AWS SES – How to Replace ‘via amazonses.com’ with Custom Branding

amazon-sesamazon-web-servicesdkimsmtpspf

So in SES – there are two ways to verify identities as I can see:

Email identities
Domain identities

With domain identiies – it is easier to fix the "signed-by" and "mailed-by" headers in the outgoing mails. If the DKIM/SPF DNS records are set properly – it works well.

But with email identities – AWS SES adds something like "via amazonses.com". Now I am looking to fix this with my app's branding instead. So that when my clients only want to verify email identities and not whole domains – they can send emails via my app (and behind the scenes via SES) but when the emails go out – instead of saying "via amazonses.com", it should put my apps brancing like "via example.com" instead for the email identities.

How can I achieve this? 🙂

EDIT:

Someone verifies an email identity – [email protected] – I want it to say "via mydomain.com" instead of "via amazonses.com"
Someone verifies clientdomain.com – I want it to say "signed-by: clientdomain.com" and the "via…." will be removed

Number 2 is simple and I can achieve that with EasyDKIM in SES but I am having trouble figuring out how to achieve number 1

Best Answer

To achieve this successfully - we had to verify the main domain which we wanted to sign with in case of email identities. Example mydomain.com is the domain, we verified that domian including setting the MAIL FROM domain in it.

Then, we went ahead and verified the single email identity we wanted to send and sign it with mydomain.com. I used my personal email but for this example we will use [email protected].

Finally we had to tweak the FROM header like so in PHP before hitting the AWS PHP SDK for SES and call the sendRawEmail method

$message->setFrom('[email protected] via mydomain.xyz <[email protected]>');

Final solution was that Gmail said from header was:

from:   [email protected] via mydomain.xyz <[email protected]>

Related Solutions

Postfix and OpenDKIM – How to Configure and Inform Receiving Server

First of all, please remove these values (they aren't needed if you use KeyTable):

Domain      example1.com
KeyFile     /etc/opendkim/keys/example1_com/selc
Selector    selc

Domain      example2.com
KeyFile     /etc/opendkim/keys/example2_com/selc
Selector    selc

Setup your KeyTable like that:

mykey1 example1.com:recordname1:/path/to/domain.key
mykey2 example2.com:recordname2:/path/to/domain.key

Setup your SigningTable like that (note wildcard matching and mykey1 and mykey2 from KeyTable):

*@example1.com mykey1
*@example2.com mykey2

And finally change your opendkim.conf to include SigningTable via refile: prefix (regular expressions support):

SigningTable    refile:/etc/opendkim/SigningTable

And domain record for reference (note recordname1 and recordname2 from KeyTable):

recordname1._domainkey IN TXT "v=DKIM1; g=*; k=rsa; p=..."
recordname2._domainkey IN TXT "v=DKIM1; g=*; k=rsa; p=..."

Additionally, please, check if you have your node hostname (from which you are sending mail) in InternalHosts file:

server1.example1.com
server2.example2.com
mail.example1.com
mail.example2.com

Again, you can use refile: prefix to be able to add something like:

*.example1.com
*.example2.com

if you have multiple hosts and do not want to include all of them by hand. If you accept only local mail, you should add localhost here.

You should check log file for DKIM notices about skipping signing if your host is missing in the InternalHosts file.

Example of opendkim.conf:

# Set these values (Syslog, SyslogSuccess, LogWhy) for debugging and check syslog for details
Syslog      yes
SyslogSuccess   yes
LogWhy      yes

UMask       002
UserID      opendkim:opendkim

KeyTable            /etc/opendkim/KeyTable
SigningTable        refile:/etc/mail/SigningTable
InternalHosts       refile:/etc/mail/hosts

Remove OR Replace “mailed by” field with DKIM & SPF enabled in AWS SES

You can replace mailed-by: us-west-2.amazonses.com with mailed by: sub.example.com but not with mailed-by: example.com.

In other words, unnaked domain (with subdomain) like sub.example.com is possible but naked domain like example.com is impossible to replace with us-west-2.amazonses.com for mailed-by.

To replace us-west-2.amazonses.com with sub.example.com for mailed-by, you must create a custom MAIL FROM domain.

The below is how you create the custom MAIL FROM domain sub.example.com.

Click on the domain example.com.

Then, the detail is shown.

Then, click on MAIL FROM Domain to show Set MAIL FROM Domain button.

Then, clicking on Set MAIL FROM Domain button, the window is open.

Then, put the subdomain "sub" to the field and click on Set MAIL FROM Domain button.

Then, the MX Record and SPF Record are shown. You must add the MX Record and SPF Record to Route 53 in addition to the records of the domain example.com to verify the custom MAIL FROM domain sub.example.com.

Finally, check if the custom MAIL FROM domain sub.example.com is verified under MAIL FROM domain section.

If MAIL FROM domain status is still pending verification, click on retry in blue.

Then, it will be verified.

After the custom MAIL FROM domain is verified, mailed-by is sub.example.com whether or not you send emails using example.com or sub.example.com and whether or not your account is in the sandbox.

Best Answer

Related Solutions

Postfix and OpenDKIM – How to Configure and Inform Receiving Server

Remove OR Replace “mailed by” field with DKIM & SPF enabled in AWS SES

Related Topic