I was caught out by this, this week, so hopefully future-me will remember quicker how to fix this one.
- You want to get properly configured for DMARC for a domain you’re sending emails from via AWS SES
- You’ve verified the sender domain as an identity
- You’ve set up DKIM and SPF
- You’ve set up a custom MAIL FROM
- You’re still seeing SPF-related DMARC failures when sending emails
In my case, those failures were caused because I was sending email from a different identity that uses the same domain.
For example, I had ‘example.com’ set up as a verified identity in SES allowing me to send email from any address at that domain, and I configured a sender identity ‘firstname.lastname@example.org’ to be used by my application to send emails so that I could construct an ARN for use with Cognito or similar.
What isn’t necessarily obvious is that you need to enable the custom MAIL FROM setting for the sender identity, and not just for the domain identity that you’ve configured assuming you have multiple. AWS SES does not fall back to the configuration for the domain identity and you have to individually enable custom MAIL FROM for each sender identity – even if the configuration is identical.
So in my case, the fix was:
- Edit the Custom MAIL FROM setting for email@example.com
- Enable it to use mail.example.com (which was already configured)
- Save settings