From Indie IT Wiki
Revision as of 13:01, 13 January 2022 by Plittlefield

Amazon Simple Email Service (Amazon SES) is a cloud-based email sending service designed to help digital marketers and application developers send marketing, notification, and transactional emails. It is a reliable, cost-effective service for businesses of all sizes that use email to keep in contact with their customers.


A reverse Domain Name System (DNS) lookup is used by email servers to track where a message originated from, and confirm that it's not spam or malicious. A reverse DNS lookup returns the domain name of an IP address. This is in contrast to a forward DNS lookup, which returns the IP address of a domain.

Configuring reverse DNS for an email server

Amazon Lightsail Configuring Reverse DNS For Email

AWS Console Support Reverse DNS Limit Request Form


Along with SPF, we recommend setting up DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting & Conformance (DMARC):

  • SPF specifies the servers that can send email for a domain.
  • DKIM verifies that message content is authentic and not changed.
  • DMARC tells receiving servers how to handle messages that claim to come from your domain but fail SPF or DKIM checks.

  1. Problems with Emails Received from Amazon SES
  2. Authenticating Your Email in Amazon SES
  3. Authenticating Email with DKIM in Amazon SES
  4. Authenticating Email with SPF in Amazon SES
  5. Complying with DMARC Using Amazon SES


Example... TXT "v=spf1 ~all"

SPF Checker



Example... TXT "v=DMARC1;p=quarantine;pct=25;"

DMARC Report Analyzer
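As an added example (not part of the original wiki page or of any AWS tooling), the Python below lints the SPF and DMARC TXT records shown in the two examples above, following the RFC 7208 and RFC 7489 record syntax. The function names and the example.com records are assumptions made for illustration.

```python
import re
SPF_TERM = re.compile(r"([+\-~?]?)([^:/=]*)([:/=]?)")  # qualifier, name, delimiter
QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
NEXT_LOWER = {"reject": "quarantine", "quarantine": "none"}  # RFC 7489 pct fallback
PAGE_SPF, PAGE_DMARC = "v=spf1 ~all", "v=DMARC1;p=quarantine;pct=25;"  # as on this page
SAMPLE_SPF = "v=spf1 include:_spf.example.com ~all"                    # constructed
SAMPLE_DMARC = "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com"  # constructed

def lint_spf(record):
    """Return findings for an SPF TXT record (RFC 7208 term syntax)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not SPF: record must start with v=spf1"]
    findings, authorizing, redirect, all_result = [], 0, False, None
    for term in terms[1:]:
        qual, name, delim = SPF_TERM.match(term.lower()).groups()
        if delim == "=":                       # modifier such as redirect= or exp=
            redirect = redirect or name == "redirect"
        elif name == "all":
            all_result = QUALIFIER[qual or "+"]
        elif name not in ("include", "a", "mx", "ptr", "ip4", "ip6", "exists"):
            findings.append(f"unknown mechanism: {term}")
        elif qual in ("", "+"):
            authorizing += 1                   # this term can return "pass"
    if all_result == "pass":
        findings.append("+all lets any host pass SPF")
    elif authorizing == 0 and not redirect:
        findings.append(f"no sender is authorized; all mail gets {all_result or 'neutral'}")
    return findings

def lint_dmarc(record):
    """Return findings for a DMARC TXT record (RFC 7489 tag list)."""
    pairs = [tuple(x.strip() for x in t.split("=", 1)) for t in record.split(";") if "=" in t]
    if not pairs or pairs[0] != ("v", "DMARC1"):
        return ["not DMARC: first tag must be v=DMARC1"]
    tags = {k.lower(): v for k, v in pairs}
    findings, policy, pct = [], tags.get("p", "").lower(), tags.get("pct", "100")
    if policy not in ("none", "quarantine", "reject"):
        findings.append("p= is missing or invalid")
    if not pct.isdecimal() or int(pct) > 100:
        findings.append("pct must be an integer from 0 to 100")
    elif int(pct) < 100 and policy in NEXT_LOWER:
        findings.append(f"p={policy} covers {pct}% of failing mail; the rest gets p={NEXT_LOWER[policy]}")
    if "rua" not in tags:
        findings.append("no rua= address, so no aggregate reports arrive")
    return findings

if __name__ == "__main__":
    print(lint_spf(PAGE_SPF), lint_dmarc(PAGE_DMARC), sep="\n")
```

The two constructed records produce no findings, which makes them a useful contrast when checking a record before it is published in DNS.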



You may need to help sendmail find the chain certificate when you see the warning 'verify=FAIL'...

May 22 11:38:04 server1 sendmail[8726]: STARTTLS=client,, version=TLSv1/SSLv3, verify=FAIL, cipher=ECDHE-RSA-AES256-GCM-SHA384, bits=256/256

Check that the system can find the chain...

$ openssl s_client -crlf -quiet -starttls smtp -connect
depth=3 C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Services Root Certificate Authority - G2
verify error:num=20:unable to get local issuer certificate
verify return:0

Check you have the certificates installed...

$ ls -lah /etc/ssl/certs | grep 'Amazon'

Now check again, using the -CApath parameter to help the client...

$ openssl s_client -CApath /etc/ssl/certs -crlf -quiet -starttls smtp -connect
depth=2 C = US, O = Amazon, CN = Amazon Root CA 1
verify return:1
depth=1 C = US, O = Amazon, OU = Server CA 1B, CN = Amazon
verify return:1
depth=0 CN =
verify return:1
250 Ok

Amazon Trust Services Repository

SPF DKIM Testing


Send a blank email to and it will reply with test results...

Summary of Results
SPF check:          pass
"iprev" check:      pass
DKIM check:         pass
SpamAssassin check: ham