DMARC (RFC 7489) tells receiving mail servers what to do when a message claiming to be from your domain fails SPF or DKIM. You publish exactly one DMARC record at `_dmarc.<your-domain>`, regardless of which ESP you use — DMARC is a domain-level policy, not a per-sender configuration. Amazon SES doesn't run DMARC for you, but their SPF + DKIM setup is what makes your DMARC checks pass.
Start every domain at `p=none` with a `rua` (aggregate report) address pointing somewhere you actually read. Watch the reports for two to four weeks to confirm 100% of legitimate mail is aligned, then progress to `p=quarantine` and finally `p=reject`. Skipping the monitoring step is the single most common way founders accidentally block their own mail.
Publish these DNS records
Add the following record(s) to your domain's DNS zone. Most registrars (Cloudflare, Route 53, Namecheap, GoDaddy) accept values exactly as shown.
- Type
TXT- Host
_dmarc- Value
v=DMARC1; p=none; rua=mailto:[email protected]
- SES respects the From: header for DMARC alignment when Easy DKIM and a custom MAIL FROM domain are both configured.
- If you skip the custom MAIL FROM step, your SPF check will pass against `amazonses.com` and DMARC will fail SPF alignment. The fix is the MAIL FROM CNAME, not changing DMARC.
Where in Amazon SES
The DMARC configuration lives in AWS Console → SES → Configuration → Verified identities → Create identity.
Verify the records
Once published, run the DMARC Checker on your apex domain to confirm the record parses, reporting URIs are valid, and the policy is what you intended.
dig +short TXT _dmarc.your-domain.comCommon pitfalls
- SES new accounts start in sandbox mode (200/day, verified-recipients-only). Production access is a manual approval — apply early.
- SES regions are independent. A domain verified in `us-east-1` is not verified in `eu-west-1`. If you fail over regions, verify in both.
- The custom MAIL FROM domain step is optional in the SES UI but functionally required for DMARC alignment. Don't skip it.