Score:0

How to set up DMARC for both AWS SES and Office 365

ph flag

I'm trying to get DMARC working for the emails I send via Office 365 as well as Amazon SES. It's working for Office 365 because I set up the SPF and DKIM records in my DNS, but it's failing for the emails I send via Amazon SES because of a domain alignment error (amazonses.com != mydomain.com). I understand that I need to create a custom MAIL FROM domain, but I'm running into a problem when adding the TXT and MX records to my DNS on Route 53.

The problem is that I use Office 365 for handling all our email, and I already have an MX record for mydomain-com.mail.protection.outlook.com. In Amazon's instructions for creating a custom MAIL FROM domain, it gives this warning:

To successfully set up a custom MAIL FROM domain with Amazon SES, you must publish exactly one MX record to the DNS server of your MAIL FROM domain. If the MAIL FROM domain has multiple MX records, the custom MAIL FROM setup with Amazon SES will fail.

How should I add the new TXT and MX records for the custom MAIL FROM domain if I already have an MX record to allow Office 365 to handle my email?

Score:1
us flag

In Amazon's instructions they're talking about a subdomain, not the domain itself. So you'd set up a subdomain like, for instance, aws.mydomain.com, which is then the domain from which our SES emails are sent, at least as far as any receiving mail servers are concerned.

Note, the SMTP Mail From address that mail servers look at can be different to the From address that users see in their email client, as you can see if you dig into the headers of an email from Amazon. For example, an email might show as coming from [email protected] in my email client, but the actual mail from address that the server sees is <random characters>@bounces.amazon.co.uk.

So you're not adding MX records or SPF records to mydomain.com where you already have it configured for 365, you're adding them to aws.mydomain.com which can have completely different records without impacting your root domain.

ph flag
Perfect! That's the piece I was unsure about - whether subdomains can have different MX records. In SES, I edited the verified domain (mydomain.com) and added both DKIM and a "Custom MAIL FROM domain" (aws.mydomain.com). That got it very close, but it was still failing for the domain alignment. Then I realized that the verified email address I was sending the email from ([email protected]) didn't have the same custom MAIL FROM subdomain as the verified domain (aws.mydomain.com). When I set it to be the same, everything immediately worked and it tested correctly on learndmarc.com. Thank you!
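
The alignment rule this answer relies on, as an added example that is not part of the original thread: DMARC passes when SPF or DKIM passes for a domain aligned with the visible From domain. The domains are the thread's placeholders, the function names are hypothetical, and the organizational-domain lookup is a simplified assumption (a tiny constructed suffix set instead of the full Public Suffix List).

```python
# Added illustration of DMARC identifier alignment (RFC 7489, section 3.1).
# Assumption: a tiny constructed suffix set stands in for the Public Suffix List.
MULTI_LABEL_SUFFIXES = {"co.uk"}  # constructed sample, not exhaustive


def org_domain(domain):
    """Approximate the organizational domain (registrable part) of a host name."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def aligned(header_from, auth_domain, strict=False):
    """Strict mode needs an exact match; relaxed mode compares organizational domains."""
    a = header_from.lower().rstrip(".")
    b = auth_domain.lower().rstrip(".")
    return a == b if strict else org_domain(a) == org_domain(b)


def dmarc_result(header_from, mail_from, spf_pass, dkim_d, dkim_pass,
                 aspf="r", adkim="r"):
    """Evaluate DMARC for one message.

    header_from: domain of the From: header the user sees
    mail_from:   domain of the SMTP MAIL FROM (envelope sender) that SPF checked
    dkim_d:      d= domain of the DKIM signature, or None if unsigned
    aspf/adkim:  alignment modes from the DMARC record ("r" relaxed, "s" strict)
    """
    spf_ok = bool(spf_pass) and aligned(header_from, mail_from, aspf == "s")
    dkim_ok = bool(dkim_d) and bool(dkim_pass) and aligned(
        header_from, dkim_d, adkim == "s")
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc_pass": spf_ok or dkim_ok}


if __name__ == "__main__":
    # Constructed cases using the thread's placeholder domains.
    cases = {
        "default SES MAIL FROM": ("mydomain.com", "amazonses.com", True, None, False),
        "custom MAIL FROM subdomain": ("mydomain.com", "aws.mydomain.com", True, None, False),
        "custom MAIL FROM, aspf=s": ("mydomain.com", "aws.mydomain.com", True, None, False, "s"),
        "aspf=s but DKIM d=mydomain.com": ("mydomain.com", "aws.mydomain.com", True, "mydomain.com", True, "s"),
    }
    for name, args in cases.items():
        print(f"{name}: {dmarc_result(*args)}")
```
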
Score:0
pl flag

If I understand, what you're saying is that you want an SPF record that covers O365 and AWS SES.

"v=spf1 include:amazonses.com include:spf.protection.outlook.com -all"
ph flag
Actually, Keith's answer is what I needed, but thanks anyway!