The Amazon SES team is pleased to announce that, to increase your email authentication options, you can now use your own MAIL FROM domain when you send emails with SES.
First, a quick refresher on the different "source" addresses associated with an email: an email has a "From" address and a MAIL FROM address. The "From" address is the address that you pass to SES in the header of your email. This is the address that recipients see when they view your email in their inbox (RFC 5322). The MAIL FROM address (a.k.a. "envelope MAIL FROM"), on the other hand, is the address that the sending mail server (SES) transmits to the receiving mail server to indicate the source of the mail (RFC 5321). The MAIL FROM address is used by the receiving mail server to return bounce messages and other error notifications, and is only viewable by recipients if they inspect the email's headers in the raw message source. By default, SES uses its own MAIL FROM domain (amazonses.com or a subdomain of that) when it sends your emails.
Why use my own MAIL FROM domain?
You might choose to use your own MAIL FROM domain to give you more flexibility in complying with Domain-based Message Authentication, Reporting and Conformance (DMARC). DMARC is an email authentication protocol that relies on two other authentication protocols (Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM)) to enable receiving mail servers to validate that an incoming email is authorized by the owner of the sending domain and has not been modified during transit.
An email can comply with DMARC in two ways: by satisfying the DKIM requirements and/or by satisfying the SPF requirements. You can use either method, but some senders prefer to use both DKIM and SPF for maximum deliverability. As established by DMARC, the requirements for each validation are as follows:
- DKIM. The requirements to pass DKIM validation for DMARC are: 1) the message must have a valid DKIM signature, and 2) the domain in the DKIM signature must align with the domain in the "From" address in the header of the email. You can easily achieve DKIM validation with SES, which provides a tool (EasyDKIM) to DKIM-sign your messages automatically.
- SPF. The requirements to pass SPF validation for DMARC are: 1) the domain in the MAIL FROM address of the email must authorize the sending mail server to send for it via a DNS record, and 2) the domain in the email's "From" address must match the MAIL FROM domain. When SES uses its default MAIL FROM domain, the first SPF requirement is satisfied (because the MAIL FROM domain is amazonses.com, and the mail server is SES), but the second requirement is not satisfied. This is where the benefit of using your own MAIL FROM domain comes in – it enables you to meet that second SPF requirement.
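The two alignment checks above, as an added example (not SES code and not part of the original post): it evaluates SPF and DKIM alignment against the "From" domain using DMARC's default relaxed alignment, under which a subdomain such as bounce.example.com aligns with example.com. The organizational-domain helper is a simplifying assumption (last two labels rather than the Public Suffix List), and the function names and sample messages are constructed for illustration.

```python
# Added example: DMARC identifier alignment for SPF and DKIM.
# Assumption: the organizational domain is approximated as the last two
# labels; a production evaluator consults the Public Suffix List instead.

def org_domain(domain):
    """Approximate organizational domain, e.g. bounce.example.com -> example.com."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def aligned(from_domain, auth_domain, strict=False):
    """True if an authenticated domain aligns with the header "From" domain.

    Relaxed (default): organizational domains must be equal.
    Strict: the two domains must be identical.
    """
    a = from_domain.lower().rstrip(".")
    b = auth_domain.lower().rstrip(".")
    return a == b if strict else org_domain(a) == org_domain(b)

def dmarc_evaluate(from_domain, mail_from_domain, spf_pass,
                   dkim_domain=None, dkim_valid=False, strict=False):
    """Report which mechanism satisfies DMARC; either one is sufficient."""
    # SPF counts only if the SPF check passed AND MAIL FROM aligns with "From".
    spf_ok = bool(spf_pass and aligned(from_domain, mail_from_domain, strict))
    # DKIM counts only if the signature is valid AND its domain aligns with "From".
    dkim_ok = bool(dkim_valid and dkim_domain is not None
                   and aligned(from_domain, dkim_domain, strict))
    return {"spf": spf_ok, "dkim": dkim_ok, "dmarc": spf_ok or dkim_ok}

# Constructed sample messages; every one has a "From" address at example.com.
CASES = {
    "default MAIL FROM, no DKIM":
        dict(mail_from_domain="amazonses.com", spf_pass=True),
    "default MAIL FROM, DKIM signed as example.com":
        dict(mail_from_domain="amazonses.com", spf_pass=True,
             dkim_domain="example.com", dkim_valid=True),
    "custom MAIL FROM, no DKIM":
        dict(mail_from_domain="bounce.example.com", spf_pass=True),
}

if __name__ == "__main__":
    for name, kwargs in CASES.items():
        print(f"{name}: {dmarc_evaluate('example.com', **kwargs)}")
```

With the default MAIL FROM domain the SPF check itself passes but is not aligned, so DMARC depends entirely on DKIM; with the custom MAIL FROM domain SPF alone is enough.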
Can I use any domain as my MAIL FROM domain?
The MAIL FROM domain you use with SES must be a subdomain of the verified identity you want to use it with. For example, a MAIL FROM domain of bounce.example.com would be a legitimate MAIL FROM domain for verified domain example.com or verified email address firstname.lastname@example.org. An additional requirement is that the MAIL FROM domain you use with SES must not be a domain that you use in a "From" address if the MAIL FROM domain is the destination of email feedback forwarding.
How do I set it up?
You configure an identity to use a specific MAIL FROM domain within the Identity Management part of the SES console, or by using the SES API. You also must publish MX and SPF records to your domain's DNS server. When SES successfully detects the MX record, emails you send from the identity will use the specified MAIL FROM domain. For a full description of the set-up procedure, see the developer guide.
Will my sending process change?
No. After you configure a verified identity to use a specified MAIL FROM domain and SES successfully detects the required MX record, you simply continue to send emails in the usual way.
We hope you find this feature useful! If you have any questions or comments, let us know in the SES Forum or here in the comment section of the blog.