SES SPF Configuration

Question

Is there any way to update the SES SPF entries ?  I am receiving the following error when sending emails to our clients through SES:

> Received: from smtp-mx-server-8.servers.netregistry.net (unknown [202.124.241.71])\
> 	by inpre01.tmes.trendmicro.eu (Trend Micro Email Security) with ESMTPS id 7BC531000030A\
> 	for ; Tue,  7 Mar 2023 16:15:42 +0000 (UTC)\
> Received: from b232-174.smtp-out.ap-southeast-2.amazonses.com ([69.169.232.174])\
> 	by smtp-mx-server-8.servers.netregistry.net protocol: esmtps (Exim 4.84_2 #1 (Debian))\
> 	id 1pZa1N-0002ZX-Lh\
> 	for ; Wed, 08 Mar 2023 03:18:41 +1100\
> DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple;\
> 	s=hpebk22bkizsh6atur5nbat4au2alh6m; d=icn.org.au; t=1678205730;\
> 	h=Message-ID:List-Unsubscribe:From:Reply-To:To:Subject:Date:MIME-Version:Content-Type;\
> 	bh=FpZUfDYmSu471kLXy5HAcZskghFdjaMmiX8lxUZT+is=;\
> 	b=OioV28EAkEa1ZUznc4ZyTE/y7TPxSmQS8uUbp55iLRV6lZqDBt48g62ownzctA0K\
> 	1mp5ZxxWfYKK6OqRxJH33sXdiNDo+bF/odVauFL9kbh0bigd97YE0Fv+0+3vAjezd/h\
> 	SGcjQjMOk8xem11l3ueiHN/b3n7Lakqzpp7LgNrI=\
> DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple;\
> 	s=o6ptibvfbllhpdhtxr7klizy2riobquz; d=amazonses.com; t=1678205730;\
> 	h=Message-ID:List-Unsubscribe:From:Reply-To:To:Subject:Date:MIME-Version:Content-Type:Feedback-ID;\
> 	bh=FpZUfDYmSu471kLXy5HAcZskghFdjaMmiX8lxUZT+is=;\
> 	b=nFSeUjAi8iXm6w7hVVqQfTQCGHfMNkOCg/TI/Zuk/csdbznhxLF7wywSM0WVwZjO\
> 	mpfq/R6nXE4OjlR4VGrYI1vaAmhOlEzEgHnD4R+zhhzi17ZiSonVHN1X7K7zqmY3yhB\
> 	ycGO8xTmDOQXrtjnxtXjYGGC/mdQW/9DqsrAfqLQ=\
> Message-ID: <01080186bcdb404f-50dd182b-5c62-4882-8f4b-047c45c5fdd8-000000@ap-southeast-2.amazonses.com>\
> List-Unsubscribe: =?utf-8?q?=3Cmailto=3Axxxx=40icn=2Eorg=2Eau=3E=2C=3Chttps=3A=2F=2Fgateway=2Eicn=2Eorg=2Eau=2Fcomp?=\
>  =?utf-8?q?any=2Fmember=3Fnotifications=3D1=3E?=\
> From: ICN Helpdesk \
> Reply-To: ICN Gateway \
> To: xxxx@xxxx.com.au\
> Subject: New Work Package Advice\
> Date: Tue, 7 Mar 2023 16:15:30 +0000\
> MIME-Version: 1.0\
> Content-Type: multipart/alternative; boundary="=-oL69DlJhcmknVEbcDS+8aA=="\
> Feedback-ID: 1.ap-southeast-2.m85nUVHKLSXfur1SoHQOQxJGTXLGoBlMupefzGlVEqQ=:AmazonSES\
> X-SES-Outgoing: 2023.03.07-69.169.232.174\
> **X-TM-Received-SPF: Fail (domain of  \
> 	 01080186bcdb404f-50dd182b-5c62-4882-8f4b-047c45c5fdd8-000000@ap-southeast-2\
> 	 .amazonses.com does not designates 202.124.241.71 as permitted sender) \
> 	 client-ip=202.124.241.71; \
> 	 envelope-from=01080186bcdb404f-50dd182b-5c62-4882-8f4b-047c45c5fdd8-000000@\
> 	 ap-southeast-2.amazonses.com; helo=smtp-mx-server-8.servers.netregistry.net**

Is this a configuration issue at our end or is this a config issue in the AWS SES ?

Answer

It looks like you want to use a custom MAIL FROM domain (icn.org.au). Since it is a custom domain, you need to have the appropriate SPF record configured in your DNS. If you use the Amazon SES FROM domain, then AWS takes care of the SPF setup for you.

Answer

This issue is due to a SMTP redirect/forwarding scenario. The headers indicate that the message was sent by SES and delivered to smtp-mx-server-8.servers.netregistry.net. During this hop the message passes SPF.

During the next hop smtp-mx-server-8.servers.netregistry.net delivers the message to inpre01.tmes.trendmicro.eu. It fails SPF because smtp-mx-server-8.servers.netregistry.net is not in the SPF policy for ap-southeast-2.amazonses.com

An intermediary SMTP server should rewrite the MAIL FROM address to something within a domain it controls.

If you trust smtp-mx-server-8.servers.netregistry.net then you can configure a custom MAIL FROM domain and add the necessary IP addresses to that domain's SPF record, as @rowanu instructed.

On the other hand, if you have no idea what that server is (who controls it, etc), then you should not authorize it via SPF. The recipient you are sending to is using a incompatible email forwarding service/strategy. This is likely resulting in most of their incoming email being rejected, and their downstream mailbox is likely not getting very much email from you or anyone else.

SES SPF Configuration

Relevant content