How do Iterable shared infrastructure and Amazon SES handle SPF alignment and DMARC compliance?
Matthew Whittaker
Co-founder & CTO, Suped
Published 13 Aug 2025
Updated 16 Aug 2025
When sending emails through a platform like Iterable, which uses Amazon SES as its underlying infrastructure, you might encounter situations where deliverability tools report "SPF not present/authenticated" errors. This can be particularly confusing when you're focused on maintaining strong email authentication and ensuring DMARC compliance for your brand's emails.
Understanding how SPF, DKIM, and DMARC interact, especially with shared infrastructure, is key to deciphering these reports. It helps clarify what these warnings mean for your email deliverability and overall email security posture.
SPF (Sender Policy Framework) is an email authentication protocol that prevents spammers from sending messages on behalf of your domain. It works by allowing receiving mail servers to check if an email claiming to be from a specific domain was sent by an IP address authorized by that domain's administrators.
DMARC (Domain-based Message Authentication, Reporting & Conformance) builds on SPF and DKIM (DomainKeys Identified Mail) to provide email senders with the ability to instruct receiving mail servers on how to handle emails that fail authentication. For a DMARC check to pass, an email must pass either SPF or DKIM authentication, and the authenticating domain must align with the "From" header domain.
SPF alignment occurs when the domain in the "Return-Path" address (also known as the "Mail From" or envelope sender) matches the domain in the "From" (RFC 5322 From) header. This matching can be either strict (exact domain match) or relaxed (organizational domain match), as explained in a related article on DMARC passing and identifier alignment.
Iterable's shared infrastructure and Amazon SES
Iterable leverages Amazon SES as its email sending infrastructure. When you send emails through Iterable using their shared IP pools, the actual bounce or "Return-Path" address is typically set to an Amazon SES domain, for example, bounce-{{uniquestring}}@amazonses.com. Because this Mail From domain (amazonses.com) is not your primary sending domain, SPF alignment with your "From" header domain cannot be achieved directly.
However, Iterable does configure DKIM signatures for your sending domain. DKIM works by cryptographically signing outgoing emails, allowing the recipient's server to verify that the email has not been tampered with and truly originated from the claimed sender. Since DKIM aligns with your brand's domain in the "From" header, DMARC compliance is typically achieved through DKIM authentication, even without SPF alignment. This is a common setup with shared email sending services.
The documentation from Amazon SES on DMARC compliance highlights that DMARC can pass if either SPF or DKIM aligns. This is why you might see your emails successfully delivered despite an SPF misalignment warning.
Understanding SPF and DKIM roles
When using Iterable's shared infrastructure with Amazon SES, the lack of SPF alignment is due to the "Return-Path" being an amazonses.com domain. This means SPF authentication for your primary domain cannot align. However, your emails are signed with DKIM using your domain, allowing DMARC to pass based on DKIM alignment.
The impact of SPF misalignment on deliverability
While SPF misalignment can cause alarm in deliverability reports, it's often not an immediate threat to inbox placement if your DKIM setup is robust and aligned. DMARC's design allows for flexibility, passing authentication if either SPF or DKIM aligns with the "From" header domain.
The primary risk arises if there is a failure in your DKIM signature. If DKIM verification fails for any reason, such as message modification in transit or a misconfiguration, and SPF is already misaligned, then your DMARC check will also fail. This can lead to emails being marked as spam, quarantined, or even rejected by receiving mail servers, depending on your DMARC policy (p=quarantine or p=reject).
Many experts view both SPF and DKIM alignment as a "belt and suspenders" approach for email authentication. Having both layers of authentication provides redundancy, minimizing the chances of DMARC failure if one mechanism encounters an issue. This practice is crucial for long-term email deliverability and maintaining a positive sender reputation.
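The alignment logic described above can be worked through in a few lines. This is an added example, not code from Iterable, Amazon SES or Suped; example.com stands in for your From domain, mail.example.com is a hypothetical custom MAIL FROM subdomain, and the organizational-domain lookup uses a small constructed suffix set where a real evaluator would use the Public Suffix List.

```python
# Simplification: organizational domains come from a small constructed suffix
# set; a real evaluator must use the Public Suffix List.
SUFFIXES = {"com", "org", "net", "co.uk"}

def org_domain(domain):
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):            # longest suffix match first
        if ".".join(labels[i:]) in SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])

def aligned(auth_domain, from_domain, mode):
    """mode 's' = strict (exact match), 'r' = relaxed (same organizational domain)."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_eval(header_from, mail_from, spf, dkim_d, dkim, aspf="r", adkim="r"):
    """spf/dkim are the raw results ('pass'/'fail'); DMARC also needs alignment."""
    spf_ok = spf == "pass" and aligned(mail_from, header_from, aspf)
    dkim_ok = dkim == "pass" and aligned(dkim_d, header_from, adkim)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if (spf_ok or dkim_ok) else "fail"}

def scenarios():
    """Constructed cases: shared SES Return-Path vs. a custom MAIL FROM subdomain."""
    f = "example.com"
    return {
        "shared_dkim_ok": dmarc_eval(f, "amazonses.com", "pass", f, "pass"),
        "shared_dkim_broken": dmarc_eval(f, "amazonses.com", "pass", f, "fail"),
        "custom_mailfrom_dkim_broken":
            dmarc_eval(f, "mail.example.com", "pass", f, "fail"),
        "custom_mailfrom_strict_spf":
            dmarc_eval(f, "mail.example.com", "pass", f, "fail", aspf="s"),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:30} {result}")
```

The last case shows a caveat worth checking before relying on a custom MAIL FROM subdomain: under strict SPF alignment (aspf=s) a subdomain Return-Path does not align with the parent From domain, so the SPF fallback only exists in relaxed mode.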
Practical considerations and recommendations
You might wonder if adding include:amazonses.com to your own domain's SPF record would resolve the SPF misalignment issue. Generally, this approach is not effective for SPF alignment in this specific scenario. The Mail From domain (Return-Path) is controlled by Iterable and Amazon SES, and receiving servers evaluate SPF against the SPF record of that Mail From domain. Your own domain's SPF record only comes into play when your domain is the Mail From domain, so changing it does not alter which domain SPF authenticates.
For true SPF alignment, Iterable would need to enable a custom "MAIL FROM" domain feature, which allows the Return-Path to be a subdomain of your own primary sending domain. While Amazon SES supports this feature, its availability through a shared infrastructure provider like Iterable might be limited or require a transition to a dedicated sending setup, which can introduce complexities such as IP warming for high-volume senders.
Regardless of SPF alignment, it's critical to regularly monitor your DMARC reports. These reports offer comprehensive insights into your email authentication status, helping you identify if your emails are passing authentication, which authentication method (SPF or DKIM) is aligning, and what actions are taken by receiving mail servers. You can learn more about this in our guide on troubleshooting DMARC reports from Google and Yahoo.
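To see which mechanism is carrying your DMARC pass, you can tally an aggregate report by its policy_evaluated results. This is an added example, not tooling from Suped, Iterable or Amazon SES; the report fragment is constructed, with example.com as the From domain and documentation-range IP addresses.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed aggregate-report fragment (element names follow RFC 7489, Appendix C).
# Reports are third-party input; in production prefer a hardened parser (defusedxml).
SAMPLE_REPORT = """<feedback>
<record><row><source_ip>192.0.2.10</source_ip><count>120</count>
  <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
    <spf><domain>amazonses.com</domain><result>pass</result></spf></auth_results></record>
<record><row><source_ip>192.0.2.11</source_ip><count>3</count>
  <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><dkim><domain>example.com</domain><result>fail</result></dkim>
    <spf><domain>amazonses.com</domain><result>pass</result></spf></auth_results></record>
</feedback>"""

def summarize(report_xml):
    """Tally message counts by which mechanism produced the DMARC-aligned pass."""
    tally, failures = Counter(), []
    for rec in ET.fromstring(report_xml).iter("record"):
        count = int(rec.findtext("row/count"))
        # policy_evaluated holds the aligned results; auth_results holds raw ones.
        dkim = rec.findtext("row/policy_evaluated/dkim")
        spf = rec.findtext("row/policy_evaluated/spf")
        if dkim == "pass" and spf == "pass":
            key = "both"
        elif dkim == "pass":
            key = "dkim_only"   # the shared-infrastructure case: no SPF fallback
        elif spf == "pass":
            key = "spf_only"
        else:
            key = "fail"
            failures.append((rec.findtext("row/source_ip"), count,
                             rec.findtext("auth_results/spf/domain")))
        tally[key] += count
    return dict(tally), failures

if __name__ == "__main__":
    print(summarize(SAMPLE_REPORT))
```

In both sample records raw SPF passes for amazonses.com while the aligned SPF result is fail, which is the pattern deliverability tools report as SPF misalignment; the second record is the case where a broken DKIM signature leaves nothing to fall back on.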
SPF alignment: shared infrastructure
Return-Path: Typically an amazonses.com domain, not matching your "From" domain.
SPF alignment status: Often shows as misaligned in deliverability checks due to the Return-Path difference.
DMARC compliance: Relies heavily on DKIM alignment for successful DMARC pass.
SPF alignment: dedicated infrastructure
Return-Path: Can be configured to use a subdomain of your own domain, enabling SPF alignment.
SPF alignment status: Achieves full SPF alignment, providing an additional layer of authentication.
DMARC compliance: Benefits from both SPF and DKIM alignment, creating a more robust authentication setup.
Views from the trenches
Best practices
Always ensure DKIM is correctly configured and aligned for your sending domain, as this is usually the primary authentication method for DMARC with shared infrastructure.
Regularly monitor your DMARC reports to identify any authentication failures and understand their root causes.
If possible, advocate for a custom MAIL FROM domain feature from your ESP to achieve full SPF alignment, although this may require dedicated infrastructure.
Common pitfalls
Assuming SPF misalignment automatically means DMARC failure, when DKIM may still provide alignment.
Adding 'include:amazonses.com' to your main SPF record, as it typically doesn't resolve the Mail From domain alignment issue.
Ignoring DMARC reports, which provide crucial insights into authentication performance and potential deliverability problems.
Expert tips
Consider SPF alignment as an important added layer of security. While DKIM alignment often suffices for DMARC, having both ('belt and suspenders') provides stronger protection against spoofing and ensures deliverability if one mechanism falters.
Prioritize a strong sender reputation through good sending practices, as even perfect authentication cannot fully compensate for poor engagement or high complaint rates.
Understand that some tools may flag SPF misalignment, but the ultimate indicator of success is DMARC pass rates based on your chosen policy.
Marketer view
Marketer from Email Geeks says that Iterable's system functions on SES infrastructure but does not provide SPF alignment to match your From: address, so you can only achieve DKIM alignment.
2022-06-17 - Email Geeks
Marketer view
Marketer from Email Geeks says that adding 'amazonses.com' to your own domain's SPF record will not help, as Iterable needs to activate the MAILFROM within their SES infrastructure and provide SPF and MX records for your domain.
2022-06-17 - Email Geeks
Key takeaways
In summary, when using Iterable's shared infrastructure built on Amazon SES, SPF alignment with your primary sending domain is typically not achieved because the Return-Path address is an amazonses.com domain. However, DMARC compliance is still achieved because Iterable ensures your emails are signed with DKIM, and this DKIM signature aligns with your sending domain. This means your emails are authenticated and should reach the inbox as intended.
While striving for full SPF alignment is a good long-term goal for added redundancy, its absence on shared platforms generally doesn't pose an immediate threat as long as DKIM is functioning correctly. Continuous DMARC monitoring remains your best defense to ensure consistent email deliverability and robust authentication practices.