If I pass SPF but fail alignment, is this only because of provider restrictions?


We utilize Amazon SES as an email platform, and we whitelisted a single email with a client. That basically just involves the recipient saying "allow Amazon SES to send", and then Amazon lets us use that email.

The client made no DNS modifications but had previously set up a spf.protection.outlook.com SPF record. Logically I thought, well, I will fail SPF when I send using the whitelisted email from Amazon SES. However, it says that I passed SPF, shockingly...

After looking at the logs, which puzzled me, it says I passed because spf.protection.outlook.com has amazonses as an approved sender. So I thought, cool, I do not need to have the client change anything, as I pass SPF. That, however, is not the case, as my sender From fails DMARC because the sender From and domain are not aligned.

I know how to fix this by adding the MX record AWS tells me to add so they will align the custom domain per their requirement, but is the only reason I am not passing DMARC that Amazon will not align the header but could technically if they wanted to, and is this step of the custom sender DNS entry they want me to add just telling them "OK, send it and change", or does this MX and SPF it has me add actually do something beyond internal controls for Amazon?

If they wanted to, could they just allow it in theory, or does that DNS record they want you to add for the alignment actually do something besides just letting Amazon know it is OK for them to set it, to ensure people do not pass DMARC on their service without this security step?

I always thought that once an SPF record got passed I could just set the From and Sender domains and all would work to pass DMARC, so my mind feels like this is just an intentional security restriction and not required?

In other words, if I had an email server on that IP address under my control and I passed SPF via that Outlook record, could I pass DMARC and set my SPF alignment?

In a nutshell:

  1. Am I really passing SPF identically to if I were sending from Outlook, even though it says "passed" because it is an approved sender? Is that the same as if amazonses.com was listed specifically?
  2. If I pass SPF like that, is the requirement to align the header just a security measure for Amazon, such that nothing would prevent them from allowing it if they were not trying to enforce a DMARC restriction, or is there another reason I would technically need those DNS records?

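An added example (not part of the original question, and not Amazon's or Microsoft's code) that evaluates DMARC identifier alignment as RFC 7489 section 3.1 defines it, for the situation described above: SPF is checked against the envelope MAIL FROM (Return-Path) domain, and a pass only counts toward DMARC when that domain aligns with the header From domain, or when a DKIM signature whose d= domain aligns verifies. The domains client.example and mail.client.example are hypothetical; amazonses.com stands in for the SES default MAIL FROM domain (an assumption); the organizational-domain helper is a two-label approximation of what a real evaluator does with the Public Suffix List.

```python
"""DMARC identifier alignment, worked through for an SES-style setup.

Added example, not code from the original post.  Alignment rules follow
RFC 7489 section 3.1: relaxed ('r') alignment compares organizational
domains, strict ('s') alignment requires an exact match.
"""
from dataclasses import dataclass


def organizational_domain(domain: str) -> str:
    """Approximate organizational domain as the last two DNS labels.

    Assumption: this ignores multi-label public suffixes such as co.uk;
    a production evaluator consults the Public Suffix List instead.
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str = "r") -> bool:
    """Is the authenticated identifier aligned with the RFC5322.From domain?"""
    a = from_domain.lower().rstrip(".")
    b = auth_domain.lower().rstrip(".")
    if mode == "s":
        return a == b
    return organizational_domain(a) == organizational_domain(b)


@dataclass
class AuthResults:
    from_domain: str            # RFC5322.From domain (what the recipient sees)
    spf_result: str             # "pass" / "fail" / "none" for the MAIL FROM domain
    spf_domain: str             # RFC5321.MailFrom (Return-Path) domain SPF was run on
    dkim_result: str = "none"   # "pass" / "fail" / "none"
    dkim_domain: str = ""       # d= tag of the verified DKIM signature, if any


def dmarc_result(r: AuthResults, aspf: str = "r", adkim: str = "r") -> dict:
    """Which identifiers aligned, and the overall DMARC verdict.

    An SPF pass on a domain that does not align with the From domain is
    ignored by DMARC; it is not a partial credit.
    """
    spf_aligned = r.spf_result == "pass" and aligned(r.from_domain, r.spf_domain, aspf)
    dkim_aligned = (r.dkim_result == "pass" and bool(r.dkim_domain)
                    and aligned(r.from_domain, r.dkim_domain, adkim))
    return {
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "dmarc": "pass" if (spf_aligned or dkim_aligned) else "fail",
    }


# Constructed scenarios (hypothetical client domains; amazonses.com stands in
# for the SES default MAIL FROM domain, which is an assumption).
DEFAULT_MAIL_FROM = AuthResults(
    from_domain="client.example",
    spf_result="pass", spf_domain="amazonses.com",   # SPF passes, but for Amazon's domain
)
CUSTOM_MAIL_FROM = AuthResults(
    from_domain="client.example",
    spf_result="pass", spf_domain="mail.client.example",  # Return-Path on the client's subdomain
)
DKIM_SIGNED = AuthResults(
    from_domain="client.example",
    spf_result="pass", spf_domain="amazonses.com",
    dkim_result="pass", dkim_domain="client.example",     # d= aligns even though SPF does not
)

if __name__ == "__main__":
    for name, scenario in [("default MAIL FROM", DEFAULT_MAIL_FROM),
                           ("custom MAIL FROM", CUSTOM_MAIL_FROM),
                           ("DKIM d=client.example", DKIM_SIGNED)]:
        print(f"{name:22s} relaxed: {dmarc_result(scenario)}")
    print(f"{'custom MAIL FROM':22s} strict:  {dmarc_result(CUSTOM_MAIL_FROM, aspf='s')}")
```

The first scenario is the one in the question: SPF passes, but it passes for the Return-Path domain, not for the domain in the From header, so DMARC ignores it. The custom MAIL FROM records make the client's own subdomain a usable Return-Path (the MX record routes bounces for that subdomain back to the provider, the TXT record authorizes the provider's senders for it), which is what moves the SPF-authenticated identifier into the client's organizational domain. A DKIM signature with d= set to the client's domain is the other route to alignment and does not depend on the Return-Path at all. Under strict SPF alignment (aspf=s) even the custom subdomain fails, because mail.client.example is not an exact match for client.example.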