AWS SES
Amazon Simple Email Service (Amazon SES) is a cloud-based email sending service designed to help digital marketers and application developers send marketing, notification, and transactional emails. It is a reliable, cost-effective service for businesses of all sizes that use email to keep in contact with their customers.
DNS
A reverse DNS (PTR) lookup is one of the checks receiving mail servers use to judge where a message came from and whether it is likely to be spam or malicious. A reverse lookup returns the hostname for an IP address, the opposite of a forward lookup, which returns the IP address of a hostname. Receivers generally also expect the PTR hostname to resolve back to the same IP (forward-confirmed reverse DNS, which the port25 verifier reports as the "iprev" check), so publish the matching A record as well as the PTR. This only matters for mail sent directly from your own IP; mail relayed through the SES SMTP endpoint leaves from Amazon's addresses, whose reverse DNS Amazon manages.
Configuring reverse DNS for an email server
Amazon Lightsail Configuring Reverse DNS For Email
AWS Console Support Reverse DNS Limit Request Form
Authentication
Along with SPF, set up DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting & Conformance (DMARC); each covers a gap the others leave:
- SPF: Publishes, as a TXT record, which hosts (by address range, or by include: of another domain's record) may send mail using your domain as the envelope MAIL FROM (Return-Path). It says nothing about the From: header the recipient sees.
- DKIM: Adds a digital signature to each outgoing message, verifiable with a public key published under a selector in your DNS, so receiving servers can confirm that the signed headers and body came from your domain and were not altered in transit.
- DMARC: Tells receiving servers what to do with messages that carry your domain in the From: header but fail both SPF and DKIM alignment (none, quarantine or reject), and where to send aggregate and failure reports.
- Problems with Emails Received from Amazon SES
- Authenticating Your Email in Amazon SES
- Authenticating Email with DKIM in Amazon SES
- Authenticating Email with SPF in Amazon SES
- Complying with DMARC Using Amazon SES
SPF
Example...
example.com TXT "v=spf1 include:amazonses.com ~all"
SPF is evaluated against the envelope MAIL FROM domain, not the From: header. With the default SES MAIL FROM (a subdomain of amazonses.com) the SPF check passes on Amazon's own record but does not align with your domain for DMARC; to get SPF alignment, configure a custom MAIL FROM domain in SES and publish the include:amazonses.com record on that subdomain (for example bounce.example.com). ~all (softfail) is the usual choice while you are still discovering legitimate senders; move to -all once every source is listed.
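To make the include: mechanism and the ~all/-all qualifiers concrete, here is an offline SPF evaluator. It is an added example, not code from this page or from AWS: the TXT records and address ranges in FAKE_DNS_TXT are constructed stand-ins (the real amazonses.com record is larger and changes over time, so never copy its contents into your own zone), and the evaluator only implements the ip4, ip6, include and all mechanisms plus the RFC 7208 limit of 10 DNS-lookup mechanisms.

```python
"""Offline SPF evaluation (added example; constructed DNS data, not AWS's)."""
import ipaddress

# Constructed stand-in for DNS TXT lookups (hypothetical zone data).
FAKE_DNS_TXT = {
    "example.com": "v=spf1 include:amazonses.com ~all",
    "bounce.example.com": "v=spf1 include:amazonses.com -all",
    "amazonses.com": "v=spf1 ip4:198.51.100.0/24 ip4:203.0.113.0/24 -all",
    "loop.example": "v=spf1 include:loop.example ~all",
}

MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4
QUAL_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def _split_qualifier(term):
    """Split a leading +, -, ~ or ? off a mechanism; '+' is the default."""
    if term[0] in "+-~?":
        return term[0], term[1:]
    return "+", term


def check_spf(ip, domain, dns=FAKE_DNS_TXT, _state=None):
    """Return the SPF result for `ip` using `domain` as the MAIL FROM domain.

    Handles the ip4, ip6, include and all mechanisms (all the example
    records need); a, mx, ptr and exists would need further lookups and are
    reported as permerror here rather than silently passing.
    """
    if _state is None:
        _state = {"lookups": 0}
    record = dns.get(domain.lower().rstrip("."))
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in terms[1:]:
        if "=" in term:               # redirect=, exp= and other modifiers: not handled
            continue
        qualifier, mechanism = _split_qualifier(term)
        name, _, arg = mechanism.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = addr.version == net.version and addr in net
        elif name == "include":
            _state["lookups"] += 1
            if _state["lookups"] > MAX_LOOKUPS:
                return "permerror"    # too many lookups, or a loop as in loop.example
            sub = check_spf(ip, arg, dns, _state)
            if sub in ("permerror", "none"):
                return "permerror"    # RFC 7208 5.2: included domain must have a record
            if sub == "temperror":
                return "temperror"
            matched = sub == "pass"   # include matches only when the inner result is pass
        else:
            return "permerror"        # a, mx, ptr, exists or an unknown mechanism
        if matched:
            return QUAL_RESULT[qualifier]
    return "neutral"                  # nothing matched and no 'all' term


if __name__ == "__main__":
    for sender in ("198.51.100.7", "192.0.2.1", "2001:db8::1"):
        print(sender, "example.com ->", check_spf(sender, "example.com"))
    print("loop.example ->", check_spf("192.0.2.1", "loop.example"))
```

The loop.example entry shows why the lookup cap matters: a record that includes itself (or a long chain of includes from several SaaS senders) turns into permerror, which most receivers treat as no SPF at all.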
DKIM
https://aws.amazon.com/premiumsupport/knowledge-center/ses-dmarc-spf-dkim-alignment/
https://docs.aws.amazon.com/ses/latest/DeveloperGuide/troubleshoot-dkim.html
https://serverfault.com/questions/579879/how-to-avoid-554-error-duplicate-header
DMARC
Example...
_dmarc.example.com TXT "v=DMARC1;p=quarantine;pct=25;rua=mailto:dmarcreports@example.com"
pct=25 applies the quarantine policy to only a quarter of failing messages; the rest are handled as if the policy were the next weaker one (p=none). That is a sensible ramp-up step: raise pct to 100, then move to p=reject, once the aggregate (rua) reports show only illegitimate mail failing. Because SES does not align SPF unless you configure a custom MAIL FROM domain, DMARC on SES mail normally passes on DKIM alone, so set up DKIM for the domain (Easy DKIM or BYODKIM) before enforcing any policy.
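The alignment rules are where SES setups usually go wrong, so here is an added worked example (not code from this page or from AWS) that parses a DMARC record like the one above and applies RFC 7489 alignment: an SPF pass counts only if the MAIL FROM (Return-Path) domain aligns with the From: header domain, and a DKIM pass counts only if the signature's d= domain aligns. The message headers and records are constructed; the SPF and DKIM results themselves are passed in, since verifying them needs DNS and the signing keys. The organizational-domain function is a deliberate simplification (last two labels) that holds for the example domains but not for every public suffix.

```python
"""DMARC alignment for SES-relayed mail (added example with constructed headers)."""
from email import message_from_string
from email.utils import parseaddr

# Constructed DMARC record with the same tags as the example in this section.
DMARC_RECORD = "v=DMARC1;p=quarantine;pct=25;rua=mailto:dmarcreports@example.com"

# Constructed headers: SES default MAIL FROM domain, From: on the customer domain.
SES_DEFAULT_MAILFROM = """\
Return-Path: <0100018c9a2b3c4d-0b1e7d3a-1111-2222-3333-444444444444-000000@eu-west-1.amazonses.com>
From: Alerts <alerts@example.com>
To: ops@example.net
Subject: constructed test message

hello
"""

# Constructed headers after configuring a custom MAIL FROM domain in SES.
SES_CUSTOM_MAILFROM = SES_DEFAULT_MAILFROM.replace(
    "@eu-west-1.amazonses.com", "@bounce.example.com")

WEAKER_POLICY = {"reject": "quarantine", "quarantine": "none", "none": "none"}


def parse_dmarc(record):
    """Parse a DMARC TXT record into a tag dict, filling in RFC 7489 defaults."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record: %r" % record)
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("missing or invalid p= tag: %r" % record)
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    tags["pct"] = int(tags.get("pct", "100"))
    return tags


def org_domain(domain):
    """Organizational domain approximated as the last two labels (assumption;
    a real evaluator consults the Public Suffix List)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Relaxed ('r') compares organizational domains; strict ('s') needs an exact match."""
    if not auth_domain or not from_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate_dmarc(raw_message, spf_result, dkim_results, record=DMARC_RECORD):
    """Combine authentication results with alignment.

    spf_result:   SPF result for the MAIL FROM domain ('pass', 'softfail', ...).
    dkim_results: list of (d= domain, result) pairs, one per signature checked.
    """
    tags = parse_dmarc(record)
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    mail_from = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2]
    spf_aligned = spf_result == "pass" and aligned(mail_from, from_domain, tags["aspf"])
    dkim_aligned = any(result == "pass" and aligned(d, from_domain, tags["adkim"])
                       for d, result in dkim_results)
    passed = spf_aligned or dkim_aligned
    return {
        "from_domain": from_domain,
        "mail_from_domain": mail_from,
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "dmarc": "pass" if passed else "fail",
        "policy": "none" if passed else tags["p"],
        "pct": tags["pct"],
    }


def disposition(result, sample):
    """Apply pct= sampling (RFC 7489 section 6.6.4). `sample` is a number 0-99 drawn
    by the receiver; failing messages outside the pct fraction get the next weaker
    policy, which is why pct=25 quarantines only a quarter of failures."""
    if result["dmarc"] == "pass" or sample < result["pct"]:
        return result["policy"]
    return WEAKER_POLICY[result["policy"]]


if __name__ == "__main__":
    # Easy DKIM for example.com carries DMARC even though SPF is unaligned.
    print(evaluate_dmarc(SES_DEFAULT_MAILFROM, "pass", [("example.com", "pass")]))
    # Without DKIM for the domain, SPF pass on amazonses.com is not enough.
    print(evaluate_dmarc(SES_DEFAULT_MAILFROM, "pass", [("amazonses.com", "pass")]))
```

The second case in the usage block is the common SES misconfiguration: SPF passes (Amazon's record authorises Amazon's IPs for Amazon's bounce domain) and SES signs with its own d=amazonses.com, yet DMARC fails because neither identifier belongs to example.com.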
MTA-STS
https://www.checktls.com/TestReceiver
https://www.naut.ca/blog/2020/04/07/mta-sts-in-5-minutes/
Certificates
You may need to help sendmail find the CA chain for the SES endpoint when the log shows verify=FAIL. TLS is still negotiated, but the server certificate is not verified, so the relay would accept any certificate presented by a man-in-the-middle. In sendmail.mc the relevant settings are confCACERT_PATH (a directory of hashed CA certificates) and confCACERT (a bundle file)...
May 22 11:38:04 server1 sendmail[8726]: STARTTLS=client, relay=email-smtp.eu-west-1.amazonaws.com., version=TLSv1/SSLv3, verify=FAIL, cipher=ECDHE-RSA-AES256-GCM-SHA384, bits=256/256
Check that the system can find the chain...
$ openssl s_client -crlf -quiet -starttls smtp -connect email-smtp.eu-west-1.amazonaws.com:25
CONNECTED(00000003)
depth=3 C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Services Root Certificate Authority - G2
verify error:num=20:unable to get local issuer certificate
verify return:0
Check you have the certificates installed (on Debian-based systems they come from the ca-certificates package)...
ls -lah /etc/ssl/certs | grep 'Amazon'
Now check again, using the -CApath parameter to help the client...
$ openssl s_client -CApath /etc/ssl/certs -crlf -quiet -starttls smtp -connect email-smtp.eu-west-1.amazonaws.com:25
depth=2 C = US, O = Amazon, CN = Amazon Root CA 1
verify return:1
depth=1 C = US, O = Amazon, OU = Server CA 1B, CN = Amazon
verify return:1
depth=0 CN = email-smtp.eu-west-1.amazonaws.com
verify return:1
250 Ok
Amazon Trust Services Repository
SPF Information
dig txt mydomain.com | grep "v=spf1"
mydomain.com.  3600  IN  TXT  "v=spf1 include:amazonses.com ~all"
SPF DKIM Testing
Send a blank email to check-auth@verifier.port25.com and it will reply with test results. Send it from the domain and through the path you want tested (for example via the SES SMTP endpoint), so the verifier sees the real envelope sender and DKIM signature...
==========================================================
Summary of Results
==========================================================
SPF check:          pass
"iprev" check:      pass
DKIM check:         pass
SpamAssassin check: ham
OpenDKIM
https://petermolnar.net/article/howto-spf-dkim-dmarc-postfix/