SPF if Amazon SES is used as relayhost

Question

We operate several EC2 instances with changing public IPv4 addresses (instances are launched on demand). These instances use Amazon SES as their "relayhost" (postfix configuration). This all works perfectly fine with SMTP SASL auth and the email sender domain is a verified identity in SES. SES also adds DKIM records to all outgoing mails.

Assuming these EC2 instances are the only hosts generating emails using a specific sender domain, how should the SPF record of that domain look like?
Is the following sufficient or do I have to also add the hosts as the servers that generate the emails?

`v=spf1 include:amazonses.com -all`

Accepted Answer

Since EC2 are using [SES SMTP interface](https://docs.aws.amazon.com/ses/latest/dg/send-email-smtp.html) to send mail,  specifying `amazonses.com` is sufficient as per [documentation](https://docs.aws.amazon.com/ses/latest/dg/send-email-authentication-spf.html)

I noticed you have implemented DKIM and SPF. If you have not, I suggest you implement [DMARC](https://docs.aws.amazon.com/ses/latest/dg/send-email-authentication-dmarc.html) as well.

As I understand, [Yahoo](https://blog.postmaster.yahooinc.com/post/730172167494483968/more-secure-less-spam) and [Gmail](https://blog.google/products/gmail/gmail-security-authentication-spam-protection/) are mandating DMARC for mails beginning Feb 2024.

Answer

Perfect answer and perfect reference to the documentation 👍 I must have missed that. Thanks @Mike_L.

Yes, we want to go all the way including [BIMI](https://bimigroup.org). This includes SPF, DKIM and DMARC but I got stuck at SPF 🙈
Thanks for your clarification.

SPF if Amazon SES is used as relayhost

Relevant content