Setting Up DKIM, SPF, and DMARC with AWS CLI for Trusted Email Delivery

I once saw an email campaign burn to the ground because one record was missing.

When you send email through AWS, trust is the currency. Without proper authentication, your messages land in spam or vanish in silence. AWS CLI gives you the control to set up and verify email authentication fast, but only if you configure DKIM, SPF, and DMARC the right way.

Why Authentication Matters

DKIM signs your email with a digital key so receivers know it’s from you. SPF declares which servers can send mail for your domain. DMARC ties it together, telling providers how to handle mail that fails checks. Without these, your domain is open to spoofing, phishing, and delivery failures.

Setting It Up with AWS CLI

First, verify your domain through Amazon SES with:

aws ses verify-domain-identity --domain example.com

AWS returns DNS records to add. These include a TXT record for SPF and CNAME records for DKIM. Update your DNS settings exactly as shown. Propagation can take time.

For DKIM, enable signing with:

aws ses verify-domain-dkim --domain example.com

Add the provided CNAME records to your DNS. Once verified, every email gets a cryptographic signature.

For SPF, create or update your DNS TXT record:

"v=spf1 include:amazonses.com -all"

This tells receiving servers that only SES can send for your domain.

For DMARC, add a TXT record at _dmarc.example.com:

"v=DMARC1; p=quarantine; rua=mailto:you@example.com; ruf=mailto:you@example.com; fo=1"

Adjust p= to reject after monitoring reports. Reports reveal who is trying to send as you.

Testing and Verification

AWS CLI can check status:

aws ses get-identity-dkim-attributes --identities example.com
aws ses get-identity-verification-attributes --identities example.com

Use online tools to confirm DNS records resolve. Send test emails to multiple providers. Watch headers for spf=pass, dkim=pass, and dmarc=pass.
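
The header check described above can be scripted. This is an added example, not code from the original post: it reads the Authentication-Results headers of a saved test message and keeps only the results stamped by your own receiving server, since a header with the same name can also arrive with the message. The sample message, the server names mx.receiver.example and mx.other.example, and the function names are constructed for illustration; in the sample, spf and dkim pass for a domain other than the From domain, so dmarc reports fail.

```python
import email
import re
from email import policy

METHODS = ("spf", "dkim", "dmarc")

# Constructed sample, not captured from a real provider. The first header is
# stamped by the receiving server; the second arrived with the message and
# makes claims that server never verified.
SAMPLE = """\
Authentication-Results: mx.receiver.example;
 dkim=pass header.i=@amazonses.com header.s=selector1;
 spf=pass (sender IP is 192.0.2.10) smtp.mailfrom=amazonses.com;
 dmarc=fail (p=QUARANTINE) header.from=example.com
Authentication-Results: mx.other.example; spf=pass; dkim=pass; dmarc=pass
From: sender@example.com
Subject: SES authentication test

test body
"""


def auth_results(raw_message, authserv_id):
    """Collect spf/dkim/dmarc results stamped by the server `authserv_id`."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    found = {method: [] for method in METHODS}
    for header in msg.get_all("Authentication-Results", []):
        value = " ".join(str(header).split())    # unfold continuation lines
        value = re.sub(r"\([^)]*\)", "", value)  # drop (comments)
        server, _, results = value.partition(";")
        tokens = server.split()
        # Trust only the header written by our own receiving server.
        if not tokens or tokens[0].lower() != authserv_id.lower():
            continue
        for part in results.split(";"):
            m = re.match(r"\s*(spf|dkim|dmarc)\s*=\s*([a-z]+)", part, re.I)
            if m:
                found[m.group(1).lower()].append(m.group(2).lower())
    return found


def all_pass(found):
    """True only if every method reported at least one 'pass'."""
    return all("pass" in found[method] for method in METHODS)


if __name__ == "__main__":
    print(auth_results(SAMPLE, "mx.receiver.example"))
```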

Keep It Tight

Rotate keys regularly. Review DNS for outdated entries. Monitor DMARC reports every week. Strong authentication is not set-and-forget; it’s active defense.

If you want to set up DKIM, SPF, and DMARC — and see it live without wrestling with DNS for days — try it with hoop.dev. You can be up and running in minutes, sending authenticated, trusted email with AWS CLI precision and zero wasted time.
