How do you set up DMARC on Amazon Route 53?
Updated July 3, 2026
To set up DMARC on Amazon Route 53, open your domain's public hosted zone in the Route 53 console, click Create record, and add a TXT record named _dmarc with a value starting with v=DMARC1. Route 53 serves the record within about a minute of saving.
What you need before starting
- An AWS account with access to the domain's public hosted zone in Route 53 (your domain's nameservers must point at that zone)
- A DMARC record value (generate one with our free DMARC generator if you don't have one yet)
- Optional but recommended: SPF and DKIM already configured for your email provider
Step by step
1. Open your hosted zone
Sign in to the AWS console, open the Route 53 service, choose Hosted zones in the left sidebar, and click your domain. Make sure you pick the public hosted zone. A private zone is only visible inside your VPC.
2. Create a new record
Click Create record. If the wizard appears, choose Simple routing. A DMARC record needs nothing fancier.
3. Enter the DMARC record
In the Record name field enter _dmarc. The console shows your domain after the field and appends it automatically. Set Record type to TXT and paste your DMARC record into the Value box; the console adds the surrounding quotes for you.
Host: _dmarc
Type: TXT
Value: v=DMARC1; p=none; rua=mailto:[email protected]; fo=1
4. Save the record
Click Create records. Route 53 propagates changes to its nameservers within about 60 seconds.
5. Verify it's live
Run your domain through our free DMARC checker. If the record shows up and parses cleanly, you're done. The first aggregate reports typically arrive within 24-48 hours.
Check that it worked
Our free checker reads your DMARC record live and explains every tag. Run it after the record saves.
Common mistakes
Adding the record to the wrong hosted zone
Accounts often accumulate duplicate or private hosted zones. Check that the zone's NS records match the nameservers your domain actually uses. Records in an unused zone do nothing.
Assuming registration at Route 53 means DNS at Route 53
Registering a domain through Route 53 creates a hosted zone, but if you later pointed nameservers elsewhere (say, Cloudflare), the DMARC record must go there instead.
Adding a second DMARC record instead of editing the first
Route 53 lets multiple TXT values live under one record name. If _dmarc already exists, edit it, and keep exactly one v=DMARC1 value, since two makes receivers ignore both.
Frequently asked questions
- Do I need quotes around the TXT value in Route 53?
- In the console, no: paste the plain value and Route 53 quotes it for you. If you use the CLI or CloudFormation, wrap the value in double quotes yourself.
- How long does a Route 53 change take to go live?
- Route 53 typically propagates to all its nameservers within 60 seconds. The console shows the change status as INSYNC once it's fully deployed.
- Does Amazon SES set up DMARC for me?
- No. SES helps you configure DKIM (Easy DKIM) and a custom MAIL FROM domain, but the DMARC TXT record is yours to add in the hosted zone, exactly as shown above.
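For the CLI route mentioned in the quoting question above, and the "exactly one v=DMARC1 value" rule under Common mistakes, here is an added example (not code from this page or from AWS) that validates a record and builds the change batch for `aws route53 change-resource-record-sets`. The domain, reporting address, 300-second TTL and function names are assumptions made for illustration.

```python
import json

MAX_TXT_STRING = 255  # Route 53 limit for one quoted string inside a TXT value
# Constructed sample record; the reporting address is a placeholder.
SAMPLE = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com; fo=1"


def parse_dmarc(value):
    """Split a DMARC record into a tag dict; raise ValueError if malformed."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        raise ValueError("record must start with v=DMARC1")
    tags = {}
    for part in parts:
        name, sep, val = part.partition("=")
        if not sep:
            raise ValueError(f"tag without '=': {part!r}")
        tags[name.strip()] = val.strip()
    if tags.get("p", "").lower() not in {"none", "quarantine", "reject"}:
        raise ValueError("p= must be none, quarantine or reject")
    return tags


def quote_txt(value):
    """Quote a TXT value the way the Route 53 API expects it."""
    if '"' in value or "\\" in value:
        raise ValueError("unexpected quote or backslash in TXT value")
    # Values longer than 255 characters become several quoted strings.
    chunks = [value[i:i + MAX_TXT_STRING] for i in range(0, len(value), MAX_TXT_STRING)]
    return " ".join(f'"{c}"' for c in chunks)


def build_change_batch(domain, record, existing_txt=(), ttl=300):
    """Build the --change-batch JSON for `aws route53 change-resource-record-sets`.

    UPSERT replaces the whole _dmarc TXT record set, so unrelated values are
    carried over and any older v=DMARC1 value is dropped, leaving exactly one.
    """
    parse_dmarc(record)
    keep = [v for v in existing_txt if not v.strip().startswith("v=DMARC1")]
    return {"Changes": [{"Action": "UPSERT", "ResourceRecordSet": {
        "Name": f"_dmarc.{domain}.", "Type": "TXT", "TTL": ttl,
        "ResourceRecords": [{"Value": quote_txt(v)} for v in keep + [record]]}}]}


if __name__ == "__main__":
    print(json.dumps(build_change_batch("example.com", SAMPLE), indent=2))
```

Save the printed JSON to a file and pass it with `--change-batch file://<name>` together with your zone's `--hosted-zone-id`.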
The record is step one. The reports are the point
Publishing p=none starts a stream of XML reports about everyone sending as your domain. DMARCPath turns them into a plain-English dashboard and walks you to full protection at p=reject. One domain free.