Providers

Amazon SES SPF Setup

Amazon SES sends from AWS infrastructure and requires SPF authorization via include or dedicated MAIL FROM domain configuration.

Intermediate · 6 min read · Reviewed Jul 4, 2026

Quick answer

Amazon SES sends mail from AWS IP ranges that must be authorized in SPF through include:amazonses.com or a custom MAIL FROM domain aligned with your SPF record. Many setups use a subdomain MAIL FROM for bounce handling and SPF isolation. Combine SES SPF with DKIM signing via Easy DKIM or BYODKIM and monitor DMARC for alignment.

Beginner explanation

Amazon Simple Email Service powers transactional mail for countless applications. SES sends from AWS-owned IP pools, which means your domain must explicitly trust those senders in SPF.

SES encourages custom MAIL FROM domains so bounces align cleanly and SPF can live on a subdomain dedicated to application mail. That pattern keeps application sending separate from employee mailbox policies.

Developers often configure DKIM in SES while forgetting SPF DNS updates, especially when moving from sandbox to production regions.

Technical explanation

The common SPF macro is include:amazonses.com published on the domain used in the MAIL FROM address configured in SES. When you enable a custom MAIL FROM domain such as bounce.example.com, publish SPF on that subdomain rather than only at the apex.

SES supports Easy DKIM with CNAME records and BYODKIM for bring-your-own keys. SPF and DKIM should be validated together using SES sending tests and external inbox header analyzers.

Multi-region SES configurations may share authorization macros, but each verified identity still needs consistent DNS. Infrastructure-as-code pipelines should apply SPF updates alongside DKIM tokens when identities are created automatically.

Business impact

SES SPF misconfiguration breaks application notifications at scale. Password resets, shipping alerts, and billing events fail quietly while engineering metrics still show API success, creating costly blind spots.

Because SES often sends high volume quickly, authentication failures can also harm domain reputation used by marketing and support mail on the same domain.

Common mistakes

- Verifying SES DKIM while omitting include:amazonses.com on the MAIL FROM domain
- Using the apex SPF record for employee mail only while SES sends from an unauthenticated subdomain
- Copying SPF values from another AWS account's domain without matching MAIL FROM settings

How SPF Manager helps

SPF Manager detects amazonses.com includes and validates SPF on custom MAIL FROM subdomains common in SES architectures. It warns when application mail shares a crowded apex policy nearing lookup limits.

Guidance helps teams split employee and application authentication across subdomains without losing visibility.

Recommended next step

See how this applies to your domain before you change DNS.

Analyze my domain

Related articles

Providers

SendGrid SPF Setup

SendGrid requires SPF authorization through include:sendgrid.net or domain authentication on your bounce domain.

Beginner 5 min read

Providers

SPF Email Providers

Email providers publish SPF include hostnames or IP ranges that you must add to your domain policy to authorize their outbound mail.

Beginner 6 min read

Email Authentication

DKIM and SPF

DKIM cryptographically signs messages while SPF authorizes sending IPs; together they strengthen authentication under DMARC.

Intermediate 7 min read

Deliverability

SPF and Email Deliverability

Correct SPF improves deliverability by giving receivers a trusted signal that your mail comes from authorized infrastructure.

Beginner 7 min read