Amazon SES SPF Not Working – Fix amazonses Include Setup (2026)

Learn the bigger picture in our Email Authentication Explained guide and compare SPF vs DKIM vs DMARC to understand how these protocols work together.

One-Minute Fix

Add the SES-provided SPF include to the existing SPF record for the exact MAIL FROM / Return-Path domain and keep only one SPF record. Do not create a second v=spf1 record for SES.

mail.example.com TXT "v=spf1 include:amazonses.com -all"

In many SES setups SPF is evaluated on a custom MAIL FROM subdomain, not always the visible From root domain. Update SPF where SES actually sends from.

Free live DNS check. No signup required.

Wrong vs correct setup

example.com TXT "v=spf1 include:_spf.google.com -all"
mail.example.com TXT "v=spf1 include:_spf.google.com -all"

mail.example.com TXT "v=spf1 include:_spf.google.com include:amazonses.com -all"

Why this happens

SES SPF failures usually come from domain mismatch: teams edit SPF on one domain while SES authenticates another. SPF also fails when duplicate records are created or SES include values are copied incorrectly. Since SPF accepts one policy per domain, incorrect placement quickly breaks evaluation. This is especially common when multiple SPF records are published or when DNS lookup limits are exceeded.

Why this is a problem

When SES messages fail SPF, receivers may classify them as less trustworthy and apply stricter filtering. Transactional flows like account verification, receipts, and notifications can land in spam or suffer DMARC alignment failures. For many senders the concrete symptom is a syntax error or a record that is too long for DNS to handle cleanly.

How this affects deliverability

SES relies on clean authentication signals for production sending reputation. Broken SPF on the MAIL FROM domain weakens trust, raises spam risk, and can undermine DMARC outcomes where SPF should have contributed aligned authorization. You can see this clearly in neutral SPF results or when softfail vs fail decisions tip borderline mail into spam.

Common causes

• SES include mechanism was missing from the actual MAIL FROM domain.
• The include hostname or value was copied incorrectly.
• Duplicate SPF records were created during setup changes.
• SPF was updated on the wrong domain compared to SES sending path.
• Propagation delay left receivers reading stale SPF records.

What we checked

We checked whether the evaluated sending domain has one valid v=spf1 record and whether the SES include is present in that active policy. Missing include, wrong domain placement, or duplicate SPF records are common SES SPF failure sources.

Live DNS lookup. No login. No saved domains. No tracking.

FAQ

Next steps

• Inspect a real SES message header and identify the MAIL FROM / Return-Path domain.
• Update SPF on that exact domain to include SES authorization.
• Keep one merged SPF record and remove duplicate v=spf1 entries.
• Validate syntax and confirm external DNS propagation.
• Re-test SPF and DMARC alignment using fresh SES traffic.
• Review the full troubleshooting guidance in the SPF Hub.
• Check signing and selector issues in the DKIM Hub.
• Review alignment and policy issues in the DMARC Hub.

Related fixes

• SPF IP not authorized
• SPF record syntax explained
• Multiple SPF records found
• SPF record examples
• How to build an SPF record

Explore more issues

• SPF record examples
• SPF record syntax explained
• How to build an SPF record
• SendGrid SPF not working
• Google Workspace SPF not working
• Microsoft 365 SPF not working