Do I need more than one SPF record for Amazon SES?

No. You should have a single SPF TXT record at the root of your domain. If you use several senders, combine them into one record using include mechanisms.

How long does SPF take to update?

Often a few minutes, but it can take longer depending on TTL and caching. Always verify with dig or nslookup and a checker before assuming it is live.

What SPF value should I use if I only send from Amazon SES?

A typical starting point is v=spf1 include:amazonses.com ~all. Adjust it if you add more sending services later.

How to set up SPF on Amazon SES

Step by step SPF setup for Amazon SES: complete instructions, examples, verification commands, and common pitfalls.

Want to check your domain while following this guide?

Run a free SPF, DKIM and DMARC check on your domain to see exactly what is passing and what needs fixing.

No signup required. Works on any domain.

search Run a Free Domain Check notifications_active Monitor my domain

This is a reference guide for configuring SPF on Amazon SES. Use it while editing DNS or when troubleshooting deliverability.

Tip: Avoid common mistakes: follow these steps to add SPF on Amazon SES. Then verify everything with the InboxGreen Free Checker.

Provider-specific notes for Amazon SES

Amazon SES uses CNAME-based DKIM (Easy DKIM), not a plain TXT key. AWS generates three CNAME records - all three must be published for DKIM to pass.
SES requires domain identity verification before sending. SPF via the mail-from subdomain is optional when Easy DKIM is active, but both are recommended for DMARC alignment.
AWS Console → Amazon SES → Identities → Domain → DKIM and Authentication.

What you’ll need

Access to your DNS provider (for example, Cloudflare, Namecheap, GoDaddy).
Access to Amazon SES admin where you can confirm the services that send mail.

Add or update SPF

SPF is a single TXT record published at host @ that lists all systems allowed to send mail for your domain. If you already have an SPF record, edit it instead of adding a second one.

For Amazon SES, a typical SPF looks like:
v=spf1 include:amazonses.com ~all
If you also use another sender (for example, SendGrid), the combined record might be:
v=spf1 include:_spf.google.com include:sendgrid.net ~all

Open your DNS provider and locate the existing TXT record at host @ that contains v=spf1.
If it exists, edit its value and merge includes. If it does not exist, create a new TXT record:
- Type: TXT
- Name/Host: @
- Value: v=spf1 include:amazonses.com ~all
Prefer ~all while you are testing. Move to -all only when you are certain all real senders are covered.
Save and wait for DNS propagation (often a few minutes, sometimes longer).

Verify SPF

Use any of these:

Run the InboxGreen checker on your domain.

Command line:

dig TXT yourdomain.com +short
nslookup -type=txt yourdomain.com

Common mistakes

Multiple SPF records instead of one. Always merge mechanisms into a single record.
Placing the record on www instead of the root @.
Forgetting secondary senders such as marketing or transactional tools.
Switching to -all too early and blocking legitimate traffic.

Related for Amazon SES

quick_reference_all Set up DKIM on Amazon SES quick_reference_all Set up DMARC on Amazon SES quick_reference_all Set up List-Unsubscribe on Amazon SES

Pro tip: Turn on InboxGreen Monitoring to check these records daily and get alerts if something breaks.

Free Deliverability Scan

Check SPF, DKIM, DMARC and List-Unsubscribe for your domain in seconds.

Useful tools

tune SPF Generator tune DMARC Generator verified Badges