What do I do when my Amazon SES emails fail DMARC validation for SPF alignment or DKIM alignment?

The emails that I send from Amazon Simple Email Service (Amazon SES) fail Domain-based Message Authentication Reporting and Conformance (DMARC) validation for Sender Policy Framework (SPF) alignment or DomainKeys Identified Mail (DKIM) alignment.

Short description

For both SPF alignment and DKIM alignment, your emails must meet either strict alignment or relaxed alignment, depending on which mode your DMARC record specifies.

To check for SPF alignment, DMARC matches the Mail From or Envelope From domain with the From domain. Strict alignment is when the Mail From or Envelope From domain is the same as the From domain. Relaxed alignment is when the Mail From or Envelope From domain is a subdomain of the From domain.

To check for DKIM alignment, DMARC matches the d= domain in the DKIM signature with the From domain. Strict alignment is when the d= domain is the same as the From domain. Relaxed alignment is when the d= domain is a subdomain of the From domain.

Resolution

Use relaxed alignment for SPF or DKIM in your DMARC record

To help your emails pass DMARC validation, use relaxed alignment.

To determine your domain's DMARC alignment for SPF and DKIM, run the following command:

nslookup -type=TXT _dmarc.example.com

The command returns your DMARC record, similar to the following:

"v=DMARC1;p=quarantine;pct=25;rua=mailto:hello@example.com"

For SPF authentication, if the record doesn't include an aspf tag or includes the aspf=r string, then your domain uses relaxed alignment. The preceding example doesn't include an aspf tag, so the example domain uses relaxed alignment. If the record includes the aspf=s string, then your domain uses strict alignment.

For DKIM, if the record doesn't include an adkim tag or includes the string adkim=r, then your domain uses relaxed alignment. If the record includes the adkim=s string, then your domain uses strict alignment.

Only your system administrator can change from strict alignment to relaxed alignment.

Comply with DMARC through SPF authentication

To make sure that your messages comply with DMARC through SPF authentication, verify the following configurations:

  • Your MAIL FROM domain's SPF record must contain include:amazonses.com.
  • The MAIL FROM domain that the sending mail server specifies to the receiving mail server matches the FROM address in the email header.

When you use Amazon SES to send emails, the MAIL FROM domain is a subdomain of amazonses.com by default. Your From domain is the domain that you send the email from. If the MAIL FROM domain doesn't match the From domain, then SPF alignment fails for DMARC validation.

To resolve this issue, you must set up a custom MAIL FROM domain on the verified identity that you send emails from. Custom MAIL FROM domains are always subdomains of the parent domain. For example, if your verified domain (the From domain) is example.com, then you can set up the custom MAIL FROM domain to be mail.example.com.

SPF authentication checks the MAIL FROM domain, so add the SPF record on your custom MAIL FROM subdomain in Amazon SES. Because custom MAIL FROM domains are subdomains of the From domain, your DMARC record must use relaxed alignment for SPF (aspf=r).

Comply with DMARC through DKIM authentication

To make sure that your messages comply with DMARC through DKIM authentication, verify the following configurations:

  • The message has a valid DKIM signature and passes the DKIM check.
  • The From address in the email header matches the d= domain in the DKIM signature.

When you use Easy DKIM in Amazon SES, you get three CNAME records. To check the DKIM records that they point to, run the following command on each of the CNAME records:

nslookup -type=CNAME example1._domainkey.example.com

Note: Replace example1._domainkey.example.com with the name of your CNAME record.

The command returns the DKIM record:

example1.dkim.amazonses.com.

It's a best practice to use Easy DKIM because you can meet both DMARC validation requirements through DKIM. You can also choose to manually sign your emails, but Amazon SES doesn't validate the DKIM signature.
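The alignment rules described in the SPF and DKIM sections above, as an added example that is not part of the original article or of Amazon SES: it parses a DMARC TXT record for the aspf and adkim tags and then checks whether a MAIL FROM domain and a DKIM d= domain align with the From domain. It follows this article's definition of relaxed alignment (same domain or a subdomain of the From domain) rather than the full organizational-domain comparison in RFC 7489, and it assumes the underlying SPF and DKIM checks themselves already passed. The DMARC record and the domain names are constructed samples.

```python
# Constructed sample record, mirroring the nslookup output shown in the article.
SAMPLE_DMARC = '"v=DMARC1;p=quarantine;pct=25;rua=mailto:hello@example.com"'


def parse_dmarc(txt):
    """Parse a DMARC TXT record into a dict of tag -> value.

    Tags are separated by ';'; surrounding quotes and whitespace are ignored.
    """
    tags = {}
    for part in txt.strip().strip('"').split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC1 record")
    return tags


def alignment_mode(tags, tag):
    """Return 'r' (relaxed) or 's' (strict) for 'aspf' or 'adkim'.

    A missing tag means relaxed, as the article states.
    """
    mode = tags.get(tag, "r").lower()
    if mode not in ("r", "s"):
        raise ValueError(f"invalid {tag} value: {mode}")
    return mode


def is_aligned(auth_domain, from_domain, mode):
    """Strict: same domain. Relaxed: same domain or a subdomain of the From domain.

    The '.' prefix prevents 'notexample.com' from matching 'example.com'.
    """
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    if a == f:
        return True
    return mode == "r" and a.endswith("." + f)


def dmarc_alignment(txt, from_domain, mail_from_domain, dkim_d_domain):
    """Evaluate SPF and DKIM alignment for one message; DMARC needs either one to align."""
    tags = parse_dmarc(txt)
    spf_ok = is_aligned(mail_from_domain, from_domain, alignment_mode(tags, "aspf"))
    dkim_ok = is_aligned(dkim_d_domain, from_domain, alignment_mode(tags, "adkim"))
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok, "dmarc_pass": spf_ok or dkim_ok}


if __name__ == "__main__":
    # 'ses-default.amazonses.com' is a constructed placeholder for the default SES MAIL FROM.
    print(dmarc_alignment(SAMPLE_DMARC, "example.com", "ses-default.amazonses.com", "example.com"))
    print(dmarc_alignment(SAMPLE_DMARC, "example.com", "mail.example.com", "example.com"))
```

The first call shows the failure mode from the article (default MAIL FROM under amazonses.com never aligns), rescued only by DKIM; the second shows the custom MAIL FROM subdomain passing under relaxed aspf.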