My company set up a DNS SPF record like: v=spf1 include:amazonses.com -all
and a DMARC record like: v=DMARC1;p=reject;sp=reject;pct=100;rua=mailto:dmarc@domain.com;ruf=mailto:dmarc@domain.com;fo=1
Does this protect against other SES users?
My concern is that if we allow Amazon SES IPs, then every SES user can send email as domain.com?
First, make sure you are authenticating the right domain. Amazon SES does not use organizational level domains in its RFC5321 Mail From address (return-path), which is what the receiver uses to verify SPF. It will only ever use a subdomain delegated via MX or CNAMEs.
The only time you will ever need to add an SPF record that contains Amazon is for that subdomain.
Secondly, in order for an instance of Amazon to send email from a domain, email or domain sending ownership verification needs to be completed. This means even if I set up my own Amazon instance, without access to a mailbox at your domain I could not send on behalf of it.
I strongly recommend configuring DKIM, as it will be necessary if you choose not to configure a custom Mail From address to send from.
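As an added example (not part of the original question or answer), the sketch below evaluates the DMARC record from the question the way a receiver following RFC 7489 would: SPF or DKIM only counts when the authenticated domain aligns with the From header domain. The three messages, the `mail.domain.com` and `example-region.amazonses.com` Mail From domains, and the two-label organizational-domain shortcut are constructed assumptions.

```python
# DMARC identifier alignment (RFC 7489) applied to the record from the question.
# Added illustration; all sample messages and subdomains are constructed.
DMARC_RECORD = ("v=DMARC1;p=reject;sp=reject;pct=100;"
                "rua=mailto:dmarc@domain.com;ruf=mailto:dmarc@domain.com;fo=1")

def parse_dmarc(record):
    """Split a DMARC TXT record into a tag -> value dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def org_domain(domain):
    # Assumption: last two labels. A real receiver uses the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """mode 's' = strict (exact match), 'r' = relaxed (same organizational domain)."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_disposition(msg, record=DMARC_RECORD):
    """Return 'pass', or the record's policy action when nothing aligns."""
    tags = parse_dmarc(record)
    header_from = msg["header_from"]
    # SPF is checked against the RFC5321 Mail From domain, then must align.
    spf_ok = msg["spf"] == "pass" and aligned(
        msg["mail_from"], header_from, tags.get("aspf", "r"))
    # Any passing DKIM signature whose d= domain aligns is sufficient.
    dkim_ok = any(result == "pass" and aligned(d, header_from, tags.get("adkim", "r"))
                  for d, result in msg["dkim"])
    return "pass" if (spf_ok or dkim_ok) else tags.get("p", "none")

# Constructed messages, all with From: ...@domain.com
UNALIGNED_SES_SENDER = {"header_from": "domain.com", "spf": "pass",
                        "mail_from": "example-region.amazonses.com",
                        "dkim": [("amazonses.com", "pass")]}
OWNER_CUSTOM_MAIL_FROM = {"header_from": "domain.com", "spf": "pass",
                          "mail_from": "mail.domain.com", "dkim": []}
OWNER_DKIM_ONLY = {"header_from": "domain.com", "spf": "pass",
                   "mail_from": "example-region.amazonses.com",
                   "dkim": [("domain.com", "pass")]}

if __name__ == "__main__":
    for name in ("UNALIGNED_SES_SENDER", "OWNER_CUSTOM_MAIL_FROM", "OWNER_DKIM_ONLY"):
        print(name, "->", dmarc_disposition(globals()[name]))
```

The first message passes SPF for an amazonses.com Mail From but aligns with nothing under domain.com, so the `p=reject` policy applies; the other two pass through an aligned custom Mail From or an aligned DKIM signature respectively.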