Sending mail with AWS SES and Route53 (DKIM, SPF, and DMARC)

Table of Contents


I’m in the process of migrating our newsletter / mailing list from Mailchimp to EmailOctopus. That’ll be a different post, this post is about setting up SES and DNS so that we can send mail from our AWS account that is:

  • DKIM signed & verified
  • SPF verified
  • Valid DMARC

In short, this setup should give you pretty good deliverability results as long as you’re not sending spam from a bad domain.


  • I’m not a DKIM/SPF/DMARC/EMAIL expert. This guide is only to share what works for me. There are no guarantees this will work with your set up.
  • I use Route53 for my DNS so these instructions will assume the same.
  • I use a custom domain, Route53, and Mailgun for email forwarding. Adding this SES stuff doesn’t affect it all if done correctly.


First we’ll need to log in to the AWS dashboard and navigate to the SES dash.

Verify a New Domain

  • Click on the Verify a New Domain button.
  • Enter your domain name (
  • Tick Generate DKIM Settings
  • Click Verify This Domain


Generate DKIM DNS Entries

  • Now you should see the following screen with all of the DKIM DNS entries listed (NOTE, your values will be different from the screenshot). DKIM DNS Entries

  • Click on Use Route 53

Apply Record Sets

  • Now you should see the following screen with the DKIM entries again. DKIM Record Sets

  • Make sure Domain Verification Record is TICKED
  • Make sure DKIM Record Set is TICKED
  • Make sure Email Receiving Record is NOT TICKED
    • We’ll be doing this step next, but we don’t want the MX record applied to the naked/root domain, we need to apply it to a new subdomain.
  • Make sure Hosted Zones is TICKED
  • Click Create Record Sets
    • NOTE This step will modify your Route53 DNS settings, make sure you know what you’re doing, don’t hold me responsible if something breaks, etc.

Verification Emails

  • You should now be redirected to the SES dash and your domain should be listed as PENDING. Verification Status

  • Once Amazon has completed verifying your domain they’ll send you an email notifiying you of the success. In my experience this only takes about a minute or two. Verification Success

  • Once Amazon has completed the domain / DNS settings they’ll verify the DKIM settings as well. In my experience this take less than a minute once your site has been verified. DKIM Verification Success


Now it’s time to set up our Custom MAIL FROM Domain. Essentially, this allows SES to mark our emails as “coming from” our domain rather than from Amazon. From the SES dash:

  • Click on your domain
  • Click on Set MAIL FROM Domain Set MAIL FROM Domain

  • Create a new subdomain to use as your MAIL FROM domain. I’m using newsletter.mydomain in this example.
    • I chose to use AWS SES endpoint if another MX record isn’t found.
    • Click Set MAIL FROM Domain Create MAIL FROM Domain
  • Click Publish Records Using Route 53
    • Publish Route53 Records
  • Make sure MX Record is TICKED
  • Make sure SPF Record is TICKED
  • Make sure Hosted Zones is TICKED
  • Click Create Record Sets
    • NOTE This step will modify your Route53 DNS settings, make sure you know what you’re doing, don’t hold me responsible if something breaks, etc. Create Route53 Recordsets
  • Once Amazon is able to verify the DNS settings they will send you an email telling you that it has been successfully verified. Custom MAIL FROM verification


Ok, confession time. I’ve never done a lot of research into DMARC before and this project is no different. I skimmed the official docs as well as AWS docs and have a working solution. If anyone knows of better configs or known issues, I’m all ears.

UPDATE Thanks to user inopinatus on Hacker News for suggesting as a DMARC aggregator to prevent annoyingly noisy DMARC status reports being emailed to you daily from multiple ISPs.

  • Go to to create your free account
    • Enter any email address to receive your DMARC status reports
    • Enter your new subdomain in the Send reports about this domain field. Our example would be DMARC
  • Now you should see a screen similar to this: DMARC
  • Leave this tab/window/screen open and navigate to your AWS dashboard in another tab/window/screen.

  • Go to your AWS dash and navigate to the Route 53 dash
  • Go to Hosted Zones and click on your domain
  • Click Create Record Set DMARC
    • Name:
    • Type: TXT - Text
    • TTL: 300/default is fine
  • Click Create


  • Now you can return to the SES Dash and check the status of your domain final verification
    • status Should be verified
    • DKIM Settings Generated should be yes
    • DKIM Verification Status should be verified
    • DKIM Signing should be enabled
    • MAIL FROM Domain should be
  • Verify DMARC settings

That’s it for now. I’ll go over integrating EmailOctopus in the next post.