After reading this post, I changed my SPF record to
"v=spf1 include:box.example.com -a"
to allow only my MIAB (box.example.com) to send mail claiming to be from my domain (example.com), and prevent any further SPF related issues
J376A Jan '16
Here's an example to help illustrate how SPF works.
I've set up a MIAB for sending email from email@example.com. I've set the MX record for mailinabox.email to my MIAB and taken care of A records and all that already. Now I just need SPF.
Because I'm only sending email from mailinabox.email, I only need an SPF record on the mailinabox.email domain. So for example, because I'm not sending email from discourse.mailinabox.email, I don't need an SPF record for discourse.mailinabox.email.
I assume you aren't sending email from firstname.lastname@example.org, but instead from email@example.com. Additionally, your email news letter is saying it's from firstname.lastname@example.org
So, the SPF record to focus on will be that of fwla.com itself. You'd want to include both box.fwla.com and amazonses.com. This is because while you aren't sending emails from email@example.com, you are sending emails through box.fwla.com in order to deliver your email. SPF is concerned with the email servers that deliver the email for a domain, which is why the email sending domain SPF should contain the email servers you'll be using.
Now, if AmazonSES notes that it requires an _amazonses.fwla.com, you should include that as an SPF record in addition to the ones you've already set.
So, you should have at least:
fwla.com TXT "v=spf1 include:amazonses.com include:box.fwla.com -a". This will let only AmazonSES and your MIAB send mail claiming to be from fwla.com, without SPF related issues.
You won't need to change the SPF records for any of your subdomains unless you need to add some for Amazon SES to work.
The More You Know: Note that we have put -a instead of ~a. The former is restrictive and the latter is permissive. Email coming from somewhere not defined in your SPF, when you use the -a flag, will be rejected. This makes it harder on spammers. Email coming from somewhere not defined in your SPF when using the ~a flag, will result in the email probably getting through but maybe tagged as spam. This is good for debugging how you've set up SPF. The setting we have here, with -a, means that you expect legitimate email only to originate on your MIAB and from Amazon SES.