Domain Verification
To send email from @yourcompany.com you need three DNS records: SPF (who is allowed to send), DKIM (a cryptographic signature), and DMARC (what to do when either fails). Gmail and Yahoo now require all three for bulk senders.
How it works
SES Mailbox generates the exact DNS records you need. You paste them into your DNS provider (Cloudflare, Route 53, Namecheap, GoDaddy, etc.). DNS propagation takes anywhere from 5 minutes to 24 hours, after which SES Mailbox automatically confirms your domain is verified.
SPF — authorise your sending servers
SPF (Sender Policy Framework) tells receiving mail servers which servers are allowed to send email on behalf of your domain. When SES sends your email, the receiving server checks your SPF record to confirm SES is on the approved list.
The record
```
Type:  TXT
Name:  @ (or your domain, e.g. yourcompany.com)
Value: "v=spf1 include:amazonses.com ~all"
```
If your domain already has a TXT record starting with v=spf1, do not add a second one. Instead, add include:amazonses.com to your existing record. Having two SPF records breaks email authentication.
What the parts mean
| Part | Meaning |
|---|---|
| v=spf1 | SPF version — always this value |
| include:amazonses.com | Authorise all AWS SES servers to send for your domain |
| ~all | Soft fail: emails from unlisted servers are accepted but flagged. Use -all for hard fail once you are confident all your sending is covered |
DKIM — cryptographic signature
DKIM (DomainKeys Identified Mail) adds a cryptographic signature to every email SES sends on your behalf. The receiving server fetches your DKIM public key from DNS and verifies the signature — confirming the email genuinely came from your domain and wasn't altered in transit.
AWS SES uses Easy DKIM, which adds three CNAME records pointing to AWS-managed keys. This is far more secure than self-managed DKIM because AWS rotates the keys automatically.
The records
SES Mailbox generates your specific CNAME values. They follow this pattern (the prefix is unique to your domain):
```
Type:  CNAME
Name:  abc123._domainkey.yourcompany.com
Value: abc123.dkim.amazonses.com

Type:  CNAME
Name:  def456._domainkey.yourcompany.com
Value: def456.dkim.amazonses.com

Type:  CNAME
Name:  ghi789._domainkey.yourcompany.com
Value: ghi789.dkim.amazonses.com
```
DMARC — policy for authentication failures
DMARC tells receiving servers what to do when an email claiming to be from your domain fails SPF or DKIM checks. It also sends you reports about who is sending email as your domain — invaluable for catching phishing and spoofing.
Start with monitor mode
```
Type:  TXT
Name:  _dmarc.yourcompany.com
Value: "v=DMARC1; p=none; rua=mailto:dmarc@yourcompany.com; pct=100"
```
p=none means "monitor only — don't reject anything." You'll receive weekly aggregate reports at the rua address showing all sources sending as your domain.
Tighten the policy after 30 days
Once you've reviewed reports and confirmed all your legitimate sending sources are aligned (SPF and DKIM both passing), tighten:
```
# Step 2 — quarantine suspicious mail (goes to spam folder)
"v=DMARC1; p=quarantine; rua=mailto:dmarc@yourcompany.com; pct=100"

# Step 3 — reject unauthenticated mail outright (30 days later)
"v=DMARC1; p=reject; rua=mailto:dmarc@yourcompany.com; pct=100"
```
Checking verification status
In SES Mailbox: Settings → Sending Domains. Each domain shows its SPF, DKIM, and DMARC status. Click Refresh to re-check after adding records.
You can also check from the command line:
```
# Check SPF
dig TXT yourcompany.com | grep spf

# Check DKIM (replace the prefix)
dig CNAME abc123._domainkey.yourcompany.com

# Check DMARC
dig TXT _dmarc.yourcompany.com
```
Troubleshooting
Records not verifying after 24 hours
- Confirm you added the records to the correct domain (not a subdomain of the wrong parent)
- Check for extra spaces or quotes — some DNS providers add quotes automatically; others require you to add them manually
- For Cloudflare CNAME records: ensure the orange cloud (proxy) is disabled
- Use MXToolbox SPF checker or DMARC Inspector to independently verify
Two SPF records error
You can only have one SPF TXT record per domain. If you see a "PermError: more than one record" error, merge all include: directives into a single record:
```
# Correct — single record with multiple includes
"v=spf1 include:amazonses.com include:_spf.google.com ~all"

# Wrong — two separate SPF records
"v=spf1 include:amazonses.com ~all"
"v=spf1 include:_spf.google.com ~all"   ← delete this
```
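The merge described above can be checked mechanically. The following is an added example, not part of SES Mailbox or its documentation: a Python helper that takes the TXT values returned for a domain, detects the two-SPF-record condition, and builds the single merged record. The function names, the `required` parameter and the sample records are assumptions made for illustration.

```python
import re

def spf_records(txt_records):
    """Return the SPF records among raw TXT values, unquoted and normalised."""
    found = []
    for raw in txt_records:
        # DNS tools print TXT data as quoted chunks; receivers join the
        # chunks with no separator before parsing (RFC 7208).
        chunks = re.findall(r'"([^"]*)"', raw)
        value = " ".join(("".join(chunks) if chunks else raw).split())
        if value.lower().split(" ")[0] == "v=spf1":
            found.append(value)
    return found

def merge_spf(txt_records, required="include:amazonses.com"):
    """Merge all SPF records into one value; return (merged, problems)."""
    records = spf_records(txt_records)
    if not records:
        return None, ["no SPF record found"]
    problems = []
    if len(records) > 1:
        problems.append(f"{len(records)} SPF records published (PermError)")
    terms, qualifiers = [], set()
    for record in records:
        for term in record.split()[1:]:
            if re.fullmatch(r"[+?~-]?all", term, re.I):
                qualifiers.add(term.lower())
            elif term.lower() not in (t.lower() for t in terms):
                terms.append(term)
    if required not in (t.lower() for t in terms):
        problems.append(f"{required} missing")
        terms.append(required)
    if qualifiers & {"all", "+all"}:
        problems.append("+all authorises every server")
    # Keep the qualifier if all records agree on a safe one; otherwise fall
    # back to the page's starting value, ~all.
    agreed = len(qualifiers) == 1 and not qualifiers & {"all", "+all"}
    final = next(iter(qualifiers)) if agreed else "~all"
    return " ".join(["v=spf1", *terms, final]), problems

# Constructed sample: TXT answers for a domain with two SPF records.
SAMPLE_TXT = [
    '"v=spf1 include:amazonses.com ~all"',
    '"v=spf1 include:_spf.google.com ~all"',
    '"google-site-verification=EXAMPLE"',
]

if __name__ == "__main__":
    print(merge_spf(SAMPLE_TXT))
```

Feed it the quoted strings from `dig TXT yourcompany.com +short`, one per list item, and publish the merged value as the only SPF record.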