS fix.

Why Amazon SES Fails DMARC Out of the Box

If Amazon SES DMARC is failing for you, the cause is almost always alignment, not a broken SPF or DKIM record. DMARC does not check SPF or DKIM directly. It checks whether the domain in your visible From address aligns with the domain that actually passed SPF or DKIM. Amazon SES's defaults break both alignment paths at once, which is why DMARC failing on SES is so common even when SPF and DKIM individually look fine.

The SPF path fails by default. Every message you send through Amazon SES automatically uses a subdomain of amazonses.com as its MAIL FROM, or envelope/Return-Path, domain, unless you configure your own. SPF passes against that amazonses.com subdomain since Amazon SES is authorized to send from it, but SPF-based DMARC alignment requires the domain in your From address to match the MAIL FROM domain. amazonses.com never matches yourdomain.com, so alignment fails even though SPF itself technically passed.

The DKIM path fails by default too, for a similar reason. Amazon SES signs your outgoing mail with d=amazonses.com whenever the sending identity is verified only as an email address, or when you have not enabled Easy DKIM for your own verified domain. DKIM-based alignment needs the signing domain to match your From domain, and again, amazonses.com does not match yours.

Since DMARC only needs one of SPF or DKIM to align, most senders only need to fix one path. But SES's defaults fail both simultaneously, which is exactly why a fresh SES setup so often reports a full DMARC failure rather than a partial one.

Fix 1: Set Up a Custom MAIL FROM Domain (Fixes SPF Alignment)

This is the fix for the SPF path. A custom MAIL FROM domain has specific rules: it must be a subdomain of the same parent domain as your verified identity, and it must not be a subdomain you also use to send or receive regular mail.

Setup requires exactly two DNS records, published to the MAIL FROM subdomain's own DNS, not your root domain: one MX record, priority 10, pointing at feedback-smtp.{your-region}.amazonses.com, and one SPF TXT record authorizing Amazon SES to send from that subdomain.

Two things trip people up here. First, you must publish exactly one MX record. If the subdomain has more than one, the whole setup fails. Second, there is a Behavior on MX failure setting you choose during configuration: Use default MAIL FROM domain silently falls back to the broken amazonses.com default if your MX record is not detected, meaning DMARC keeps failing with no visible error, while Reject message hard-fails the send instead. If you want a configuration mistake to be loud instead of silent, pick reject.

DNS propagation for this can take up to 72 hours. The setup state moves from Pending to Success, or Failed, if the MX record is never detected in that window.

Fix 2: Enable Easy DKIM for Your Domain (Fixes DKIM Alignment)

This is the fix for the DKIM path. Enable Easy DKIM on your domain identity, not just an email-address identity, so Amazon SES signs outgoing mail with your own domain instead of amazonses.com. Whether your DMARC alignment mode is relaxed or strict is a setting in your own domain's DMARC record, the aspf and adkim tags, checked by the receiving mail server. It is not something Amazon SES sets or defaults to. What SES does control is which domain it signs with, and signing with your exact verified domain satisfies alignment under either mode, so this fix works regardless of which alignment mode your DMARC record specifies.

Verifying the Fix

Check your domain's actual DMARC alignment settings from the command line:

dig TXT _dmarc.yourdomain.com

Look for the v=DMARC1 record. If it includes aspf=r, or has no aspf tag at all, your domain uses relaxed SPF alignment. If it includes adkim=r, or has no adkim tag, that is relaxed DKIM alignment. A missing tag still means the default applies; it isn't the same as having no policy at all.

If you are just starting a DMARC rollout rather than fixing an existing failure, do it in phases: p=none to monitor only, then p=quarantine, then p=reject. Moving straight to reject before you have confirmed alignment is clean is how legitimate mail gets silently dropped instead of just flagged.

Related Resources

Your emails deserve the inbox.

7 days free. No card. Cancel anytime.

Start free trial
No card needed
7 days free
Cancel anytime

Keep reading

Related resources

Problem Solver

Cold Emails Landing in Spam? How to Fix It

Your cold emails are going to spam. Here is exactly why it happens and the step by step process to fix it and reach inbox consistently.

Problem Solver

Email Open Rates Dropping? How to Fix It

Diagnose and fix dropping email open rates. Covers deliverability issues, subject line problems, list quality, and sender reputation.

Problem Solver

Domain Blacklisted? How to Fix and Prevent

Your domain is on an email blacklist. Step by step instructions to check which lists, request removal, and prevent it from happening again.

Alternative

Instantly Alternative With Your Own Sending Infrastructure

Instantly uses shared sending pools. EmailQo routes through your own AWS SES. Own your reputation instead of sharing it with thousands of senders.

Alternative

Smartlead Alternative With Dedicated Sending Infrastructure

Smartlead shares your sending reputation with other users. EmailQo gives you your own AWS SES infrastructure. Dedicated sending from $19/mo.