Basic understanding
Story is kinda similar to DNs basics.

  • There is a sender and a receiver. Both have their Email server.
  • To make it easy these mail server can be gmail, yahoo, orkut etc.
  • EX:
    Sender's mail: [email protected]
    Receiver's mail: [email protected]
    sender wants to send mail to receiver, how does the mail server know that is a valid server am contacting to, before delivering senders message?.
    There has to be an entry in Public DNS. There are two kins of entry to be done MX and SPF Records.

By default aws puts or account in sandbox


  • Sender Policy Framework
  • identidies mail server is permitted to send email on behalf of my domain
  • Avoiding spam and forgery from hackers and validate an email message that has been sent from an authorized mail server
  • (which servers ae allowed to send mails from my domain)
    It generally means..the message which is at my door step is actually sent from valid host whose mail is authorized in respective domain.
    If you have a domain name, you can use DNS not only to store the IP address of your website, but also to advertise a list of IP addresses from which you send out email
    How it works?
  • Domain owners publish spf record to DNS...that tells the rules that is set for my domain. It could be listing Ip addresses that are allowe to send email on domain's behalf.
  • when emial server recieves the mail, It checks the domain shown n the message's Return-Path header.
  • Usig DNS shecks if there is an SPF record for that domain
  • If there is reord , it then checks the ip address of the mail server ..if it matches mail message gets delivered ..or else marks it suspicious
  • add in txt record
  • mail exchanger
  • has records in DNS telling if mail server can accept emails messages on behalf of  domain name
  • has some preference value to priortizing while receive

DKIM (DomainKeys Identified Mail)

  • a digital signature added to header of an email message
  • key is validated using public cryptographic key
  • a permission to send e-mails in my name and being authenticated to make sure its really me
  • With DKIM, you publish a public key in your DNS records
  • Emails sent by you will contain a digital signature that can be verified against your public key.
  • has my digital signature signes
  • he domain owner publishes a cryptographic key


  • when receiver mail server fails to deliver message from sender for whatsoever reason the mail is sent back to owner
    DMARC (Domain-based Message Authentication, Reporting, and Conformance)

verifying domain verifies all mail addresses in that domain.

+a: Includes A record
+mx: Includes Mail Server record
+ip4: Designates from which IPv4 server
~all: Records outside of the prior declared ones will fail.
TTL = 1 hour (or  3600 seconds): Time-To-Live, or how often this should expire. If you  were to change e-mail servers, you would be glad that there is only a  maximum gap of 1 hour of not being authenticated.

The other option is to verify an entire domain by creating the proper MX, TXT, and CNAME DNS entries on your nameserver.

"v=spf1 mx -all"

to use custom mail:
add mx record provided by ses dns provider
add spf record dns provider
validate doamin