How do Iterable shared infrastructure and Amazon SES handle SPF alignment and DMARC compliance?

Summary

When using Iterable and Amazon SES together, managing SPF alignment and DMARC compliance requires a multi-faceted approach. Iterable's shared infrastructure typically necessitates configuring a custom MAIL FROM domain to achieve SPF alignment, as the default may not align with your sending domain. While DMARC can pass with DKIM alone, experts recommend SPF as a backup to mitigate risks if DKIM fails. Proper setup involves publishing SPF records to authorize sending servers, choosing between Easy DKIM and BYODKIM for DKIM signing, and configuring DMARC policies to handle emails failing authentication checks. Monitoring DMARC reports is crucial for identifying and addressing issues. Additional considerations include SPF record lookup limits, DKIM key rotation, and adopting a cautious DMARC policy implementation, starting with 'p=none'.

Key findings

  • Custom MAIL FROM for SPF: A custom MAIL FROM domain is typically required to achieve SPF alignment when using Iterable's shared infrastructure with Amazon SES.
  • DKIM and DMARC: DMARC can pass with DKIM alignment, but SPF is recommended as a backup.
  • Configuration Steps: Proper setup involves publishing SPF records, configuring DKIM, and setting DMARC policies.
  • Importance of Monitoring: Regularly monitoring DMARC reports is critical for identifying and resolving email authentication issues.
  • Cautious DMARC Implementation: Starting with a 'p=none' DMARC policy is recommended for monitoring and gaining confidence.

Key considerations

  • SPF Record Management: Ensure SPF records accurately list authorized sending servers, considering SPF record lookup limits.
  • DKIM Key Rotation: Periodically rotating DKIM keys enhances security.
  • DMARC Policy Enforcement: Consider the implications of different DMARC policies (none, quarantine, reject) based on your confidence in authentication setup.
  • Infrastructure Awareness: Be aware of the specific configurations and limitations of Iterable and Amazon SES regarding SPF and DMARC.
  • Easy DKIM versus BYODKIM: Understand the difference between Easy DKIM (managed by SES) and BYODKIM (bring your own keys) and choose appropriately.

What email marketers say
11Marketer opinions

Iterable, when used with Amazon SES, presents specific challenges and solutions regarding SPF alignment and DMARC compliance. While Iterable's shared infrastructure may not provide SPF alignment out-of-the-box, it does support DKIM. Achieving SPF alignment typically requires setting up a custom MAIL FROM domain. Effective DMARC compliance necessitates correctly configuring both SPF and DKIM. Best practices also involve regularly monitoring DMARC reports and being mindful of SPF record lookup limits.

Key opinions

  • SPF Alignment Challenge: Iterable's shared infrastructure doesn't inherently offer SPF alignment, often using amazonses.com as the 'mail from' domain.
  • DKIM Support: Iterable supports DKIM, which can be used for DMARC compliance even without SPF alignment.
  • Custom MAIL FROM: Setting up a custom MAIL FROM domain is a key method to achieve SPF alignment with shared SES infrastructure.
  • DMARC Reliance on SPF and DKIM: DMARC relies on both SPF and DKIM for proper functionality, dictating how receiving servers should handle emails failing these checks.
  • Importance of DMARC Reports: Regularly monitoring DMARC reports is crucial for identifying and resolving email authentication issues.

Key considerations

  • Custom MAIL FROM Setup: Implementing a custom MAIL FROM domain requires configuring DNS records to point to SES while using your domain for the 'mail from' address.
  • DMARC Policy Implementation: Start with a 'p=none' DMARC policy to monitor traffic before implementing stricter policies like 'p=quarantine' or 'p=reject'.
  • SPF Record Lookup Limits: Be aware of SPF record lookup limits (typically 10) and consider SPF flattening to avoid SPF check failures.
  • DKIM Key Rotation: Periodically rotating DKIM keys enhances security and reduces the risk of compromised email authentication.
  • Dedicated Servers: Iterable offers dedicated servers for SPF alignment, but this may not always be the best solution due to complexities such as warming up new IPs.
Marketer view

Email marketer from Postmark advises to be aware of SPF record lookup limits. SPF records have a limit of 10 DNS lookups. If your SPF record exceeds this limit, it can cause SPF checks to fail. SPF flattening is a technique used to reduce the number of lookups.

June 2023 - Postmark
Marketer view

Email marketer from Mailjet shares the importance of having a DMARC record and that setting up a DMARC record involves creating a TXT record in your domain's DNS settings. This record specifies your DMARC policy (none, quarantine, or reject) and provides instructions to receiving email servers on how to handle emails that fail SPF and DKIM checks.

September 2023 - Mailjet
Marketer view

Email marketer from Iterable explains that Iterable supports sending emails using your own custom domain and authentication settings (SPF and DKIM). To configure a custom domain, you'll need to add DNS records provided by Iterable to your domain's DNS settings. This allows Iterable to send emails on your behalf while authenticating them with SPF and DKIM, improving deliverability and DMARC compliance.

August 2021 - Iterable
Marketer view

Marketer from Email Geeks explains that Iterable's system functions on SES infrastructure but doesn't provide SPF alignment (setting up MAILFROM) to match with your From: address. For now, you can only achieve DKIM alignment. You can't add <http://amazonses.com|amazonses.com> in your own domain's SPF record. They need to activate the MAILFROM within their SES infrastructure and provide you with SPF and MX Records.

October 2021 - Email Geeks
Marketer view

Email marketer from GlockApps emphasizes the importance of monitoring DMARC reports. DMARC reports provide valuable insights into your email authentication performance, helping you identify and address any issues with SPF, DKIM, or DMARC configuration. Analyzing these reports regularly can improve your email deliverability.

September 2021 - GlockApps
Marketer view

Marketer from Email Geeks shares that Iterable recommended their dedicated servers to achieve SPF alignment, but this is not always the best practice. DKIM will suffice if you're looking for DMARC compliance.

September 2022 - Email Geeks
Marketer view

Email marketer from SparkPost explains that setting up a custom MAIL FROM domain allows you to align SPF even when using shared infrastructure like SES. This involves configuring DNS records to point to SES servers, but using your own domain for the 'mail from' address, which helps improve deliverability and DMARC compliance.

May 2023 - SparkPost
Marketer view

Email marketer from Reddit states that for DMARC to work effectively with SES, you need both SPF and DKIM properly configured. Make sure your DMARC policy is set appropriately (p=none, p=quarantine, or p=reject) based on your confidence in your email authentication setup. Starting with p=none is recommended to monitor results before enforcing stricter policies.

September 2022 - Reddit
Marketer view

Email marketer from Email on Acid explains that SPF, DKIM, and DMARC work together to improve email deliverability. SPF verifies that the sending server is authorized to send emails on behalf of the domain, DKIM provides a digital signature that verifies the email's content hasn't been altered, and DMARC tells receiving servers what to do with emails that fail SPF and DKIM checks.

January 2024 - Email on Acid
Marketer view

Email marketer from StackOverflow explains that when using shared SES infrastructure, achieving SPF alignment (where the 'mail from' domain matches the 'from' domain) can be challenging. Typically, the 'mail from' domain will be amazonses.com or something similar, rather than your own domain. This can be addressed by setting up a custom MAIL FROM domain, which allows you to align SPF.

February 2022 - StackOverflow
Marketer view

Email marketer from SendGrid recommends periodically rotating your DKIM keys. This enhances security by reducing the window of opportunity for attackers to compromise your email authentication. This can be more easily managed when using easyDKIM.

January 2025 - SendGrid

What the experts say
4Expert opinions

Experts emphasize the interplay between SPF, DKIM, and DMARC in ensuring email deliverability when using shared infrastructure like Iterable and Amazon SES. While DMARC can pass with DKIM alignment alone, especially when brands have a first-party DKIM signature, relying solely on DKIM poses a risk if DKIM fails. Properly configured SPF records specifying authorized sending servers are crucial for deliverability. A cautious approach to DMARC implementation, starting with a 'p=none' policy, is recommended due to the complexities involved, especially with shared infrastructures where unexpected sending sources can affect compliance.

Key opinions

  • DMARC Passing with DKIM: DMARC can pass with DKIM alignment, particularly when a brand uses a first-party DKIM signature.
  • Risk of Sole Reliance on DKIM: Solely relying on DKIM for DMARC compliance carries a risk of DMARC failure if DKIM fails.
  • Importance of Correct SPF Records: Properly configured SPF records are crucial for specifying authorized sending servers and maintaining deliverability.
  • Complexity of DMARC Implementation: DMARC implementation can be complex, especially with shared infrastructure where unexpected sending sources impact compliance.

Key considerations

  • SPF as a Backup: Consider SPF alignment as a 'belt and suspenders' approach for long-term deliverability and to mitigate risks if DKIM fails.
  • Cautious DMARC Policy: Implement DMARC cautiously, starting with a 'p=none' policy to monitor traffic and gain confidence before moving to stricter policies.
  • Monitoring DMARC: Continuously monitor DMARC reports to identify and address issues related to SPF, DKIM, and overall compliance.
  • Infrastructure Awareness: Be aware of the specific configurations and limitations of the shared infrastructure being used (e.g., Iterable, Amazon SES) and how they affect SPF and DMARC.
Expert view

Expert from SpamResource explains the importance of having a correct SPF record, noting that it can specify the servers that are authorized to send email from your domain. With shared infrastructure like Iterable and Amazon SES, ensuring the SPF record includes the appropriate servers is crucial for deliverability.

July 2023 - SpamResource
Expert view

Expert from Email Geeks explains that SPF does not align, but DMARC is passing because each brand has a first party DKIM signature. Thus it's passing DMARC based on DKIM alignment.

October 2024 - Email Geeks
Expert view

Expert from Email Geeks shares that if you ever end having a DKIM issue, you’re going to fail DMARC. So having SPF align too is a “belt and suspenders” kind of thing. It’s a good thing to implement in the long term, if you can, to minimize chances of future trouble.

January 2024 - Email Geeks
Expert view

Expert from Word to the Wise shares the complexity of DMARC and suggests a cautious approach. She mentions starting with a policy of `p=none` to monitor traffic and then gradually moving to more restrictive policies like `p=quarantine` or `p=reject` as you gain confidence in your setup. This is especially relevant when dealing with shared infrastructure where unexpected sending sources can affect DMARC compliance.

October 2021 - Word to the Wise

What the documentation says
5Technical articles

Technical documentation outlines how Amazon SES and DMARC work to authenticate emails and protect against abuse. To set up SPF with Amazon SES, you need to publish an SPF record in your domain's DNS settings to authorize SES to send emails on your behalf. DKIM signing can be enabled using either Easy DKIM (managed by SES) or BYODKIM (bring your own keys). Achieving DMARC compliance requires emails to pass both SPF and DKIM checks, along with setting up a DMARC policy to instruct receiving servers on handling failed authentication attempts. DMARC, building upon SPF and DKIM, offers a reporting function to monitor and improve email protection against phishing and spoofing.

Key findings

  • SPF Setup with SES: Setting up SPF with Amazon SES involves publishing an SPF record to authorize SES to send emails on behalf of your domain.
  • DKIM Options with SES: DKIM signing with Amazon SES can be achieved using either Easy DKIM (managed by SES) or BYODKIM (bring your own keys).
  • DMARC Compliance Requirements: DMARC compliance requires emails to pass both SPF and DKIM checks, along with a properly configured DMARC policy.
  • DMARC's Role: DMARC builds on SPF and DKIM by adding a reporting function, improving email protection against fraudulent activities.
  • SES Provides Info: Amazon SES provides the necessary information to include in your SPF record.

Key considerations

  • Publishing SPF Record: Ensure the SPF record accurately lists authorized sending servers to avoid deliverability issues.
  • Choosing DKIM Method: Consider the level of control needed when choosing between Easy DKIM (managed by SES) and BYODKIM (bring your own keys).
  • DMARC Policy Setup: Configure a DMARC policy to instruct receiving servers on how to handle emails that fail SPF and DKIM checks.
  • DMARC Monitoring: Utilize DMARC's reporting function to monitor email authentication performance and identify potential issues.
Technical article

Documentation from Amazon Web Services says to achieve DMARC compliance with Amazon SES, you need to ensure that your emails pass both SPF and DKIM checks. This requires properly configuring SPF and DKIM records for your domain. You also need to set up a DMARC policy that tells receiving email servers how to handle emails that fail SPF and DKIM checks.

October 2021 - Amazon Web Services
Technical article

Documentation from DMARC.org explains DMARC policies. A DMARC policy allows a sender to indicate that their emails are protected by SPF and/or DKIM, and tells a receiver what to do if neither of those authentication methods passes – such as junk or reject the message. DMARC removes guesswork from the receiver’s handling of these failed messages, limiting or eliminating the recipient’s exposure to potentially fraudulent & harmful messages.

November 2022 - DMARC.org
Technical article

Documentation from Amazon Web Services details that to set up SPF with Amazon SES, you need to publish an SPF record to your domain's DNS settings. This record should authorize Amazon SES to send emails on behalf of your domain. Amazon SES provides the necessary information to include in your SPF record.

April 2024 - Amazon Web Services
Technical article

Documentation from RFC Editor explains that DMARC (Domain-based Message Authentication, Reporting, and Conformance) is a technical specification that builds on the existing SPF and DKIM protocols to add a reporting function, enabling email senders and receivers to improve and monitor protection of email from fraudulent and abusive activities, such as phishing, spoofing, and malware.

July 2024 - RFC Editor
Technical article

Documentation from Amazon Web Services shares to enable DKIM signing with Amazon SES, you can use either Easy DKIM or bring your own DKIM keys (BYODKIM). Easy DKIM simplifies the process by automatically managing DKIM keys for you. BYODKIM allows you to use your own DKIM keys, giving you more control over the signing process.

May 2023 - Amazon Web Services