// fix guide · Amazon SES

Fix Amazon SES emails going to spam

With Amazon SES the cause of spam placement is almost always your configuration, not your copy. SES is a raw sending API, so by default it adds its own amazonses.com DKIM signature, uses a subdomain of amazonses.com as the MAIL FROM domain (which passes SPF but never aligns to your From domain for DMARC), and leaves bounce and complaint handling entirely to you. This guide covers Easy DKIM versus BYODKIM, the custom MAIL FROM domain, the sandbox and production access, shared versus dedicated IPs, configuration sets and the bounce or complaint thresholds that can pause your whole account. Then add Unspam's seed address as a recipient and send a real SES message to see your score, SPF, DKIM, DMARC and per-provider inbox placement.

// why it happens

Why Amazon SES emails land in spam.

01

Your MAIL FROM is still a subdomain of amazonses.com, so SPF never aligns

Unless you configure a custom MAIL FROM domain, SES sets the Return-Path (envelope sender) to a subdomain of amazonses.com that varies by region. SPF passes, because it is checked against amazonses.com, but the domain in the From header does not match, so SPF alignment fails for DMARC. If you rely on SPF for DMARC and never set up DKIM alignment, every message fails DMARC. Fix it under Configuration > Identities > your domain > Custom MAIL FROM domain, set a subdomain like mail.yourbrand.com, and publish the one MX and one SPF TXT record SES gives you.

02

DKIM is signing with amazonses.com because Easy DKIM was never enabled on the domain

SES always adds its own d=amazonses.com DKIM signature for feedback loops, and many senders mistake that for real authentication. Until you enable Easy DKIM (or BYODKIM) on your domain identity, no signature carries your own d= domain, so DKIM cannot align to your From domain. Enable Easy DKIM under Configuration > Identities > your domain > Authentication > DomainKeys Identified Mail (DKIM) > Edit, pick RSA 2048-bit, and publish the 3 CNAME records SES generates (named token._domainkey.yourbrand.com pointing to token.dkim.amazonses.com). The d=amazonses.com signature stays and is safe to ignore.

03

You verified an individual email address, so domain DKIM is bypassed

If you set up Easy DKIM for the domain example.com but separately verified mary@example.com as its own identity, mail sent from mary@example.com goes out unsigned, because individually verified addresses use their own settings, not the domain's. The result is one sender that authenticates and another on the same domain that does not. Delete the standalone email-address identity from Configuration > Identities so all mail inherits the domain's DKIM, or configure DKIM on that address too.

04

You are still in the SES sandbox or just left it at full speed

New SES accounts are sandboxed per region: you can only send to verified addresses or the mailbox simulator, capped at 200 messages per 24 hours and 1 message per second. Request production access from the Account dashboard via Get set up > Request production access (choose Marketing or Transactional). Once approved, do not jump straight to full volume on a brand-new domain and IP reputation. Ramp gradually over 2 to 4 weeks, starting with your most engaged recipients, so mailbox providers build trust in your sending.

05

Thin volume on a standard dedicated IP that you never warmed up

SES offers shared IPs (the default), standard dedicated IPs you warm up and manage yourself, and managed dedicated IPs that SES warms up automatically per ISP and auto-scales with your volume. A standard dedicated IP with no warmup and low, irregular volume performs worse than the healthy shared pool, because ISPs barely see enough mail from it to build a reputation. If your sending is low or spiky, stay on shared IPs or choose dedicated IPs (managed); only take a standard dedicated IP for high, steady volume you are prepared to warm up by hand.

06

Bounces or complaints crossed the SES threshold and your account got reviewed or paused

SES enforces sender reputation at the account level. A bounce rate of 5% or higher (hard bounces to non-verified domains) puts your account under review, and 10% or higher can pause sending; a complaint rate of 0.1% or higher triggers review, and 0.5% or higher can pause it. Rates are measured over a representative volume, not a fixed window, and the Account dashboard shows Healthy, Under review or Paused. Without a configuration set publishing bounce and complaint events you will not see trouble coming. Suppress hard bounces and complainers immediately and keep bounces under 2%.

// authentication

How Amazon SES authenticates your mail.

SES is a raw sending platform, so authentication is entirely on you, and it ships two defaults that quietly break DMARC: the amazonses.com MAIL FROM domain and the d=amazonses.com DKIM signature. The two settings that matter are Easy DKIM on your domain identity and a custom MAIL FROM domain, both under Configuration > Identities.

DKIM

Default: SES always adds a d=amazonses.com signature for feedback loops, but it does not sign with your own domain until you enable Easy DKIM or BYODKIM on the domain identity.

The problem: With only the amazonses.com signature, DKIM has nothing aligned to your From domain, so DMARC has no aligned identifier to pass on (especially once you rely on DKIM rather than SPF).

The fix: Configuration > Identities > your domain > Authentication > DKIM > Edit > Easy DKIM, choose RSA 2048-bit, enable, then publish the 3 CNAME records (token._domainkey.yourbrand.com pointing to token.dkim.amazonses.com). Use BYODKIM instead if you must control the key: it needs one TXT record with your own 1024 or 2048-bit RSA public key.

SPF

Default: The MAIL FROM (Return-Path) is a region-specific subdomain of amazonses.com, so SPF passes, but against amazonses.com, not your From domain.

The problem: SPF passes without alignment, so DMARC sees an SPF pass that does not count, which is why reports show SPF pass but SPF alignment fail on default SES sends.

The fix: Set a custom MAIL FROM under Configuration > Identities > your domain > Custom MAIL FROM domain (for example mail.yourbrand.com). Publish exactly one MX record to feedback-smtp.<region>.amazonses.com with priority 10 and one TXT SPF record v=spf1 include:amazonses.com ~all. Pick Reject message or Use default on MX failure, and note SES can take up to 72 hours to detect the MX.

DMARC

Default: SES sends fine with no DMARC record on your domain, and many SES senders never publish one.

The problem: Without aligned DKIM or an aligned custom MAIL FROM, neither identifier aligns, so a DMARC policy of quarantine or reject sends your own SES mail to spam, while Gmail and Yahoo now expect at least p=none on bulk From domains.

The fix: Publish v=DMARC1; p=none; rua=mailto:you@yourbrand.com on _dmarc.yourbrand.com, confirm Easy DKIM and the custom MAIL FROM align in the reports, then tighten to quarantine or reject. SES Virtual Deliverability Manager's advisor will flag a missing or misaligned DMARC setup.

MAIL FROM (custom)

Default: Defaults to a subdomain of amazonses.com; the custom MAIL FROM setup state is Pending until SES detects your MX, then Success.

The problem: If the MX is missing, has multiple records, or fails detection within 72 hours, the state goes to Failed and SES falls back to amazonses.com (or rejects mail), so SPF alignment silently reverts.

The fix: Publish exactly one MX record (multiple MX records make custom MAIL FROM fail) and the SPF TXT, then watch the state reach Success in Configuration > Identities. This is the subdomain that gives you SPF alignment for DMARC.

// test your real sends

How to test an Amazon SES campaign with Unspam.

Unspam does not connect to the SES API; testing is manual by design, which is exactly right for SES because the only honest test is a real send through your actual configuration set, identity, MAIL FROM and IP pool. Use the SES API, SMTP interface or the console's Send test email, but send a real message, not a console preview.

  1. Get your Unspam seed address

    Start a spam test or inbox placement test in Unspam and copy the seed address it generates. Inbox placement tests include seed addresses across Gmail, Outlook, Yahoo, Zoho, ProtonMail and AOL so you see real per-provider placement.

  2. Make the seed address a sendable recipient

    If your account is still in the SES sandbox you can only send to verified recipients, so either verify the Unspam seed address as an identity under Configuration > Identities first, or request production access from the Account dashboard. In production you can send to it directly.

  3. Send a real message through your normal SES path

    Trigger the send the way your app does, through the SES v2 API or the SMTP endpoint, using the same From identity, configuration set and custom MAIL FROM domain you use in production. If you use IP pools, send from the same pool. Avoid the mailbox simulator addresses, which never leave AWS and tell you nothing about placement.

  4. Confirm authentication on the live send

    In Unspam, check SPF, DKIM and DMARC on the received message. DKIM should show d=yourbrand.com (the amazonses.com signature is expected as a second signature), SPF should authenticate your custom MAIL FROM subdomain, and DMARC should pass with at least one aligned identifier.

  5. Read score, placement and heatmap in Unspam

    Review the spam score, per-provider Inbox, Promotions, Spam or Missing placement, the client previews including dark mode, and the AI eye-tracking heatmap. The AI fix assistant flags what to change, for example a missing custom MAIL FROM or unaligned DKIM, before you mail your real list.
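
The authentication check in step 4 can also be done by hand on the raw headers of the received message. The following is an added example, not Unspam's or Amazon's code: it applies relaxed DMARC alignment to two constructed header sets, one with SES defaults and one with Easy DKIM plus a custom MAIL FROM. It assumes SPF and every DKIM signature already verified, and approximates the organizational domain as the last two labels.

```python
import re
from email import message_from_string

# Constructed headers (not from a real send): SES defaults vs. the fixed setup.
DEFAULT_SEND = """\
Return-Path: <0100018f-abc@eu-west-1.amazonses.com>
DKIM-Signature: v=1; a=rsa-sha256; d=amazonses.com; s=sel1; bh=x; b=y
From: Shop <news@yourbrand.com>
Subject: test

body
"""
FIXED_SEND = """\
Return-Path: <0100018f-abc@mail.yourbrand.com>
DKIM-Signature: v=1; a=rsa-sha256; d=yourbrand.com; s=tok1; bh=x; b=y
DKIM-Signature: v=1; a=rsa-sha256; d=amazonses.com; s=sel1; bh=x; b=y
From: Shop <news@yourbrand.com>
Subject: test

body
"""

def org_domain(domain):
    # Assumption: organizational domain = last two labels. Real DMARC
    # evaluation uses the Public Suffix List (matters for e.g. co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def addr_domain(value):
    m = re.search(r"@([A-Za-z0-9.-]+)", value or "")
    return m.group(1).lower() if m else ""

def alignment(raw):
    """Relaxed DMARC alignment; assumes SPF and each DKIM signature verified."""
    msg = message_from_string(raw)
    target = org_domain(addr_domain(msg["From"]))
    # SPF is evaluated on the envelope sender (Return-Path), not the From header.
    spf_dom = org_domain(addr_domain(msg["Return-Path"]))
    spf_aligned = bool(target) and spf_dom == target
    dkim_domains = []
    for sig in msg.get_all("DKIM-Signature", []):
        m = re.search(r"(?:^|;)\s*d=([^;\s]+)", sig)
        if m:
            dkim_domains.append(m.group(1).lower())
    dkim_aligned = [d for d in dkim_domains if org_domain(d) == target]
    # DMARC passes when at least one authenticated identifier aligns.
    return {"spf_aligned": spf_aligned, "dkim_aligned": dkim_aligned,
            "dmarc_pass": spf_aligned or bool(dkim_aligned)}
```

On the default headers neither identifier aligns even though both authenticate; on the fixed headers the amazonses.com signature is still present but is simply not counted.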

// platform gotchas

Amazon SES features that quietly affect delivery.

Every SES message carries a second d=amazonses.com DKIM signature

SES always signs with amazonses.com in addition to your own DKIM, because that signature is required for complaint feedback loops, and it cannot be turned off. This is normal and not a misconfiguration. The signature that matters for your DMARC alignment is the one with d=yourbrand.com, so when reading a report or a tool, confirm your domain's signature is present and aligned rather than worrying about the amazonses.com one.

Sandbox status and reputation are per AWS region

The sandbox, your sending quotas, identities, DKIM configuration and sender reputation all live independently in each AWS region. Verify a domain and leave the sandbox in us-east-1 and you still have to repeat the whole setup in eu-west-1, and a region with no warmed history starts cold. Pick a region and stick to it, and if you send from several, configure DKIM and request production access in each one.

Multiple MX records break the custom MAIL FROM setup

SES requires exactly one MX record on the custom MAIL FROM subdomain (pointing to feedback-smtp.<region>.amazonses.com, priority 10). If the subdomain already has other MX records, custom MAIL FROM setup fails, the state never reaches Success, and SES falls back to amazonses.com so your SPF alignment quietly disappears. Use a dedicated subdomain that is not used to send or receive any other mail.
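
A pre-flight check for the records described above, as an added example that is not part of SES or of the original guide. It validates constructed zone-file lines for a hypothetical mail.yourbrand.com subdomain; the record values and the function name check_mail_from are assumptions for illustration.

```python
# Constructed zone-file lines for the custom MAIL FROM subdomain (illustrative).
BROKEN = """\
mail.yourbrand.com. 300 IN MX 10 feedback-smtp.eu-west-1.amazonses.com.
mail.yourbrand.com. 300 IN MX 20 mx.oldprovider.example.
mail.yourbrand.com. 300 IN TXT "v=spf1 include:_spf.oldprovider.example ~all"
"""
GOOD = """\
mail.yourbrand.com. 300 IN MX 10 feedback-smtp.eu-west-1.amazonses.com.
mail.yourbrand.com. 300 IN TXT "v=spf1 include:amazonses.com ~all"
"""

def check_mail_from(zone_text, subdomain, region):
    """Return a list of problems with the MX and SPF records on `subdomain`."""
    name = subdomain.rstrip(".").lower() + "."
    mx, spf = [], []
    for line in zone_text.splitlines():
        parts = line.split(None, 4)  # name, ttl, class, type, rdata
        if len(parts) < 5 or parts[0].lower() != name or parts[2] != "IN":
            continue
        rtype, rdata = parts[3], parts[4].strip()
        if rtype == "MX":
            prio, host = rdata.split()
            mx.append((int(prio), host.rstrip(".").lower()))
        elif rtype == "TXT" and rdata.strip('"').lower().startswith("v=spf1"):
            spf.append(rdata.strip('"').lower().split())
    expected = f"feedback-smtp.{region}.amazonses.com"
    problems = []
    # Any extra MX on the subdomain makes the custom MAIL FROM setup fail.
    if len(mx) != 1:
        problems.append(f"expected exactly 1 MX record, found {len(mx)}")
    if (10, expected) not in mx:
        problems.append(f"no MX with priority 10 pointing to {expected}")
    if len(spf) != 1:
        problems.append(f"expected exactly 1 SPF TXT record, found {len(spf)}")
    elif "include:amazonses.com" not in spf[0]:
        problems.append("SPF record does not include amazonses.com")
    return problems

if __name__ == "__main__":
    for label, zone in (("broken", BROKEN), ("good", GOOD)):
        print(label, check_mail_from(zone, "mail.yourbrand.com", "eu-west-1"))
```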

No configuration set means you are blind to bounces and complaints

SES does not show you bounces and complaints unless you publish events. Create a configuration set with an event destination (Amazon SNS, CloudWatch, Amazon Data Firehose or EventBridge) and set it as the identity's default configuration set, so deliveries, bounces, complaints, opens and clicks are captured. Without it, the first sign of trouble is an Under review or Paused notice in the Account dashboard, after the damage is done.
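
Once events are flowing, a small consumer can track the rates and build the suppression list. This is an added example, not code from AWS or from the original guide: it assumes one JSON record per line in the SES event publishing shape (eventType, bounce.bounceType, bouncedRecipients, complainedRecipients), uses a constructed batch, and compares against the review and pause thresholds quoted in this guide. SES measures over a representative volume, so a per-batch rate is only an early-warning approximation.

```python
import json

# Review / pause thresholds as stated in this guide (fraction of sent mail).
BOUNCE = (0.05, 0.10)
COMPLAINT = (0.001, 0.005)

def sample_events():
    # Constructed batch: 1000 sends, 60 hard bounces, 2 soft bounces, 2 complaints.
    def rcpt(i):
        return f"user{i}@example.com"
    events = [{"eventType": "Send", "mail": {"destination": [rcpt(i)]}} for i in range(1000)]
    events += [{"eventType": "Bounce", "bounce": {"bounceType": "Permanent",
                "bouncedRecipients": [{"emailAddress": rcpt(i)}]}} for i in range(60)]
    events += [{"eventType": "Bounce", "bounce": {"bounceType": "Transient",
                "bouncedRecipients": [{"emailAddress": rcpt(i)}]}} for i in (200, 201)]
    events += [{"eventType": "Complaint", "complaint": {
                "complainedRecipients": [{"emailAddress": rcpt(i)}]}} for i in (100, 101)]
    return [json.dumps(e) for e in events]

def level(rate, thresholds):
    # Local labels for this example, not SES account states.
    review, pause = thresholds
    return "pause risk" if rate >= pause else "review risk" if rate >= review else "ok"

def summarize(lines):
    """Count sends, hard bounces and complaints; collect addresses to suppress."""
    sent = hard = complaints = 0
    suppress = set()
    for line in lines:
        event = json.loads(line)
        kind = event.get("eventType")
        if kind == "Send":
            sent += len(event["mail"]["destination"])
        elif kind == "Bounce" and event["bounce"]["bounceType"] == "Permanent":
            rcpts = event["bounce"]["bouncedRecipients"]
            hard += len(rcpts)
            suppress.update(r["emailAddress"].lower() for r in rcpts)
        elif kind == "Complaint":
            rcpts = event["complaint"]["complainedRecipients"]
            complaints += len(rcpts)
            suppress.update(r["emailAddress"].lower() for r in rcpts)
    bounce_rate = hard / sent if sent else 0.0
    complaint_rate = complaints / sent if sent else 0.0
    return {"bounce_rate": bounce_rate, "bounce_status": level(bounce_rate, BOUNCE),
            "complaint_rate": complaint_rate,
            "complaint_status": level(complaint_rate, COMPLAINT),
            "suppress": suppress}
```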

// FAQ

Amazon SES deliverability, answered.

Why does my SES mail show a DKIM signature for amazonses.com instead of my domain?

SES always adds its own d=amazonses.com signature for feedback loops, and that is the one you are seeing if you have not enabled Easy DKIM or BYODKIM on your domain identity. Enable Easy DKIM under Configuration > Identities > your domain > Authentication and publish the 3 CNAME records. After that you will have two signatures: yours (d=yourbrand.com, which aligns for DMARC) and the amazonses.com one, which is safe to ignore.

My SPF passes but DMARC still fails. What is wrong?

By default the MAIL FROM is a subdomain of amazonses.com, so SPF is checked against amazonses.com and passes, but it does not align to your From domain, so it does not count toward DMARC. Set a custom MAIL FROM domain (a subdomain like mail.yourbrand.com) with the MX and SPF records SES provides, or rely on aligned DKIM instead. Either aligned identifier lets DMARC pass.

Do I need a dedicated IP to stay out of spam on SES?

Usually not. Shared IPs are managed by AWS and are the right choice for low or irregular volume. A standard dedicated IP you never warm up performs worse than the shared pool. If you do want a dedicated IP and your volume is not perfectly steady, dedicated IPs (managed) are better because SES warms them up per ISP and auto-scales them. Fix authentication, list hygiene and complaint rate before reaching for a dedicated IP.

My SES account is under review or paused. What happened?

SES enforces reputation at the account level. A bounce rate of 5% or higher (hard bounces to non-verified domains) or a complaint rate of 0.1% or higher puts you under review; 10% bounces or 0.5% complaints can pause sending entirely. Suppress bounced and complaining addresses immediately, fix the list-acquisition or content issue, then reply to the support case SES opened on your behalf. Keep bounces under 2% and complaints under 0.1% to stay Healthy.

Can Unspam connect to my Amazon SES account and test sends automatically?

No. Unspam does not integrate with the SES API or any other ESP API. Testing is manual by design: you add Unspam's seed address as a recipient and send a real message through your normal SES path (API, SMTP or the console), then read SPF, DKIM, DMARC, the spam score and per-provider placement in Unspam. That is the only way to test the exact mail your recipients receive, through your real configuration set and MAIL FROM domain.

Should I use Easy DKIM or BYODKIM?

Use Easy DKIM unless you have a specific reason not to. It publishes 3 CNAME records, defaults to RSA 2048-bit, and rotates keys automatically. BYODKIM lets you supply your own RSA 1024 or 2048-bit key with a single TXT record, which is useful when you reuse one key across providers or must control rotation yourself. If you migrate from BYODKIM to Easy DKIM, do it during downtime or via an intermediary subdomain, because mail may go unsigned while the new setup is pending.

Amazon SES platform details were verified against publicly available documentation in June 2026 and may have changed since. Amazon SES is a trademark of its respective owner. Unspam is not affiliated with or endorsed by Amazon SES.
