Amazon SES Deliverability Checklist (2025): SPF, DKIM, DMARC, BIMI + Gmail/Yahoo Rules

Use this copy-paste guide to harden deliverability for Amazon SES in 2025. It covers SPF, DKIM, DMARC, BIMI, and the current Gmail/Yahoo bulk-sender rules.

1) SES identity & DKIM (primary auth)

  • Verify your domain in SES as a domain identity, not just an individual address. Mail from an address-only identity is DKIM-signed with d=amazonses.com, which never aligns with your From: domain for DMARC.
  • Enable Easy DKIM with 2048-bit keys on the domain identity, publish the three CNAMEs SES gives you, and wait until the identity's DKIM status is SUCCESS (aws sesv2 get-email-identity --email-identity example.com shows it under DkimAttributes).
  • If you run multiple mail streams (marketing vs transactional), use separate identities/subdomains (e.g., m.example.com, tx.example.com) to isolate reputation. Each subdomain gets its own DKIM and MAIL FROM setup.

2) SPF (align via custom MAIL FROM)

DMARC's SPF check counts only when the envelope sender domain (RFC5321.MailFrom, the MAIL FROM domain) is aligned with your visible From: domain. SES's default MAIL FROM is a subdomain of amazonses.com, so SPF passes but does not align. Configure a custom MAIL FROM domain so it does. SES requires that domain to be a subdomain of the verified identity (mfrom.example.com for example.com), so SPF alignment works in DMARC's relaxed mode (aspf=r, the default) but can never satisfy strict mode against the apex From: domain. Do not pick a subdomain you receive mail at: SES has you point its MX record at an SES feedback host.

CLI example:

aws sesv2 put-email-identity-mail-from-attributes \
  --email-identity example.com \
  --mail-from-domain mfrom.example.com \
  --behavior-on-mx-failure USE_DEFAULT_VALUE

DNS at mfrom.example.com (the console and get-email-identity show the exact values):

# MX (value provided by SES for your region; priority 10, target of the form feedback-smtp.<region>.amazonses.com)
<copy the SES-provided MX target and priority>

# SPF (TXT)
v=spf1 include:amazonses.com -all

-all is right here only because nothing but SES sends with this MAIL FROM; if the subdomain is shared with another provider, add its include. After publishing, confirm MailFromAttributes.MailFromDomainStatus is SUCCESS in get-email-identity. With USE_DEFAULT_VALUE, SES falls back to the amazonses.com MAIL FROM whenever the MX lookup fails (SPF still passes, but no longer aligns), so alert on that status rather than assuming it stays set.

3) DMARC (monitor → enforce)

Start in monitoring mode (p=none) with aggregate reports, fix every legitimate source that fails to align, then move to enforcement. BIMI requires enforcement (p=quarantine with pct=100, or p=reject) and sp must not be none. On alignment: adkim=s is fine with Easy DKIM on the domain identity (d= equals the From: domain), but aspf=s will never pass with an SES custom MAIL FROM, because that domain is a subdomain; leave aspf at the default relaxed mode.

Monitor (start here):

Host: _dmarc.example.com
TXT:  v=DMARC1; p=none; rua=mailto:dmarc-rua@example.com; ruf=mailto:dmarc-ruf@example.com; fo=1; adkim=s; aspf=r; pct=100

The rua/ruf mailboxes are placeholders; use your own. Expect mostly aggregate (rua) reports, since few receivers send per-message ruf reports. If reports go to a mailbox in another domain, that domain must publish the authorization record example.com._report._dmarc.<other-domain> or receivers will not send them.

Enforce (after fixes):

Host: _dmarc.example.com
TXT:  v=DMARC1; p=quarantine; sp=quarantine; rua=mailto:dmarc-rua@example.com; fo=1; adkim=s; aspf=r; pct=100

Move to p=reject when the aggregate reports show no unaligned mail from your own sources for a few weeks.
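The following is an added example of mine, not code from the article or from AWS: it evaluates DMARC identifier alignment the way a receiving MTA does, for the exact setup described above (From example.com, custom MAIL FROM mfrom.example.com, Easy DKIM d=example.com). The record strings, domain names and the two-label organizational-domain shortcut are assumptions for illustration; a real evaluator consults the Public Suffix List. It also checks the enforcement conditions BIMI needs. Run it to see why aspf=s never passes with an SES custom MAIL FROM, why the DKIM identifier still carries the message, and what disposition a spoof from an unaligned sender receives.

```python
"""DMARC alignment and disposition check for an SES sender (added example, not from the page)."""


def parse_dmarc(txt: str) -> dict:
    """Parse a DMARC TXT record into a tag dict, applying the RFC 7489 defaults."""
    tags = {}
    for part in txt.split(";"):
        if not part.strip():
            continue
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record (needs v=DMARC1 and p=)")
    tags.setdefault("adkim", "r")          # relaxed alignment unless stated
    tags.setdefault("aspf", "r")
    tags.setdefault("pct", "100")
    tags.setdefault("sp", tags["p"])       # subdomain policy inherits p= when absent
    return tags


def org_domain(domain: str) -> str:
    # Assumption for this example: the last two labels form the organizational domain.
    # Real evaluators use the Public Suffix List (example.co.uk needs three labels).
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: strict = exact match, relaxed = same organizational domain."""
    a, b = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    return a == b if mode == "s" else org_domain(a) == org_domain(b)


def evaluate(record_txt, policy_domain, from_domain, spf_result, mail_from_domain, dkim_results):
    """Apply a DMARC record to one message.

    dkim_results: list of (d= domain, result) tuples, one per signature.
    Returns the aligned-pass flags and the disposition a receiver would apply
    (pct= sampling is ignored here for clarity).
    """
    pol = parse_dmarc(record_txt)
    spf_aligned = spf_result == "pass" and aligned(from_domain, mail_from_domain, pol["aspf"])
    dkim_aligned = any(res == "pass" and aligned(from_domain, d, pol["adkim"])
                       for d, res in dkim_results)
    passed = spf_aligned or dkim_aligned
    if passed:
        disposition = "none"
    else:
        # p= covers the policy domain itself, sp= covers its subdomains.
        same = from_domain.lower().rstrip(".") == policy_domain.lower().rstrip(".")
        disposition = pol["p"] if same else pol["sp"]
    return {"spf_aligned": spf_aligned, "dkim_aligned": dkim_aligned,
            "dmarc_pass": passed, "disposition": disposition}


def bimi_ready(record_txt: str) -> bool:
    """BIMI needs enforcement on the domain and its subdomains; quarantine only counts at pct=100."""
    pol = parse_dmarc(record_txt)
    if pol["sp"] == "none":
        return False
    if pol["p"] == "reject":
        return True
    return pol["p"] == "quarantine" and pol["pct"] == "100"


# Constructed records mirroring the monitor/enforce steps above (placeholder mailbox).
MONITOR_STRICT = "v=DMARC1; p=none; rua=mailto:dmarc-rua@example.com; aspf=s; adkim=s"
ENFORCE_RELAXED = "v=DMARC1; p=quarantine; sp=quarantine; rua=mailto:dmarc-rua@example.com; adkim=s; pct=100"

# Legitimate SES message: From example.com, custom MAIL FROM mfrom.example.com, Easy DKIM d=example.com
SES_MESSAGE = dict(policy_domain="example.com", from_domain="example.com", spf_result="pass",
                   mail_from_domain="mfrom.example.com", dkim_results=[("example.com", "pass")])

if __name__ == "__main__":
    print("strict aspf:", evaluate(MONITOR_STRICT, **SES_MESSAGE))
    print("relaxed aspf:", evaluate(ENFORCE_RELAXED, **SES_MESSAGE))
    print("BIMI ready:", bimi_ready(MONITOR_STRICT), bimi_ready(ENFORCE_RELAXED))
```

With the strict record the SPF identifier fails alignment and only DKIM saves the message; with relaxed aspf both identifiers align, which is the redundancy you want when a DKIM key rotation or a forwarding hop breaks one of them.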


4) One-click unsubscribe (Gmail/Yahoo requirement for marketing)

Add both headers to marketing/subscription emails and process requests within 2 days:

List-Unsubscribe: <https://example.com/unsubscribe/ABC123>, <mailto:unsubscribe@example.com?subject=unsubscribe>
List-Unsubscribe-Post: List-Unsubscribe=One-Click

One-click (RFC 8058) means the https URL must accept a POST whose body is List-Unsubscribe=One-Click and complete the opt-out on that single request, with no login, confirmation page, or redirect. Make the URL unique per recipient (a signed token, not a guessable ID) so the endpoint cannot be used to unsubscribe other people, and never change state on a GET, because link scanners fetch every URL in a message.

(With SES, add these headers yourself: pass them as custom headers on the SESv2 SendEmail API, or send raw MIME with the headers already in place. If you use SES subscription management (ListManagementOptions with a contact list), SES inserts the List-Unsubscribe header for you; confirm the generated message also carries List-Unsubscribe-Post before relying on it for Gmail/Yahoo.)
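Here is an added example, written for this page rather than taken from the article or from AWS, of the whole unsubscribe loop: a per-recipient HMAC token, the two headers built into the message, the SESv2 raw send, and the endpoint that handles the provider's one-click POST. The base URL https://example.com/unsubscribe/<token>, the mailbox addresses, the secret and the in-memory suppression set are assumptions for illustration.

```python
"""RFC 8058 one-click unsubscribe for SES marketing mail (added example, not from the page)."""
import base64
import hashlib
import hmac
from email.message import EmailMessage
from urllib.parse import parse_qs

# Assumption: in production load this from Secrets Manager / SSM, never hard-code it.
SECRET = b"rotate-me-32-bytes-minimum-please"
BASE_URL = "https://example.com"          # hypothetical endpoint host
MAX_TOKEN_AGE = 90 * 24 * 3600            # links in old mail keep working for ~90 days
SUPPRESSED: set = set()                   # stand-in for your suppression store


def make_token(email: str, list_id: str, issued: int, secret: bytes = SECRET) -> str:
    """Bind the link to one address and list: the URL is unauthenticated by design, so the
    token is the only thing stopping someone from unsubscribing arbitrary recipients."""
    payload = base64.urlsafe_b64encode(f"{email}|{list_id}|{issued}".encode()).decode().rstrip("=")
    sig = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{sig}"


def verify_token(token: str, now: int, secret: bytes = SECRET):
    """Return (email, list_id) for a valid, unexpired token, else None."""
    payload, sep, sig = token.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):       # constant-time compare
        return None
    try:
        raw = base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)).decode()
        email, list_id, issued = raw.rsplit("|", 2)
        issued = int(issued)
    except (ValueError, UnicodeDecodeError):
        return None
    if now - issued > MAX_TOKEN_AGE:
        return None
    return email, list_id


def build_marketing_message(sender, recipient, subject, body, list_id, issued) -> EmailMessage:
    """Compose the message with both headers; msg.as_bytes() goes to SESv2 as raw content."""
    token = make_token(recipient, list_id, issued)
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg["List-Id"] = f"{list_id}.example.com"
    # The https URI is what Gmail/Yahoo POST to; the mailto: is a fallback for other clients.
    msg["List-Unsubscribe"] = (f"<{BASE_URL}/unsubscribe/{token}>, "
                               f"<mailto:unsubscribe@example.com?subject=unsubscribe>")
    msg["List-Unsubscribe-Post"] = "List-Unsubscribe=One-Click"
    msg.set_content(body)
    return msg


def send_with_sesv2(client, msg: EmailMessage, sender: str, recipient: str):
    """Send through SESv2 SendEmail with raw content (boto3 client passed in; not called here)."""
    return client.send_email(
        FromEmailAddress=sender,
        Destination={"ToAddresses": [recipient]},
        Content={"Raw": {"Data": msg.as_bytes()}},
    )


def handle_unsubscribe(method: str, path: str, body: str, now: int):
    """Handler for the one-click endpoint. Returns (HTTP status, unsubscribed identity or None).
    The mailbox provider POSTs 'List-Unsubscribe=One-Click' with no cookies and follows no
    redirects, so the opt-out has to complete on this single request."""
    prefix = "/unsubscribe/"
    if not path.startswith(prefix):
        return 404, None
    token = path[len(prefix):]
    if method == "GET":
        # Scanners and prefetchers GET every URL in a message: never unsubscribe on GET.
        # Serve a confirmation page (omitted) so a human can still opt out manually.
        return 200, None
    if method != "POST":
        return 405, None
    form = parse_qs(body, keep_blank_values=True)
    if form.get("List-Unsubscribe") != ["One-Click"]:
        return 400, None
    ident = verify_token(token, now)
    if ident is None:
        return 400, None
    SUPPRESSED.add(ident)          # then also update your SES contact list / suppression list
    return 200, ident


if __name__ == "__main__":
    m = build_marketing_message("news@m.example.com", "alice@example.net", "Hello", "Body", "news", 1700000000)
    print(m["List-Unsubscribe"])
    print(handle_unsubscribe("POST", m["List-Unsubscribe"].split(">")[0][len("<" + BASE_URL):],
                             "List-Unsubscribe=One-Click", 1700000100))
```

The token carries the issue time so a leaked link expires, and the handler treats anything other than a well-formed POST with a valid token as a no-op, which is what keeps URL-scanning security gateways from silently unsubscribing your readers.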

5) BIMI (brand logo in inbox)

Prereqs: good domain reputation, DMARC at enforcement on the domain and its subdomains (p=quarantine with pct=100, or p=reject; sp must not be none), a square SVG Tiny PS logo served over HTTPS, and a VMC/CMC certificate (Gmail only displays the logo when a certificate is present).

DNS (TXT at default._bimi.example.com; "default" is the BIMI selector):

v=BIMI1; l=https://brand.example.com/logo.svg; a=https://brand.example.com/brand-cert.pem
  • l= is your SVG logo URL (HTTPS)
  • a= is your VMC/CMC certificate chain URL (PEM); the tag is optional if you have no certificate yet

6) Gmail & Yahoo rules you must meet (2025)

  • Authentication:
    • All senders: valid SPF or DKIM, TLS, correct forward & reverse DNS.
    • Bulk senders (≈ 5,000+ messages/day to Gmail): SPF + DKIM + DMARC, alignment on SPF or DKIM, and one-click unsubscribe.
  • Spam complaint rate: keep <0.3% (aim for <0.1%).
  • Unsubscribe: one-click required for marketing; honor within 2 days.

7) DNS & transport hygiene (often missed)

  • Reverse DNS (PTR): on SES shared IPs, AWS manages rDNS and the EHLO name. For Dedicated IPs/BYOIP, make sure the PTR for each IP resolves to a name whose A/AAAA record points back at that IP and that matches the EHLO/HELO name: dig -x <ip>, then dig +short <ptr-name>, should round-trip.
  • TLS: SES uses opportunistic STARTTLS by default. If a stream must never fall back to cleartext, set the configuration set's delivery TLS policy to REQUIRE (aws sesv2 put-configuration-set-delivery-options --configuration-set-name <name> --tls-policy REQUIRE), accepting that receivers without TLS will then bounce.
  • ARC (optional but helpful) for forwarders/mailing lists; add List-Id for list traffic.

8) Tooling & monitoring (daily/weekly)

  • Gmail Postmaster Tools for domain/IP reputation, spam rate, authentication success rates, and the Feedback-ID based feedback loop (aggregate data only; Gmail never reports individual complainers). It needs a verified TXT record for each sending domain.
  • Yahoo Complaint Feedback Loop (CFL) to receive per-message complaint data; auto-suppress complainers.
  • Track bounces/complaints via SES notifications (SNS on the identity) or configuration-set event destinations (SNS, Kinesis Data Firehose, EventBridge, CloudWatch), and keep the SES account-level suppression list enabled for BOUNCE and COMPLAINT so repeat sends to bad addresses are dropped before they leave.
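As an added example of the monitoring step (my code, not the article's or AWS's), the block below consumes SES bounce/complaint events, handles both the event-publishing shape (eventType) and an SNS-wrapped legacy notification (notificationType), computes the complaint rate against deliveries with the Gmail thresholds from section 6, and builds the list of addresses to push to the SES account-level suppression list. The sample events are constructed inline to mirror the documented SES field names; the boto3 call is wrapped in a function that is not executed here.

```python
"""SES event triage: complaint rate and auto-suppression (added example, not from the page)."""
import json


def _delivery(addr):
    return {"eventType": "Delivery", "mail": {"destination": [addr]},
            "delivery": {"recipients": [addr]}}


def _complaint(addr, fbtype="abuse"):
    return {"eventType": "Complaint", "mail": {"destination": [addr]},
            "complaint": {"complainedRecipients": [{"emailAddress": addr}],
                          "complaintFeedbackType": fbtype}}


def _bounce(addr, kind):
    return {"eventType": "Bounce", "mail": {"destination": [addr]},
            "bounce": {"bounceType": kind, "bouncedRecipients": [{"emailAddress": addr}]}}


# Constructed sample: 2000 deliveries, 3 complaints (one SNS-wrapped), 1 hard and 1 soft bounce.
SAMPLE_EVENTS = (
    [_delivery(f"user{i}@example.net") for i in range(2000)]
    + [_complaint("user7@example.net"), _complaint("user42@example.net")]
    + [_bounce("gone@example.net", "Permanent"), _bounce("full@example.net", "Transient")]
    + [{"Type": "Notification", "Message": json.dumps({
        "notificationType": "Complaint", "mail": {"destination": ["user99@example.net"]},
        "complaint": {"complainedRecipients": [{"emailAddress": "user99@example.net"}]}})}]
)


def unwrap(record: dict) -> dict:
    """Return the SES event whether it arrived directly or inside an SNS envelope."""
    if "Message" in record and "eventType" not in record and "notificationType" not in record:
        return json.loads(record["Message"])
    return record


def classify(record: dict):
    """Yield (kind, address) pairs; kind is delivery, complaint, hard_bounce or soft_bounce."""
    ev = unwrap(record)
    etype = ev.get("eventType") or ev.get("notificationType")
    if etype == "Delivery":
        for addr in ev["delivery"]["recipients"]:
            yield "delivery", addr
    elif etype == "Complaint":
        for r in ev["complaint"]["complainedRecipients"]:
            yield "complaint", r["emailAddress"]
    elif etype == "Bounce":
        # Only Permanent bounces justify suppression; Transient ones (full mailbox) retry.
        kind = "hard_bounce" if ev["bounce"]["bounceType"] == "Permanent" else "soft_bounce"
        for r in ev["bounce"]["bouncedRecipients"]:
            yield kind, r["emailAddress"]
    # Send / Open / Click / Reject events are not needed for this check.


def rate_status(rate: float) -> str:
    """Gmail thresholds: stay under 0.10%; 0.30% or more is the hard limit."""
    if rate >= 0.003:
        return "critical"
    if rate >= 0.001:
        return "warn"
    return "ok"


def summarize(records) -> dict:
    """Count outcomes, compute complaints per delivery, and collect suppression candidates."""
    counts = {"delivery": 0, "complaint": 0, "hard_bounce": 0, "soft_bounce": 0}
    suppress = {}                        # address -> SESv2 suppression reason
    for rec in records:
        for kind, addr in classify(rec):
            counts[kind] += 1
            if kind == "complaint":
                suppress[addr.lower()] = "COMPLAINT"       # complaint outranks bounce
            elif kind == "hard_bounce":
                suppress.setdefault(addr.lower(), "BOUNCE")
    delivered = counts["delivery"]
    rate = counts["complaint"] / delivered if delivered else 0.0
    return {"counts": counts, "complaint_rate": rate,
            "status": rate_status(rate), "suppress": suppress}


def apply_suppressions(sesv2_client, suppress: dict):
    """Push candidates to the account-level suppression list (boto3 client passed in; not called here)."""
    for addr, reason in suppress.items():
        sesv2_client.put_suppressed_destination(EmailAddress=addr, Reason=reason)


if __name__ == "__main__":
    result = summarize(SAMPLE_EVENTS)
    print(result["counts"], f"{result['complaint_rate']:.4%}", result["status"])
    print(sorted(result["suppress"].items()))
```

Three complaints on two thousand deliveries is 0.15%, already past the 0.1% target the runbook aims for, so the sample lands in "warn"; wire the status into an alarm and run apply_suppressions on every batch so complainers never receive a second message.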

9) Sending best practices (keeps you under 0.1%)

  • Prefer confirmed opt-in; remove inactives (“sunset” policy).
  • Separate marketing vs transactional streams (different identities/IPs).
  • Warm up new domains and IPs gradually.
  • Keep content compliant with RFC 5322 (a single From:, valid Date, unique Message-ID, well-formed MIME), link to your own full-domain URLs rather than URL shorteners, and stay clear of spam traps by never sending to purchased lists or to addresses that have not engaged in months.

Copy-paste runbook checklist

  • SES domain identity verified; Easy DKIM 2048-bit enabled and DKIM status SUCCESS.
  • Custom MAIL FROM set and MailFromDomainStatus SUCCESS; SPF at the MAIL FROM host: v=spf1 include:amazonses.com -all.
  • DMARC published (p=none → analyze reports → p=quarantine/reject); adkim=s is fine, aspf stays relaxed (r) because the SES MAIL FROM is a subdomain.
  • List-Unsubscribe + List-Unsubscribe-Post headers on marketing mail; the POST endpoint completes the opt-out on one request; honor within 48h.
  • BIMI TXT live with VMC/CMC (optional but recommended); DMARC at enforcement with sp not none and pct=100.
  • Gmail Postmaster and Yahoo CFL configured; auto-suppress complaints/hard bounces (SES account-level suppression list on).
  • TLS supported (REQUIRE on streams that must not fall back to cleartext); valid forward & reverse DNS (or SES-managed).
  • Spam rate <0.1% target, never ≥0.3%.

Reference DNS snippets (replace example.com)

SPF (at MAIL FROM host, e.g., mfrom.example.com):

v=spf1 include:amazonses.com -all

DKIM (added automatically by SES Easy DKIM):

  • CNAMEs provided by SES, e.g.:
<random>._domainkey.example.com  CNAME  <random>.dkim.amazonses.com
<random>._domainkey.example.com  CNAME  <random>.dkim.amazonses.com
<random>._domainkey.example.com  CNAME  <random>.dkim.amazonses.com

DMARC (monitoring; the rua/ruf mailboxes are placeholders):

Host: _dmarc.example.com
TXT:  v=DMARC1; p=none; rua=mailto:dmarc-rua@example.com; ruf=mailto:dmarc-ruf@example.com; fo=1; adkim=s; aspf=r; pct=100

DMARC (enforcement):

Host: _dmarc.example.com
TXT:  v=DMARC1; p=quarantine; sp=quarantine; rua=mailto:dmarc-rua@example.com; fo=1; adkim=s; aspf=r; pct=100

BIMI:

Host: default._bimi.example.com
TXT:  v=BIMI1; l=https://brand.example.com/logo.svg; a=https://brand.example.com/brand-cert.pem

Atiqur Rahman

I am MD. Atiqur Rahman, a BUET graduate and an AWS-certified solutions architect. I have achieved 6 AWS certifications, including Cloud Practitioner, Solutions Architect, SysOps Administrator, and Developer Associate, and I have more than 8 years of working experience as a DevOps engineer designing complex SaaS applications.