DMARC is a protocol for verifying the authenticity of an email sender. It is used by email providers to determine if an email is spam or not. It is a powerful tool for email deliverability and can help you avoid having your emails marked as spam. In AWS SES one can configure DMARC using Route 53 and Terraform. Here is how.

What is DMARC?

DMARC stands for Domain-based Message Authentication, Reporting, and Conformance. It isn't a requirement for sending emails with SES but adding it to your domain (along with SPF) will dramatically improve your domain's reputation and deliverability.

Anatomy of a DMARC record

DMARC records are simply DNS TXT records that are added to your domain. They are used by email providers to determine if an email is spam or not. They are made up of a few different parts and look like this:

This record tells email providers that you have a DMARC record and that you want to reject emails that fail DMARC checks. It also tells them where to send DMARC reports to. These reports help you to reduce spam and impersonation attacks.

Lookup DMARC records

To see a real example let's use NSLookup in the terminal to fetch the DMARC records for Gmail:

Note the return TXT record. It contains the DMARC record for the domain. You can see that it has a policy which means that emails that fail DMARC checks will be rejected. It also has a field which tells email providers where to send DMARC reports ( means aggregate report destination).

Adding records to your SES setup

AWS SES uses Route53 to configure MX records. This Route53 setup can also be used to add DMARC records as they are simply TXT records. An example might look like this:

For more information on DMARC see our email DNS records guide.