James,
I too am looking for a good solution to this. After reading what Amazon says, it looks to boil down to this: "If you want to comply with DMARC using SPF, you have to set up Amazon SES to use your own MAIL FROM domain and publish an SPF record." See the AWS SES FAQ for more info.
I'm currently testing my solution:
Content Rule to whitelist if found in the header: (?i)(\w|^)(DKIM-Signature\
[^"]+d=(zerto\.com|myworkboard\.com|adobe\.com|amazon\.com)
Regex101.com verified to match the following examples:
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; s=eaxkvsyelrnxjh4cicqyjjmtjpetuwjx; d=amazon.com
or
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; s=a5rqqfynqptdeegy7zn55uol6nemnabp; d=myworkboard.com;
or
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; s=fdvdxe5ofj4v47yx4t4275clv7bhlfrz; d=zerto.com;
or
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; s=u2eo3bxsv5kuml2bgbuudbwzuawyzw55; d=adobe.com;
Chris O.
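Added example, not part of Chris O.'s post or of any filter product: a Python sketch that parses a DKIM-Signature header as an RFC 6376 tag list and compares the `d=` tag exactly against the four domains named in the rule above. The function names and the constructed sample headers are assumptions made for illustration.

```python
import re

# Domains taken from the content rule in the post above.
ALLOWED = {"zerto.com", "myworkboard.com", "adobe.com", "amazon.com"}

def dkim_tags(header_line):
    """Parse one DKIM-Signature header into a dict of tag -> value.

    Returns None if the line is not a DKIM-Signature header or repeats a tag.
    This only parses the header text; it does not verify the signature.
    """
    name, sep, value = header_line.partition(":")
    if not sep or name.strip().lower() != "dkim-signature":
        return None
    value = re.sub(r"\r?\n[ \t]+", " ", value)  # unfold continuation lines
    tags = {}
    for part in value.split(";"):
        key, eq, val = part.partition("=")
        if not eq:
            continue  # empty piece after a trailing ';'
        key = key.strip()
        if key in tags:
            return None  # duplicate tag: treat the header as malformed
        tags[key] = re.sub(r"\s+", "", val)  # drop whitespace around/in the value
    return tags

def signing_domain_allowed(header_line, allowed=ALLOWED):
    """True only if the parsed d= tag equals an allowed domain exactly."""
    tags = dkim_tags(header_line)
    if not tags or "d" not in tags:
        return False
    return tags["d"].lower() in allowed

# First entry is a sample from the post; the rest are constructed for this example.
SAMPLES = [
    "DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; "
    "s=eaxkvsyelrnxjh4cicqyjjmtjpetuwjx; d=amazon.com",
    "DKIM-Signature: v=1; a=rsa-sha256;\r\n\ts=sel1; d=Zerto.com;",   # folded header
    "DKIM-Signature: v=1; a=rsa-sha256; s=sel1; d=amazon.com.example.net;",
    "X-Note: DKIM-Signature d=adobe.com",                             # different header
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(signing_domain_allowed(line), repr(line[:60]))
```

An exact comparison on the parsed `d=` value accepts the post's four sample headers and rejects a longer domain that merely begins with an allowed name; whether the signature itself validated is a separate result reported by the DKIM verifier.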