
I've set up SPF and DKIM for my custom domain to send emails. While the SPF and DKIM tests pass, the DMARC test fails for emails that have a reply-to address different from the "From" field. My SPF record:

v=spf1 include:amazonses.com include:_spf.google.com -all

My DMARC record:

v=DMARC1; p=none; pct=100; rua=mailto:dmarc-rua@mydomain.com; ruf=mailto:reports@mydomain.com

Headers from the email sent:

Delivered-To: contact@mydomain.com
Received: by 10.129.165.193 with SMTP id c184csp206242ywh;
        Thu, 19 May 2016 03:56:53 -0700 (PDT)
X-Received: by 10.233.239.210 with SMTP id d201mr13984760qkg.41.1463655413313;
        Thu, 19 May 2016 03:56:53 -0700 (PDT)
Return-Path: <01000154c8a933ce-e7e039ee-6c9d-4e64-9693-28708e049ecf-000000@amazonses.com>
Received: from a8-86.smtp-out.amazonses.com (a8-86.smtp-out.amazonses.com. [54.240.8.86])
        by mx.google.com with ESMTPS id g90si11881962qgg.13.2016.05.19.03.56.53
        for <contact@mydomain.com>
        (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128);
        Thu, 19 May 2016 03:56:53 -0700 (PDT)
Received-SPF: pass (google.com: domain of 01000154c8a933ce-e7e039ee-6c9d-4e64-9693-28708e049ecf-000000@amazonses.com designates 54.240.8.86 as permitted sender) client-ip=54.240.8.86;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@amazonses.com;
       spf=pass (google.com: domain of 01000154c8a933ce-e7e039ee-6c9d-4e64-9693-28708e049ecf-000000@amazonses.com designates 54.240.8.86 as permitted sender) smtp.mailfrom=01000154c8a933ce-e7e039ee-6c9d-4e64-9693-28708e049ecf-000000@amazonses.com;
       dmarc=fail (p=NONE dis=NONE) header.from=mydomain.com
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple;
    s=6gbrjpgwjskckoa6a5zn6fwqkn67xbtw; d=amazonses.com; t=1463655412;
    h=From:Reply-To:To:Subject:MIME-Version:Content-Type:Content-Transfer-Encoding:Message-ID:Date:Feedback-ID;
    bh=F8+/Ni/QwQrszhKD2uANwAa3fcsUlA2ym/y/2fXINhY=;
    b=AlNNHzoGT1Ezy9haiRXTLviRYW5XGIGE8IXIMjGcLxogxh2tSPGCOt7yJCix/sI0
    5sGh1EHuBHkrd3sTlQ5i5/O2/ci+dXc47mS7Efo8snkyVK7Kf8FlfwsrTontTGoUJWB
    L76+pQCzbzs+HZS9HXym8EO7ZEWp+7g33IX+W0oE=
From: "MYDOMAIN.COM" <no-reply@mydomain.com>
Reply-To: someaddress@gmail.com
To: contact@mydomain.com

What could be the issue here?

user1537407

3 Answers


Amazon SES sets the MAIL FROM domain for the messages that you send to a default value; in your case it is 01000154c8a933ce-e7e039ee-6c9d-4e64-9693-28708e049ecf-000000@amazonses.com (see the Return-Path).

This will fail the DMARC test.

I am using Route 53, so I resolved this by following the instructions here as follows:

  • created and verified a new domain that is only used for mailing from SES, for example mail.mydomain.com.
  • selected "Generate DKIM settings"
  • SES applied the DKIM settings automatically using Route 53
GeraldScott

Your DKIM is unaligned and your SPF might be unaligned (I can't tell without real domain names), and that will cause your DMARC to fail. One of the two must be in alignment; you can read more about that here: Identifier Alignments

You can also send an email to mailtest@unlocktheinbox.com and it will pinpoint the DMARC issue. The DMARC section of the report is a paid feature, but it's cheap.

Henry
  • Thank you very much for the answer. I'm trying to identify the issue. The domain name is luckstock.com. I'm still digging deeper to sort it out, and your help will be appreciated. – user1537407 Jun 01 '16 at 10:44
  • Yes, your DKIM and SPF are both out of alignment; in your case they are the same: `amazonses.com` and `luckstock.com`. They don't match, as you can see. If you continue to send mail this way you should remove your DMARC policy. You can read that Amazon won't let you change the Return-Path here: [Amazon SES](https://forums.aws.amazon.com/thread.jspa?messageID=400902). So your SPF will never be aligned, nor will your DKIM. Wouldn't it be easier to just set up your own mail server? With Postfix or Exim you would have full control over your emailing. – Henry Jun 01 '16 at 13:30
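The alignment check that GeraldScott's and Henry's answers describe, as an added worked example (not code from the thread, from Amazon or from Google): it reads the Authentication-Results and From: headers and reports whether the SPF domain (smtp.mailfrom) or the DKIM signing domain aligns with the From: domain; Reply-To plays no part. The "before" headers are trimmed from the question; the "after" headers are constructed to show the custom MAIL FROM subdomain set-up, and the organizational-domain lookup is a simplifying assumption in place of a Public Suffix List.

```python
import re
# Added example (not code from the thread or from Amazon): decide DMARC
# identifier alignment the way a receiver does, from the Authentication-Results
# and From: headers; Reply-To is never consulted. Assumption: the last two
# labels stand in for the Public Suffix List lookup real receivers use.

def org_domain(domain):
    return ".".join(domain.lower().strip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode="r"):
    """Relaxed ('r') compares organizational domains; strict ('s') needs an exact match."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_alignment(headers, aspf="r", adkim="r"):
    """Report which authenticated identifiers align with From: and the overall verdict."""
    from_dom = re.search(r"^From:.*@([\w.-]+)", headers, re.M).group(1)
    spf = re.search(r"spf=(\w+).*?smtp\.mailfrom=[^@\s;]+@([\w.-]+)", headers, re.S)
    dkim = re.search(r"dkim=(\w+)\s+header\.i=@([\w.-]+)", headers)
    spf_ok = bool(spf) and spf.group(1) == "pass" and aligned(spf.group(2), from_dom, aspf)
    dkim_ok = bool(dkim) and dkim.group(1) == "pass" and aligned(dkim.group(2), from_dom, adkim)
    return {"from": from_dom, "spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc_pass": spf_ok or dkim_ok}

# Constructed, trimmed from the question's headers: SES default MAIL FROM and
# DKIM d=amazonses.com, while From: is at mydomain.com.
BEFORE = """\
Return-Path: <bounce-id@amazonses.com>
Authentication-Results: mx.google.com;
       dkim=pass header.i=@amazonses.com;
       spf=pass (sender permitted) smtp.mailfrom=bounce-id@amazonses.com;
       dmarc=fail (p=NONE dis=NONE) header.from=mydomain.com
From: "MYDOMAIN.COM" <no-reply@mydomain.com>
Reply-To: someaddress@gmail.com
"""

# Constructed: the same message after a custom MAIL FROM (mail.mydomain.com)
# and DKIM signing under the sender's own domain, as GeraldScott's answer sets up.
AFTER = """\
Authentication-Results: mx.google.com;
       dkim=pass header.i=@mydomain.com;
       spf=pass (sender permitted) smtp.mailfrom=bounce-id@mail.mydomain.com;
From: "MYDOMAIN.COM" <no-reply@mydomain.com>
Reply-To: someaddress@gmail.com
"""

if __name__ == "__main__":
    for case in (BEFORE, AFTER): print(dmarc_alignment(case), dmarc_alignment(case, aspf="s"))
```

With the defaults (relaxed alignment, which is what a record without aspf/adkim tags uses) the "before" message fails because neither amazonses.com identifier shares an organizational domain with mydomain.com; the "after" message passes, and under strict SPF alignment (aspf=s) the mail.mydomain.com subdomain no longer counts but the DKIM d=mydomain.com signature still carries the verdict.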

I had the same problem and it was because I verified my domain with "www" in SES.