Amazon SES authentication requires three coordinated configurations: Easy DKIM via three CNAME records with 90-day automatic rotation, a Custom MAIL FROM subdomain for SPF DMARC alignment (without it SPF authenticates with amazonses.com and breaks alignment), and a DMARC policy starting at p=none progressing to enforcement. The default "via amazonses.com" header warning disappears only after both DKIM and Custom MAIL FROM are configured. Sandbox mode limits accounts to 200 emails/day until production access is approved.
Amazon SES is the most cost-efficient large-scale email platform in the industry at $0.10 per 1,000 emails, roughly one-tenth the price of SendGrid or Mailgun equivalents. The catch is configuration complexity. SES gives you the raw sending infrastructure, but leaves every deliverability decision (authentication, alignment, sandbox exit, dedicated IPs, reputation management) in your hands. This power is the reason SES is ubiquitous at AWS-native organizations, and the reason misconfigured SES accounts are a common source of deliverability problems.
This guide covers SES authentication end-to-end: Easy DKIM, Custom MAIL FROM and why it matters for DMARC alignment, BYODKIM for bring-your-own-key setups, sandbox-to-production transition, DMARC policy progression, the notorious "via amazonses.com" header warning, and the specific misconfigurations that account for the majority of SES deliverability complaints. It is written for developers and infrastructure teams deploying SES in production.
- Easy DKIM in Amazon SES generates three CNAME records that handle both domain verification and DKIM signing, with automatic key rotation every 90 days.
- Custom MAIL FROM is essential for SPF DMARC alignment. Without it, SPF authenticates with amazonses.com, which does not match your From domain and fails DMARC alignment checks.
- The "via amazonses.com" warning in Gmail appears when authentication is not configured. After DKIM plus Custom MAIL FROM are both active, the warning disappears.
- New SES accounts start in sandbox mode with a 200 emails/day limit and can only send to verified addresses. Production access requires a support ticket detailing the use case.
- For p=reject DMARC enforcement, combine Easy DKIM, Custom MAIL FROM, and relaxed alignment (adkim=r, aspf=r). This is the most durable SES authentication stack.
Amazon SES Architecture: What You Are Actually Configuring
Before configuring, understand the SES architecture. SES operates per-region: US East (Virginia), US West (Oregon), EU (Ireland, Frankfurt, Paris, London, Milan), Asia Pacific (Tokyo, Sydney, Mumbai, Singapore). Each region is a separate sending infrastructure. If you send from multiple regions, you must configure authentication for each region independently.
The SES sending flow:
- Your application calls the SES SendEmail API (or connects via SMTP)
- SES accepts the message for the region you called
- SES applies DKIM signature using your configured selector
- SES sends from an SES-owned IP in that region
- Return-Path is set to either an amazonses.com subdomain (default) or your Custom MAIL FROM subdomain
- Receiving servers authenticate via SPF (checking the Return-Path) and DKIM (checking the signature)
The default Return-Path of amazonses.com is what causes most SES authentication problems. It works technically, but it produces DMARC alignment failures and the "via amazonses.com" warning in Gmail.
Step 1: Verify Your Domain in Amazon SES
Navigate to the Amazon SES console in your target region. Go to Verified Identities and click Create Identity. Select Domain as the identity type, enter your sending domain, and enable Easy DKIM (recommended for all new setups).
SES generates three CNAME records for DKIM. Typical values:
abc1234567._domainkey.yourdomain.com CNAME abc1234567.dkim.amazonses.com
def8901234._domainkey.yourdomain.com CNAME def8901234.dkim.amazonses.com
ghi5678901._domainkey.yourdomain.com CNAME ghi5678901.dkim.amazonses.com
Publish these at your DNS provider. SES will automatically verify the records (typically within 15 minutes to 48 hours depending on DNS propagation). Once verified, the domain shows as Verified and Easy DKIM shows as Active in the console.
Easy DKIM handles key rotation automatically every 90 days. You do not need to update DNS records during rotation; SES publishes new keys under the same CNAME targets. This is a meaningful operational simplification compared to manually managed DKIM on other platforms.
BYODKIM: Bring Your Own DKIM Key
If you need to use a specific DKIM key (for compliance, consistency across ESPs, or security reasons), SES supports BYODKIM. Instead of three CNAMEs, you publish a single TXT record containing your public key and upload the private key to SES. The tradeoff is manual rotation; automatic 90-day rotation is lost.
BYODKIM is appropriate for enterprise setups with existing DKIM key management infrastructure. For new deployments, Easy DKIM is almost always the better choice.
Step 2: Configure Custom MAIL FROM for SPF Alignment
This is the step most SES guides skip and where most SES deliverability problems originate. Custom MAIL FROM overrides the default amazonses.com Return-Path with a subdomain of your domain, which allows SPF to authenticate against your domain rather than amazonses.com.
Why This Matters for DMARC
DMARC alignment requires that either SPF or DKIM authenticate with a domain that matches your From header. With default SES configuration:
- From header: notifications@yourdomain.com
- Return-Path (MAIL FROM): 01020304abcdef@us-east-1.amazonses.com
- SPF authenticates amazonses.com, which does NOT match yourdomain.com
- DKIM signs with yourdomain.com (if Easy DKIM is active), which DOES match
DKIM alignment alone passes DMARC, but there are scenarios where this fails: forwarded messages can lose the DKIM signature, and some receiving servers evaluate SPF more heavily than DKIM for specific message types. Configuring Custom MAIL FROM ensures both SPF and DKIM align, which produces the strongest authentication result.
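Added example (not part of the original guide): a Python check that reads the headers of a test send and reports which identifiers align with the From domain, using the default and Custom MAIL FROM cases above. The header values are constructed, and the two-label `org_domain` helper is a simplifying assumption in place of a Public Suffix List lookup.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed headers: SES send with Easy DKIM active and the default MAIL FROM.
DEFAULT_SES = """\
Return-Path: <01020304abcdef@us-east-1.amazonses.com>
From: Notifications <notifications@yourdomain.com>
DKIM-Signature: v=1; a=rsa-sha256; d=yourdomain.com; s=abc1234567; bh=x; b=x
DKIM-Signature: v=1; a=rsa-sha256; d=amazonses.com; s=constructed; bh=x; b=x
Subject: constructed test message

body
"""
# Same message after Custom MAIL FROM (mail.yourdomain.com) is enabled.
CUSTOM_MAIL_FROM = DEFAULT_SES.replace("us-east-1.amazonses.com", "mail.yourdomain.com")


def org_domain(domain):
    # Assumption: organizational domain = last two labels. Real DMARC evaluators
    # use the Public Suffix List; this shortcut is wrong for suffixes like co.uk.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    # mode "s" = strict (exact match), "r" = relaxed (same organizational domain).
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def alignment(raw_headers, adkim="r", aspf="r"):
    # Alignment only: assumes the SPF check and DKIM signatures themselves verified.
    msg = message_from_string(raw_headers)
    from_dom = parseaddr(msg["From"])[1].rpartition("@")[2]
    spf_dom = parseaddr(msg["Return-Path"])[1].rpartition("@")[2]
    dkim_doms = []
    for header in msg.get_all("DKIM-Signature", []):
        match = re.search(r"(?:^|;)\s*d=([^;\s]+)", header)
        if match:
            dkim_doms.append(match.group(1))
    spf_ok = aligned(spf_dom, from_dom, aspf)
    dkim_ok = any(aligned(d, from_dom, adkim) for d in dkim_doms)
    return {"spf_domain": spf_dom, "spf_aligned": spf_ok,
            "dkim_aligned": dkim_ok, "dmarc_aligned": spf_ok or dkim_ok}
```

Calling `alignment(CUSTOM_MAIL_FROM, aspf="s")` shows that a subdomain MAIL FROM does not satisfy strict SPF alignment, which is why the DMARC record later in this guide uses aspf=r.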
Setting Up Custom MAIL FROM
In the SES console, open the verified identity for your domain, go to Custom MAIL FROM domain, and click Use custom MAIL FROM domain. Enter a subdomain like mail.yourdomain.com or bounces.yourdomain.com. SES provides two DNS records:
mail.yourdomain.com MX 10 feedback-smtp.us-east-1.amazonses.com
mail.yourdomain.com TXT "v=spf1 include:amazonses.com ~all"
Publish these records. SES verifies the configuration and activates Custom MAIL FROM. Your Return-Path becomes something like 01020304abcdef@mail.yourdomain.com, so SPF now authenticates mail.yourdomain.com, a subdomain of your From domain yourdomain.com. That satisfies relaxed SPF alignment (aspf=r) and passes DMARC alignment.
Critical: Skipping Custom MAIL FROM is the single most common source of SES deliverability problems. Without it, DMARC relies on DKIM alignment alone, which works in most cases but fails during forwarding, in certain mailbox provider configurations, and for specific message types. If you plan to enforce DMARC at p=reject, Custom MAIL FROM is not optional.
Step 3: Publish and Progress Your DMARC Policy
Publish a DMARC record at _dmarc.yourdomain.com. Start with a monitoring-only policy:
v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com; adkim=r; aspf=r; fo=1
With Easy DKIM and Custom MAIL FROM both active, you should see SPF alignment pass, DKIM alignment pass, and DMARC pass in aggregate reports within 24 to 72 hours. Use a DMARC checker to validate the record structure before publishing.
Progression to Enforcement
Monitor aggregate reports for 30 to 60 days to confirm all legitimate sending sources are properly authenticated. Look for any unexpected IPs or authentication failures that suggest either spoofing or misconfigured legitimate senders.
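Added example (not part of the original guide): a Python triage pass over a DMARC aggregate report that separates fully aligned traffic, SES traffic still using the default amazonses.com MAIL FROM, and unauthenticated sources. The report XML, IP addresses and verdict labels are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed aggregate report (documentation IPs); only the fields read below are present.
RECORD = ("<record><row><source_ip>{ip}</source_ip><count>{n}</count><policy_evaluated>"
          "<dkim>{dkim}</dkim><spf>{spf}</spf></policy_evaluated></row>"
          "<identifiers><header_from>yourdomain.com</header_from></identifiers>"
          "<auth_results><spf><domain>{mfrom}</domain><result>pass</result></spf>"
          "</auth_results></record>")
SAMPLE_REPORT = "<feedback>" + "".join(RECORD.format(**r) for r in [
    dict(ip="192.0.2.10", n=120, dkim="pass", spf="fail", mfrom="us-east-1.amazonses.com"),
    dict(ip="192.0.2.11", n=300, dkim="pass", spf="pass", mfrom="mail.yourdomain.com"),
    dict(ip="203.0.113.7", n=4, dkim="fail", spf="fail", mfrom="unknown.example"),
]) + "</feedback>"


def is_ses_default(domain):
    # The default SES Return-Path lives under amazonses.com.
    return domain == "amazonses.com" or domain.endswith(".amazonses.com")


def triage(report_xml):
    """Return (source_ip, message_count, verdict) for every record in the report."""
    findings = []
    for rec in ET.fromstring(report_xml).iter("record"):
        ip = rec.findtext("row/source_ip")
        count = int(rec.findtext("row/count"))
        # policy_evaluated carries the DMARC-aligned results, not the raw SPF/DKIM ones.
        dkim = rec.findtext("row/policy_evaluated/dkim")
        spf = rec.findtext("row/policy_evaluated/spf")
        mfrom = (rec.findtext("auth_results/spf/domain") or "").lower()
        if dkim == "pass" and spf == "pass":
            verdict = "ok"
        elif dkim == "pass" and is_ses_default(mfrom):
            verdict = "ses-default-mail-from"   # Custom MAIL FROM not configured
        elif dkim == "pass" or spf == "pass":
            verdict = "partial"                 # only one mechanism aligns
        else:
            verdict = "unauthenticated"         # spoofing or an unconfigured sender
        findings.append((ip, count, verdict))
    return findings


def volume_by_verdict(findings):
    totals = Counter()
    for _ip, count, verdict in findings:
        totals[verdict] += count
    return dict(totals)
```

Aggregate reports arrive from third parties, so in production parse them with a hardened XML parser such as defusedxml rather than the standard library parser.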
Once the report stream is clean, progress the policy:
- p=none (30 to 60 days monitoring)
- p=quarantine; pct=25 (14 days partial quarantine)
- p=quarantine; pct=100 (14 days full quarantine)
- p=reject; pct=25 (14 days partial reject)
- p=reject; pct=100 (final enforcement)
The full progression takes 3 to 6 months for organizations with multiple sending sources. Rushing triggers unexpected legitimate-mail rejection.
Sandbox to Production Access
New SES accounts start in sandbox mode. Sandbox restrictions:
- 200 emails per 24-hour period maximum
- 1 email per second rate limit
- Can only send to verified recipient addresses or verified domains
- Cannot send to arbitrary external addresses
To exit sandbox, submit a production access request through the SES console. The request requires:
- A description of your use case (transactional, marketing, mixed)
- Expected sending volume and rate
- How you collected recipient email addresses (opt-in process)
- How you handle bounces and complaints
- Your unsubscribe process for marketing mail
AWS typically responds within 24 to 48 hours. Approval grants production access with an initial 50,000 emails/day limit that grows based on sending quality. Sustained good sending behavior (low bounces, low complaints) increases the limit automatically.
The "Via amazonses.com" Warning Explained
When Gmail cannot verify that a message was authentically sent by your domain, it displays a "via amazonses.com" notation under the sender name. This warning is a direct deliverability signal: it tells recipients the message came from a shared sending infrastructure rather than from your own domain.
The warning appears when:
- DKIM is not active for your domain (mail is signed with amazonses.com default key only)
- Custom MAIL FROM is not configured (Return-Path is amazonses.com)
- Either of the above is misconfigured
To remove the warning, complete both Easy DKIM and Custom MAIL FROM setup. After DNS propagation and a few test sends, Gmail stops showing the warning on messages from your domain. The improvement in perceived legitimacy directly impacts engagement and reputation.
Amazon SES Best Practices for Production
Monitor Bounce Rate and Complaint Rate Continuously
SES automatically suspends accounts with sustained high bounce rates (over 5%) or complaint rates (over 0.1%). Set up CloudWatch alarms on SES bounce and complaint metrics to catch issues before they trigger suspension. Use SNS topics to route bounce and complaint notifications to your application so you can suppress problem addresses immediately.
Use Configuration Sets for Event Tracking
SES Configuration Sets let you attach event destinations (CloudWatch, SNS, Kinesis Firehose) to specific sending operations. Route delivery, bounce, complaint, and rendering events to a centralized store for analytics and reputation monitoring.
Implement Suppression List Management
SES maintains an account-level suppression list that automatically blocks sends to addresses that previously bounced or complained. Enable this at the account level to prevent accidental resends. For multi-tenant applications, maintain application-level suppression on top of the SES list.
Dedicated IPs for High-Volume Senders
SES default sending uses shared IP pools. For senders above 100,000 emails/day with established sending patterns, dedicated IPs provide reputation isolation. The tradeoff is warmup: a new dedicated IP requires 4 to 6 weeks of graduated volume before reaching full capacity.
Enable Virtual Deliverability Manager (VDM)
VDM is a paid SES feature that provides a deliverability dashboard with placement metrics, authentication analysis, and automated recommendations. For production senders at meaningful scale, VDM is worth the incremental cost for the diagnostic depth it provides.
When configuring SES for a multi-region deployment, use a consistent subdomain strategy like mail-us.yourdomain.com for US regions and mail-eu.yourdomain.com for EU regions. This gives you regional isolation of SPF records, keeps DKIM keys per-region (easy rotation), and surfaces region-specific deliverability patterns in DMARC aggregate reports.
Common Amazon SES Deliverability Issues and Fixes
Issue: Gmail Shows "via amazonses.com" Warning
Cause: Custom MAIL FROM is not configured or DKIM is not active. Fix: Complete both configurations, wait 24 hours for DNS propagation, send a test, and verify the warning disappears.
Issue: DMARC Reports Show SPF Fails But DKIM Passes
Cause: Custom MAIL FROM is not configured, so SPF authenticates with amazonses.com which does not match your From domain. Fix: Configure Custom MAIL FROM as described above.
Issue: Account Suddenly Suspended
Cause: Bounce rate exceeded 5% or complaint rate exceeded 0.1%. Fix: Do not send more mail until the issue is resolved. Review recent sends, identify the source of bounces/complaints (often a specific campaign or list segment), clean the problematic addresses, and submit a reinstatement request explaining the remediation.
Issue: Cannot Exit Sandbox
Cause: Production access request was denied or incomplete. Fix: Review the AWS response for specific feedback, strengthen the use case description (be specific about opt-in, suppression handling, volume), and resubmit.
Issue: Emails Still Going to Spam Despite Clean Authentication
Cause: Content, sending pattern, or list quality issues unrelated to authentication. Fix: Investigate sender reputation via Gmail Postmaster Tools, check for spam trap hits via Spamhaus lookup, audit list sources, and review recent content for spam trigger patterns.
Amazon SES is the underlying sending infrastructure for many well-known email services and applications, including parts of AWS itself. Your Amazon order confirmations, S3 bucket notifications, and many third-party ESPs all route through SES. This is both a strength (SES IP reputation is generally strong due to the scale and diversity of legitimate senders) and a risk (any single misbehaving tenant can temporarily affect shared IP pool reputation).
Frequently Asked Questions
Open the SES console, navigate to Verified Identities, create a new domain identity, and enable Easy DKIM. SES provides three CNAME records. Publish them at your DNS provider. SES automatically verifies the records (typically within 15 minutes to 48 hours) and activates DKIM signing with automatic key rotation every 90 days.
Custom MAIL FROM is an Amazon SES feature that replaces the default amazonses.com Return-Path with a subdomain of your domain. This is essential for SPF DMARC alignment because without it, SPF authenticates with amazonses.com, which does not match your From header domain. Configuration requires publishing an MX record and an SPF TXT record at your subdomain.
The warning appears when Gmail cannot verify authentication against your domain. Remove it by completing two configurations: enable Easy DKIM in SES with all three CNAME records published and verified, and configure Custom MAIL FROM with the MX and SPF records published. After DNS propagation (typically 24 hours), Gmail stops showing the warning.
Sandbox mode is the default state for new SES accounts. It limits sending to 200 emails per 24 hours, 1 email per second, and only to verified recipient addresses or domains. This prevents abuse during account onboarding. To move to production, submit an access request through the SES console describing your use case, expected volume, and compliance practices. AWS typically approves within 24 to 48 hours.
Yes, Easy DKIM rotates keys automatically every 90 days without any DNS changes required. SES publishes new keys under the same CNAME targets you originally configured. For BYODKIM (Bring Your Own DKIM) setups, rotation is manual because you control the key material directly. For most new deployments, Easy DKIM is the better choice specifically because automatic rotation is handled for you.