Suped

How do Iterable shared infrastructure and Amazon SES handle SPF alignment and DMARC compliance?

Summary

When using Iterable and Amazon SES together, managing SPF alignment and DMARC compliance requires a multi-faceted approach. Iterable's shared infrastructure typically necessitates configuring a custom MAIL FROM domain to achieve SPF alignment, as the default may not align with your sending domain. While DMARC can pass with DKIM alone, experts recommend SPF as a backup to mitigate risks if DKIM fails. Proper setup involves publishing SPF records to authorize sending servers, choosing between Easy DKIM and BYODKIM for DKIM signing, and configuring DMARC policies to handle emails failing authentication checks. Monitoring DMARC reports is crucial for identifying and addressing issues. Additional considerations include SPF record lookup limits, DKIM key rotation, and adopting a cautious DMARC policy implementation, starting with 'p=none'.

Key findings

  • Custom MAIL FROM for SPF: A custom MAIL FROM domain is typically required to achieve SPF alignment when using Iterable's shared infrastructure with Amazon SES.
  • DKIM and DMARC: DMARC can pass with DKIM alignment, but SPF is recommended as a backup.
  • Configuration Steps: Proper setup involves publishing SPF records, configuring DKIM, and setting DMARC policies.
  • Importance of Monitoring: Regularly monitoring DMARC reports is critical for identifying and resolving email authentication issues.
  • Cautious DMARC Implementation: Starting with a 'p=none' DMARC policy is recommended for monitoring and gaining confidence.

Key considerations

  • SPF Record Management: Ensure SPF records accurately list authorized sending servers, considering SPF record lookup limits.
  • DKIM Key Rotation: Periodically rotating DKIM keys enhances security.
  • DMARC Policy Enforcement: Consider the implications of different DMARC policies (none, quarantine, reject) based on your confidence in authentication setup.
  • Infrastructure Awareness: Be aware of the specific configurations and limitations of Iterable and Amazon SES regarding SPF and DMARC.
  • Easy DKIM versus BYODKIM: Understand the difference between Easy DKIM (managed by SES) and BYODKIM (bring your own keys) and choose appropriately.

What email marketers say

11 marketer opinions

Iterable, when used with Amazon SES, presents specific challenges and solutions regarding SPF alignment and DMARC compliance. While Iterable's shared infrastructure may not provide SPF alignment out-of-the-box, it does support DKIM. Achieving SPF alignment typically requires setting up a custom MAIL FROM domain. Effective DMARC compliance necessitates correctly configuring both SPF and DKIM. Best practices also involve regularly monitoring DMARC reports and being mindful of SPF record lookup limits.

Key opinions

  • SPF Alignment Challenge: Iterable's shared infrastructure doesn't inherently offer SPF alignment, often using amazonses.com as the 'mail from' domain.
  • DKIM Support: Iterable supports DKIM, which can be used for DMARC compliance even without SPF alignment.
  • Custom MAIL FROM: Setting up a custom MAIL FROM domain is a key method to achieve SPF alignment with shared SES infrastructure.
  • DMARC Reliance on SPF and DKIM: DMARC relies on both SPF and DKIM for proper functionality, dictating how receiving servers should handle emails failing these checks.
  • Importance of DMARC Reports: Regularly monitoring DMARC reports is crucial for identifying and resolving email authentication issues.

Key considerations

  • Custom MAIL FROM Setup: Implementing a custom MAIL FROM domain requires configuring DNS records to point to SES while using your domain for the 'mail from' address.
  • DMARC Policy Implementation: Start with a 'p=none' DMARC policy to monitor traffic before implementing stricter policies like 'p=quarantine' or 'p=reject'.
  • SPF Record Lookup Limits: Be aware of SPF record lookup limits (typically 10) and consider SPF flattening to avoid SPF check failures.
  • DKIM Key Rotation: Periodically rotating DKIM keys enhances security and reduces the risk of compromised email authentication.
  • Dedicated Servers: Iterable offers dedicated servers for SPF alignment, but this may not always be the best solution due to complexities such as warming up new IPs.

Marketer view

An email marketer from Postmark advises being aware of SPF record lookup limits. SPF records have a limit of 10 DNS lookups. If your SPF record exceeds this limit, it can cause SPF checks to fail. SPF flattening is a technique used to reduce the number of lookups.

26 Jan 2024 - Postmark
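
The lookup limit described above can be checked before a record is published. The following is an added example, not code from Postmark, Iterable or Amazon SES: it counts the DNS-querying terms (include, a, mx, ptr, exists, redirect) reachable from a record, following nested includes. The `.example` domains and every record body in `RECORDS` are constructed sample data, including the stand-in entry for `amazonses.com`.

```python
LIMIT = 10  # RFC 7208 cap on DNS-querying terms per SPF evaluation

# Constructed TXT records standing in for DNS answers (not real published data).
RECORDS = {
    "brand.example": "v=spf1 include:amazonses.com include:_spf.crm.example "
                     "include:_spf.helpdesk.example include:_spf.survey.example a mx ~all",
    "amazonses.com": "v=spf1 ip4:192.0.2.0/24 -all",
    "_spf.crm.example": "v=spf1 include:_a.crm.example include:_b.crm.example -all",
    "_a.crm.example": "v=spf1 ip4:198.51.100.0/25 -all",
    "_b.crm.example": "v=spf1 ip4:198.51.100.128/25 -all",
    "_spf.helpdesk.example": "v=spf1 a mx include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip4:203.0.113.0/24 -all",
    "_spf.survey.example": "v=spf1 ip6:2001:db8::/32 -all",
    # Flattened variant: third-party includes replaced by their address ranges.
    "flat.brand.example": "v=spf1 include:amazonses.com ip4:198.51.100.0/24 "
                          "ip4:203.0.113.0/24 ip6:2001:db8::/32 ~all",
}

def count_lookups(domain, records, path=()):
    """Worst-case count of DNS-querying terms for `domain`'s SPF record."""
    if domain in path:                      # include/redirect loop: stop counting
        return 0
    total = 0
    for term in records.get(domain, "").split()[1:]:   # skip "v=spf1"
        term = term.lstrip("+-~?").lower()             # drop the qualifier
        if term.startswith("redirect="):
            total += 1 + count_lookups(term[9:], records, path + (domain,))
            continue
        name, _, arg = term.partition(":")
        if name == "include":
            total += 1 + count_lookups(arg, records, path + (domain,))
        elif name == "exists" or name.split("/")[0] in ("a", "mx", "ptr"):
            total += 1                      # ip4, ip6 and all cost no lookup
    return total

def report(domain, records=RECORDS):
    """Return (lookup count, verdict) for a domain's record."""
    n = count_lookups(domain, records)
    return n, "permerror (over limit)" if n > LIMIT else "ok"

if __name__ == "__main__":
    for d in ("brand.example", "flat.brand.example"):
        print(d, *report(d))
```

Flattened records go stale when a provider changes its address ranges, so the flattened copy needs regenerating on a schedule.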

Marketer view

An email marketer from Mailjet stresses the importance of having a DMARC record and explains that setting one up involves creating a TXT record in your domain's DNS settings. This record specifies your DMARC policy (none, quarantine, or reject) and provides instructions to receiving email servers on how to handle emails that fail SPF and DKIM checks.

25 Feb 2022 - Mailjet

What the experts say

4 expert opinions

Experts emphasize the interplay between SPF, DKIM, and DMARC in ensuring email deliverability when using shared infrastructure like Iterable and Amazon SES. While DMARC can pass with DKIM alignment alone, especially when brands have a first-party DKIM signature, relying solely on DKIM poses a risk if DKIM fails. Properly configured SPF records specifying authorized sending servers are crucial for deliverability. A cautious approach to DMARC implementation, starting with a 'p=none' policy, is recommended due to the complexities involved, especially with shared infrastructures where unexpected sending sources can affect compliance.

Key opinions

  • DMARC Passing with DKIM: DMARC can pass with DKIM alignment, particularly when a brand uses a first-party DKIM signature.
  • Risk of Sole Reliance on DKIM: Solely relying on DKIM for DMARC compliance carries a risk of DMARC failure if DKIM fails.
  • Importance of Correct SPF Records: Properly configured SPF records are crucial for specifying authorized sending servers and maintaining deliverability.
  • Complexity of DMARC Implementation: DMARC implementation can be complex, especially with shared infrastructure where unexpected sending sources impact compliance.

Key considerations

  • SPF as a Backup: Consider SPF alignment as a 'belt and suspenders' approach for long-term deliverability and to mitigate risks if DKIM fails.
  • Cautious DMARC Policy: Implement DMARC cautiously, starting with a 'p=none' policy to monitor traffic and gain confidence before moving to stricter policies.
  • Monitoring DMARC: Continuously monitor DMARC reports to identify and address issues related to SPF, DKIM, and overall compliance.
  • Infrastructure Awareness: Be aware of the specific configurations and limitations of the shared infrastructure being used (e.g., Iterable, Amazon SES) and how they affect SPF and DMARC.

Expert view

An expert from SpamResource explains the importance of having a correct SPF record, noting that it can specify the servers that are authorized to send email from your domain. With shared infrastructure like Iterable and Amazon SES, ensuring the SPF record includes the appropriate servers is crucial for deliverability.

20 Feb 2024 - SpamResource

Expert view

An expert from Email Geeks explains that SPF does not align, but DMARC is passing because each brand has a first-party DKIM signature. Thus it is passing DMARC based on DKIM alignment.

14 Dec 2021 - Email Geeks
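
The situation described above (SPF passes for the shared MAIL FROM domain but does not align, while a first-party DKIM signature carries DMARC) can be reproduced with a small evaluator. This is an added example, not code from Iterable, Amazon SES or any receiver: the `brand.example` domains and the sample messages are constructed, and `org_domain` is a simplified stand-in for the Public Suffix List lookup that real receivers perform.

```python
from dataclasses import dataclass

def org_domain(domain):
    """Simplified organizational domain: the last two labels (assumption;
    real receivers consult the Public Suffix List)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, strict=False):
    """Strict mode needs an exact match; relaxed mode compares org domains."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if strict else org_domain(a) == org_domain(f)

@dataclass
class Message:
    header_from: str   # domain of the visible From: header
    mail_from: str     # envelope MAIL FROM (Return-Path) domain
    spf_result: str    # SPF verdict for mail_from
    dkim: list         # [(d= domain, verdict), ...], one per signature

def dmarc_evaluate(msg, aspf="r", adkim="r"):
    """DMARC passes when SPF or DKIM both passes and aligns with From:."""
    spf_ok = msg.spf_result == "pass" and aligned(
        msg.mail_from, msg.header_from, strict=(aspf == "s"))
    dkim_ok = any(res == "pass" and aligned(d, msg.header_from, strict=(adkim == "s"))
                  for d, res in msg.dkim)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if spf_ok or dkim_ok else "fail"}

# Constructed sample messages.
SHARED_DEFAULT = Message("brand.example", "amazonses.com", "pass",
                         [("brand.example", "pass")])
SHARED_DKIM_BROKEN = Message("brand.example", "amazonses.com", "pass",
                             [("brand.example", "fail")])
CUSTOM_DKIM_BROKEN = Message("brand.example", "bounce.brand.example", "pass",
                             [("brand.example", "fail")])

if __name__ == "__main__":
    for name, m in [("shared default", SHARED_DEFAULT),
                    ("shared, DKIM broken", SHARED_DKIM_BROKEN),
                    ("custom MAIL FROM, DKIM broken", CUSTOM_DKIM_BROKEN)]:
        print(name, dmarc_evaluate(m))
```

The second and third messages differ only in the MAIL FROM domain, which is what decides whether a broken DKIM signature turns into a DMARC failure.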

What the documentation says

5 technical articles

Technical documentation outlines how Amazon SES and DMARC work to authenticate emails and protect against abuse. To set up SPF with Amazon SES, you need to publish an SPF record in your domain's DNS settings to authorize SES to send emails on your behalf. DKIM signing can be enabled using either Easy DKIM (managed by SES) or BYODKIM (bring your own keys). Achieving DMARC compliance requires emails to pass both SPF and DKIM checks, along with setting up a DMARC policy to instruct receiving servers on handling failed authentication attempts. DMARC, building upon SPF and DKIM, offers a reporting function to monitor and improve email protection against phishing and spoofing.

Key findings

  • SPF Setup with SES: Setting up SPF with Amazon SES involves publishing an SPF record to authorize SES to send emails on behalf of your domain.
  • DKIM Options with SES: DKIM signing with Amazon SES can be achieved using either Easy DKIM (managed by SES) or BYODKIM (bring your own keys).
  • DMARC Compliance Requirements: DMARC compliance requires emails to pass both SPF and DKIM checks, along with a properly configured DMARC policy.
  • DMARC's Role: DMARC builds on SPF and DKIM by adding a reporting function, improving email protection against fraudulent activities.
  • SES Provides Info: Amazon SES provides the necessary information to include in your SPF record.

Key considerations

  • Publishing SPF Record: Ensure the SPF record accurately lists authorized sending servers to avoid deliverability issues.
  • Choosing DKIM Method: Consider the level of control needed when choosing between Easy DKIM (managed by SES) and BYODKIM (bring your own keys).
  • DMARC Policy Setup: Configure a DMARC policy to instruct receiving servers on how to handle emails that fail SPF and DKIM checks.
  • DMARC Monitoring: Utilize DMARC's reporting function to monitor email authentication performance and identify potential issues.

Technical article

Documentation from Amazon Web Services says that to achieve DMARC compliance with Amazon SES, you need to ensure that your emails pass both SPF and DKIM checks. This requires properly configuring SPF and DKIM records for your domain. You also need to set up a DMARC policy that tells receiving email servers how to handle emails that fail SPF and DKIM checks.

22 Oct 2021 - Amazon Web Services

Technical article

Documentation from DMARC.org explains DMARC policies. A DMARC policy allows a sender to indicate that their emails are protected by SPF and/or DKIM, and tells a receiver what to do if neither of those authentication methods passes – such as junk or reject the message. DMARC removes guesswork from the receiver’s handling of these failed messages, limiting or eliminating the recipient’s exposure to potentially fraudulent & harmful messages.

26 Dec 2023 - DMARC.org
