Amazon WorkMail MX Records: Complete Setup Guide
Step-by-step guide to setting up Amazon WorkMail MX records, SPF, and Autodiscover. Includes region-specific record values and verification steps.
Amazon WorkMail is Amazon's managed business email service, built on the AWS infrastructure that powers much of the internet. It integrates naturally with other AWS services and is a solid option for businesses already using AWS, particularly those who want to keep their tools within a single cloud ecosystem. If your organization runs on AWS and you want a straightforward managed email service without moving outside that environment, WorkMail is worth a look.
Setting it up requires adding a few DNS records, with the MX record being the most important. This guide walks through the complete setup.
What Amazon WorkMail Offers
WorkMail gives you managed email hosting with support for standard email clients (Outlook, Apple Mail, mobile apps) through Exchange ActiveSync and IMAP protocols. You get 50 GB of mailbox storage per user, calendar and contacts sync, and integration with AWS services like AWS Lambda, Amazon S3, and Amazon SES.
Pricing is per-user per-month, with no per-message fees, which makes it predictable for small teams.
Before You Start
Before configuring DNS, complete the initial WorkMail setup in the AWS Management Console:
- Sign in to the AWS Console at console.aws.amazon.com
- Navigate to WorkMail (search for it in the services search bar)
- Create an organization if you have not already (this is the container for your WorkMail users)
- Choose the AWS region for your organization, as this matters for your MX record values
Note which region you select. The MX record value you need depends directly on your region.
The MX Record Value for Amazon WorkMail
This is the key piece of information for WorkMail setup: the MX record value is region-specific. The format is:
10 inbound-smtp.[region].amazonaws.com
Where [region] is the code of the AWS region that hosts your WorkMail organization. Common values:
US East (N. Virginia): inbound-smtp.us-east-1.amazonaws.com
US West (Oregon): inbound-smtp.us-west-2.amazonaws.com
EU West (Ireland): inbound-smtp.eu-west-1.amazonaws.com
To find your specific value, go to the WorkMail console, select your organization, and look under Domains. Amazon shows you the exact DNS records you need to add for your domain, including the correctly formatted MX record for your region.
Step 1: Add Your Domain to WorkMail
In the WorkMail console:
- Open your organization
- Click Domains in the left sidebar
- Click Add domain
- Enter your domain name and click Add domain
WorkMail will now show you a list of DNS records you need to add. Keep this page open; you will copy values from it directly into your DNS provider.
Step 2: Add the MX Record at Your DNS Provider
Log into wherever you manage DNS for your domain (your registrar, Cloudflare, Route 53, etc.) and add a new MX record:
- Type: MX
- Host / Name: @ (or blank for root domain)
- Value: inbound-smtp.[your-region].amazonaws.com
- Priority: 10
- TTL: 3600
Copy the exact value from the WorkMail console to avoid typos. The region identifier must match exactly.
If your domain previously had MX records pointing to another email provider, remove those before adding the WorkMail record. Competing MX records will split your incoming email unpredictably between providers.
Step 3: Add the SPF Record
SPF (Sender Policy Framework) authorizes Amazon WorkMail's servers to send email on behalf of your domain. Without it, outgoing email from WorkMail may be marked as spam.
Add a TXT record:
- Type: TXT
- Host: @ (root domain)
- Value: v=spf1 include:amazonses.com ~all
If you already have an SPF record for other services (like a CRM or marketing tool), you need to merge this into the existing record rather than adding a second one. A domain can only have one SPF record. The merged version might look like:
v=spf1 include:amazonses.com include:_spf.google.com ~all
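The merge rule above can be scripted so the WorkMail mechanism lands in the existing record instead of a second one. This is an added example, not part of the original guide; the function name `merge_spf` and the sample TXT strings are assumptions made for illustration.

```python
# Added example (not from the guide): merge WorkMail's SPF mechanism into
# whatever SPF record the domain already publishes.
WORKMAIL_INCLUDE = "include:amazonses.com"  # mechanism given in Step 3


def merge_spf(txt_records, mechanism=WORKMAIL_INCLUDE, default_all="~all"):
    """Return the one SPF string the root domain should publish.

    txt_records: every TXT string currently at the root (SPF or not).
    """
    spf = [r.strip() for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) > 1:
        # Two SPF records already exist; merging into either one is wrong.
        raise ValueError("found %d SPF records, expected at most one" % len(spf))
    if not spf:
        return "v=spf1 %s %s" % (mechanism, default_all)

    terms = spf[0].split()[1:]
    if mechanism.lower() in (t.lower() for t in terms):
        return spf[0]  # already authorized, nothing to change

    # "all" always matches, so anything after it is never evaluated:
    # the new mechanism has to go in front of it, keeping its qualifier.
    for i, term in enumerate(terms):
        if term.lower().lstrip("+-~?") == "all":
            terms.insert(i, mechanism)
            break
    else:
        terms.append(mechanism)  # record had no "all" term
    return " ".join(["v=spf1"] + terms)


# Constructed sample: a domain that already sends through Google.
existing = ["site-verification=constructed", "v=spf1 include:_spf.google.com ~all"]
print(merge_spf(existing))
```

The output lists the two include terms in a different order from the merged record shown above; both orders authorize the same senders.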
Step 4: Add the Autodiscover CNAME Record
Autodiscover helps email clients automatically configure themselves when users add their WorkMail account. Without it, users may need to manually enter server settings. With it, they just enter their email address and password and the client figures out the rest.
Add a CNAME record:
- Type: CNAME
- Host: autodiscover
- Value: autoprovision.mail.iamdef.us-east-1.amazonaws.com
Note: the exact Autodiscover endpoint depends on your region. Get this value directly from the WorkMail console under Domains rather than guessing. Amazon provides the correct endpoint for your specific setup.
Step 5: Verify Your DNS Records in WorkMail
After adding records at your DNS provider, return to the WorkMail console and click Check DNS Records (or the equivalent verification option in the Domains section). WorkMail will query your domain and confirm that each required record is in place.
This process can take a few minutes to a few hours depending on DNS propagation. If records are not verifying, wait 30 minutes and try again.
Step 6: Verify With the MX Checker
For an independent confirmation, visit mxrecordchecker.com and enter your domain name. The tool will show you what MX records are currently published. You should see your WorkMail inbound SMTP endpoint listed with priority 10.
This is a good double-check that the record is actually visible from the outside internet, not just within the AWS console. If the MX checker shows your old provider's records, DNS propagation is still in progress.
Step 7: Create Mailboxes and Test
Once DNS is verified in the WorkMail console:
- Go to Users in the WorkMail console
- Create user accounts for your team
- Assign email addresses to each user
- Have users configure their email clients using the WorkMail connection settings
Send a test email to a WorkMail address from an external email account (Gmail, etc.) and confirm it arrives in the WorkMail mailbox.
Integration With Other AWS Services
One of the main reasons businesses choose WorkMail is how it integrates with the rest of AWS:
Amazon SES: WorkMail can use SES for outgoing email, which gives you detailed sending analytics and the ability to share SES sending quotas with other applications.
AWS Lambda: You can create Lambda functions that trigger on inbound email, enabling automated email processing workflows without third-party tools.
Amazon S3: Email content can be stored in S3 buckets for archiving or compliance purposes.
AWS CloudTrail: All WorkMail administrative actions are logged in CloudTrail for security auditing.
Common Setup Issues
Wrong region in the MX record. If you create your WorkMail organization in us-east-1 but accidentally add the MX record for eu-west-1, email will not be delivered. Double-check the region code in your MX record against your actual WorkMail organization region.
Old MX records not removed. If you had a previous email provider, leftover MX records will compete with WorkMail. Remove all old records before or immediately after adding the new ones.
SPF record conflicts. If you add a second SPF TXT record instead of merging it with an existing one, the duplicate record can cause SPF to fail. You should only ever have one SPF TXT record per domain or subdomain.
Domain not verified in WorkMail. You cannot receive email in WorkMail until the domain is verified in the console. Adding DNS records is necessary but not sufficient; WorkMail must also confirm the records are in place.
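The first three issues above can be checked mechanically once you have the published MX and TXT records in hand. This is an added example, not code from the guide or from AWS; the function name, finding codes and sample records are assumptions, and the records are constructed rather than looked up. Domain verification happens in the WorkMail console and is not covered by it.

```python
import re

# Added example; region is taken from the MX host format shown in this guide.
MX_RE = re.compile(r"^inbound-smtp\.([a-z0-9-]+)\.amazonaws\.com\.?$", re.I)


def audit_workmail_dns(org_region, mx_records, txt_records):
    """Check published records against the issues listed above.

    mx_records: [(priority, host)], txt_records: root TXT strings.
    Returns [(code, detail)]; an empty list means nothing was flagged.
    """
    findings, matching = [], 0
    for _prio, host in mx_records:
        m = MX_RE.match(host.strip())
        if m is None:
            findings.append(("LEFTOVER_MX", host))
        elif m.group(1).lower() != org_region.lower():
            findings.append(("WRONG_REGION_MX", host))
        else:
            matching += 1
    if matching == 0:
        findings.append(("NO_WORKMAIL_MX", "inbound-smtp.%s.amazonaws.com" % org_region))

    spf = [t for t in txt_records if t.lower().split()[:1] == ["v=spf1"]]
    if len(spf) > 1:
        findings.append(("MULTIPLE_SPF", "%d records" % len(spf)))
    elif not spf:
        findings.append(("NO_SPF", "no v=spf1 TXT record"))
    elif "include:amazonses.com" not in spf[0].lower().split():
        findings.append(("SPF_MISSING_WORKMAIL", spf[0]))
    return findings


# Constructed records for a half-finished migration (not real lookups).
mx = [(5, "mx.old-provider.example"), (10, "inbound-smtp.eu-west-1.amazonaws.com")]
txt = ["v=spf1 include:_spf.google.com ~all", "v=spf1 include:amazonses.com ~all"]
for code, detail in audit_workmail_dns("us-east-1", mx, txt):
    print(code, detail)
```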