Custom SPF Record

Can I add the following to Custom DNS in the box? Or, how can I add to be allowed to send email? That domain is an Amazon SES instance running - my box is on Vultr.

Here are the details of my issue:
[Sender ID] does not allow your server to use
Sender ID is like SPF, but it checks the FROM address, not the bounce address.
What we retained as your current SPF record is:

v=spf1 mx -all
It should be changed to:

v=spf1 mx l~al
More information about this error:

Hi uca,

If I understand you correctly you are getting an error message from MIAB that states you cannot send email through from Sendy? As long as you are able to configure a custom FROM address in Sendy and a custom SMTP server in Sendy, you should be okay.

It would look something like:
Custom SMTP From:
Custom SMTP Server:
Custom SMTP Login:
Custom SMTP Password:

Make sure you enable any STARTTLS options, and use SMTP port 587.

This will bypass Amazon SES entirely. I don’t have applied experience with Sendy but I do know that while it’s designed for Amazon SES, it supports custom SMTP servers. See this article for more details.

Can I add DKIM signature to the custom DNS as well as the SPF record that is generated from SENDY / Amazon SES?

I want to continue to use Amazon SES via sending because the system works really well. When I was using external DNS with Mail-in-a-Box, it worked fine, except DKIM and SPF records were not matching all the time. The information I posted above is from mail-tester, which seems like I can just add that information to allow Amazon SES to send email as well as the Mail-in-a-Box. What do you think?

Hi @uca,

A couple things to point out here:

  • You can use two different DKIM keys only if the selectors are different. So for example your DKIM keys cannot both be You’d need something like and the that MIAB issues. You’ll need to add the Amazon SES DKIM records to your name server (likely MIAB?)
  • You are likely failing to reliably deliver mail because the default MIAB DMARC settings are to reject email not delivered by the MIAB, which is not how SES is delivering its email. You’ll need to change the SPF records to permit both the MIAB server and Amazon SES. That should look something like a TXT record with “v=spf1 -all”. This will permit all SES and MIAB outgoing traffic to be authorized by DMARC. You should check your AWS Console to ensure there are not specific SPF records your SES instance requires (I’ve never used SES before, so I’m not sure if that’s the case. The guidance online seems to be that is the proper domain.)

P.S. You can use the DMARC Validator to help ensure the DKIM and SPF settings are correct. It’s a free service that provides an email address to which you send an email (send one from SES and one from MIAB) and it will analyze your DKIM, SPF, DNS, and email headers to ensure everything is right for your particular environment.

Thank you. I believe this answers what I just posted in the other topic. I will take a crack at these directions and report back because I know there have been SES questions by others on here before.

This looks like great information.

Ah, realized I had a quick question about the text record.

In the subdomain location (part before the what do I put for SPF record?
I had one that looked like this:
v=spf1 -all

Right now I decided to grasp at straws and add:
v=spf1 -all
v=spf1 -all

LOL. Anything else I should add? Or delete…ha

Here’s an example to help illustrate how SPF works.

I’ve set up a MIAB for sending email from I’ve set the MX record for to my MIAB and taken care of A records and all that already. Now I just need SPF.

Because I’m only sending email from, I only need an SPF record on the domain. So for example, because I’m not sending email from, I don’t need an SPF record for

I assume you aren’t sending email from, but instead from Additionally, your email news letter is saying it’s from

So, the SPF record to focus on will be that of itself. You’d want to include both and This is because while you aren’t sending emails from, you are sending emails through in order to deliver your email. SPF is concerned with the email servers that deliver the email for a domain, which is why the email sending domain SPF should contain the email servers you’ll be using.

Now, if AmazonSES notes that it requires an, you should include that as an SPF record in addition to the ones you’ve already set.

So, you should have at least:

  • TXT “v=spf1 -a”. This will let only AmazonSES and your MIAB send mail claiming to be from, without SPF related issues.

You won’t need to change the SPF records for any of your subdomains unless you need to add some for Amazon SES to work.

The More You Know: Note that we have put -a instead of ~a. The former is restrictive and the latter is permissive. Email coming from somewhere not defined in your SPF, when you use the -a flag, will be rejected. This makes it harder on spammers. Email coming from somewhere not defined in your SPF when using the ~a flag, will result in the email probably getting through but maybe tagged as spam. This is good for debugging how you’ve set up SPF. The setting we have here, with -a, means that you expect legitimate email only to originate on your MIAB and from Amazon SES.
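An offline check for the point made above (one SPF record that lists every sender, and what the `-` and `~` qualifiers do to everyone else), as an added example that is not part of the original thread. The include domain `ses-relay.example` is a placeholder for whatever the relay provider documents, and the rule that more than one `v=spf1` record at a name is a permanent error comes from RFC 7208, not from the posts.

```python
import re

# Added example. "ses-relay.example" is a placeholder for whatever include
# domain the relay provider documents; it is not a value from the thread.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MODIFIER = re.compile(r"^[A-Za-z][A-Za-z0-9._-]*=")   # redirect=, exp=, ...

def parse_spf(record):
    """Split one SPF record into (result, mechanism, value) terms."""
    terms = []
    for tok in record.split()[1:]:             # skip the v=spf1 version tag
        if MODIFIER.match(tok):                # modifiers are not mechanisms
            continue
        qual, body = (tok[0], tok[1:]) if tok[0] in QUALIFIERS else ("+", tok)
        name, _, value = body.partition(":")
        terms.append((QUALIFIERS[qual], name.split("/")[0].lower(), value.lower()))
    return terms

def lint_spf(txt_records, required_includes=()):
    """Return (status, default_result, findings) for the TXT strings at one name."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return ("none", None, ["no SPF record published"])
    if len(spf) > 1:
        # RFC 7208 section 4.5: more than one record is a permanent error.
        return ("permerror", None, [f"{len(spf)} v=spf1 records; merge into one"])
    terms = parse_spf(spf[0])
    includes = {value for _, mech, value in terms if mech == "include"}
    findings = [f"missing include:{d}" for d in required_includes if d not in includes]
    # Without an "all" term, senders that match nothing get "neutral".
    default = next((res for res, mech, _ in terms if mech == "all"), "neutral")
    return ("valid", default, findings)

# Constructed sample inputs: each list is the TXT record set at the sending domain.
SAMPLES = {
    "box only": ["v=spf1 mx -all"],
    "two records": ["v=spf1 mx -all", "v=spf1 include:ses-relay.example -all"],
    "merged": ["v=spf1 mx include:ses-relay.example -all"],
    "merged, softfail": ["v=spf1 mx include:ses-relay.example ~all"],
}

if __name__ == "__main__":
    for label, records in SAMPLES.items():
        print(label, "->", lint_spf(records, ["ses-relay.example"]))
```

The `default_result` field is what a receiver applies to a sender that matches none of the listed mechanisms: `fail` for `-all`, `softfail` for `~all`.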
