Amazon Simple Email Service (Amazon SES) is a cloud-based email sending service designed to help digital marketers and application developers send marketing, notification, and transactional emails. It is a reliable, cost-effective service for businesses of all sizes that use email to keep in contact with their customers.
A reverse Domain Name System (DNS) lookup is used by email servers to track where a message originated from, and confirm that it's not spam or malicious. A reverse DNS lookup returns the domain name of an IP address. This is in contrast to a forward DNS lookup, which returns the IP address of a domain.
Along with SPF, we recommend setting up DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting & Conformance (DMARC):
- SPF specifies the servers that can send email for a domain.
- DKIM verifies that message content is authentic and not changed.
- DMARC specifies how your domain handles suspicious incoming emails.
- Problems with Emails Received from Amazon SES
- Authenticating Your Email in Amazon SES
- Authenticating Email with DKIM in Amazon SES
- Authenticating Email with SPF in Amazon SES
- Complying with DMARC Using Amazon SES
example.com TXT "v=spf1 include:amazonses.com ~all"
_dmarc.example.com TXT "v=DMARC1;p=quarantine;pct=25;rua=mailto:firstname.lastname@example.org"
You may need to help sendmail to find the chain certificate, when you see the warning 'verify=FAIL'...
May 22 11:38:04 server1 sendmail: STARTTLS=client, relay=email-smtp.eu-west-1.amazonaws.com., version=TLSv1/SSLv3, verify=FAIL, cipher=ECDHE-RSA-AES256-GCM-SHA384, bits=256/256
Check that the system can find the chain...
$ openssl s_client -crlf -quiet -starttls smtp -connect email-smtp.eu-west-1.amazonaws.com:25 CONNECTED(00000003) depth=3 C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Services Root Certificate Authority - G2 verify error:num=20:unable to get local issuer certificate verify return:0
Check you have the certificates installed...
ls -lah /etc/ssl/certs | grep 'Amazon'
Now check again, using the -CApath parameter to help the client...
$ openssl s_client -CApath /etc/ssl/certs -crlf -quiet -starttls smtp -connect email-smtp.eu-west-1.amazonaws.com:25 depth=2 C = US, O = Amazon, CN = Amazon Root CA 1 verify return:1 depth=1 C = US, O = Amazon, OU = Server CA 1B, CN = Amazon verify return:1 depth=0 CN = email-smtp.eu-west-1.amazonaws.com verify return:1 250 Ok
SPF DKIM Testing
Send a blank email to email@example.com and it will reply with test results...
========================================================== Summary of Results ========================================================== SPF check: pass "iprev" check: pass DKIM check: pass SpamAssassin check: ham