Notification emails fail to send due to DMARC enforcement and missing DKIM/SPF records



Article ID: 429239


Products

VMware Live Recovery

Issue/Introduction


  • Users report that the system is failing to send notification emails.

  • The customer's security team has recently published an enforcing DMARC policy (p=quarantine or p=reject) for the customer's domain.

  • Notification emails are being quarantined or rejected by the receiving mail servers.

  • Error logs (if available) indicate SPF/DKIM authentication failures or DMARC rejection.


Environment


  • VMware Cloud Services and products that send notifications through AWS SES, including VMware Live Recovery.

  • Environments where the customer's domain publishes an enforcing DMARC policy (p=quarantine or p=reject).


Cause

DMARC (RFC 7489) tells receiving mail servers how to treat a message whose visible From: domain cannot be authenticated. A message passes DMARC only if at least one of two checks succeeds with domain alignment: SPF (Sender Policy Framework), where the domain in the SMTP MAIL FROM (Return-Path) authorizes the sending IP and aligns with the From: domain, or DKIM (DomainKeys Identified Mail), where the message carries a valid signature whose d= domain aligns with the From: domain. Notifications are sent through AWS SES on the customer's behalf, so unless the customer's DNS publishes the SES MX and SPF records for a dedicated MAIL FROM subdomain and the SES DKIM CNAME records, neither check can pass. Once the customer publishes an enforcing DMARC policy (p=quarantine or p=reject) for the domain, receivers apply that policy to the unauthenticated notifications and quarantine or reject them.

Resolution

To resolve this issue, the following DNS records must be added at the customer's DNS provider to authorize AWS SES to send notification emails on behalf of the customer's domain. <SUBDOMAIN>.<CUSTOMER_DOMAIN> is a dedicated subdomain used only as the SES MAIL FROM (Return-Path) domain; it must not be a subdomain that already receives mail. Because it sits under the customer's domain, the Return-Path aligns with the From: domain and the SPF check can satisfy DMARC.

Prerequisite: Obtain the specific DKIM CNAME records generated for your Domain Identity from Broadcom Support/Engineering.

  1. Configure MX Record (lets SES receive bounce and complaint notifications for the MAIL FROM subdomain):

    • Name: <SUBDOMAIN>.<CUSTOMER_DOMAIN>

    • Type: MX

    • Value: 10 feedback-smtp.<REGION>.amazonses.com

    • <REGION> is the AWS region of the SES identity, for example us-east-1.

  2. Configure SPF (TXT) Record:

    • Name: <SUBDOMAIN>.<CUSTOMER_DOMAIN>

    • Type: TXT

    • Value: "v=spf1 include:amazonses.com ~all"

    • A name may carry only one SPF record; if the subdomain already has one, merge the include:amazonses.com mechanism into it rather than adding a second record, and never end the record with +all.

  3. Configure DKIM (CNAME) Records:

    • Refer to the specific DKIM-DNS-RECORDS file provided by Support.

    • Add every CNAME record exactly as listed (name and target) to your DNS configuration. These records let receivers validate the DKIM signature SES applies with d=<CUSTOMER_DOMAIN>, which is the second aligned path to a DMARC pass.

  4. Verification:

    • Once the records are published, DNS propagation and detection by SES may take up to 72 hours.

    • Support will verify the domain identity status once propagation is complete.
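The following script, an added example written for this article rather than code from Broadcom, VMware or AWS, checks the records from steps 1 to 3 and the customer's DMARC policy and reports whether at least one aligned authentication path (SPF or DKIM) would pass. The zone data, the subdomain mail.example.com, the region us-east-1 and the DKIM selector names sel1..sel3 are constructed placeholders; the DKIM names and targets must come from the file Support provides. The resolver is an in-memory table so the script runs offline; to audit a live zone, replace sample_lookup with a function that performs real DNS queries.

```python
"""Offline checker for the DNS records an AWS SES sending subdomain needs to pass DMARC.
Added example for this KB article, not Broadcom, VMware or AWS code."""

# Constructed sample zone (not real DNS data): how mail.example.com in us-east-1 should
# look once the MX, SPF and DKIM records from the Resolution section are published.
SAMPLE_ZONE = {
    ("mail.example.com", "MX"): ["10 feedback-smtp.us-east-1.amazonses.com."],
    ("mail.example.com", "TXT"): ['"v=spf1 include:amazonses.com ~all"'],
    ("sel1._domainkey.example.com", "CNAME"): ["sel1.dkim.amazonses.com."],
    ("sel2._domainkey.example.com", "CNAME"): ["sel2.dkim.amazonses.com."],
    ("sel3._domainkey.example.com", "CNAME"): ["sel3.dkim.amazonses.com."],
    ("_dmarc.example.com", "TXT"): ['"v=DMARC1; p=reject; rua=mailto:dmarc@example.com"'],
}

# Assumed DKIM CNAMEs; selector names are placeholders, use the ones in the file from Support.
SAMPLE_DKIM = {f"sel{i}._domainkey.example.com": f"sel{i}.dkim.amazonses.com" for i in (1, 2, 3)}


def sample_lookup(name, rtype):
    """Stand-in for a DNS query: returns the record data strings for (name, type)."""
    return SAMPLE_ZONE.get((name.rstrip(".").lower(), rtype), [])


def check_mx(subdomain, region, lookup):
    """Step 1: the MAIL FROM subdomain needs an MX pointing at SES feedback-smtp for the region."""
    want = f"feedback-smtp.{region}.amazonses.com"
    for rr in lookup(subdomain, "MX"):
        parts = rr.split()
        if len(parts) == 2 and parts[1].rstrip(".").lower() == want:
            return True
    return False


def parse_spf(txt):
    """Split an SPF TXT record into (qualifier, mechanism) pairs; None if it is not SPF."""
    terms = txt.strip().strip('"').split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    parsed = []
    for term in terms[1:]:
        qual, mech = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
        parsed.append((qual, mech.lower()))
    return parsed


def check_spf(subdomain, lookup):
    """Step 2: exactly one SPF record, it includes amazonses.com, and it does not use +all."""
    spf = [p for p in (parse_spf(t) for t in lookup(subdomain, "TXT")) if p is not None]
    if len(spf) != 1:  # zero or more than one SPF record both make receivers return permerror
        return False
    terms = spf[0]
    # A '+all' term authorizes every sender and turns the record into a no-op.
    return ("+", "include:amazonses.com") in terms and ("+", "all") not in terms


def check_dkim(cnames, lookup):
    """Step 3: every DKIM CNAME from the Support file must resolve to its expected target."""
    missing = []
    for name, target in cnames.items():
        answers = [a.rstrip(".").lower() for a in lookup(name, "CNAME")]
        if target.rstrip(".").lower() not in answers:
            missing.append(name)
    return missing


def dmarc_policy(domain, lookup):
    """Return the p= tag of _dmarc.<domain>, or None when no DMARC record is published."""
    for rr in lookup(f"_dmarc.{domain}", "TXT"):
        tags = {}
        for kv in rr.strip().strip('"').split(";"):
            if "=" in kv:
                key, value = kv.strip().split("=", 1)
                tags[key.lower()] = value.strip()
        if tags.get("v", "").upper() == "DMARC1":
            return tags.get("p")
    return None


def relaxed_aligned(from_domain, auth_domain):
    """Simplified DMARC relaxed alignment: auth domain equals the From: domain or is a
    subdomain of it. Real receivers compare organizational domains via the Public Suffix
    List, which this shortcut does not consult."""
    f, a = from_domain.rstrip(".").lower(), auth_domain.rstrip(".").lower()
    return a == f or a.endswith("." + f)


def audit(from_domain, subdomain, region, dkim_cnames, lookup=sample_lookup):
    """Run every check and report whether at least one aligned path (SPF or DKIM) passes."""
    mx_ok = check_mx(subdomain, region, lookup)
    spf_ok = check_spf(subdomain, lookup)
    dkim_missing = check_dkim(dkim_cnames, lookup)
    # SPF aligns because the Return-Path (MAIL FROM subdomain) sits under the From: domain;
    # DKIM aligns because the CNAMEs live under the From: domain, so the d= tag equals it.
    spf_aligned = mx_ok and spf_ok and relaxed_aligned(from_domain, subdomain)
    dkim_aligned = bool(dkim_cnames) and not dkim_missing and all(
        relaxed_aligned(from_domain, n.split("._domainkey.", 1)[-1]) for n in dkim_cnames)
    return {"mx": mx_ok, "spf": spf_ok, "dkim_missing": dkim_missing,
            "spf_aligned": spf_aligned, "dkim_aligned": dkim_aligned,
            "dmarc_pass": spf_aligned or dkim_aligned,
            "policy": dmarc_policy(from_domain, lookup)}


if __name__ == "__main__":
    for key, value in audit("example.com", "mail.example.com", "us-east-1", SAMPLE_DKIM).items():
        print(f"{key:13} {value}")
```

With the sample zone every check passes and dmarc_pass is True under a p=reject policy; remove the MX or SPF record from the table and only the DKIM path remains, remove the CNAMEs as well and the notifications would be rejected.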

Additional Information