AWS Security ChangesHomeSearch

AWS ses medium security documentation change

Service: ses · 2025-08-16 · Security-related medium

File: ses/latest/dg/receiving-email-action-bounce.md

Summary

Added note about bounce message DKIM signatures and workaround for custom MAIL FROM domains

Security assessment

Addresses email authentication concerns by clarifying bounce messages use amazonses.com DKIM signatures instead of custom domains, which could impact domain reputation and spoofing prevention. Provides security-relevant guidance for proper bounce handling.

Diff

diff --git a/ses/latest/dg/receiving-email-action-bounce.md b/ses/latest/dg/receiving-email-action-bounce.md
index fa440852b..6552b98b9 100644
--- a//ses/latest/dg/receiving-email-action-bounce.md
+++ b//ses/latest/dg/receiving-email-action-bounce.md
@@ -16,0 +17,4 @@ The **Bounce** action rejects the email by returning a bounce response to the se
+###### Note
+
+Bounce messages are not sent through your custom MAIL FROM domain, but are generated internally by SES and signed solely with the `amazonses.com` DKIM signature. As a workaround, use the **Reply Sender** option to set an email address for your bounce messages. Refer to this [AWS re:Post article ](https://repost.aws/questions/QURvN-26L_SJOcY9JoSFgCdg/ses-receiving-return-bounce-response-action-not-sending-bounce) for more information.
+