SPF fail but DKIM pass using Amazon SES on Wordpress via Mailster

Welcome to the dmarcian forums!

The purpose of DMARC is to authenticate the domain of the email shown to the recipient. This is the RFC 5322 From address, or the message body from address. There is another ‘from address’ in every email. It is the RFC 5321 From address and is more commonly known as the envelope sender or return-path. It is not normally visible to the recipient of the email.

There are two methods that DMARC can use to authenticate the (RFC 5322) sender domain: SPF and DKIM.

DKIM creates a cryptographic signature based on parts of the email which can be checked against the published DKIM record. If the math checks out, it passes. There is more to it than that, but that should be sufficient explanation for your current situation.

SPF checks the relay IP to see if it is listed in the RFC 5321 sending domain’s SPF records. Assuming that it is included, in order for a successful SPF test to be useful in verifying the RFC 5322 domain, alignment must be present. The short explanation of alignment is that the RFC 5321 and RFC 5322 domains need to match.

e.g.
sender@example.com and sender@example.com OK
sender@example.com and sender@example.net NO

If you have set up a custom mail domain in your Amazon SES account, you should be able to also pass DMARC with SPF.

One important detail about DMARC: you don’t need to pass both SPF and DKIM to pass DMARC. As long as one is valid (which means alignment is required for SPF to pass DMARC), your DMARC is good.

I hope this has helped, and I will do my best to answer any additional questions you have about SPF, DKIM, and DMARC.
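
The alignment rule described in the reply above, as an added example (not part of the original post and not dmarcian's or Amazon's code): it compares the RFC 5321 and RFC 5322 domains of a message and combines the SPF and DKIM verdicts the way DMARC does. The sample messages and addresses are constructed, the function names are hypothetical, and the relaxed-mode comparison goes slightly beyond the exact-match case in the post, using a last-two-labels shortcut where real evaluators use the Public Suffix List.

```python
from email import message_from_string
from email.utils import parseaddr

def org_domain(domain):
    # Simplification (assumption): treat the last two labels as the organizational
    # domain. Real DMARC evaluators use the Public Suffix List (e.g. for .co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, strict=False):
    # Strict: exact match. Relaxed: same organizational domain.
    a, b = auth_domain.lower(), from_domain.lower()
    return a == b if strict else org_domain(a) == org_domain(b)

def domain_of(header_value):
    return parseaddr(header_value or "")[1].rpartition("@")[2]

def dmarc_eval(raw, spf_result, dkim_results, strict=False):
    """spf_result: SPF verdict for the RFC 5321 domain.
    dkim_results: list of (d= domain, verdict), one per signature.
    One 'strict' flag covers both checks here; DMARC sets them separately."""
    msg = message_from_string(raw)
    from_dom = domain_of(msg["From"])          # RFC 5322 From
    env_dom = domain_of(msg["Return-Path"])    # RFC 5321 envelope sender
    spf_ok = spf_result == "pass" and aligned(env_dom, from_dom, strict)
    dkim_ok = any(v == "pass" and aligned(d, from_dom, strict) for d, v in dkim_results)
    return {"spf": spf_ok, "dkim": dkim_ok, "dmarc": "pass" if spf_ok or dkim_ok else "fail"}

# Constructed sample messages (example.com and the bounce addresses are placeholders).
DEFAULT_SES = ("Return-Path: <bounce-0001@us-east-1.amazonses.com>\n"
               "From: Newsletter <news@example.com>\n\nbody\n")
CUSTOM_MAIL_FROM = ("Return-Path: <bounce-0001@mail.example.com>\n"
                    "From: Newsletter <news@example.com>\n\nbody\n")
DKIM = [("example.com", "pass")]

if __name__ == "__main__":
    print(dmarc_eval(DEFAULT_SES, "pass", DKIM))                   # SPF passes but is unaligned
    print(dmarc_eval(CUSTOM_MAIL_FROM, "pass", DKIM))              # both aligned
    print(dmarc_eval(CUSTOM_MAIL_FROM, "pass", [], strict=True))   # subdomain, strict mode
```

In the first case SPF itself passes for the Amazon domain, yet it does not count toward DMARC because the envelope domain differs from the visible From domain; the aligned DKIM signature alone carries the DMARC pass.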