Why does my DKIM domain fail to verify in Amazon SES?

3 minute read

My DomainKeys Identified Mail (DKIM) domain fails to verify in Amazon Simple Email Service (Amazon SES). My DNS records for Easy DKIM are created successfully, but my DKIM status is pending or failed after 72 hours.


When you set up Easy DKIM for a domain in Amazon SES, you must add the generated CNAME records to your domain's DNS records. Your CNAME records must also be publicly accessible. To verify that each CNAME is publicly accessible and shows the correct record value, run a DNS test. Run this test on each CNAME record that's generated by Amazon SES.

On a Linux operating system, run the dig command. The following is an example dig command:

dig CNAME +short hirjd4exampled5477y22yd23ettobiho._domainkey.example.com

On a Windows operating system, run the nslookup command. The following is an example nslookup command:

nslookup -q=CNAME hirjd4exampled5477y22yd23ettobiho._domainkey.example.com

If the CNAME is configured correctly on your domain's DNS records, then the command output shows the record value followed by .dkim.amazonses.com:


If the command output is empty, then verify the following:

  1. Check the DNS settings for your domain.

  2. Verify the NS records for your domain reflect the NS records of the DNS server that serves DNS requests for your domain. Make sure that the CNAME records are added to the correct DNS server. You can query the NS records with dig or nslookup.

    dig NS example.com
    nslookup -type=NS example.com
  3. Confirm that the CNAME record names and values match the DKIM names and values generated by Amazon SES.

  4. Confirm that all the CNAME record names are entered correctly on your domain's DNS settings.

  5. When you check the record names, make sure that you confirm that the domain isn't duplicated. Some DNS providers automatically append the domain to the record name. For example, if you enter hirjd4exampled5477y22yd23ettobiho._domainkey.example.com, then some DNS providers might append example.com to the record name. This change in the record value changes the record name to hirjd4exampled5477y22yd23ettobiho._domainkey**.example.com.example.com**. This action causes your DKIM verification to fail.

    If you don't see results when you use dig or nslookup against hirjd4exampled5477y22yd23ettobiho._domainkey.example.com, then check against hirjd4exampled5477y22yd23ettobiho._domainkey**.example.com.example.com** where the domain name is provided twice.

    If you get a result when you run a check against hirjd4exampled5477y22yd23ettobiho._domainkey .example.com.example.com, then you must correct the record name with your DNS registrar. Contact your DNS provider for the specific requirements when you enter the record name.


To correct the record name, complete one of the following steps:

  • Reenter your record name with a period at the end: hirjd4exampled5477y22yd23ettobiho._domainkey.example.com.
  • Or, reenter your record name without the domain name: hirjd4exampled5477y22yd23ettobiho._domainkey

Note: Some DNS registrars don't support underscores (_) in the record name. If your DNS registrar doesn't support underscores, then you must contact your registrar's support for assistance because DKIM records with underscores are required.
After you verify that your CNAME records are correct, you can retry verification through the Amazon SES console. Amazon SES usually detects changes to your DNS configuration within 72 hours of the change.

AWS OFFICIALUpdated 9 days ago

when i used the dig command on my mac

I received the following output:


It has the fullstop at the end.

i.e. not 5dfapl5einrhttiwdftjlirxhdkyh5nz.dkim.amazonses.com

The documentation says that there should not be fullstop at the end. Which one is the correct one?

replied a year ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

profile pictureAWS
replied a year ago

Hello Sheen,

This is called a canonical name, which is the fully qualified domain name (for example, www.example.com) that you want Route 53 to return in response to DNS queries for this record. A trailing dot is optional; Route 53 assumes that the domain name is fully qualified. This means that Route 53 treats www.example.com (without a trailing dot) and www.example.com. (with a trailing dot) as identical.

This is mentioned in the official documentation of R53 here: https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resource-record-sets-values-shared.html#:~:text=CNAME%20%E2%80%94%20Canonical%20name,dot)%20as%20identical.

If your DKIM verification is failing, the dot "." is not the cause. Please open a case with Premium Support, and I will be more than happy to look into your issue further.

Thanks! Mo

profile picture
replied a year ago

My DNS host is AWS and I'm trying to verify DKIM through AWS, the records are automatically generated in Route 53 but they are not getting populated. when I run dig command CNAME is blank. what am I doing wrong?

replied 10 months ago