If there was a much larger list of problem destinations I'd maybe do something nicer involving separate routers and a domainlist, but those cover all the cases that are broken right now.
Interestingly, I've not had a problem delivering directly to those (except the time I switched to an IP block with a bad rep and couldn't deliver anything anywhere directly at all); it's just the ones on the list above that don't like me.
Mysterious and ineffable are the ways of Microsoft.
(note that their MX record is usually a *.protection.outlook.com entry regardless of the custom domain, so I'd use that to bootstrap a rule if I had a more general problem with Microsoft)
Yes, you do need to include:amazonses.com in your SPF. Amazon aren't too bad at kicking spammers off SES promptly. More importantly, Amazon doesn't sign for DKIM - your server still does that; so no-one else gets to DKIM for you; and you can set the DMARC policy to require both.
SES currently charges $0.10 per 1000 outbound emails. The first 3000 mails are free. I received my first official bill for $0.02 after around two years of use.
Do investigate other relay services. I only stopped at SES because I was in a mad rush and it was the first one I tried that did everything I needed, without bouncing or getting filed to trash on any services I cared about. I have done nothing like a full survey of the market, and there may well be a better option. It is the general approach I am suggesting, not trying to shill SES specifically despite what it may look like.
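The SPF/DKIM/DMARC arrangement described above (relay authorised via an SPF include, DKIM still signed by your own server, DMARC set to enforce) is easy to get subtly wrong in DNS. The script below is an added example, not code from the thread or from Amazon: it parses an SPF and a DMARC TXT record and reports whether the record set actually expresses that setup. The records, domain and addresses are constructed placeholders so it runs offline; for a real check you would look the TXT records up in DNS instead.

```python
"""Sanity-check the SPF / DMARC side of a "relay via SES, sign DKIM locally" setup.

Added example for this thread. Records below are constructed, not real DNS data;
replace them with live TXT lookups (e.g. via dnspython) for an actual audit.
"""
import re

# Constructed TXT records for a hypothetical domain: own MX plus one fixed
# sender IP, SES authorised via include:, hard fail for everything else.
SPF_RECORD = "v=spf1 mx ip4:203.0.113.10 include:amazonses.com -all"
# Constructed DMARC record: enforcing policy, strict alignment for both
# DKIM (adkim) and SPF (aspf), aggregate reports to a placeholder mailbox.
DMARC_RECORD = "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@example.org"


def parse_spf(record: str) -> dict:
    """Split an SPF record into its mechanisms and the qualifier on 'all'."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    mechanisms, all_qualifier = [], None
    for term in terms[1:]:
        m = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
        if m:
            all_qualifier = m.group(1) or "+"   # bare 'all' means '+all'
        else:
            mechanisms.append(term)
    return {"mechanisms": mechanisms, "all": all_qualifier}


def parse_dmarc(record: str) -> dict:
    """Parse 'tag=value; tag=value' DMARC syntax into a dict with lower-cased tags."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def relay_authorised(spf: dict, relay_include: str = "amazonses.com") -> bool:
    """True if the relay's SPF is pulled in via include:, so relayed mail can pass SPF."""
    wanted = f"include:{relay_include}"
    # A mechanism may carry an explicit '+' qualifier; strip it before comparing.
    return any(m.lstrip("+").lower() == wanted for m in spf["mechanisms"])


def check_setup(spf_txt: str, dmarc_txt: str) -> dict:
    """Evaluate the properties the relay setup depends on; every value should be True."""
    spf = parse_spf(spf_txt)
    dmarc = parse_dmarc(dmarc_txt)
    return {
        "relay_in_spf": relay_authorised(spf),
        "spf_hard_fail": spf["all"] == "-",            # '-all', not '~all' or '?all'
        "dmarc_enforcing": dmarc.get("p") in ("quarantine", "reject"),
        "dkim_strict": dmarc.get("adkim", "r") == "s",  # DMARC default is relaxed
        "spf_strict": dmarc.get("aspf", "r") == "s",
    }


if __name__ == "__main__":
    for name, ok in check_setup(SPF_RECORD, DMARC_RECORD).items():
        print(f"{name:16} {'ok' if ok else 'MISSING'}")
```

The `dkim_strict` and `spf_strict` flags only say that the DMARC record asks for strict identifier alignment; they do not prove your MTA is actually signing outbound mail. Pair this with a look at a delivered message's `Authentication-Results` header to confirm the DKIM signature is yours and not the relay's.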
I didn't assume that. Obviously you can only talk about the one that you are using, and while the general setup applies to other such services, I can now file SES as an option that works. And with that price point I am probably going to be too lazy to look for alternatives. (Although I should check if the email service I am already paying for can do that too without requiring me to send all emails through them.)