How to Create an SPF Record for Amazon SES

Step-by-step guide to creating an SPF record for Amazon SES. Learn the correct include value, custom MAIL FROM setup, and common combinations.

Amazon Simple Email Service (SES) is one of the most widely used transactional email platforms, especially for businesses running applications on AWS. Developers use SES to send password resets, order confirmations, notifications, and marketing email at scale. But none of that matters if your messages land in spam because you haven't set up SPF.

An SPF record tells receiving mail servers that Amazon SES is authorized to send email on behalf of your domain. Without it, your SES-sent messages are more likely to be flagged as suspicious or rejected outright. This guide walks you through the setup from start to finish.

The SPF Include Value for Amazon SES

The include value for Amazon SES is straightforward:

include:amazonses.com

As described in the Amazon SES documentation, this single include covers all SES sending infrastructure across every AWS region. Whether you're sending from us-east-1, eu-west-1, or ap-southeast-2, the SPF include is the same. A complete SPF record with only Amazon SES looks like this:

v=spf1 include:amazonses.com -all

You don't need region-specific SPF values. The amazonses.com include covers all AWS regions globally. Even if you use multiple SES regions, one include is all you need.

Custom MAIL FROM Domains and SPF

By default, Amazon SES uses its own MAIL FROM domain (something like amazonses.com) when sending your messages. This means SPF is checked against Amazon's domain, not yours. That works, but it limits your control over authentication and can affect deliverability.

The Amazon SES documentation explains that SES gives you the option to set a custom MAIL FROM domain -- a subdomain of your domain like mail.yourdomain.com. When you configure this, SES uses your subdomain as the envelope MAIL FROM (Return-Path) address, and SPF is checked against that subdomain instead.

If you use a custom MAIL FROM domain, add the SPF record to that subdomain specifically:

# On mail.yourdomain.com (your custom MAIL FROM subdomain)
v=spf1 include:amazonses.com -all

If you don't use a custom MAIL FROM domain, add the include to your root domain's SPF record alongside your other providers.

Custom MAIL FROM is recommended

Setting up a custom MAIL FROM domain gives you better SPF alignment for DMARC and more control over your sending reputation. AWS makes this easy to configure in the SES console under Verified Identities > MAIL FROM domain.

Step-by-Step: Creating Your Amazon SES SPF Record

1. Verify your domain in Amazon SES

In the AWS Management Console, go to Amazon SES > Verified Identities and add your domain. SES will provide DNS records for verification, DKIM, and optionally a custom MAIL FROM domain.

2. Decide on your MAIL FROM configuration

Check whether you're using a custom MAIL FROM domain. If yes, you'll add the SPF record on that subdomain. If no, you'll add the SES include to your root domain's SPF record.

3. Generate your SPF record

Use the free SPF record generator to build your record. Select Amazon SES from the provider list and add any other services that send from your domain. The tool creates a correctly formatted record automatically.

4. Log in to your DNS provider

Go to your DNS management dashboard. If you're using Route 53 (AWS's own DNS service), you can stay in the AWS console. Otherwise, log in to your registrar or DNS host -- Cloudflare, GoDaddy, Namecheap, or wherever your domain's DNS is managed.

5. Check for an existing SPF record

Look through your TXT records for any entry starting with v=spf1. Remember, a domain can only have one SPF record. If one exists, you'll need to edit it and add the Amazon SES include rather than creating a second record.

6. Add or update the TXT record

Create a new TXT record (or edit the existing one). Set the Name to @ for your root domain, or to your custom MAIL FROM subdomain if applicable. Set the Value to your complete SPF record. Save the changes.

7. Wait for propagation and verify

DNS propagation can take a few minutes to 48 hours depending on your provider. Once propagated, verify the record at SPF Record Check.
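Steps 5 and 6 as a sketch, added here as an illustration and not taken from AWS or from any generator tool: given every TXT value published at a name, it refuses to proceed when two SPF records already exist and otherwise returns the single record to publish. The function names and the sample TXT set are assumptions made for the example.

```python
SES_INCLUDE = "include:amazonses.com"

def is_spf(txt):
    """RFC 7208: a TXT value is an SPF record if it is "v=spf1" or starts with "v=spf1 "."""
    value = txt.strip().lower()
    return value == "v=spf1" or value.startswith("v=spf1 ")

def add_ses_include(txt_records):
    """Return the one SPF record to publish, given all TXT values at the name."""
    spf = [t.strip() for t in txt_records if is_spf(t)]
    if len(spf) > 1:
        # Two v=spf1 records already evaluate to permerror; merge by hand first.
        raise ValueError("multiple v=spf1 records found at this name")
    if not spf:
        return f"v=spf1 {SES_INCLUDE} -all"
    terms = spf[0].split()
    if any(t.lower().lstrip("+") == SES_INCLUDE for t in terms):
        return " ".join(terms)                      # SES is already authorized
    # Terms are evaluated left to right and "all" always matches, so the
    # include has to be placed before it or it is never reached.
    for i, term in enumerate(terms):
        if term.lower().lstrip("+-~?") == "all":
            return " ".join(terms[:i] + [SES_INCLUDE] + terms[i:])
    return " ".join(terms + [SES_INCLUDE])          # no "all" term, e.g. redirect=

# Constructed TXT set for a root domain that already sends through Google Workspace.
EXISTING = [
    "google-site-verification=CONSTRUCTED-TOKEN",
    "v=spf1 include:_spf.google.com ~all",
]

if __name__ == "__main__":
    print(add_ses_include(EXISTING))
```

The existing qualifier on "all" is kept as found, so tightening ~all to -all remains a separate, deliberate change.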

Common SPF Record Combinations With Amazon SES

SES is almost always used alongside another email provider for team communication. Here are the setups you'll see most often:

Setup | SPF Record | Est. Lookups
--- | --- | ---
Amazon SES only | v=spf1 include:amazonses.com -all | ~1
SES + Google Workspace | v=spf1 include:_spf.google.com include:amazonses.com -all | ~4
SES + Microsoft 365 | v=spf1 include:spf.protection.outlook.com include:amazonses.com -all | ~3
SES + Google + Mailchimp | v=spf1 include:_spf.google.com include:amazonses.com include:spf.mandrillapp.com -all | ~6
SES + Microsoft 365 + SendGrid | v=spf1 include:spf.protection.outlook.com include:amazonses.com include:sendgrid.net -all | ~4

Per RFC 7208, SPF allows a maximum of 10 DNS lookups. Each include adds at least one lookup, and nested includes add more. Amazon SES is lightweight at roughly one lookup, but combining multiple providers adds up. Check your total at SPF Record Check.
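How nested includes add up, as an added example that is not part of the original guide: it counts the terms that cost a DNS lookup (include, a, mx, ptr, exists, redirect) by walking a record tree. The zone below is constructed with placeholder provider names so the code runs offline; it does not reproduce any real provider's records.

```python
import re

# Constructed records for illustration; they are not the published SPF data of
# any real provider. A live check would fetch each name's TXT record from DNS.
ZONE = {
    "yourdomain.com": "v=spf1 include:spf.provider-a.example "
                      "include:spf.provider-b.example mx -all",
    "spf.provider-a.example": "v=spf1 include:net1.provider-a.example "
                              "include:net2.provider-a.example ~all",
    "net1.provider-a.example": "v=spf1 ip4:192.0.2.0/24 ~all",
    "net2.provider-a.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "spf.provider-b.example": "v=spf1 ip4:203.0.113.0/24 -all",
}

LOOKUP_LIMIT = 10  # RFC 7208 section 4.6.4

def count_lookups(domain, zone, path=()):
    """Count the DNS-querying terms reachable from domain's SPF record."""
    if domain in path:
        raise ValueError("include loop: " + " -> ".join(path + (domain,)))
    total = 0
    for term in zone[domain].split()[1:]:           # skip the "v=spf1" tag
        term = term.lstrip("+-~?").lower()          # drop the qualifier
        name = re.split(r"[:=/]", term, maxsplit=1)[0]
        if name in ("include", "redirect"):
            target = re.split(r"[:=]", term, maxsplit=1)[1]
            # One lookup for the term itself, plus whatever its record costs.
            total += 1 + count_lookups(target, zone, path + (domain,))
        elif name in ("a", "mx", "ptr", "exists"):
            total += 1
        # ip4, ip6 and all need no DNS query and are not counted.
    return total

def within_limit(domain, zone):
    """True when the record stays at or under the 10-lookup ceiling."""
    return count_lookups(domain, zone) <= LOOKUP_LIMIT

if __name__ == "__main__":
    print(count_lookups("yourdomain.com", ZONE), within_limit("yourdomain.com", ZONE))
```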


Verifying Your Amazon SES SPF Record

After your DNS changes propagate, confirm everything is set up correctly.

Visit SPF Record Check and enter your domain (or your custom MAIL FROM subdomain). The tool will display your published SPF record, validate the syntax, count DNS lookups, and flag any issues. Make sure include:amazonses.com appears in the record and that there are no errors.

For a more hands-on test, send a message through SES and check the email headers on the receiving side. Look for Authentication-Results: spf=pass to confirm that Amazon's sending servers are properly authorized.
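The header check described above, as an added example rather than code from the original guide: it reads the SPF verdict only from the Authentication-Results header written by your own receiving server, reports which domain SPF was evaluated against, and tests whether that domain lines up with the From address. The message, the receiver name mx.receiver.example, and the function names are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed message as stored by a receiving server; every hostname and
# address is a placeholder, not captured traffic.
RAW = """\
Return-Path: <bounce-0001@mail.yourdomain.com>
Authentication-Results: mx.receiver.example;
 spf=pass smtp.mailfrom=bounce-0001@mail.yourdomain.com;
 dkim=pass header.d=yourdomain.com
From: Shop <orders@yourdomain.com>
Subject: Your order

Thanks for your order.
"""

def domain_of(value):
    """Domain part of an address, or the value itself if it is a bare domain."""
    return value.strip("<>").rsplit("@", 1)[-1].lower().rstrip(".")

def spf_report(raw, trusted_authserv):
    """Summarize the SPF verdict recorded by the receiver named trusted_authserv."""
    msg = message_from_string(raw)
    from_domain = domain_of(parseaddr(msg.get("From", ""))[1])
    for header in msg.get_all("Authentication-Results", []):
        header = " ".join(header.split())          # unfold continuation lines
        authserv, _, results = header.partition(";")
        if authserv.strip().lower() != trusted_authserv:
            continue                               # written by someone else: ignore
        verdict = re.search(r"\bspf=(\w+)", results)
        mailfrom = re.search(r"\bsmtp\.mailfrom=([^\s;]+)", results)
        if not verdict:
            continue
        checked = domain_of(mailfrom.group(1)) if mailfrom else None
        # Sufficient test for DMARC relaxed alignment: the MAIL FROM domain is
        # the From domain or a subdomain of it. Sibling subdomains also align,
        # but deciding that needs the Public Suffix List, which is omitted here.
        aligned = (verdict.group(1) == "pass" and checked is not None and
                   (checked == from_domain or checked.endswith("." + from_domain)))
        return {"spf": verdict.group(1), "checked_domain": checked,
                "from_domain": from_domain, "aligned": aligned}
    return None

if __name__ == "__main__":
    print(spf_report(RAW, "mx.receiver.example"))
```

A result with spf "pass" but aligned False is what the default SES MAIL FROM produces: SPF passed for Amazon's domain, not for yours.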

Common Amazon SES SPF Mistakes

Adding SPF to the Wrong Domain

If you've configured a custom MAIL FROM domain like mail.yourdomain.com, the SPF record for SES needs to go on that subdomain -- not your root domain. Adding the SES include only to your root domain won't help if the envelope MAIL FROM points to the subdomain. Check your SES settings to see which domain needs the record.

Creating a Second SPF Record

This is the most common DNS mistake across all providers. If you already have an SPF record for Google Workspace or Microsoft 365, don't create a new TXT record for SES. Two v=spf1 records on the same domain cause a permerror per RFC 7208 that breaks SPF completely. Edit the existing record and add include:amazonses.com to it.

Thinking Region-Specific Includes Are Needed

Some documentation you'll find online mentions region-specific SPF values for SES. This is outdated. The single include:amazonses.com value covers all SES regions. Don't add multiple region-specific includes -- they're unnecessary and waste DNS lookups.

Using ~all Instead of -all

The ~all qualifier (soft fail) tells receiving servers to accept messages that fail SPF but treat them with suspicion. For production email, -all (hard fail) is the stronger choice. It tells servers to reject unauthorized senders outright, giving you better protection against spoofing.

Complete Your Email Authentication

SPF is an important first step, but modern email authentication requires all three protocols working in concert:

  • DKIM adds a cryptographic signature to each message, proving it hasn't been tampered with in transit. Amazon SES provides DKIM through Easy DKIM, which automatically signs messages for you. Use DKIM Creator to generate and manage your DKIM setup.
  • DMARC ties SPF and DKIM together and tells receiving servers how to handle messages that fail authentication. Use DMARC Creator to create your DMARC policy.

With a custom MAIL FROM domain, SPF alignment for DMARC is straightforward -- your MAIL FROM subdomain shares its organizational domain with your From domain, which is what DMARC's default relaxed alignment requires.
