AWS SES
Amazon Simple Email Service (Amazon SES) is a cloud-based email sending service designed to help digital marketers and application developers send marketing, notification, and transactional emails. It is a reliable, cost-effective service for businesses of all sizes that use email to keep in contact with their customers.
DNS
A reverse Domain Name System (DNS) lookup is used by email servers to track where a message originated from, and confirm that it's not spam or malicious. A reverse DNS lookup returns the domain name of an IP address. This is in contrast to a forward DNS lookup, which returns the IP address of a domain.
Configuring reverse DNS for an email server
Amazon Lightsail Configuring Reverse DNS For Email
AWS Console Support Reverse DNS Limit Request Form
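Receiving servers turn the reverse lookup described above into a forward-confirmed check (reported as "iprev" in the port25 results further down): the PTR name for the connecting IP must itself resolve back to that IP. The function below is an added example, not code from AWS or from this page; the resolver functions are injectable and the fake DNS data is constructed (RFC 5737 documentation addresses) so it runs offline, while the defaults use the real socket resolver.

```python
import socket

# Forward-confirmed reverse DNS, the check mail servers report as "iprev":
# the PTR name for the connecting IP must itself resolve back to that IP.
# Added example; the resolver functions are injectable so it can be tested offline.


def fcrdns_check(ip, reverse=socket.gethostbyaddr, forward=socket.gethostbyname_ex):
    """Return (status, hostname): 'pass', 'fail' or 'permerror' (no PTR record)."""
    try:
        ptr_name, aliases, _ = reverse(ip)
    except OSError:  # socket.herror / socket.gaierror are OSError subclasses
        return ("permerror", None)
    for host in [ptr_name] + list(aliases):
        try:
            _, _, addrs = forward(host)
        except OSError:
            continue
        if ip in addrs:
            return ("pass", host)
    return ("fail", ptr_name)


# Constructed fake DNS data (RFC 5737 documentation addresses, not real hosts).
FAKE_PTR = {
    "192.0.2.10": ("mail.example.com", [], ["192.0.2.10"]),
    "192.0.2.11": ("mail.example.com", [], ["192.0.2.11"]),  # PTR claims a name it does not own
}
FAKE_A = {
    "mail.example.com": ("mail.example.com", [], ["192.0.2.10"]),
}


def fake_reverse(ip):
    """Stand-in for socket.gethostbyaddr backed by FAKE_PTR."""
    if ip not in FAKE_PTR:
        raise socket.herror(1, "Unknown host")
    return FAKE_PTR[ip]


def fake_forward(host):
    """Stand-in for socket.gethostbyname_ex backed by FAKE_A."""
    if host not in FAKE_A:
        raise socket.gaierror(-2, "Name or service not known")
    return FAKE_A[host]


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.11", "192.0.2.12"):
        print(ip, fcrdns_check(ip, fake_reverse, fake_forward))
```

Calling `fcrdns_check("203.0.113.7")` with no extra arguments performs the real lookups; the fake resolvers exist so the pass, fail and missing-PTR branches can be exercised without network access.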
Authentication
Along with SPF, we recommend setting up DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting & Conformance (DMARC):
- SPF specifies the servers that can send email for a domain.
- DKIM verifies that message content is authentic and not changed.
- DMARC tells receiving servers how to handle messages that claim to come from your domain but fail SPF or DKIM, and where to send reports.
- Problems with Emails Received from Amazon SES
- Authenticating Your Email in Amazon SES
- Authenticating Email with DKIM in Amazon SES
- Authenticating Email with SPF in Amazon SES
- Complying with DMARC Using Amazon SES
SPF
Example...
example.com TXT "v=spf1 include:amazonses.com ~all"
DKIM
https://aws.amazon.com/premiumsupport/knowledge-center/ses-dmarc-spf-dkim-alignment/
DMARC
Example...
_dmarc.example.com TXT "v=DMARC1;p=quarantine;pct=25;rua=mailto:dmarcreports@example.com"
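The SPF and DMARC records above are easy to get subtly wrong (a `+all`, a forgotten `include:`, a `p=none` that never graduates, a `pct` that leaves most failing mail untouched). The checker below is an added example, not code from AWS or from this page: it parses both record types from their text and returns a list of findings, doing no DNS queries itself. The `amazonses.com` include requirement is a parameter; the expected-finding wording is this example's own.

```python
import re

# Added example: parse the SPF and DMARC TXT records shown above and flag settings
# that weaken them. Offline only: pass the record text in, it does no DNS queries.

# Terms that each count against the SPF limit of 10 DNS-querying mechanisms.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_spf(record):
    """Return {'terms': [(qualifier, term)], 'all': qualifier or None, 'lookups': n}."""
    words = record.split()
    if not words or words[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: %r" % record)
    spf = {"terms": [], "all": None, "lookups": 0}
    for word in words[1:]:
        qualifier = "+"  # the default qualifier is pass
        if word[0] in "+-~?":
            qualifier, word = word[0], word[1:]
        name = re.split(r"[:/=]", word, maxsplit=1)[0].lower()
        if name == "all":
            spf["all"] = qualifier
            continue
        spf["terms"].append((qualifier, word))
        if name in LOOKUP_TERMS:
            spf["lookups"] += 1
    return spf


def check_spf(record, required_include="amazonses.com"):
    """Return a list of findings; an empty list means nothing to flag."""
    spf = parse_spf(record)
    findings = []
    if not any(t.lower() == "include:" + required_include for _, t in spf["terms"]):
        findings.append("missing include:%s, so mail relayed through SES fails SPF" % required_include)
    if spf["all"] is None:
        findings.append("no 'all' term, unlisted senders get a neutral result")
    elif spf["all"] == "+":
        findings.append("'+all' authorises every host to send for the domain")
    elif spf["all"] in ("~", "?"):
        findings.append("'%sall' is softfail/neutral; move to '-all' once every sender is listed" % spf["all"])
    if spf["lookups"] > 10:
        findings.append("%d lookup terms exceed the limit of 10" % spf["lookups"])
    return findings


def parse_dmarc(record):
    """Return the tag=value pairs of a DMARC record as a dict with lower-case tag names."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError("malformed DMARC tag: %r" % part)
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record: %r" % record)
    return tags


def check_dmarc(record):
    """Return a list of findings about the policy; an empty list means nothing to flag."""
    tags = parse_dmarc(record)
    findings = []
    policy = tags.get("p")
    if policy is None:
        findings.append("missing required p= tag")
    elif policy == "none":
        findings.append("p=none only monitors; failing mail is still delivered")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append("pct=%d applies the policy to only %d%% of failing mail" % (pct, pct))
    if "rua" not in tags:
        findings.append("no rua= address, so no aggregate reports will arrive")
    return findings


if __name__ == "__main__":
    for rec in ("v=spf1 include:amazonses.com ~all", "v=spf1 include:amazonses.com -all"):
        print(rec, "->", check_spf(rec))
    print(check_dmarc("v=DMARC1;p=quarantine;pct=25;rua=mailto:dmarcreports@example.com"))
```

Run against the two records above it reports the `~all` softfail and the `pct=25` rollout setting; both are deliberate choices during a rollout, but they are the ones to revisit once all legitimate senders are in the SPF record and the DMARC reports look clean.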
MTA-STS
https://www.checktls.com/TestReceiver
Certificates
You may need to help sendmail find the CA chain when the mail log shows 'verify=FAIL' for the SES relay...
May 22 11:38:04 server1 sendmail[8726]: STARTTLS=client, relay=email-smtp.eu-west-1.amazonaws.com., version=TLSv1/SSLv3, verify=FAIL, cipher=ECDHE-RSA-AES256-GCM-SHA384, bits=256/256
Check that the system can find the chain...
$ openssl s_client -crlf -quiet -starttls smtp -connect email-smtp.eu-west-1.amazonaws.com:25
CONNECTED(00000003)
depth=3 C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Services Root Certificate Authority - G2
verify error:num=20:unable to get local issuer certificate
verify return:0
Check you have the certificates installed...
ls -lah /etc/ssl/certs | grep 'Amazon'
Now check again, using the -CApath parameter to help the client...
$ openssl s_client -CApath /etc/ssl/certs -crlf -quiet -starttls smtp -connect email-smtp.eu-west-1.amazonaws.com:25
depth=2 C = US, O = Amazon, CN = Amazon Root CA 1
verify return:1
depth=1 C = US, O = Amazon, OU = Server CA 1B, CN = Amazon
verify return:1
depth=0 CN = email-smtp.eu-west-1.amazonaws.com
verify return:1
250 Ok
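A 'verify=FAIL' on the outbound relay means sendmail is sending through a TLS session whose peer it could not authenticate, so it is worth alerting on rather than finding by chance. The script below is an added example, not code from AWS or from this page: it extracts the verification result from sendmail STARTTLS log lines and the chain errors from `openssl s_client` output. The first log line and the two openssl transcripts are copied from above; the other log lines are constructed (RFC 5737 documentation addresses, made-up queue id) and no host is contacted.

```python
import re

# Added example: pull the STARTTLS verification result out of sendmail log lines
# and the chain errors out of `openssl s_client` output. Sample data is taken
# from the log and openssl output shown above plus constructed lines; the hosts
# are never contacted.

# Constructed sendmail log excerpt (first line is the page's example; the others are made up).
SAMPLE_LOG = """\
May 22 11:38:04 server1 sendmail[8726]: STARTTLS=client, relay=email-smtp.eu-west-1.amazonaws.com., version=TLSv1/SSLv3, verify=FAIL, cipher=ECDHE-RSA-AES256-GCM-SHA384, bits=256/256
May 22 11:38:05 server1 sendmail[8726]: 4ABCDEF1: to=<user@example.net>, delay=00:00:01, xdelay=00:00:01, mailer=relay, relay=email-smtp.eu-west-1.amazonaws.com. [203.0.113.7], dsn=2.0.0, stat=Sent
May 22 11:52:40 server1 sendmail[8790]: STARTTLS=client, relay=email-smtp.eu-west-1.amazonaws.com., version=TLSv1.2, verify=OK, cipher=ECDHE-RSA-AES256-GCM-SHA384, bits=256/256
"""

STARTTLS_RE = re.compile(r"sendmail\[(?P<pid>\d+)\]: STARTTLS=(?P<role>\w+), (?P<fields>.+)$")


def parse_starttls(line):
    """Return the key=value fields of a sendmail STARTTLS log line, or None for other lines."""
    match = STARTTLS_RE.search(line)
    if not match:
        return None
    fields = dict(item.split("=", 1) for item in match.group("fields").split(", "))
    fields["pid"] = int(match.group("pid"))
    fields["role"] = match.group("role")
    return fields


def unverified_relays(log_text):
    """List (relay, verify) for outbound TLS sessions whose peer certificate did not verify."""
    hits = []
    for line in log_text.splitlines():
        fields = parse_starttls(line)
        if fields and fields["role"] == "client" and fields.get("verify") != "OK":
            hits.append((fields["relay"].rstrip("."), fields["verify"]))
    return hits


# openssl s_client output before the CA path was supplied (copied from above).
OPENSSL_FAIL = """\
CONNECTED(00000003)
depth=3 C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Services Root Certificate Authority - G2
verify error:num=20:unable to get local issuer certificate
verify return:0
"""

# ...and after -CApath /etc/ssl/certs (copied from above).
OPENSSL_OK = """\
depth=2 C = US, O = Amazon, CN = Amazon Root CA 1
verify return:1
depth=1 C = US, O = Amazon, OU = Server CA 1B, CN = Amazon
verify return:1
depth=0 CN = email-smtp.eu-west-1.amazonaws.com
verify return:1
250 Ok
"""

VERIFY_ERROR_RE = re.compile(r"^verify error:num=(\d+):(.*)$")


def chain_verify_errors(output):
    """Return (depth, error number, message) for every verify error openssl reported."""
    errors = []
    depth = None
    for line in output.splitlines():
        if line.startswith("depth="):
            depth = int(line.split(None, 1)[0][len("depth="):])
        match = VERIFY_ERROR_RE.match(line)
        if match:
            errors.append((depth, int(match.group(1)), match.group(2)))
    return errors


if __name__ == "__main__":
    print(unverified_relays(SAMPLE_LOG))
    print(chain_verify_errors(OPENSSL_FAIL), chain_verify_errors(OPENSSL_OK))
```

`unverified_relays` is the piece to wire into log monitoring (anything other than `verify=OK` for a client session to the SES endpoint is a finding); `chain_verify_errors` turns the openssl transcript into a structured result so the fix (installing the Amazon roots, or pointing at them with -CApath) can be confirmed by an empty list rather than by eyeballing output.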
Amazon Trust Services Repository
SPF DKIM Testing
Send a blank email to check-auth@verifier.port25.com and it will reply with test results...
==========================================================
Summary of Results
==========================================================
SPF check:          pass
"iprev" check:      pass
DKIM check:         pass
SpamAssassin check: ham
OpenDKIM
https://petermolnar.net/article/howto-spf-dkim-dmarc-postfix/