Setting AWS SES for email delivery to Microsoft Exchange users

DMARC is an abbreviation for Domain-based Message Authentication Reporting and Conformance.

It is a basic yet fundamental configuration on your Domain Name Server (DNS). A DMARC protects your domain name from being spoofed by an attacker who pretends to be you.

For most mail exchange servers, this feature serves as an ‘instructor‘ on how to behave in the event of failure to validate DKIM and SPF.

Instructor in this scenario means it is up to the mail exchange server to respect, ignore, or override any rule. 

For most email service providers (Yahoo, Gmail, Hotmail, etc.), the instructor complies with DMARC - protecting users from unauthenticated email. 
Ignoring AWS SES Custom Mail Domain configuration

In general, many domain administrators did not set a DMARC policy to protect their domains from email spoofing. Hence, due to the lack of strict policy, there is no need for the admins to configure email authentication thoroughly.

However, leaving your domain without DMARC means making your domain name vulnerable to spoofing attacks.

When DMARC is in place, it will prioritize email authentication, and failure in authentication will render the email undelivered in most cases.

Hence, it is common for web developers who use Amazon Web Services Simple Email Service (AWS SES) to ignore the Custom Mail From Domain configuration.

However, ignoring the configuration will cause delivery issues for recipients on the Microsoft Exchange platform.

Moreover, Microsoft Exchange does not discard emails from AWS SES entirely. Instead, the server will filter unauthenticated emails into the Junk folder.

Info: Leaving the configuration blank will NOT cause issues to other email servers, such as Gmail.
Setting the AWS SES Custom Mail Domain configuration

Configuring the Custom Mail From Domain is straightforward. AWS has provided detailed how-to instructions here.

The screenshot above is an example of a configured Custom MAIL FROM domain. If the MAIL FROM configuration is successful, rest assured that your email will go to the recipient inbox instead of the Junk folder.

A further look into the log will show the difference in the Custom MAIL FROM domain. You can see the header.d value changes from to

Key takeaways
  1. Most MSME lack a DMARC policy to protect domains from spoofing.
  2. The DMARC-reject policy will cause the Microsoft Exchange platform to deliver into the Junk folder.
  3. Configure The AWS SES Custom Mail From Domain to prevent Microsoft Exchange from marking emails as junk. 

DMARC offers protection for your brand to prevent spoofing, which can damage your brand reputation in the event of an attack.

However, it can also cause delivery issues when sending emails from AWS SES to the recipients on Microsoft Exchange.

Instead of disabling it, all you need to do is to configure the AWS SES Custom Mail From Domain.

Featured image credit:

We’re always open to content contributions from our community. Join our Facebook Group and share your work or topic ideas to potentially be featured on our blog.

Moreover, if you have suggestions for our upcoming features, we’d love to hear them! Share your Wishlist with us.

Don’t forget to like and follow us on our social media platforms if you haven’t yet. You can find us on Facebook, Twitter, Instagram, and LinkedIn. We appreciate your support! 🙂

Share your love
Wan Zulkarnain
Wan Zulkarnain

Technical Sales Specialist

Articles: 2