Why is my DKIM domain failing to verify on Amazon SES?


My DomainKeys Identified Mail (DKIM) domain is failing to verify on Amazon Simple Email Service (Amazon SES). My DNS records for Easy DKIM were created successfully, but my DKIM status is pending or failed after 72 hours. How can I fix this?

Resolution

When you set up Easy DKIM for a domain on Amazon SES, your generated CNAME records must be added to your domain's DNS records and be publicly accessible.

To verify that each CNAME is publicly accessible and shows the correct record value, run a DNS test on each of the CNAME records generated by Amazon SES. On a Linux operating system, run the dig command, similar to the following:

dig CNAME +short hirjd4exampled5477y22yd23ettobiho._domainkey.example.com

On a Windows operating system, run the nslookup command, similar to the following:

nslookup -q=CNAME hirjd4exampled5477y22yd23ettobiho._domainkey.example.com

If the CNAME is configured correctly in your domain's DNS records, then the command output returns the record value, which is the DKIM token followed by .dkim.amazonses.com:

hirjd4exampled5477y22yd23ettobiho.dkim.amazonses.com

If the command output is empty, then verify the following:

1. Check the DNS settings for your domain.

2. Confirm that the CNAME record names and values match the DKIM names and values generated by Amazon SES.

3. Confirm that all the CNAME record names are entered correctly in your domain's DNS settings.

4. When you check the record names, be sure to confirm that the domain isn't duplicated. Some DNS providers automatically append the domain to the record name. For example, if you enter hirjd4exampled5477y22yd23ettobiho._domainkey.example.com, some DNS providers might append example.com to the record name, which changes the record name to hirjd4exampled5477y22yd23ettobiho._domainkey.example.com.example.com. This causes your DKIM verification to fail.

If you don't see results when you use dig or nslookup against hirjd4exampled5477y22yd23ettobiho._domainkey.example.com, then run the check against hirjd4exampled5477y22yd23ettobiho._domainkey.example.com.example.com, where the domain name appears twice.

If you get a result when you run a check against hirjd4exampled5477y22yd23ettobiho._domainkey.example.com.example.com, then you must correct the record name with your DNS registrar. Contact your DNS provider for the specific requirements for entering the record name:

  • As one example, you might correct your record name by re-entering it with a period at the end:
    hirjd4exampled5477y22yd23ettobiho._domainkey.example.com.
  • As another example, you might correct your record name by re-entering it without the domain name:
    hirjd4exampled5477y22yd23ettobiho._domainkey
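The following script automates the checks described above for every Easy DKIM token at once. It is an added example written for this article, not AWS or Amazon SES code. It shells out to dig by default, but the resolver is injectable so the logic can be exercised against a constructed sample zone; the tokens and the example.com zone below are placeholders, not real DKIM values. It also tolerates the trailing dot that dig prints on a fully qualified name, and it probes the duplicated-domain name (token._domainkey.example.com.example.com) whenever the expected name returns nothing.

```python
"""Check Easy DKIM CNAME records the way the article describes.

Added example, not AWS code. The tokens and zone data are constructed.
"""
import subprocess
from typing import Callable, Dict, Iterable, Optional

# Every Easy DKIM CNAME must point at <token>.dkim.amazonses.com
AMAZON_DKIM_SUFFIX = ".dkim.amazonses.com"

Resolver = Callable[[str], Optional[str]]


def dig_cname(name: str) -> Optional[str]:
    """Default resolver: `dig CNAME +short <name>`; first answer line or None."""
    result = subprocess.run(
        ["dig", "CNAME", "+short", name],
        capture_output=True, text=True, check=False,
    )
    lines = result.stdout.strip().splitlines()
    return lines[0] if lines else None


def normalize(fqdn: str) -> str:
    """dig prints fully qualified names with a trailing dot; strip it and
    lower-case so 'X.dkim.amazonses.com.' equals 'x.dkim.amazonses.com'."""
    return fqdn.strip().rstrip(".").lower()


def check_dkim_token(token: str, domain: str, lookup: Resolver = dig_cname) -> str:
    """Classify one token's CNAME as ok, wrong-target, domain-duplicated or missing."""
    name = f"{token}._domainkey.{domain}"
    expected = normalize(f"{token}{AMAZON_DKIM_SUFFIX}")
    answer = lookup(name)
    if answer is not None:
        return "ok" if normalize(answer) == expected else "wrong-target"
    # Empty answer: the provider may have appended the zone a second time.
    if lookup(f"{name}.{domain}") is not None:
        return "domain-duplicated"
    return "missing"


def check_all(tokens: Iterable[str], domain: str,
              lookup: Resolver = dig_cname) -> Dict[str, str]:
    """Run check_dkim_token for each Easy DKIM token and return a status map."""
    return {token: check_dkim_token(token, domain, lookup) for token in tokens}


# Constructed sample zone standing in for a DNS provider (not real records).
SAMPLE_ZONE = {
    # correct record; dig-style trailing dot on the target
    "tokenaaaa._domainkey.example.com": "tokenaaaa.dkim.amazonses.com.",
    # provider appended the zone to a name that already contained it
    "tokenbbbb._domainkey.example.com.example.com": "tokenbbbb.dkim.amazonses.com",
    # record exists but points at the wrong target
    "tokencccc._domainkey.example.com": "tokencccc.dkim.example.net",
    # tokendddd has no record at all
}


def sample_lookup(name: str) -> Optional[str]:
    """Resolver over the constructed zone, used instead of dig for offline runs."""
    return SAMPLE_ZONE.get(name)


if __name__ == "__main__":
    tokens = ["tokenaaaa", "tokenbbbb", "tokencccc", "tokendddd"]
    for token, status in check_all(tokens, "example.com", sample_lookup).items():
        print(f"{token}: {status}")
```

Run it against a live zone by passing your three Easy DKIM tokens and domain to check_all with the default dig_cname resolver; a status of domain-duplicated is the case described in step 4, and wrong-target means the record name resolves but its value does not match what Amazon SES generated.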

Note: Some DNS registrars don't support underscores (_) in the record name. If your DNS registrar doesn't support underscores, you must contact your registrar's support for assistance, because DKIM records with underscores are required.

After you verify that your CNAME records are correct, you can retry verification using the Amazon SES console.

Note: Amazon SES usually detects changes to your DNS configuration within 72 hours of the change.

AWS OFFICIAL
Updated 2 years ago

4 Comments

When I used the dig command on my Mac,

I received the following output:

5dfapl5einrhttiwdftjlirxhdkyh5nz.dkim.amazonses.com.

It has the full stop at the end.

i.e. not 5dfapl5einrhttiwdftjlirxhdkyh5nz.dkim.amazonses.com

The documentation says that there should not be a full stop at the end. Which one is the correct one?

Sheen
replied 9 months ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS
MODERATOR
replied 9 months ago

Hello Sheen,

This is called a canonical name, which is the fully qualified domain name (for example, www.example.com) that you want Route 53 to return in response to DNS queries for this record. A trailing dot is optional; Route 53 assumes that the domain name is fully qualified. This means that Route 53 treats www.example.com (without a trailing dot) and www.example.com. (with a trailing dot) as identical.

This is mentioned in the official documentation of R53 here: https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resource-record-sets-values-shared.html#:~:text=CNAME%20%E2%80%94%20Canonical%20name,dot)%20as%20identical.

If your DKIM verification is failing, the dot "." is not the cause. Please open a case with Premium Support, and I will be more than happy to look into your issue further.

Thanks! Mo

Mo
replied 8 months ago

My DNS host is AWS and I'm trying to verify DKIM through AWS. The records are automatically generated in Route 53, but they are not getting populated. When I run the dig command, the CNAME is blank. What am I doing wrong?

AS
replied 6 months ago