How to set up SPF for Amazon SES

SPF (Sender Policy Framework, RFC 7208) authorizes specific servers to send mail for your domain. When you start sending through Amazon SES, you must publish a single SPF record at your domain apex that includes Amazon SES's sending infrastructure — otherwise the messages will fail SPF, your DMARC checks will fail, and your mail will land in spam or be rejected outright.

If you already publish SPF for another sender (Google Workspace for inbound, a marketing tool, your CRM), do not publish a second record. Merge the new include into the existing record. RFC 7208 §3 forbids multiple SPF records on the same name and receivers MUST return permerror when they see one.

Publish these DNS records

Add the following record(s) to your domain's DNS zone. Most registrars (Cloudflare, Route 53, Namecheap, GoDaddy) accept values exactly as shown.

• Amazon SES does not require a per-account SPF record like SendGrid does — `include:amazonses.com` covers all SES sending IPs across regions.
• If you sign up for Easy DKIM (recommended), SES also asks you to publish a custom MAIL FROM domain CNAME for SPF alignment. Do that — without it, SPF passes against `amazonses.com` rather than your brand domain, and DMARC won't align.

Where in Amazon SES

The SPF configuration lives in AWS Console → SES → Configuration → Verified identities → Create identity.

Verify the records

Once published, run the SPF Checker on your domain to verify the lookup chain expands cleanly and stays under the 10-DNS-lookup limit.

Common pitfalls

• SES new accounts start in sandbox mode (200/day, verified-recipients-only). Production access is a manual approval — apply early.
• SES regions are independent. A domain verified in `us-east-1` is not verified in `eu-west-1`. If you fail over regions, verify in both.
• The custom MAIL FROM domain step is optional in the SES UI but functionally required for DMARC alignment. Don't skip it.