DKIM and SPF for Emails on SES

by Hugh Bien — 12/10/2020

If your application sends transactional or marketing emails, you must setup both DKIM and SPF. Failing to do so will hurt your email deliverability. Your messages will end up in spam.

I've recently had to setup DKIM/SPF for Boutique. The application uses Amazon SES, which has pretty straightforward steps. I'll be using Amazon SES as the email service provider in this article.

What are DKIM and SPF?

DKIM (DomainKeys Identified Mail) and SPF (Sender Policy Framework) are both email authentication methods. They let email receivers know that an incoming email from that domain has been authorized by the domain owners.

DKIM uses asymmetric cryptography to sign the email before it's sent out. The public key is listed on the domain's DNS records, where email clients can find it to verify any emails.

SPF adds a list of authorized IP addresses to a domain's DNS records. When an email client receives an email, it can check the domain's DNS to verify the sender's IP address is on that list.

What domains should I send email from?

The best practice is to send your transactional emails from a different subdomain than your marketing emails. For example: for transactional emails and for marketing emails.

Transactional emails are sent after a user action. They're expected and tend to have a much better reputation than marketing emails. Splitting the two keeps their reputation scores separate. You don't want your "confirm account" or "reset password" emails ending up in customers' spam folder.

Setting up DKIM

From your AWS console:

  1. go to the SES management console
  2. in the sidebar, under "Identity Management", go to "Email Addresses"
  3. click on the email address you want to verify
  4. click DKIM and click "Generate DKIM Settings"

This will generate a table of DKIM CNAME records. You'll need to log into your domain registrar and add these three CNAME records. An example row for the subdomain will look like:

Please note, that some registrars automatically append the apex domain name to the hostname portion of the CNAME record. So the actual value you should paste in would be:

Since your registrar will automatically append to it.

Setting up SPF

All domains require the same TXT record to use Amazon SES as an email service provider. See Authenticating Email with SPF in Amazon SES for a full guide. Here's the TLDR:

  1. go to your domain registrar
  2. add a TXT record with @ as the hostname
  3. use v=spf1 ~all for the value

You need to have a TXT record for each subdomain. So @ can be used if you're sending from the apex (eg, but if you're sending from you'll need to add another TXT record with marketing as the hostname.

Also if you already have an SPF record, you can add additional domains to it with the include: directive. The format below adds two email service providers:

v=spf1 ~all

Follow me via , RSS feed, or Twitter.

You may also enjoy:
Deliberate Practice and the Hero's Journey · Developer Financial Independence · Chicago · All Articles →