Increasing Email Deliverability When Using Amazon SES

Increasing Email Deliverability When Using Amazon SES

Amazon Simple Email Service (SES) is one of the first AWS services I started using. It allows you to send automated emails without maintaining your email servers. It is scalable, easy to use with AWS SDKs and cost-effective.

However, you need to do more than verifying your domain on Amazon SES for your emails not to end in your users’ spam folder. In this blog post, I will discuss how you can increase the deliverability of your emails by setting DKIM and SPF authentications on Amazon SES.

What affect email deliverability?

You want your users to receive your emails in their inboxes, not spam folders, right? Email deliverability is the general term used for denoting the precentage of your emails that arrive your recipients’ inbox folders instead of spam or junk folders. To succeed, there are technical and usage related issues that need to be considered when sending emails.

To give an example to usage, you should not send your users emails they are not interested in. Otherwise, most probably, they will make a complaint by marking it as spam and the reputation of your domain will suffer. Also, you should not send an email address that is unavailable. These issues are about email sending best practices that you should always follow and they are independent of whether you use Amazon SES or another email sending service.

What I will discuss here is more about the technical details on how you can increase deliverability of your emails by making necessary configurations for authenticating your Amazon SES emails according to DMARC (Domain-based Message Authentication, Reporting & Conformance) protocol.

What is DMARC protocol?

DMARC protocol is the standard for authentication used by ISPs to authenticate the sender of the emails to avoid email spoofing that used for phishing and spam. Simply, it allows the domain owner to publish policies using DNS records.

According to DMARC protocol, there are two methods to authenticate the emails: DKIM and SPF. I recommend to setup both for your domain to increase your chances.

Setting up DKIM for your Amazon SES domain?

Let’s start with DKIM which stands for DomainKeys Identified Mail. Actually, by using DKIM you will sign your emails and ISPs use signatures to verify that they are sent by you and not altered by a third party in transit.

As you can see, if you use your own email server, you need to set up this signing mechanism while sending emails. Fortunately, Amazon SES has Easy DKIM feature which makes all these configurations automatically behind the scenes. You need only to enable DKIM on your Amazon SES domain and make setting for necessary DNS records in your DNS service. If you are using Amazon Route 53, it is even easier.

  • Go to your Amazon SES domain settings on AWS Management Console. Click Generate DKIM Settings button under DKIM section.
How to generate DKIM on Amazon SES
  • Amazon SES will generate DKIM settings and display DNS records you need to set up on your domain. If you click Download record set as csv you will download these records as csv to share with your team.
Amazon SES Console after generating DKIM
  • If you are already using Amazon Route 53, click Use Route 53 button and approve the action by clicking Create Record Sets on the modal opened. Then, necessary DNS records will be created automatically on Amazon Route 53.
Creating DNS records for DKIM on Amazon Route 53 Console
  • After a while your DNS changes will propagate and DKIM Verification Status will become verified on your Amazon SES domain settings page. AWS will also notify you using your account email address once it is completed.

Setting up SPF for your Amazon SES domain?

SPF or Sender Policy Framework in long, checks whether the IP address of the server sent the email is authorized by the domain owner. Normally DKIM would suffice for DMARC authentication. But providing both DKIM and SPF might increase your chances. So let’s continue with SPF for your domain.

To pass SPF, the domain in the from address of your emails should allign with MAIL FROM that sending mail server provides to receiver. This allignment can be defined as strict so that from address domain should exactly match MAIL FROM domain. Or it can be defined as relaxed so that MAIL FROM domain can be a subdomain of from address domain.

For example, let’s assume that from address in your emails is “”. If you defined “strict” allignment, your MAIL FROM should be exactly “”. However, if you defined a “relaxed” allignment, MAIL FROM domain can be something like “” or something similar. By default, your SPF allignment is “relaxed” and it should be as “relaxed” for Amazon SES.

Then, let’s continue with MAIL FROM setup for SPF authentication on your Amazon SES domain.

  • Go to MAIL FROM section on your Amazon SES domain settings page and click Set MAIL FROM domain.
Setting MAIL From on Amazon SES domain settings
  • Set a subdomain like and click Set MAIL FROM domain again on the modal window opened. This subdomain should not be a subdomain that you already send or receive emails such as “”, because we will create an MX record for it.
Defining MAIL FROM subdomain
  • Now, Amazon SES will display you the DNS records you need to set on your DNS service. As you can see there is an MX record with the same subdomain and TXT record for SPF.
Viewing MAIL FROM subdomain on Amazon SES after definition
  • If you are already using Amazon Route 53 as DNS service, you can automate creation of these records by clicking Publish Records Using Route 53. Then, you should select each record using the checkbox on its left and click Create Record Sets to approve record creation.
Using Amazon Route 53 Console to create DNS records for SPF
  • Similar to DKIM, after some time your DNS changes will propagate and MAIL FROM domain status will become verified on your Amazon SES domain settings page. AWS will also notify you using your account email address once it is completed.


Email deliverability is a topic of maintaining reputation of your domain by following email sending best practices and authenticating your emails by conforming with DMARC protocol. In this post, I tried to show you how you can achieve authentication when using Amazon SES by setting DKIM and SPF on your domain.

After these settings, you should proceed with monitoring bounces and complaints, as well as being proactive to improve your sending statistics.

Thanks for reading!


Emre Yilmaz

AWS Consultant • Instructor • Founder @ Shikisoft