AWS SES has an API for programmatically sending a bounce email in reply to a received email—SendBounce. However, emails sent through SendBounce—unlike "normal" emails sent through SendEmail—only contain a DKIM-Signature for amazonses.com. Since bounced emails use MAIL FROM: <>, both of these result in SPF and DKIM alignment failure, and thus DMARC failure.
With this, is it even possible to achieve DMARC compliance for emails sent with SendBounce? And is there a good reason why SES does not include a DKIM signature with the From: domain for SendBounce emails?
Example
- SES email domain: email.com
- MAIL FROM domain for email.com: from.email.com
- DMARC record (_dmarc.email.com): v=DMARC1; p=quarantine
  - Note: Because the adkim and aspf tags are omitted, DMARC conducts alignment for DKIM and SPF in "relaxed" mode.
A sample email sent with SendEmail has the following:
- From: header: [email protected]
- HELO identity: a27-123.smtp-out.us-west-2.amazonses.com
- MAIL FROM: <01010181add736ef-0f477553-2014-4704-b7ee-a030525d7a66-000000@from.email.com>
  - from.email.com is a subdomain of email.com, which achieves relaxed SPF alignment.
- DKIM-Signature: d=amazonses.com
- DKIM-Signature: d=email.com
  - email.com is exactly email.com, which achieves strict DKIM alignment.
However, an email sent via SendBounce has:
- From: header: [email protected]
- HELO identity: a27-9.smtp-out.us-west-2.amazonses.com
- MAIL FROM: <> (empty, as expected for a bounce message)
- DKIM-Signature: d=amazonses.com
Note that for the bounce email, neither the HELO identity nor any of the DKIM signature domains match the From: domain of email.com. Hence, DMARC fails.
Possible workaround (hack)
Given these limitations of bounce messages sent with SendBounce, one workaround which preserves DMARC (with a p=reject or p=quarantine policy) for normal emails but disables it for bounce emails is to designate a subdomain of email.com with DMARC explicitly disabled.
For example, set _dmarc.bounce.email.com to v=DMARC1; p=none, and use [email protected] as the From: address of SendBounce. This allows SendBounce emails to not end up in spam or dropped outright (per DMARC) but hardly seems like an ideal solution.
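As an added example (not code from the question or from AWS), the following Python models the DMARC evaluation the question walks through and applies it to the SendEmail case, the SendBounce case, and the p=none subdomain workaround. DNS is replaced by an in-memory dict of assumed _dmarc records, and the organizational-domain rule is simplified to the last two labels instead of the Public Suffix List.

```python
from typing import Optional

# Constructed stand-in for DNS _dmarc TXT lookups (assumed records, not real DNS).
DMARC_RECORDS = {
    "email.com": {"v": "DMARC1", "p": "quarantine"},   # adkim/aspf omitted -> relaxed
    "bounce.email.com": {"v": "DMARC1", "p": "none"},  # the workaround subdomain
}

def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels (real DMARC uses the PSL)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(identity: str, from_domain: str, mode: str) -> bool:
    """DMARC identifier alignment: 's' needs an exact match, 'r' a shared org domain."""
    if mode == "s":
        return identity.lower() == from_domain.lower()
    return org_domain(identity) == org_domain(from_domain)

def discover_policy(from_domain: str) -> Optional[dict]:
    """Policy discovery: a record at the exact From: domain wins, else use the org domain's."""
    return DMARC_RECORDS.get(from_domain.lower()) or DMARC_RECORDS.get(org_domain(from_domain))

def evaluate(from_domain: str, mail_from: str, helo: str, dkim_domains: list,
             spf_result: str = "pass") -> dict:
    """Evaluate DMARC for one message; spf_result is the raw SPF outcome for the SPF identity."""
    rec = discover_policy(from_domain)
    if rec is None:  # no record at all: DMARC does not apply
        return {"spf_aligned": False, "dkim_aligned": False, "pass": True, "disposition": "none"}
    aspf, adkim = rec.get("aspf", "r"), rec.get("adkim", "r")
    # The SPF identity is the MAIL FROM domain; with an empty MAIL FROM (bounces) it is HELO.
    spf_identity = mail_from.strip("<>").rpartition("@")[2] or helo
    spf_aligned = spf_result == "pass" and aligned(spf_identity, from_domain, aspf)
    dkim_aligned = any(aligned(d, from_domain, adkim) for d in dkim_domains)
    passed = spf_aligned or dkim_aligned
    return {"spf_aligned": spf_aligned, "dkim_aligned": dkim_aligned, "pass": passed,
            "disposition": "none" if passed else rec.get("p", "none")}

if __name__ == "__main__":
    bounce_helo = "a27-9.smtp-out.us-west-2.amazonses.com"
    # SendEmail: MAIL FROM under from.email.com plus a d=email.com signature -> aligned.
    print(evaluate("email.com", "<x@from.email.com>",
                   "a27-123.smtp-out.us-west-2.amazonses.com", ["amazonses.com", "email.com"]))
    # SendBounce: empty MAIL FROM falls back to HELO, only d=amazonses.com -> quarantine.
    print(evaluate("email.com", "<>", bounce_helo, ["amazonses.com"]))
    # Workaround: same bounce, but From: under bounce.email.com with p=none -> no action.
    print(evaluate("bounce.email.com", "<>", bounce_helo, ["amazonses.com"]))
```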