Amazon SES: Complete Guide to DNS Configuration and Email Authentication
By CaptainDNS
Published on January 20, 2026

- Amazon SES offers email sending at $0.10/1000 emails with 7 EU regions for GDPR compliance.
- Easy DKIM generates 3 CNAMEs that serve both as domain verification and DKIM signing (auto-rotation every 90 days).
- Custom MAIL FROM is essential for SPF DMARC alignment; without it, SPF authenticates with amazonses.com.
- For p=reject, combine Easy DKIM + Custom MAIL FROM + relaxed alignment (adkim=r, aspf=r).
Why Amazon SES Deserves Your Attention
Amazon SES has processed over one trillion emails per year since its launch in 2011. With pricing at $0.10 per 1,000 emails (no volume tiers), it's the most cost-effective option for transactional and marketing email sending.
What makes the difference:
- API v2 (September 2019): messages up to 40 MB, native unsubscribe management, custom headers without using Raw email
- 7 EU regions: Frankfurt, Ireland, London, Paris, Stockholm, Milan, Zurich - GDPR DPA included automatically
- Virtual Deliverability Manager: reputation dashboard and automated recommendations
This guide focuses on DNS configuration and authentication. The goal: optimal deliverability compatible with p=reject.
SES Sending Architecture and Authentication Flow

When you send via SES:
- Your application calls the v2 API or uses SMTP
- SES signs the message with your DKIM key (domain d=captaindns.com)
- The receiving server verifies SPF (sending IP), DKIM (signature), then DMARC (alignment)
Complete DNS Configuration
Easy DKIM: The Recommended Method
Easy DKIM generates 3 CNAME records that serve two purposes:
- Domain ownership verification (no need for _amazonses TXT record)
- DKIM signing with automatic rotation every 90 days
{token1}._domainkey.captaindns.com CNAME {token1}.dkim.amazonses.com
{token2}._domainkey.captaindns.com CNAME {token2}.dkim.amazonses.com
{token3}._domainkey.captaindns.com CNAME {token3}.dkim.amazonses.com
Key size: RSA 2048-bit by default (recommended). Rotation automatically manages the active/passive/pending roles between the 3 CNAMEs.
Custom MAIL FROM: The Critical Element for DMARC
Without Custom MAIL FROM, the SMTP envelope uses amazonses.com as the MAIL FROM domain. Result: SPF authenticates with amazonses.com, not your domain, and SPF DMARC alignment fails.
Required records (example for mail.captaindns.com):
| Type | Name | Value | Priority |
|---|---|---|---|
| MX | mail.captaindns.com | feedback-smtp.eu-west-1.amazonses.com | 10 |
| TXT | mail.captaindns.com | "v=spf1 include:amazonses.com ~all" | - |
Constraints:
- Custom MAIL FROM must be a subdomain of the verified domain
- Only one MX record (multiple = failure)
- This subdomain should not receive other emails
SPF on Root Domain: Optional but Recommended
If you use Easy DKIM + Custom MAIL FROM, SPF on the root domain is not required for DMARC (DKIM is sufficient). However, AWS recommends configuring it:
captaindns.com TXT "v=spf1 include:amazonses.com ~all"
DMARC Alignment: Configuration for p=reject

What Works (and What Breaks)
DKIM Alignment (primary method):
| Configuration | Aligned? | DMARC via DKIM? |
|---|---|---|
| Verified email only (no DKIM domain) | No | No |
| Domain with Easy DKIM enabled | Yes | Yes |
| Domain with BYODKIM | Yes | Yes |
SPF Alignment:
| Configuration | Aligned? | DMARC via SPF? |
|---|---|---|
| Default MAIL FROM (amazonses.com) | No | No |
| Custom MAIL FROM + aspf=r (relaxed) | Yes | Yes |
| Custom MAIL FROM + aspf=s (strict) | No | No (subdomain mismatch) |
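
The rows of the two alignment tables can be reproduced with a small evaluator. This is an added example, not SES or CaptainDNS code; `org_domain`, `aligned` and `evaluate` are hypothetical helpers, and the organizational-domain shortcut is an assumption noted in the code.

```python
# Added example: DMARC identifier alignment for the SES scenarios in the tables.

def org_domain(domain: str) -> str:
    # ASSUMPTION: organizational domain = last two labels. Real receivers use
    # the Public Suffix List; this shortcut only holds for names like captaindns.com.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(header_from: str, auth_domain: str, mode: str) -> bool:
    """mode is the adkim/aspf value: 'r' (relaxed) or 's' (strict)."""
    a = header_from.lower().rstrip(".")
    b = auth_domain.lower().rstrip(".")
    if mode == "s":
        return a == b                        # strict: exact domain match
    return org_domain(a) == org_domain(b)    # relaxed: same organizational domain

def evaluate(header_from, mail_from, dkim_d, adkim="r", aspf="r"):
    """Assume SPF passed for mail_from and, if dkim_d is set, DKIM passed for it."""
    spf_ok = aligned(header_from, mail_from, aspf)
    dkim_ok = dkim_d is not None and aligned(header_from, dkim_d, adkim)
    return {"spf": spf_ok, "dkim": dkim_ok, "dmarc": spf_ok or dkim_ok}

FROM = "captaindns.com"  # header From domain used throughout the page

# Constructed scenarios mirroring the rows of the two alignment tables.
SCENARIOS = {
    "default MAIL FROM, no domain DKIM": evaluate(FROM, "amazonses.com", None),
    "default MAIL FROM, Easy DKIM": evaluate(FROM, "amazonses.com", "captaindns.com"),
    "custom MAIL FROM, aspf=r": evaluate(FROM, "mail.captaindns.com", None, aspf="r"),
    "custom MAIL FROM, aspf=s": evaluate(FROM, "mail.captaindns.com", None, aspf="s"),
}

if __name__ == "__main__":
    for name, result in SCENARIOS.items():
        print(f"{name:36} {result}")
```

DMARC passes when either identifier aligns, which is why Easy DKIM alone carries the message even with the default MAIL FROM.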
Recommended DMARC Record
_dmarc.captaindns.com TXT "v=DMARC1;p=reject;adkim=r;aspf=r;rua=mailto:dmarc@captaindns.com"
Key points:
- adkim=r and aspf=r: relaxed alignment (allows subdomains)
- Progress from p=none → p=quarantine → p=reject
- Monitor rua reports before tightening
DNS Summary Table
| Type | Host/Name | Value | Required |
|---|---|---|---|
| CNAME | {token1}._domainkey.captaindns.com | {token1}.dkim.amazonses.com | Yes (Easy DKIM) |
| CNAME | {token2}._domainkey.captaindns.com | {token2}.dkim.amazonses.com | Yes (Easy DKIM) |
| CNAME | {token3}._domainkey.captaindns.com | {token3}.dkim.amazonses.com | Yes (Easy DKIM) |
| MX | mail.captaindns.com | feedback-smtp.{region}.amazonses.com | Yes (Custom MAIL FROM) |
| TXT | mail.captaindns.com | "v=spf1 include:amazonses.com ~all" | Yes (Custom MAIL FROM) |
| TXT | _dmarc.captaindns.com | "v=DMARC1;p=reject;adkim=r;aspf=r;..." | Recommended |
| CNAME | track.captaindns.com | r.{region}.awstrack.me | Optional (tracking) |
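
A pre-flight check of a record set against the required rows of this table and the Custom MAIL FROM constraints listed earlier. This is an added example, not part of the original guide or any AWS tooling; `lint_ses_dns` and `dmarc_tags` are hypothetical helpers, and the records (including the `tok1`..`tok3` tokens and the "priority target" MX format) are constructed.

```python
import re

# Constructed sample records (type, name, value); tok1..tok3 are placeholder tokens.
RECORDS = [
    ("CNAME", "tok1._domainkey.captaindns.com", "tok1.dkim.amazonses.com"),
    ("CNAME", "tok2._domainkey.captaindns.com", "tok2.dkim.amazonses.com"),
    ("CNAME", "tok3._domainkey.captaindns.com", "tok3.dkim.amazonses.com"),
    ("MX", "mail.captaindns.com", "10 feedback-smtp.eu-west-1.amazonses.com"),
    ("TXT", "mail.captaindns.com", "v=spf1 include:amazonses.com ~all"),
    ("TXT", "_dmarc.captaindns.com",
     "v=DMARC1;p=reject;adkim=r;aspf=r;rua=mailto:dmarc@captaindns.com"),
]

def dmarc_tags(txt):
    """Split 'k=v;k=v' into a dict, tolerating spaces around separators."""
    pairs = (p.split("=", 1) for p in txt.split(";") if "=" in p)
    return {k.strip(): v.strip() for k, v in pairs}

def lint_ses_dns(domain, mail_from, records):
    """Return a list of findings; an empty list means the set matches the table."""
    def values(rtype, name):
        return [v for t, n, v in records if t == rtype and n == name]
    findings = []
    if not mail_from.endswith("." + domain):
        findings.append("MAIL FROM is not a subdomain of the verified domain")
    dkim = [v for t, n, v in records if t == "CNAME"
            and n.endswith("._domainkey." + domain)
            and v.endswith(".dkim.amazonses.com")]
    if len(dkim) != 3:
        findings.append(f"expected 3 Easy DKIM CNAMEs, found {len(dkim)}")
    mx = values("MX", mail_from)
    if len(mx) != 1:
        findings.append(f"MAIL FROM needs exactly one MX, found {len(mx)}")
    elif not re.fullmatch(r"\d+ feedback-smtp\.[a-z0-9-]+\.amazonses\.com\.?", mx[0]):
        findings.append("MAIL FROM MX is not feedback-smtp.{region}.amazonses.com")
    spf = [v for v in values("TXT", mail_from) if v.startswith("v=spf1")]
    if len(spf) != 1 or "include:amazonses.com" not in spf[0].split():
        findings.append("MAIL FROM needs one SPF TXT with include:amazonses.com")
    dmarc = [v for v in values("TXT", "_dmarc." + domain) if v.startswith("v=DMARC1")]
    if len(dmarc) != 1:
        findings.append(f"expected one DMARC record, found {len(dmarc)}")
    elif dmarc_tags(dmarc[0]).get("aspf", "r") == "s":
        findings.append("aspf=s: subdomain MAIL FROM will not align via SPF")
    return findings

if __name__ == "__main__":
    print(lint_ses_dns("captaindns.com", "mail.captaindns.com", RECORDS) or "OK")
```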
Sending Methods: API v2 vs SMTP
API v2 (Recommended)
Endpoint: https://email.{region}.amazonaws.com
aws sesv2 send-email \
--from-email-address "sender@captaindns.com" \
--destination '{"ToAddresses":["recipient@captaindns.com"]}' \
--content '{
"Simple": {
"Subject": {"Data": "Test"},
"Body": {"Html": {"Data": "<h1>Hello</h1>"}}
}
}' \
--configuration-set-name "my-config-set"
v2 Advantages:
- Messages up to 40 MB (vs 10 MB in v1)
- Native custom headers (List-Unsubscribe without Raw email)
- ListManagementOptions for list management
SMTP Interface
Endpoint: email-smtp.{region}.amazonaws.com
| Port | Protocol | Recommendation |
|---|---|---|
| 25 | STARTTLS | Often blocked by ISPs |
| 465 | Implicit TLS | Alternative |
| 587 | STARTTLS | Recommended |
| 2587 | STARTTLS | Alternative to 587 |
Available X-SES-* headers:
- X-SES-CONFIGURATION-SET: associate a configuration set
- X-SES-MESSAGE-TAGS: add tags (key=value)
Quotas and Limits to Know
| Quota | Sandbox | Production |
|---|---|---|
| Emails/24h | 200 | ~50,000-100,000 (initial) |
| Sending rate | 1/sec | ~14-50/sec (initial) |
| Recipients/message | 50 | 50 |
| Message size (API v2) | 40 MB | 40 MB |
Getting out of sandbox: via SES Console or AWS CLI, ~24h delay if request is complete.
Reputation Thresholds: The Critical Numbers

| Metric | Warning | Maximum | Action |
|---|---|---|---|
| Bounce Rate | 5% | 10% | Account review |
| Complaint Rate | 0.1% | 0.2% | Account review |
Best practices:
- Enable the account-level suppression list (auto-suppresses hard bounces)
- Configure CloudWatch alerts on Reputation.BounceRate and Reputation.ComplaintRate
- Soft bounces: SES automatically retries for 12h
2025 Pricing
| Component | Price |
|---|---|
| Emails sent | $0.10 / 1,000 |
| Outbound data (attachments) | $0.12 / GB (first GB free) |
| Standard dedicated IP | $24.95 / month / IP |
| Managed Dedicated IPs | $15/month + $0.08-0.02/1000 based on volume |
| Virtual Deliverability Manager | $0.07 / 1,000 emails |
Free tier (new accounts): 3,000 emails/month for 12 months.
Action Plan: 6-Step Configuration
- Create a domain identity in the SES console (EU region of your choice)
- Configure Easy DKIM: publish the 3 CNAMEs provided by SES
- Wait for verification: up to 72h for DNS propagation
- Configure Custom MAIL FROM: create the subdomain with MX and SPF TXT
- Publish the DMARC record: start with p=none, monitor reports
- Exit sandbox: submit the production access request
FAQ
Is Custom MAIL FROM configuration mandatory?
For SPF DMARC alignment, yes. Without Custom MAIL FROM, SPF authenticates with amazonses.com, which breaks alignment. If you rely solely on DKIM for DMARC (which works), Custom MAIL FROM is still recommended for defense in depth.
Which EU region should I choose for GDPR?
All 7 EU regions (Frankfurt, Ireland, London, Paris, Stockholm, Milan, Zurich) are GDPR compliant with DPA included automatically. Choose based on latency and SMTP availability (Milan and Zurich don't have SMTP endpoints).
Are all 3 Easy DKIM CNAMEs active simultaneously?
No. Only one CNAME is active (resolves with a public key p=...) at any given time. The other two are in rotation (passive/pending). SES automatically manages rotation every ~90 days.
How do I test the configuration before sending in production?
In sandbox, send to verified addresses. Use aws sesv2 send-email with a configuration set configured to publish events to SNS or CloudWatch. Verify the received DKIM and SPF headers.
Glossary
- Easy DKIM: SES method that automatically generates and manages DKIM keys via 3 CNAME records, with automatic rotation.
- Custom MAIL FROM: Subdomain configured to replace the default MAIL FROM domain (amazonses.com), required for SPF DMARC alignment.
- BYODKIM: Bring Your Own DKIM - option to use your own DKIM keys instead of SES-generated ones (1 single TXT record).
- Configuration Set: Set of SES rules for tracking, event notifications, and TLS policies.
- Sandbox: Initial mode of SES accounts limiting sending to 200 emails/day to verified addresses only.
- Virtual Deliverability Manager (VDM): Paid SES feature offering a metrics dashboard and automated deliverability recommendations.


