What do I do if my Amazon SES emails fail DMARC validation for SPF alignment or DKIM alignment?

4 minute read
1

The emails that I send using Amazon Simple Email Service (Amazon SES) are failing Domain-based Message Authentication, Reporting and Conformance (DMARC) validation for Sender Policy Framework (SPF) alignment or DomainKeys Identified Mail (DKIM) alignment. How can I fix this?

Short description

DMARC is an email authentication protocol that uses SPF and DKIM to detect email spoofing. To comply with DMARC, your messages must be authenticated through either SPF or DKIM, or both.

For DMARC validation of SPF alignment or DKIM alignment, the key components in an email header are:

  • A From address that's displayed to the message recipient
  • A Mail From or Envelope From address that indicates where the message originated from
  • A d= domain in the DKIM signature

DMARC checks SPF alignment by matching the Mail From or Envelope From domain with the From domain. One of the following alignments must be met:

  • Strict alignment: The Mail From or Envelope From domain is the same as the From domain.
  • Relaxed alignment: The Mail From or Envelope From domain is a subdomain of the From domain.

DMARC checks DKIM alignment by matching the d= domain in the DKIM signature and the From domain. One of the following alignments must be met:

  • Strict alignment: The d= domain is the same as the From domain.
  • Relaxed alignment: The d= domain is a subdomain of the From domain.

Resolution

To pass DMARC validation, your emails must comply with either SPF authentication or DKIM authentication.

Use relaxed alignment for SPF or DKIM in your DMARC record

Using relaxed alignment for either SPF or DKIM can help your emails pass DMARC validation.

To determine your domain's DMARC alignment for SPF and DKIM, run the following command:

nslookup -type=TXT _dmarc.example.com

The command returns your DMARC record, similar to the following:

"v=DMARC1;p=quarantine;pct=25;rua=mailto:hello@example.com"

For SPF, if the record doesn't include an aspf string (as in the preceding example), or the record includes the string aspf=r, then your domain uses relaxed alignment. If the record includes the stringaspf=s, then your domain uses strict alignment.

For DKIM, if the record doesn't include an adkim string, or the record includes the string adkim=r, then your domain uses relaxed alignment. If the record includes the string adkim=s, then your domain uses strict alignment.

The change from strict alignment to relaxed alignment must be made by your system administrator.

Comply with DMARC through SPF

To get your SPF record, run the following command:

nslookup -type=TXT example.com

The command returns your SPF record, similar to the following:

"v=spf1 include:amazonses.com ~all"

To be sure that your messages are compliant with DMARC through SPF, check the following:

1.    Your messages must pass the SPF check. This means that your domain's SPF record must have "include:amazonses.com", which authorizes Amazon SES to send emails on behalf of your domain.

2.    The domain in the From address of the email header must align with the Mail From or Envelope From domain that the sending mail server specifies to the receiving mail server.

When you send emails using Amazon SES, the Mail From or Envelope From domain is amazonses.com by default, and your From domain is the domain that you verified. These values fail SPF alignment and DMARC validation.

To resolve this, you must set up a custom MAIL FROM domain so that the Mail From value is a subdomain of your verified domain. For example, if your verified domain (the From domain) is example.com, then you can set up the custom Mail From domain to be mail.example.com. These values pass SPF alignment and DMARC validation.

Note: With Amazon SES, you add the SPF record as part of your custom Mail From subdomain. For instructions, see Configuring the MAIL FROM domain.

Comply with DMARC through DKIM

When you use Easy DKIM in Amazon SES, you're given three CNAME records. To check the respective DKIM records, run the following command on each of the CNAMEs:

nslookup -type=CNAME example1._domainkey.example.com

The command returns the DKIM record:

example1.dkim.amazonses.com.

To be sure that your messages are compliant with DMARC through DKIM, check the following:

1.    The message must have a valid DKIM signature.

2.    The From address in the email header must align with the d= domain in the DKIM signature.

It's a best practice to set up Easy DKIM, because this feature allows you to meet both DMARC validation requirements through DKIM. You can also choose to manually sign your emails, but Amazon SES doesn't validate the DKIM signature that you construct.


AWS OFFICIAL
AWS OFFICIALUpdated 2 years ago