Setup SPF with AWS SES

What is SPF?

Sender Policy Framework (SPF) is an email authentication technique that helps protect your domain from email spoofing and phishing attacks. It also helps improve your email deliverability by ensuring that your emails are recognized as legitimate by Internet Service Providers (ISPs) and email clients. This article will explain what SPF is, how it works, and how to set it up to work with Amazon Web Services Simple Email Service (AWS SES) by modifying your existing DNS SPF TXT record.

Understanding SPF and How It Works

SPF is an email authentication protocol that allows domain owners to specify which mail servers are authorized to send emails on their behalf. By implementing SPF, you can prevent malicious actors from sending emails that appear to come from your domain, thereby protecting your domain's reputation and your recipients from phishing attacks.

When an email is sent, the receiving mail server performs an SPF check by querying the DNS records of the sender's domain for an SPF TXT record. This record contains a list of authorized sending IP addresses or hostnames for the domain. The receiving mail server then compares the IP address of the sending server with the authorized IP addresses in the SPF record. If that IP address is included in the list, the email passes the SPF check and is more likely to be delivered to the recipient's inbox. If it is not in the list, the email may be marked as spam or rejected altogether.

Setting Up SPF with AWS SES

To set up SPF with AWS SES, you need to add or modify your domain's DNS SPF TXT record. Here's a step-by-step guide to help you through the process:

  • Locate your domain's current SPF record: First, determine whether your domain already has an SPF record. You can do this with an online SPF record lookup tool or by querying your domain's DNS records with a command-line tool such as 'nslookup' or 'dig'.
  • Create a new SPF record or modify the existing one: If your domain does not have an SPF record, you'll need to create one. If it already has one, modify it to include AWS SES as an authorized sender. Either way, the record must contain the following mechanism: include:amazonses.com.

Here's an example of an SPF record that authorizes AWS SES to send emails on behalf of your domain:

v=spf1 include:amazonses.com ~all

If you already have an existing SPF record, simply add the include statement for AWS SES before the ending mechanism, usually ~all or -all. For example, if your current SPF record looks like this:

v=spf1 include:_spf.sesmonitor.com ~all

Then you should change it to this:

v=spf1 include:_spf.sesmonitor.com include:amazonses.com ~all

Once you've created or modified your SPF record, update your domain's DNS records by adding or replacing the existing TXT record. The exact steps to do this will vary depending on your domain registrar or DNS provider. Check their documentation for instructions on how to modify DNS records. After updating your domain's DNS records, use an online SPF record lookup tool or query your domain's DNS records again to verify that your SPF record includes AWS SES as an authorized sender.
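The merge step described above, as an added example that is not part of the original article. It goes slightly beyond the text by refusing a domain that publishes more than one SPF record and by counting top-level DNS-lookup terms against the limit of 10 set in RFC 7208; the function names are hypothetical and the TXT strings are a constructed sample.

```python
import re

SES_INCLUDE = "include:amazonses.com"
# Terms that cost the receiver one DNS lookup each (RFC 7208 allows 10 in total).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def find_spf(txt_records):
    """Pick the SPF record out of a domain's TXT strings (None if absent)."""
    cleaned = [r.strip().strip('"') for r in txt_records]
    spf = [r for r in cleaned if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) > 1:
        # Two v=spf1 records make receivers return permerror for every message.
        raise ValueError("more than one SPF record published; merge them into one")
    return spf[0] if spf else None

def lookup_count(record):
    """Count top-level lookup terms; nested includes add to the real total."""
    names = (re.split(r"[:/=]", t.lstrip("+-~?"), maxsplit=1)[0].lower()
             for t in record.split()[1:])
    return sum(n in LOOKUP_TERMS for n in names)

def add_ses(record):
    """Return the record with include:amazonses.com placed before the 'all' term."""
    if record is None:
        return f"v=spf1 {SES_INCLUDE} ~all"
    terms = record.split()
    if any(t.lstrip("+").lower() == SES_INCLUDE for t in terms):
        return record  # SES is already authorized, nothing to change
    # Terms after 'all' are never evaluated, so insert before it (append if absent).
    pos = next((i for i, t in enumerate(terms)
                if t.lstrip("+-~?").lower() == "all"), len(terms))
    terms.insert(pos, SES_INCLUDE)
    merged = " ".join(terms)
    if lookup_count(merged) > 10:
        raise ValueError("record would exceed the 10-lookup limit")
    return merged

if __name__ == "__main__":
    # Constructed sample: TXT strings as a DNS query tool would print them.
    txt = ['"google-site-verification=constructed-sample"',
           '"v=spf1 include:_spf.sesmonitor.com ~all"']
    print(add_ses(find_spf(txt)))
```

Publish the returned string as the domain's single SPF TXT record, replacing the old one rather than adding a second record beside it.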

Setting up SPF with AWS SES is an important step towards improving your email deliverability and protecting your domain from spoofing and phishing attacks. By following the steps outlined in this article, you can easily create or modify your SPF record to authorize AWS SES to send emails on your behalf, ensuring that your emails are more likely to be delivered to your recipients' inboxes.

Remember that implementing SPF is just one part of a comprehensive email authentication strategy. It is also essential to consider implementing other email authentication protocols, such as DKIM and DMARC, to further enhance your email deliverability and protect your domain from malicious actors.
