Amazon SES DMARC Failing? Here's Why, and the Fix
SES-specific DMARC troubleshooting, not a generic DMARC explainer. Covers exactly why SES's defaults fail alignment and the precise DNS fix.
Why Amazon SES Fails DMARC Out of the Box
If Amazon SES DMARC is failing for you, the cause is almost always alignment, not a broken SPF or DKIM record. DMARC does not check SPF or DKIM directly. It checks whether the domain in your visible From address aligns with the domain that actually passed SPF or DKIM. Amazon SES's defaults break both alignment paths at once, which is why DMARC failing on SES is so common even when SPF and DKIM individually look fine.
The SPF path fails by default. Every message you send through Amazon SES automatically uses a subdomain of amazonses.com as its MAIL FROM, or envelope/Return-Path, domain, unless you configure your own. SPF passes against that amazonses.com subdomain since Amazon SES is authorized to send from it, but SPF-based DMARC alignment requires the domain in your From address to match the MAIL FROM domain. amazonses.com never matches yourdomain.com, so alignment fails even though SPF itself technically passed.
The DKIM path fails by default too, for a similar reason. Amazon SES signs your outgoing mail with d=amazonses.com whenever the sending identity is verified only as an email address, or when you have not enabled Easy DKIM for your own verified domain. DKIM-based alignment needs the signing domain to match your From domain, and again, amazonses.com does not match yours.
Since DMARC only needs one of SPF or DKIM to align, most senders only need to fix one path. But SES's defaults fail both simultaneously, which is exactly why a fresh SES setup so often reports a full DMARC failure rather than a partial one.
Fix 1: Set Up a Custom MAIL FROM Domain (Fixes SPF Alignment)
This is the fix for the SPF path. A custom MAIL FROM domain has specific rules: it must be a subdomain of the same parent domain as your verified identity, and it must not be a subdomain you also use to send or receive regular mail.
Setup requires exactly two DNS records, published to the MAIL FROM subdomain's own DNS, not your root domain: one MX record, priority 10, pointing at feedback-smtp.{your-region}.amazonses.com, and one SPF TXT record authorizing Amazon SES to send from that subdomain.
Two things trip people up here. First, you must publish exactly one MX record. If the subdomain has more than one, the whole setup fails. Second, there is a Behavior on MX failure setting you choose during configuration: Use default MAIL FROM domain silently falls back to the broken amazonses.com default if your MX record is not detected, meaning DMARC keeps failing with no visible error, while Reject message hard-fails the send instead. If you want a configuration mistake to be loud instead of silent, pick reject.
DNS propagation for this can take up to 72 hours. The setup state moves from Pending to Success, or Failed, if the MX record is never detected in that window.
Fix 2: Enable Easy DKIM for Your Domain (Fixes DKIM Alignment)
This is the fix for the DKIM path. Enable Easy DKIM on your domain identity, not just an email-address identity, so Amazon SES signs outgoing mail with your own domain instead of amazonses.com. Whether your DMARC alignment mode is relaxed or strict is a setting in your own domain's DMARC record, the aspf and adkim tags, checked by the receiving mail server. It is not something Amazon SES sets or defaults to. What SES does control is which domain it signs with, and signing with your exact verified domain satisfies alignment under either mode, so this fix works regardless of which alignment mode your DMARC record specifies.
Verifying the Fix
Check your domain's actual DMARC alignment settings from the command line:
dig TXT _dmarc.yourdomain.com
Look for the v=DMARC1 record. If it includes aspf=r, or has no aspf tag at all, your domain uses relaxed SPF alignment. If it includes adkim=r, or has no adkim tag, that is relaxed DKIM alignment. A missing tag still means the default applies; it isn't the same as having no policy at all.
If you are just starting a DMARC rollout rather than fixing an existing failure, do it in phases: p=none to monitor only, then p=quarantine, then p=reject. Moving straight to reject before you have confirmed alignment is clean is how legitimate mail gets silently dropped instead of just flagged.
Related Resources
Keep reading
Related resources
Cold Emails Landing in Spam? How to Fix It
Problem SolverEmail Open Rates Dropping? How to Fix It
Problem SolverDomain Blacklisted? How to Fix and Prevent
AlternativeInstantly Alternative With Your Own Sending Infrastructure
AlternativeSmartlead Alternative With Dedicated Sending Infrastructure