
Why does Amazon SES not require SPF modifications in their current implementation?


Amazon's current SES Documentation says:

If you are using Amazon SES to send from your domain, you need to know that the current SES implementation involves sending emails from an SES-owned MAIL-FROM domain. This means that you do not need to make any changes to your DNS records in order for your emails to pass SPF authentication.

Source: http://sesblog.amazon.com/post/Tx3IREZBQXXL8O8/SPF-and-Amazon-SES


OpenSPF describes SPF this way:

What is SPF?

SPF (defined in RFC 4408) validates the HELO domain and the MAIL FROM address given as part of the SMTP protocol (RFC 2821 – the "envelope" layer). The MAIL FROM address is usually displayed as "Return-Path" if you select the "Show all headers" option in your e-mail client. Domain owners publish records via DNS that describe their policy for which machines are authorized to use their domain in the HELO and MAIL FROM addresses, which are part of the SMTP protocol.

Source: http://www.openspf.org/SPF_vs_Sender_ID


I don't understand how these two match up.

If my current SPF Record looks like:

v=spf1 mx a ~all

(And Amazon is not in my MX records.)

I would imagine that the receiver gets...

HELO abc.smtp-out.amazonses.com
MAIL FROM: <[email protected]>

...then the receiver goes and gets the "mydomain.com" SPF TXT record and says, "Hey, abc.smtp-out.amazonses.com is not listed, therefore SPF=FAIL."

What am I misunderstanding?


P.S. It appears Amazon SES used to have you add "include:amazonses.com" to your SPF record, which makes perfect sense to me. Source: How to know if the SPF config is working (Amazon SES/Route53)?


Solution

So the SPF record you're referencing is not involved, because the MAIL FROM address used by Amazon SES is not an address on your domain.

Assuming you've got an email you've sent through Amazon SES, open it up and take a look at the Return-Path address. It will be an address at some Amazon owned domain (possibly amazonses.com, possibly something else). It is the MX and SPF records of this Amazon owned domain that are used for determining the receiving MTA for bounce messages and the SPF identity with which the message is authorized respectively.

So receivers of this Amazon message will never check the SPF record of the 'From' domain (mydomain.com), so it does not need to be added to the SPF record for mydomain.com. In fact, adding it is potentially harmful because of the 10 domain lookup limit in SPF (a receiver is only supposed to make a total of 10 DNS requests when evaluating the SPF result for a message).

The proper way to authenticate Amazon SES originating email is to use Easy DKIM. This ensures that the email is authenticated, and that the authentication uses the same domain as the From. That ensures the email can be authenticated with DMARC.
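As an added illustration (example code written for this page, not from the post or from Amazon), a simplified SPF evaluator over a constructed in-memory DNS table: it evaluates the record of the envelope MAIL FROM domain, so with an SES-owned MAIL FROM (the hypothetical stand-in `ses-mailfrom.example` below) the `v=spf1 mx a ~all` record of mydomain.com is never consulted, and it counts the DNS lookups the answer warns about. The last function shows why DMARC still needs DKIM here: the SPF pass is on a domain that does not align with the header From.

```python
import ipaddress

# Constructed DNS data for the example; ses-mailfrom.example is a hypothetical
# stand-in for the SES-owned MAIL FROM domain (its real record is not reproduced).
DNS = {
    "mydomain.com": {"TXT": "v=spf1 mx a ~all", "A": ["203.0.113.10"],
                     "MX": ["mail.mydomain.com"]},
    "mail.mydomain.com": {"A": ["203.0.113.20"]},
    "ses-mailfrom.example": {"TXT": "v=spf1 ip4:198.51.100.0/24 -all"},
}
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def lookup(name, rtype):
    return DNS.get(name, {}).get(rtype, "" if rtype == "TXT" else [])

def domain_of(address):
    return address.split("@", 1)[1].lower()

def check_spf(client_ip, mail_from):
    """Evaluate client_ip against the SPF record of the MAIL FROM (envelope) domain.
    Returns (result, dns_lookups). Simplified: only a, mx, ip4 and all are implemented."""
    domain = domain_of(mail_from)
    record = lookup(domain, "TXT")
    if not record.startswith("v=spf1"):
        return "none", 0
    lookups = 0
    for term in record.split()[1:]:
        qual, mech = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
        matched = False
        if mech == "a":                      # A record of the MAIL FROM domain
            lookups += 1
            matched = client_ip in lookup(domain, "A")
        elif mech == "mx":                   # MX hosts of the MAIL FROM domain
            lookups += 1
            for mx in lookup(domain, "MX"):
                lookups += 1
                matched = matched or client_ip in lookup(mx, "A")
        elif mech.startswith("ip4:"):
            matched = ipaddress.ip_address(client_ip) in ipaddress.ip_network(mech[4:])
        elif mech == "all":
            matched = True
        if lookups > 10:                     # SPF's 10 DNS lookup limit -> permerror
            return "permerror", lookups
        if matched:
            return RESULT[qual], lookups
    return "neutral", lookups

def dmarc_spf_aligned(mail_from, header_from):
    """DMARC only credits an SPF pass when MAIL FROM aligns with the header From domain."""
    return domain_of(mail_from) == domain_of(header_from)
```

Run `check_spf("198.51.100.7", "bounce@ses-mailfrom.example")` to see the SES-side pass with zero lookups against mydomain.com, and `check_spf("198.51.100.7", "user@mydomain.com")` to see the softfail the question expected if the MAIL FROM really were on your domain.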