Amazonses.com SPF Record missing IP addresses?

Question

Using Amazon SES service, we have noticed that email is coming from 69.169.238.144 and failing SPF check.

https://ipinfo.io/AS16509/69.169.238.0/23 indicates that this is an IP range belonging to Amazon.

Using reverse lookup tools or https://ipinfo.io/69.169.238.144 indicates that 69.169.238.144 belongs to b238-144.smtp-out.us-west-2.amazonses.com

So why is this IP range not included in the SPF include:amazonses.com if this is a valid smtp-out for us-west-2?

v=spf1 ip4:199.255.192.0/22 ip4:199.127.232.0/22 ip4:54.240.0.0/18 ip4:69.169.224.0/20 ip4:23.249.208.0/20 ip4:23.251.224.0/19 ip4:76.223.176.0/20 ip4:54.240.64.0/19 ip4:54.240.96.0/19 ip4:52.82.172.0/22 ip4:76.223.128.0/19 -all

Answer

Hi There

There are two ways to achieve DMARC validation: using [Sender Policy Framework (SPF)](https://docs.aws.amazon.com/ses/latest/dg/send-email-authentication-spf.html), and using [DomainKeys Identified Mail (DKIM)](https://docs.aws.amazon.com/ses/latest/dg/send-email-authentication-dkim.html). The only way to comply with DMARC through SPF is to use a custom MAIL FROM domain, because SPF validation requires the domain in the From address to match the MAIL FROM domain. By using your own MAIL FROM domain, you have the flexibility to use SPF, DKIM, or both to achieve DMARC validation.

See https://docs.aws.amazon.com/ses/latest/dg/mail-from.html

Amazonses.com SPF Record missing IP addresses?

関連するコンテンツ