Aligned Authentication Method:
SPF - Yes
DKIM - Yes - CNAME
Amazon SES can authenticate using either SPF or DKIM (or both). In the majority of cases, only DKIM is used. The instructions for each of these are here:
Note that before you can send from your domain using Amazon SES, you need to verify your domain by adding a TXT record to your DNS. This must be done in DNS for your domain and can not be done using the Enforce UI.
The instructions are here:
Once you generate the DKIM instructions as in the link above, publish them in Enforce. Amazon SES will detect when the DKIM keys have been published and then begin to use these to sign emails. Note that Amazon SES will only check for up to 72 hours after the DKIM keys have been generated. Since it takes only a few minutes to do this in Enforce, this is rarely an issue.