Amazon SES SPF Record: How to Set Up SPF for AWS Email
Configure SPF for Amazon SES. Covers default MAIL FROM behavior, custom MAIL FROM domains, and the correct SPF include for AWS email.
Last updated: 2026-04-25
Amazon Simple Email Service (SES) is one of the most popular platforms for sending transactional and marketing email at scale. If you use SES to send emails from your domain, getting SPF configured correctly is essential for deliverability. But SES handles SPF differently than most email providers, and the setup depends on whether you use a custom MAIL FROM domain.
This guide covers both scenarios and walks you through the configuration step by step. For a comprehensive overview of SPF, see our complete SPF guide.
How Amazon SES Handles SPF by Default
Here's what makes SES unique: by default, SES sends emails using its own MAIL FROM domain — specifically amazonses.com (Amazon SES documentation). The MAIL FROM domain (also called the envelope sender or return-path) is the domain that receiving servers check for SPF, not the "From" address that your recipients see in their inbox.
When SES uses amazonses.com as the MAIL FROM domain, SPF is already handled. Amazon publishes SPF records for amazonses.com, so every email sent through SES passes SPF automatically. You don't need to add anything to your domain's DNS.
So why would you change anything? Because passing SPF on amazonses.com doesn't help with DMARC alignment.
SPF pass is not the same as SPF alignment
DMARC requires that the domain in the SPF check (the MAIL FROM domain) aligns with your visible From domain. When SES uses amazonses.com as the MAIL FROM, SPF passes on Amazon's domain — not yours. This means SPF won't contribute to DMARC alignment. You'd need DKIM alignment instead, or you can set up a custom MAIL FROM domain to get both.
When You Need a Custom MAIL FROM Domain
A custom MAIL FROM domain lets you replace amazonses.com with your own domain (or subdomain) as the envelope sender. This means SPF checks happen against your domain, which allows SPF to align with DMARC.
You should set up a custom MAIL FROM domain if:
- You have a DMARC policy and want SPF alignment (not just DKIM)
- You want bounce notifications returned to your domain
- You want full control over your email authentication chain
- You're sending high volumes and want to build reputation on your own domain
You can skip it if:
- You don't have a DMARC policy yet
- You rely solely on DKIM for DMARC alignment
- You're just testing SES and aren't concerned about alignment
Setting Up a Custom MAIL FROM Domain
The process involves configuring a subdomain in the SES console and adding DNS records. Most people use a subdomain like mail.yourdomain.com or bounce.yourdomain.com rather than the root domain.
Choose your MAIL FROM subdomain
Pick a subdomain of your sending domain. For example, if you send from yourdomain.com, you might use mail.yourdomain.com. This subdomain should not be used for anything else — it exists solely for SES bounce handling and SPF.
Configure MAIL FROM in the SES console
Open the Amazon SES console, go to Identities, and select your verified domain. Under the Custom MAIL FROM domain section, click Edit and enter your chosen subdomain (e.g., mail.yourdomain.com). Choose what SES should do if the custom MAIL FROM fails — the default is to fall back to amazonses.com, which is the safer option.
Add the MX record
SES requires an MX record on your MAIL FROM subdomain so it can receive bounce notifications. Add this to your DNS (see our guides for Cloudflare, GoDaddy, or Namecheap):
Host: mail.yourdomain.com
Type: MX
Value: 10 feedback-smtp.us-east-1.amazonses.com
Replace us-east-1 with your SES region. Common regions include us-west-2, eu-west-1, and ap-southeast-1.
Add the SPF record
Create a TXT record on your MAIL FROM subdomain with this SPF record:
Host: mail.yourdomain.com
Type: TXT
Value: v=spf1 include:amazonses.com ~all
This tells receiving servers that Amazon SES is authorized to send email from your MAIL FROM subdomain (Amazon SES: SPF authentication).
Wait for DNS propagation
DNS changes typically propagate within 1-4 hours, though it can take up to 48 hours. SES will show the MAIL FROM status as "Pending" until it can verify your DNS records.
Verify the setup
Once SES shows the MAIL FROM domain as verified, send a test email and check the headers. The return-path should show your custom subdomain, and SPF should pass against it. Use an SPF checker to verify your DNS records are published correctly.
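The header check from the verification step, combined with the pass-versus-alignment distinction explained earlier, as an added Python example (not from the original guide or from AWS). The sample headers are constructed, mx.example.net is a placeholder receiver, and the alignment test is a simplified stand-in for DMARC's organizational-domain comparison.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample headers (not real traffic). DEFAULT_MSG uses the SES
# default MAIL FROM; CUSTOM_MSG uses the custom subdomain from this guide.
DEFAULT_MSG = """\
Return-Path: <0100018f-constructed@amazonses.com>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=amazonses.com
From: Billing <billing@yourdomain.com>
Subject: test

body
"""
CUSTOM_MSG = DEFAULT_MSG.replace("amazonses.com", "mail.yourdomain.com")


def domain_of(header_value):
    """Lower-cased domain part of an address header, or '' if absent."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()


def relaxed_aligned(mail_from, header_from):
    """Approximate DMARC relaxed alignment: equal, or parent/child domains.

    Real DMARC compares organizational domains via the Public Suffix List;
    this shortcut is an assumption that holds for the domains used here.
    """
    if not mail_from or not header_from:
        return False
    return (mail_from == header_from
            or mail_from.endswith("." + header_from)
            or header_from.endswith("." + mail_from))


def check_spf(raw_message):
    """Report the envelope domain, SPF verdict and whether SPF counts for DMARC."""
    msg = message_from_string(raw_message)
    mail_from = domain_of(msg["Return-Path"])
    header_from = domain_of(msg["From"])
    verdict = re.search(r"\bspf=(\w+)", msg.get("Authentication-Results", ""))
    spf = verdict.group(1).lower() if verdict else "none"
    return {"mail_from": mail_from, "from": header_from, "spf": spf,
            "spf_aligned": spf == "pass" and relaxed_aligned(mail_from, header_from)}


for name, raw in (("default", DEFAULT_MSG), ("custom", CUSTOM_MSG)):
    print(name, check_spf(raw))
```

On real mail, read only the Authentication-Results header added by your own receiving server; copies further down the header block can be supplied by the sender.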
Adding SES to an Existing SPF Record
If you're also using SES to send from your root domain (not just the MAIL FROM subdomain), and you want to authorize SES in your main SPF record, add the include:amazonses.com mechanism.
For example, if your current SPF record is:
v=spf1 include:_spf.google.com ~all
Update it to:
v=spf1 include:_spf.google.com include:amazonses.com ~all
Watch your DNS lookup count
Each include adds DNS lookups toward the 10-lookup limit. If you're already using several services, adding SES could push you over. Check your current lookup count with an SPF checker, and read our guide on the SPF 10 DNS lookup limit if you're close. You may also want to explore SPF flattening to reduce your lookup count.
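An added example (not part of the original guide) that counts the lookup-triggering terms RFC 7208 limits to 10, following nested includes. The ZONE dictionary is constructed data standing in for DNS answers, and busy.example and the nb*/s* names are hypothetical.

```python
# Constructed TXT data standing in for DNS answers. The nested records are
# invented for illustration and are NOT the real contents of these domains.
ZONE = {
    "yourdomain.com": "v=spf1 include:_spf.google.com include:amazonses.com ~all",
    "_spf.google.com": "v=spf1 include:nb1.example include:nb2.example ~all",
    "nb1.example": "v=spf1 ip4:192.0.2.0/24 ~all",
    "nb2.example": "v=spf1 ip6:2001:db8::/32 ~all",
    "amazonses.com": "v=spf1 ip4:198.51.100.0/24 -all",
    "busy.example": "v=spf1 a mx/24 exists:%{i}.bl.example include:_spf.google.com "
                    "include:s1.example include:s2.example include:s3.example "
                    "include:amazonses.com redirect=s4.example",
}
SPF_LOOKUP_LIMIT = 10  # RFC 7208 section 4.6.4


def count_lookups(domain, zone, stack=()):
    """Worst-case number of DNS-querying terms reached from domain's SPF record."""
    domain = domain.lower().rstrip(".")
    if domain in stack:
        raise ValueError("SPF include loop via " + domain)
    total = 0
    for term in zone.get(domain, "").split()[1:]:
        # Strip the qualifier, then split "name:target" or "name=target".
        name, _, target = term.lstrip("+-~?").replace("=", ":", 1).partition(":")
        name = name.split("/")[0].lower()      # drop a CIDR suffix such as mx/24
        if name in ("include", "redirect"):    # one lookup plus whatever it pulls in
            total += 1 + count_lookups(target, zone, stack + (domain,))
        elif name in ("a", "mx", "ptr", "exists"):
            total += 1                         # ip4, ip6 and all cost nothing
    return total


def over_limit(domain, zone):
    """True when evaluating the record could exceed the 10-lookup limit."""
    return count_lookups(domain, zone) > SPF_LOOKUP_LIMIT


for d in ("yourdomain.com", "busy.example"):
    print(d, count_lookups(d, ZONE), "OVER LIMIT" if over_limit(d, ZONE) else "ok")
```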
SES Region Considerations
Amazon SES operates in multiple AWS regions, and the MX record for your custom MAIL FROM domain must point to the correct regional endpoint. Here are the most common regions:
| AWS Region | MX Record Value |
|---|---|
| US East (N. Virginia) | feedback-smtp.us-east-1.amazonses.com |
| US West (Oregon) | feedback-smtp.us-west-2.amazonses.com |
| EU (Ireland) | feedback-smtp.eu-west-1.amazonses.com |
| EU (Frankfurt) | feedback-smtp.eu-central-1.amazonses.com |
| Asia Pacific (Sydney) | feedback-smtp.ap-southeast-2.amazonses.com |
| Asia Pacific (Singapore) | feedback-smtp.ap-southeast-1.amazonses.com |
If you send from multiple SES regions, you need to configure a custom MAIL FROM domain in each region. The SPF record (include:amazonses.com) is the same regardless of region — it covers all SES sending infrastructure globally.
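A check for the two records on the MAIL FROM subdomain, written for this guide as an added example (not AWS tooling): the MX must match the SES region in use, and the name must carry exactly one SPF record that includes amazonses.com. The answers are constructed in the style of `dig +short` output, and the function name is hypothetical.

```python
import re

# Constructed `dig +short`-style answers for mail.yourdomain.com (not real DNS).
GOOD_MX = ["10 feedback-smtp.us-east-1.amazonses.com."]
GOOD_TXT = ['"v=spf1 include:amazonses.com ~all"']
DUPLICATE_TXT = GOOD_TXT + ['"v=spf1 include:_spf.google.com ~all"',
                            '"some-site-verification=constructed"']


def check_mail_from_dns(region, mx_answers, txt_answers):
    """Return a list of problems with a custom MAIL FROM subdomain's records."""
    problems = []
    expected = f"feedback-smtp.{region}.amazonses.com"
    # Last field of each MX answer is the target; ignore case and trailing dot.
    targets = [a.split()[-1].rstrip(".").lower() for a in mx_answers if a.strip()]
    if expected not in targets:
        problems.append(f"MX does not point at {expected}: {targets}")

    # Join the quoted chunks of each TXT answer; accept unquoted input as-is.
    records = ["".join(re.findall(r'"([^"]*)"', t)) or t.strip() for t in txt_answers]
    spf = [r for r in records if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        # More than one v=spf1 record on a name is a permerror (RFC 7208, 4.5).
        problems.append(f"expected exactly one SPF record, found {len(spf)}")
    elif "include:amazonses.com" not in [t.lstrip("+") for t in spf[0].lower().split()]:
        problems.append("SPF record does not authorize amazonses.com")
    return problems


print(check_mail_from_dns("us-east-1", GOOD_MX, GOOD_TXT))
print(check_mail_from_dns("eu-west-1", GOOD_MX, GOOD_TXT))
print(check_mail_from_dns("us-east-1", GOOD_MX, DUPLICATE_TXT))
```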
Complete Your Email Authentication
SPF is just one layer of email authentication. For complete protection when using Amazon SES, you should also configure:
DKIM — SES supports Easy DKIM, which automatically signs your outgoing messages. This is configured in the SES console under your domain identity. SES generates three CNAME records you add to your DNS. Verify your DKIM with a DKIM checker.
DMARC — Once SPF and DKIM are both in place, a DMARC record tells receiving servers how to handle authentication failures. Start with a monitoring policy (p=none) and progress to enforcement once you're confident in your setup. Check your DMARC at DMARC Record Checker.
For a broader look at how SPF, DKIM, and DMARC work together, see our guide on SPF, DKIM, and DMARC explained.
If you're also sending through other services alongside SES, our guide on SPF for multiple ESPs covers how to combine them in a single record. And if you need help generating the right SPF syntax, SPF Creator can build it for you.
Monitor Your SPF Records
Email authentication isn't a set-and-forget task. DNS records can be accidentally modified, SES configurations can change, and new sending services get added over time. Continuous monitoring catches issues before they impact your deliverability.
References
- RFC 7208: Sender Policy Framework (SPF) — The current SPF specification
- Amazon SES: Authenticating Email with SPF — Official AWS SES SPF documentation