Skip to main content
Email identities are domains you send emails from. You must verify domain ownership before sending emails through AWS SES.
  1. Navigate to Email Identities > Create identity. Enter your domain (e.g., example.com), and click Create
  2. Open the identity, copy DKIM CNAME records, add to your DNS provider (verification typically takes 5-10 minutes, up to 72 hours)
  3. After verification, go to Senders tab > Add sender, enter email address using your domain (e.g., hello@example.com) and optional display name
DKIM verification is required before sending emails.

DomainKeys Identified Mail (DKIM)

DKIM prevents email spoofing by adding digital signatures to email headers. AWS SES generates cryptographic keys: the public key is published in DNS, and emails are signed with the private key.

Setup

AWS SES generates three DKIM CNAME tokens. Add all three records to your DNS provider:
FieldValue
TypeCNAME
Name{token}._domainkey.example.com
Value{token}.dkim.amazonses.com

Mail FROM Domain

The Mail FROM domain appears in the email’s envelope, separate from the “From” header recipients see.

Benefits

Configuring a custom Mail FROM domain instead of AWS default (amazonses.com):
  • Improves deliverability through domain alignment
  • Enables SPF alignment for DMARC
  • Maintains brand consistency
  • Controls sending reputation

Setup

  1. Authentication tab > Mail FROM > Enable
  2. Enter subdomain (e.g., mail)
  3. Choose MX failure behavior (recommend: Use default value)
  4. Add DNS records:
FieldValue
TypeMX
Namemail.example.com
Priority10
Valuefeedback-smtp.{region}.amazonses.com
FieldValue
TypeTXT
Namemail.example.com
Valuev=spf1 include:amazonses.com ~all
Mail FROM is highly recommended but optional for production sending.

DMARC

DMARC builds on SPF and DKIM, telling email servers how to handle failed authentication.

Benefits

  • Prevents phishing using your domain
  • Improves deliverability with major providers
  • Provides visibility into email sending
  • May be required for compliance

Setup

Add TXT record to your DNS provider:
FieldValue
TypeTXT
Name_dmarc.example.com
Valuev=DMARC1; p=none;
Policy options (p=):
  • none: Monitor only (start here)
  • quarantine: Send suspicious emails to spam
  • reject: Block failed emails
Start with p=none, then gradually move to p=quarantine and p=reject after reviewing reports.