How do Iterable shared infrastructure and Amazon SES handle SPF alignment and DMARC compliance?
Summary
What email marketers say11Marketer opinions
Email marketer from Postmark advises to be aware of SPF record lookup limits. SPF records have a limit of 10 DNS lookups. If your SPF record exceeds this limit, it can cause SPF checks to fail. SPF flattening is a technique used to reduce the number of lookups.
Email marketer from Mailjet shares the importance of having a DMARC record and that setting up a DMARC record involves creating a TXT record in your domain's DNS settings. This record specifies your DMARC policy (none, quarantine, or reject) and provides instructions to receiving email servers on how to handle emails that fail SPF and DKIM checks.
Email marketer from Iterable explains that Iterable supports sending emails using your own custom domain and authentication settings (SPF and DKIM). To configure a custom domain, you'll need to add DNS records provided by Iterable to your domain's DNS settings. This allows Iterable to send emails on your behalf while authenticating them with SPF and DKIM, improving deliverability and DMARC compliance.
Marketer from Email Geeks explains that Iterable's system functions on SES infrastructure but doesn't provide SPF alignment (setting up MAILFROM) to match with your From: address. For now, you can only achieve DKIM alignment. You can't add <http://amazonses.com|amazonses.com> in your own domain's SPF record. They need to activate the MAILFROM within their SES infrastructure and provide you with SPF and MX Records.
Email marketer from GlockApps emphasizes the importance of monitoring DMARC reports. DMARC reports provide valuable insights into your email authentication performance, helping you identify and address any issues with SPF, DKIM, or DMARC configuration. Analyzing these reports regularly can improve your email deliverability.
Marketer from Email Geeks shares that Iterable recommended their dedicated servers to achieve SPF alignment, but this is not always the best practice. DKIM will suffice if you're looking for DMARC compliance.
Email marketer from SparkPost explains that setting up a custom MAIL FROM domain allows you to align SPF even when using shared infrastructure like SES. This involves configuring DNS records to point to SES servers, but using your own domain for the 'mail from' address, which helps improve deliverability and DMARC compliance.
Email marketer from Reddit states that for DMARC to work effectively with SES, you need both SPF and DKIM properly configured. Make sure your DMARC policy is set appropriately (p=none, p=quarantine, or p=reject) based on your confidence in your email authentication setup. Starting with p=none is recommended to monitor results before enforcing stricter policies.
Email marketer from Email on Acid explains that SPF, DKIM, and DMARC work together to improve email deliverability. SPF verifies that the sending server is authorized to send emails on behalf of the domain, DKIM provides a digital signature that verifies the email's content hasn't been altered, and DMARC tells receiving servers what to do with emails that fail SPF and DKIM checks.
Email marketer from StackOverflow explains that when using shared SES infrastructure, achieving SPF alignment (where the 'mail from' domain matches the 'from' domain) can be challenging. Typically, the 'mail from' domain will be amazonses.com or something similar, rather than your own domain. This can be addressed by setting up a custom MAIL FROM domain, which allows you to align SPF.
Email marketer from SendGrid recommends periodically rotating your DKIM keys. This enhances security by reducing the window of opportunity for attackers to compromise your email authentication. This can be more easily managed when using easyDKIM.
What the experts say4Expert opinions
Expert from SpamResource explains the importance of having a correct SPF record, noting that it can specify the servers that are authorized to send email from your domain. With shared infrastructure like Iterable and Amazon SES, ensuring the SPF record includes the appropriate servers is crucial for deliverability.
Expert from Email Geeks explains that SPF does not align, but DMARC is passing because each brand has a first party DKIM signature. Thus it's passing DMARC based on DKIM alignment.
Expert from Email Geeks shares that if you ever end having a DKIM issue, you’re going to fail DMARC. So having SPF align too is a “belt and suspenders” kind of thing. It’s a good thing to implement in the long term, if you can, to minimize chances of future trouble.
Expert from Word to the Wise shares the complexity of DMARC and suggests a cautious approach. She mentions starting with a policy of `p=none` to monitor traffic and then gradually moving to more restrictive policies like `p=quarantine` or `p=reject` as you gain confidence in your setup. This is especially relevant when dealing with shared infrastructure where unexpected sending sources can affect DMARC compliance.
What the documentation says5Technical articles
Documentation from Amazon Web Services says to achieve DMARC compliance with Amazon SES, you need to ensure that your emails pass both SPF and DKIM checks. This requires properly configuring SPF and DKIM records for your domain. You also need to set up a DMARC policy that tells receiving email servers how to handle emails that fail SPF and DKIM checks.
Documentation from DMARC.org explains DMARC policies. A DMARC policy allows a sender to indicate that their emails are protected by SPF and/or DKIM, and tells a receiver what to do if neither of those authentication methods passes – such as junk or reject the message. DMARC removes guesswork from the receiver’s handling of these failed messages, limiting or eliminating the recipient’s exposure to potentially fraudulent & harmful messages.
Documentation from Amazon Web Services details that to set up SPF with Amazon SES, you need to publish an SPF record to your domain's DNS settings. This record should authorize Amazon SES to send emails on behalf of your domain. Amazon SES provides the necessary information to include in your SPF record.
Documentation from RFC Editor explains that DMARC (Domain-based Message Authentication, Reporting, and Conformance) is a technical specification that builds on the existing SPF and DKIM protocols to add a reporting function, enabling email senders and receivers to improve and monitor protection of email from fraudulent and abusive activities, such as phishing, spoofing, and malware.
Documentation from Amazon Web Services shares to enable DKIM signing with Amazon SES, you can use either Easy DKIM or bring your own DKIM keys (BYODKIM). Easy DKIM simplifies the process by automatically managing DKIM keys for you. BYODKIM allows you to use your own DKIM keys, giving you more control over the signing process.