Configure DMARC for Amazon SES: Route 53 setup, Terraform, and rollout phases
Set up DMARC for Amazon SES using Route 53 and Terraform, then roll from monitoring to enforcement safely.
DMARC in Amazon SES is configured via DNS. The safest approach is phased: start with monitoring, validate alignment, then enforce.
Quick answer: what DMARC record should you start with?
Start with a monitoring policy:
```text
v=DMARC1; p=none; rua=mailto:dmarc-report@example.com
```
Use p=none first to collect data, then move to quarantine or reject once legitimate send paths are aligned.
DMARC prerequisites for SES
Before tightening policy, confirm:
- SPF is configured for your sending path
- DKIM is enabled and signing correctly
- MAIL FROM / return-path alignment is understood (with the default SES MAIL FROM domain, SPF authenticates but does not align with your From domain, so DMARC relies on DKIM alignment unless you configure a custom MAIL FROM domain)
- You have a mailbox or processor for aggregate reports (rua)
Route 53 + Terraform example
```hcl
resource "aws_route53_record" "dmarc" {
  zone_id = var.zone_id
  name    = "_dmarc.${var.domain}"
  type    = "TXT"
  ttl     = 600
  records = [
    "v=DMARC1; p=none; rua=mailto:${var.dmarc_report_address}; fo=1"
  ]
}
```
Rollout phases
| Phase | Policy | Objective |
|---|---|---|
| Phase 1 | p=none | Collect report data and find misalignment |
| Phase 2 | p=quarantine | Reduce abuse while monitoring false positives |
| Phase 3 | p=reject | Enforce strict protection once stable |
Move to the next phase only after report data is clean for your critical send streams.
Validation workflow after publish
- Confirm DNS propagation and record syntax
- Send controlled test traffic
- Verify SPF/DKIM pass and DMARC alignment
- Review aggregate reports for failing sources
- Track bounce/reject trends before policy tightening
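Reviewing aggregate reports and gating the move to the next phase is where most of the work happens. The script below is an added example (not part of the original post): it parses a constructed rua report in the RFC 7489 XML layout, marks each source as DMARC pass/fail from the aligned results in policy_evaluated, and refuses the phase change if any known send path (the IPs in `known_sources` are assumed) is not fully aligned.

```python
import xml.etree.ElementTree as ET
# Constructed sample rua report (RFC 7489 XML layout), not a real report.
# Record 1: SES send, DKIM aligned; SPF authenticates only the default amazonses.com
# MAIL FROM, so aligned SPF is "fail" but DMARC still passes via DKIM.
# Record 2: a source nobody configured, failing both aligned checks.
SAMPLE_REPORT = """<feedback>
  <policy_published><domain>example.com</domain><p>none</p></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>amazonses.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>5</count>
      <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>mail.example.net</domain><result>pass</result></spf></auth_results>
  </record>
</feedback>"""

def parse_report(xml_text):
    """One dict per <record>: source IP, message count, whether DMARC passed (aligned
    DKIM *or* aligned SPF in policy_evaluated), and the SPF-authenticated domain."""
    rows = []
    for rec in ET.fromstring(xml_text).iter("record"):
        dkim = rec.findtext("row/policy_evaluated/dkim")
        spf = rec.findtext("row/policy_evaluated/spf")
        rows.append({
            "ip": rec.findtext("row/source_ip"),
            "count": int(rec.findtext("row/count", "0")),
            "dmarc_pass": "pass" in (dkim, spf),
            "spf_domain": rec.findtext("auth_results/spf/domain"),
        })
    return rows

def gate_next_phase(rows, known_sources):
    """Phase gate: ok only if every known send path passes DMARC on all of its messages.
    Unknown sources are listed too; their traffic is what quarantine/reject would hit."""
    failing_known = sorted({r["ip"] for r in rows if r["ip"] in known_sources and not r["dmarc_pass"]})
    unknown = sorted({r["ip"] for r in rows if r["ip"] not in known_sources})
    at_risk = sum(r["count"] for r in rows if not r["dmarc_pass"])
    return {"ok": not failing_known, "failing_known": failing_known,
            "unknown_sources": unknown, "messages_at_risk": at_risk}

if __name__ == "__main__":
    print(gate_next_phase(parse_report(SAMPLE_REPORT), known_sources={"192.0.2.10"}))
```

Run it over the real reports landing in your rua mailbox before each policy change; a non-empty `failing_known` list means a legitimate stream would be affected.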
Common SES DMARC mistakes
- Moving to reject before report analysis
- Ignoring subdomain and third-party sender alignment
- Treating DMARC as one-time DNS work
- Missing operational ownership for report review
SES DMARC rollout checklist
- Validate syntax with DMARC checker and DNS lookup
- Track drift in DMARC monitoring
- Rehearse changes in email sandbox
- Capture reject and bounce signals with email webhooks
- Confirm outcomes via email deliverability test
Final take
DMARC for Amazon SES is easiest to maintain when managed as an ongoing control loop: publish, monitor, tune, and then enforce. That sequence protects both reliability and reputation.