How to authenticate AfterShip with am-sns.com to pass SPF and DKIM for DMARC?
Michael Ko
Co-founder & CEO, Suped
Published 26 May 2025
Updated 17 Aug 2025
Dealing with DMARC reports can often feel like solving a complex puzzle, especially when unexpected domains pop up. A common scenario for many businesses, particularly those using AfterShip, is seeing am-sns.com show up with SPF and DKIM failures.
The confusion often arises because am-sns.com might seem related to Amazon Simple Notification Service (SNS), especially if you are using Amazon Seller Central. However, the direct connection isn't always clear, and these failures can severely impact your email deliverability, pushing important messages into the spam folder.
To achieve a healthy email ecosystem, particularly to move towards a DMARC policy of p=reject, it's crucial to understand why these failures occur and how to properly authenticate AfterShip emails originating from am-sns.com so they pass SPF and DKIM checks, leading to DMARC alignment.
When am-sns.com appears in your DMARC reports with SPF or DKIM failures, it typically signifies that a third-party service is sending emails on your behalf, and these emails are being routed through infrastructure that uses this domain. While am-sns.com points to Amazon Simple Notification Service (SNS), it's not Amazon's primary email sending service, AWS SES (Simple Email Service). Instead, it appears to be a domain used by a larger cloud provider, like SendGrid, which might be leveraged by AfterShip for sending out notifications.
This setup means your emails are originating from an IP address associated with SendGrid, but the From address visible to recipients is your domain. Without proper authentication, this creates a mismatch that DMARC flags as suspicious. It's a common issue with third-party senders, where the underlying infrastructure's domain (like am-sns.com) isn't aligned with your From domain.
The problem
Unexpected Domain: am-sns.com appearing in DMARC reports despite not being a directly configured sender.
SPF/DKIM Failures: Emails sent via this domain are failing SPF and DKIM checks.
DMARC Misalignment: The SPF and DKIM failures lead to DMARC authentication failures for your domain.
Deliverability Impact: Emails are more likely to land in spam or be blocklisted (blacklisted).
The clarification
AfterShip's Infrastructure: AfterShip uses third-party email service providers, which might utilize am-sns.com for their sending infrastructure.
Not Amazon SES: am-sns.com is not the primary domain for Amazon's dedicated email sending service, AWS SES.
Authentication Required: To pass DMARC, you must configure SPF and DKIM records for your sending domain within AfterShip, which then aligns with their underlying senders.
It's important to differentiate between an email service provider (like AfterShip) and the actual mail transfer agent (MTA) or infrastructure they use. In this case, am-sns.com represents the latter. Your goal is to ensure that when AfterShip sends emails on your behalf, your domain is correctly authorized through SPF and DKIM records, allowing these emails to pass DMARC.
The role of SPF and DKIM in DMARC alignment
SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) are foundational email authentication protocols. SPF allows a domain owner to specify which mail servers are authorized to send email on behalf of their domain. DKIM provides a cryptographic signature that verifies the email's sender and ensures its content hasn't been tampered with in transit. DMARC (Domain-based Message Authentication, Reporting, and Conformance) builds upon SPF and DKIM, requiring at least one of them to align with your From domain for an email to pass DMARC.
When am-sns.com appears as a failing domain in your DMARC reports, it means either your SPF record isn't authorizing am-sns.com's IPs to send on your behalf, or the DKIM signature isn't signed with your domain. In essence, the recipient's mail server can't confirm that am-sns.com is permitted to send emails for your domain. This leads to DMARC failure, which can cause your emails to go to spam or be rejected.
Key email authentication standards
SPF (Sender Policy Framework): A DNS TXT record that lists authorized sending IP addresses for a domain. It verifies that the email came from an authorized server.
DKIM (DomainKeys Identified Mail): Adds a digital signature to emails, allowing recipients to verify the sender and ensure content integrity.
DMARC (Domain-based Message Authentication, Reporting, and Conformance): A policy that specifies what mail receivers should do with emails that fail SPF or DKIM alignment, and provides reporting on email authentication results.
The key to DMARC pass is alignment, meaning the domain in the From header of your email matches (or is a subdomain of) the domain validated by SPF or DKIM. If AfterShip sends emails with am-sns.com in the MailFrom (for SPF) or d=domain (for DKIM) that does not align with your domain, DMARC will fail. This is why configuring AfterShip's domain verification is so crucial, as it ensures your domain is used for these checks.
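The alignment check described above can be run over a DMARC aggregate report to list which authenticated domains are failing for your From domain. This is an added example, not code from the original article or from AfterShip; the report is a constructed sample in the RFC 7489 XML layout, and `example.com` and the IP addresses are placeholders.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample in the RFC 7489 aggregate-report layout; example.com and
# the 192.0.2.x addresses are placeholders, not data from a real report.
SAMPLE_REPORT = """<feedback>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>42</count></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>am-sns.com</domain><result>pass</result></dkim>
      <spf><domain>am-sns.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>192.0.2.11</source_ip><count>7</count></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>am-sns.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>"""

def aligned(auth_domain, from_domain):
    # Relaxed alignment approximated as "same domain or parent/child of it";
    # a full check compares organizational domains via the Public Suffix List.
    a = auth_domain.strip().lower().rstrip(".")
    f = from_domain.strip().lower().rstrip(".")
    return a == f or a.endswith("." + f) or f.endswith("." + a)

def dmarc_failures(report_xml):
    """Map (header_from, authenticated domains) to message count for records with no aligned pass."""
    failures = Counter()
    for rec in ET.fromstring(report_xml).iter("record"):
        from_domain = rec.findtext("identifiers/header_from", "").strip()
        count = int(rec.findtext("row/count", "0"))
        results = rec.findall("auth_results/dkim") + rec.findall("auth_results/spf")
        seen = sorted({r.findtext("domain", "").strip().lower() for r in results})
        # DMARC passes if any single passing SPF or DKIM result is aligned.
        passed = any(r.findtext("result", "").strip() == "pass"
                     and aligned(r.findtext("domain", ""), from_domain)
                     for r in results)
        if not passed:
            failures[(from_domain, tuple(seen))] += count
    return failures

if __name__ == "__main__":
    for (from_domain, domains), n in dmarc_failures(SAMPLE_REPORT).items():
        print(f"{n} messages From {from_domain} authenticated only as {domains}")
```

In the sample, the first record passes SPF and DKIM for am-sns.com yet still fails DMARC because neither result aligns with the From domain; the second passes on its aligned DKIM signature alone.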
Troubleshooting AfterShip authentication issues
The primary solution for resolving am-sns.com failures is to properly configure your sending domain within AfterShip. This process typically involves adding specific DNS records, usually CNAMEs, to your domain's DNS settings. These records allow AfterShip (or its underlying email service provider) to send emails on your behalf with your domain as the legitimate sender, ensuring SPF and DKIM alignment.
AfterShip provides instructions on how to verify your sending domain. Following these steps ensures that your domain is correctly authorized for SPF and DKIM, eliminating the am-sns.com issue and improving your DMARC pass rate. Once configured, you can verify your DMARC, DKIM, and SPF setup using online tools or your DMARC reports.
Best practices for third-party senders
Use Subdomains: Consider using a specific subdomain (e.g., notifications.yourdomain.com) for third-party services like AfterShip to isolate any potential reputation issues.
Regular Monitoring: Consistently review your DMARC reports to identify new or recurring authentication failures.
Maintain DNS Records: Ensure your DNS records for SPF, DKIM, and DMARC are always up-to-date and correctly configured.
| Record type | Host/Name | Value/Points to |
| --- | --- | --- |
| CNAME | as_dkim_01._domainkey | dkim.aftership.com |
| CNAME | as_dkim_02._domainkey | dkim2.aftership.com |
| TXT | @ | v=spf1 include:spf.aftership.com ~all |
Remember, after adding these records, it might take some time for DNS changes to propagate globally, typically a few hours. Continuously monitor your DMARC reports to confirm that emails from AfterShip are now passing SPF and DKIM authentication and achieving DMARC alignment.
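A domain may publish only one SPF record, so if the apex already has a `v=spf1` TXT record, the include from the table has to be merged into it rather than added as a second record. The following is an added example, not AfterShip's or the article's own code; the existing record contents (`_spf.example.net`, `192.0.2.0/24`) are constructed placeholders.

```python
import re

# Terms that each cost one DNS lookup toward the limit of 10 (RFC 7208, section 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def term_name(term):
    # "-all" -> "all", "include:x" -> "include", "mx/24" -> "mx"
    return re.split(r"[:/=]", term.lstrip("+-~?").lower())[0]

def merge_spf(apex_txt, include="spf.aftership.com"):
    """Return the single SPF record to publish, given every TXT string now at the apex (@)."""
    spf = [t for t in apex_txt if t.lower().split()[:1] == ["v=spf1"]]
    if len(spf) > 1:
        raise ValueError("more than one v=spf1 record: SPF evaluates to permerror")
    if not spf:
        return f"v=spf1 include:{include} ~all"  # the value from the table above
    terms = spf[0].split()
    wanted = f"include:{include}"
    if wanted not in (t.lower() for t in terms):
        # Mechanisms are evaluated left to right, so the include must precede "all".
        pos = next((i for i, t in enumerate(terms) if term_name(t) == "all"), len(terms))
        terms.insert(pos, wanted)
    return " ".join(terms)

def lookup_terms(record):
    """Count lookup-costing terms in this record (a lower bound, since includes nest)."""
    return sum(term_name(t) in LOOKUP_TERMS for t in record.split()[1:])

if __name__ == "__main__":
    # Constructed apex TXT set: one existing SPF record plus an unrelated TXT record.
    current = ["v=spf1 include:_spf.example.net ip4:192.0.2.0/24 -all",
               "site-verification=constructed"]
    merged = merge_spf(current)
    print(merged, "| lookup terms:", lookup_terms(merged))
```

The merge keeps the existing `all` qualifier instead of replacing it with the table's `~all`, so adding AfterShip does not loosen a stricter policy that is already published.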
Achieving DMARC enforcement (p=reject)
The ultimate goal of setting up SPF, DKIM, and DMARC is to achieve a p=reject DMARC policy. This policy instructs recipient mail servers to outright reject emails that fail DMARC authentication, effectively stopping spammers and phishers from spoofing your domain. However, moving to p=reject prematurely, before all legitimate sending sources are properly authenticated, can lead to your own legitimate emails being blocklisted (blacklisted) or marked as spam.
First, start with a p=none policy to gather reports and identify all your email sending sources. Once you're confident that all legitimate emails are passing DMARC, gradually transition to p=quarantine, then to p=reject. This phased approach, often referred to as safely transitioning your DMARC policy, allows you to monitor the impact and address any unforeseen issues before enforcing strict policies.
Warning: Avoid premature DMARC reject
Setting a DMARC policy to p=reject before all your legitimate email sending sources are fully authenticated (passing SPF and DKIM alignment) can have severe consequences for your email deliverability. Legitimate emails may be rejected by recipient servers, leading to missed communications, lost sales, and damage to your brand's reputation. Always ensure comprehensive authentication before moving to an enforcement policy.
By diligently monitoring your DMARC reports, addressing any failures from domains like am-sns.com, and gradually moving your DMARC policy, you can build a robust email authentication system. This not only protects your brand from spoofing and phishing attacks but also significantly improves your email deliverability and inbox placement rates, ensuring your messages reach their intended recipients.
Views from the trenches
Best practices
Always verify third-party sender domains directly within their settings to ensure proper SPF and DKIM.
Utilize DMARC reports to identify all email sending sources and monitor their authentication status.
Implement DMARC gradually, starting with `p=none` before moving to `p=quarantine` and `p=reject`.
If using multiple services, ensure each is properly integrated and authenticated with your domain.
Consider using specific subdomains for different email sending services to manage reputation and authentication.
Common pitfalls
Assuming a domain like `am-sns.com` is a direct Amazon service and not investigating further.
Not configuring SPF and DKIM directly within the third-party sending platform (e.g., AfterShip).
Implementing a `p=reject` DMARC policy without verifying all legitimate email sources first.
Ignoring DMARC reports, missing critical insights into authentication failures.
Not understanding that SPF and DKIM alignment are key to DMARC success, not just passing.
Expert tips
Monitor your DMARC reports closely for any unexpected sending domains.
Ensure SPF records authorize all legitimate senders, including third-party services.
Verify DKIM signing is active and correctly configured for all your email streams.
Use a DMARC monitoring tool to simplify report analysis and quickly identify issues.
If issues persist, consult the third-party service's documentation for specific authentication steps.
Expert view
Expert from Email Geeks says that specific details from DMARC reports are essential for diagnosing any authentication issues.
2023-10-24 - Email Geeks
Expert view
Expert from Email Geeks says that `am-sns.com` is highly unlikely to be an Amazon service directly sending mail through a competitor's platform, given Amazon's own cloud sending capabilities.
2023-10-24 - Email Geeks
Final thoughts on authentication
Successfully authenticating AfterShip emails that show am-sns.com in your DMARC reports is a critical step towards achieving full DMARC compliance. By understanding that am-sns.com represents the underlying infrastructure of a third-party sender (like AfterShip), you can focus on the correct solution: implementing the necessary SPF and DKIM records as instructed by AfterShip.
This proactive approach not only resolves DMARC failures, but also strengthens your overall email security, preventing your domain from being used for malicious purposes. Regularly checking your DMARC reports will help maintain a healthy email sending reputation, ensuring your legitimate messages consistently reach the inbox rather than falling prey to spam filters or blocklists (blacklists).