My DomainKeys Identified Mail (DKIM) domain fails to verify in Amazon Simple Email Service (Amazon SES). My DNS records for Easy DKIM are created successfully, but my DKIM status is pending or failed after 72 hours.
Resolution
When you set up Easy DKIM for a domain in Amazon SES, you must add the generated CNAME records to your domain's DNS records. Your CNAME records must also be publicly accessible. To verify that each CNAME is publicly accessible and shows the correct record value, run a DNS test. Run this test on each CNAME record that's generated by Amazon SES.
On a Linux operating system, run the dig command. The following is an example dig command:
dig CNAME +short hirjd4exampled5477y22yd23ettobiho._domainkey.example.com
On a Windows operating system, run the nslookup command. The following is an example nslookup command:
nslookup -q=CNAME hirjd4exampled5477y22yd23ettobiho._domainkey.example.com
If the CNAME is configured correctly on your domain's DNS records, then the command output shows the record value followed by .dkim.amazonses.com:
hirjd4exampled5477y22yd23ettobiho.dkim.amazonses.com
If the command output is empty, then verify the following:
- Check the DNS settings for your domain.
- Verify that the NS records for your domain reflect the NS records of the DNS server that serves DNS requests for your domain. Make sure that the CNAME records are added to the correct DNS server. You can query the NS records with dig or nslookup:
  dig NS example.com
  nslookup -type=NS example.com
- Confirm that the CNAME record names and values match the DKIM names and values generated by Amazon SES.
- Confirm that all the CNAME record names are entered correctly on your domain's DNS settings.
- When you check the record names, confirm that the domain isn't duplicated. Some DNS providers automatically append the domain to the record name. For example, if you enter hirjd4exampled5477y22yd23ettobiho._domainkey.example.com, then some DNS providers might append example.com to the record name. This changes the record name to hirjd4exampled5477y22yd23ettobiho._domainkey**.example.com.example.com**, which causes your DKIM verification to fail.
  If you don't see results when you use dig or nslookup against hirjd4exampled5477y22yd23ettobiho._domainkey.example.com, then check against hirjd4exampled5477y22yd23ettobiho._domainkey**.example.com.example.com** where the domain name is provided twice.
  If you get a result when you run a check against hirjd4exampled5477y22yd23ettobiho._domainkey.example.com.example.com, then you must correct the record name with your DNS registrar. Contact your DNS provider for the specific requirements when you enter the record name.
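The checks above can be combined into one script. This is an added example, not part of the original article: it queries the expected record name, compares the target with the token followed by .dkim.amazonses.com, and tries the doubled-domain name only when the first lookup is empty. The function names lookup_cname, first_target and check_dkim_cname are hypothetical.

```sh
#!/bin/sh
# Added example: classify one Easy DKIM CNAME record using the checks above.
# Function names are illustrative, not from AWS.

# Thin wrapper around the dig query shown earlier, so the lookup can be swapped out.
lookup_cname() {
  dig CNAME +short "$1"
}

# first_target NAME: first CNAME target, lowercased, trailing dot removed.
first_target() {
  lookup_cname "$1" | head -n 1 | tr '[:upper:]' '[:lower:]' | sed 's/\.$//'
}

# check_dkim_cname TOKEN DOMAIN
# Prints ok | mismatch: <target> | doubled | missing; returns 0 only for ok.
# The body is a subshell: variables stay local and exit acts as return.
check_dkim_cname() (
  token=$1
  domain=${2%.}                       # accept "example.com" or "example.com."
  name="${token}._domainkey.${domain}"
  expected=$(printf '%s' "${token}.dkim.amazonses.com" | tr '[:upper:]' '[:lower:]')

  # The trailing dot makes the query name absolute.
  target=$(first_target "${name}.")
  if [ "$target" = "$expected" ]; then
    echo "ok"; exit 0
  elif [ -n "$target" ]; then
    echo "mismatch: $target"; exit 1  # record exists but has the wrong value
  fi

  # Empty answer: look for the name with the domain appended a second time.
  target=$(first_target "${name}.${domain}.")
  if [ -n "$target" ]; then
    echo "doubled"; exit 2            # DNS provider appended the domain again
  fi
  echo "missing"; exit 3              # not published on the authoritative server
)

# Run directly as: sh <script> TOKEN DOMAIN
if [ "$#" -eq 2 ]; then check_dkim_cname "$1" "$2"; fi
```

Run it once for each CNAME record that Amazon SES generated, passing the token (the part before ._domainkey) and your domain.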
Troubleshooting
To correct the record name, complete one of the following steps:
- Reenter your record name with a period at the end: hirjd4exampled5477y22yd23ettobiho._domainkey.example.com.
- Or, reenter your record name without the domain name: hirjd4exampled5477y22yd23ettobiho._domainkey
Note: Some DNS registrars don't support underscores (_) in the record name. If your DNS registrar doesn't support underscores, then you must contact your registrar's support for assistance because DKIM records with underscores are required.
After you verify that your CNAME records are correct, you can retry verification through the Amazon SES console. Amazon SES usually detects changes to your DNS configuration within 72 hours of the change.