Amazon SES requires you to publish an SPF record along with an MX record. An MX record must pass an SPF check while using your custom MAIL FROM domain. To define a strict policy that invalidates emails from other sources, Acquia uses a custom MAIL FROM domain in the SPF entry. For more information, see Using a custom MAIL FROM domain. In addition, a custom MAIL FROM domain ensures that your emails comply with Domain-based Message Authentication, Reporting and Conformance (DMARC). DMARC enables a sender’s domain to indicate that the emails sent from the domain are protected by one or more authentication systems.

• The MAIL FROM domain must be a subdomain of the verified identity (email address or domain) that you send an email from. For example, mail.example.com is a valid MAIL FROM domain for the example.com domain. As mail.<domain>.com is a common subdomain used by many organizations, Acquia requires that you use acq-mail.<domain>.com, which has less chances of conflicting with your existing subdomain.
• Generally, a subdomain is used for sending an email to isolate the reputation of your emails to the subdomain level only. This does not impact the reputation of your main domain or other subdomains that you use to send emails. For more information about using subdomain for sending emails, see email subdomains.
• The custom MAIL FROM domain (acq-mail.<domain>.com) is used as an email envelope address while sending an email to the recipient. Your actual from email address, which belongs to the main domain, remains unchanged. At the recipient end, SPF check happens against the envelope address.

The following example shows how SPF check happens when emails are transported with envelope: