Configure DMARC for Amazon SES: Route 53 setup, Terraform, and rollout phases

Set up DMARC for Amazon SES using Route 53 and Terraform, then roll from monitoring to enforcement safely.

DMARC in Amazon SES is configured via DNS. The safest approach is phased: start with monitoring, validate alignment, then enforce.

Quick answer: what DMARC record should you start with?

Start with a monitoring policy:

v=DMARC1; p=none; rua=mailto:dmarc-report@example.com

Use p=none first to collect data, then move to quarantine or reject once legitimate send paths are aligned.

DMARC prerequisites for SES

Before tightening policy, confirm:

  • SPF is configured for your sending path
  • DKIM is enabled and signing correctly
  • MAIL FROM / return-path alignment is understood
  • You have a mailbox or processor for aggregate reports (rua)

Route 53 + Terraform example

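variable "zone_id" { type = string }              # Route 53 hosted zone ID
variable "domain" { type = string }               # e.g. example.com
variable "dmarc_report_address" { type = string } # mailbox that receives rua reports

resource "aws_route53_record" "dmarc" {
  zone_id = var.zone_id
  name    = "_dmarc.${var.domain}"
  type    = "TXT"
  ttl     = 600

  # Phase 1 monitoring policy. fo=1 only takes effect if a ruf= address is also published.
  records = [
    "v=DMARC1; p=none; rua=mailto:${var.dmarc_report_address}; fo=1"
  ]
}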

Rollout phases

Phase     Policy         Objective
Phase 1   p=none         Collect report data and find misalignment
Phase 2   p=quarantine   Reduce abuse while monitoring false positives
Phase 3   p=reject       Enforce strict protection once stable

Move to the next phase only after report data is clean for your critical send streams.

Validation workflow after publish

  1. Confirm DNS propagation and record syntax
  2. Send controlled test traffic
  3. Verify SPF/DKIM pass and DMARC alignment
  4. Review aggregate reports for failing sources
  5. Track bounce/reject trends before policy tightening
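
For step 4 of the workflow above, here is an added example (not MailSlurp or AWS code) that reads one aggregate report and lists the sources that would be affected by quarantine or reject. The sample report, its IPs and domains are constructed, and the parser assumes the report's `<feedback>` element carries no XML namespace.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the RFC 7489 aggregate format (documentation IP ranges).
# Row 1: DKIM aligned, SPF passed only for a non-aligned MAIL FROM domain.
SAMPLE_REPORT = """<feedback>
<policy_published><domain>example.com</domain><p>none</p></policy_published>
<record><row><source_ip>192.0.2.10</source_ip><count>120</count>
 <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
 <identifiers><header_from>example.com</header_from></identifiers>
 <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
  <spf><domain>amazonses.com</domain><result>pass</result></spf></auth_results></record>
<record><row><source_ip>198.51.100.7</source_ip><count>15</count>
 <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
 <identifiers><header_from>example.com</header_from></identifiers>
 <auth_results><spf><domain>mailer.example.net</domain><result>pass</result></spf></auth_results></record>
</feedback>"""


def summarize(report_xml):
    """Return (pass_count, fail_count, failing_rows) for one aggregate report."""
    # Reports are third-party input received by mail: in production, parse with
    # defusedxml and cap the decompressed size before parsing.
    root = ET.fromstring(report_xml)
    passed = failed = 0
    failing = []
    for rec in root.iter("record"):
        count = int(rec.findtext("row/count", "0"))
        # policy_evaluated holds the aligned results; DMARC passes if either passes.
        aligned = (rec.findtext("row/policy_evaluated/dkim"),
                   rec.findtext("row/policy_evaluated/spf"))
        if "pass" in aligned:
            passed += count
            continue
        failed += count
        failing.append({
            "source_ip": rec.findtext("row/source_ip"),
            "header_from": rec.findtext("identifiers/header_from"),
            "count": count,
            # Domains that were checked but did not produce an aligned pass.
            "spf_domains": [e.findtext("domain") for e in rec.iterfind("auth_results/spf")],
            "dkim_domains": [e.findtext("domain") for e in rec.iterfind("auth_results/dkim")],
        })
    failing.sort(key=lambda r: r["count"], reverse=True)
    return passed, failed, failing


if __name__ == "__main__":
    ok, bad, rows = summarize(SAMPLE_REPORT)
    print(f"DMARC pass={ok} fail={bad}")
    for r in rows:
        print(r)
```

A failing row whose `spf_domains` shows a pass for some other domain and whose `dkim_domains` is empty points to a legitimate third-party sender that needs DKIM signing or a custom MAIL FROM domain before the policy is tightened.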

Common SES DMARC mistakes

  • Moving to reject before report analysis
  • Ignoring subdomain and third-party sender alignment
  • Treating DMARC as one-time DNS work
  • Missing operational ownership for report review

SES DMARC rollout checklist

Final take

DMARC for Amazon SES is easiest to maintain when managed as an ongoing control loop: publish, monitor, tune, and then enforce. That sequence protects both reliability and reputation.