Help improve AWS Support Official channel in re:Post and share your experience - complete a quick three-question survey to earn a re:Post badge!
Why is my domain stuck in the "Verification pending" or "Unverified" status in Amazon SES?
I added Canonical Name Records (CNAME) to my domain's DNS server. The CNAME matches the specified name and value of the domain that I want to verify on Amazon Simple Email Service (Amazon SES). However, the Amazon SES verification is still in the "Verification pending" or "Unverified" status.
Short description
Amazon SES domain verification might be stuck in the "Verification pending" or "Unverified" status for one or more of the following reasons:
- The CNAME records contain additional characters or are missing characters.
- Your DNS provider automatically adds the apex domain to the end of DNS records.
- You didn't add the CNAME records to the delegated name servers.
Resolution
The CNAME record contains additional characters or is missing characters
To review your CNAME record for additional or missing characters, complete the following steps:
- Use a DNS tool to search your CNAME records.
Note: Amazon SES generates three CNAME records for Easy DKIM authentication. Repeat the following procedures for each record.
Windows
Run the nslookup command:
Note: Replace 4hzwn5lmznmmjyl2pqf2agr3uzzzzxyz_domainkey.example.com with your CNAME record name in Amazon SES.C:\>nslookup -type=CNAME 4hzwn5lmznmmjyl2pqf2agr3uzzzzxyz_domainkey.example.com
macOS or Linux
Run the dig command:
Note: Replace 4hzwn5lmznmmjyl2pqf2agr3uzzzzxyz_domainkey.example.com with your CNAME record name in Amazon SES.$ dig CNAME 4hzwn5lmznmmjyl2pqf2agr3uzzzzxyz_domainkey.example.com +short - Review the output of the dig or nslookup command for the string that follows the canonical name. The string must match the CNAME value that's listed as the domain in the Identities list on the Amazon SES console.
The following example output shows additional characters (spaces):dig CNAME 4hzwn5lmznmmjyl2pqf2agr3ueo2kf3d._domainkey.example.com +short" 4hzwn5lmcnmmoylkpqf2agr3uwo2kxyz.dkim.amazonses.com."
When you create your CNAME record, it's a best practice to copy the values directly from the Amazon SES console. Don't exclude any characters (for example, "="), and don't include any additional characters such as spaces.
The DNS provider automatically adds the apex domain to the end of DNS records
Some DNS providers automatically append the apex domain to the end of a DNS record. For example, if you enter 4hzwn5lmznmmjyl2pqf2agr3uzzzzxyz_domainkey.example.com, then your DNS provider might append .example.com to the record name. This changes the record name to 4hzwn5lmznmmjyl2pqf2agr3uzzzzxyz_domainkey.example.com.example.com.
Note: Amazon SES generates three CNAME records for Easy DKIM authentication. Repeat the following procedures for each record.
Use a DNS tool to search your CNAME records with the apex domain duplicated.
Windows
Run the nslookup command:
C:\>nslookup -type=CNAME 4hzwn5lmznmmjyl2pqf2agr3uzzzzxyz_domainkey.example.com.example.com
Note: Replace 4hzwn5lmznmmjyl2pqf2agr3uzzzzxyz_domainkey.example.com.example.com with your CNAME record name in Amazon SES.
macOS or Linux
Run the dig command:
Note: Replace 4hzwn5lmznmmjyl2pqf2agr3uzzzzxyz_domainkey.example.com.example.com with your CNAME record name in Amazon SES.
dig CNAME 4hzwn5lmznmmjyl2pqf2agr3uzzzzxyz_domainkey.example.com.example.com
If the output returns your CNAME record value, then the DNS provider added the apex domain to the end of your DNS records name field. To resolve this, add a period to the end of the CNAME record name.
For example, 4hzwn5lmznmmjyl2pqf2agr3uzzzzxyz_domainkey.example.com.
The DNS provider can't append the domain name to the record name with the period added to the end of the CNAME record name.
You didn't add the CNAME records to the delegated name servers
To add the CNAME records to the delegated name servers, complete the following steps:
- Use a DNS tool to find the delegated name servers of the domain that you want to verify.
Windows
Run the nslookup command:
Note: Replace example.com with the domain that you want to verify.C:\>nslookup -type=NS example.com Non-authoritative answer: example.com nameserver = ns3.example.com example.com nameserver = ns4.example.com example.com nameserver = ns1.example.com example.com nameserver = ns2.example.com
macOS or Linux
Run the dig command:
Note: Replace example.com with the domain that you want to verify.$ dig -t NS example.com ;; ANSWER SECTION: example.com. 172800 IN NS ns1.example.com. example.com. 172800 IN NS ns2.example.com. example.com. 172800 IN NS ns3.example.com. example.com. 172800 IN NS ns4.example.com. - Get the name servers for your CNAME records from the DNS service where you created your CNAME records. For example, you create your CNAME records in Amazon Route 53. In the Route 53 console, the name servers appear in the Value column.
- If the name servers don't match, then add the CNAME record in the delegated name servers. Or, configure the name servers that have the CNAME records as the new delegated name servers in your DNS registrar.
Retry the domain verification on Amazon SES
Verification status is "Verification pending"
To retry domain verification when the verification status is "Verification pending," complete the following steps:
- Open the Amazon SES console.
- Choose the AWS Region that your domain is in.
- In the navigation pane, choose Identities.
- Select the domain that's stuck in Verification pending.
- Choose Delete, and then confirm the deletion.
- Choose Create identity. Then, re-enter the domain name that was stuck in Verification pending. Make sure to choose the same settings.
- Choose Create identity.
- Wait for the domain's Verification status to change to Verified.
Verification status is "Unverified"
To retry domain verification when the verification status is "Unverified," complete the following steps:
- Open the Amazon SES console.
- Choose the AWS Region that your domain is in.
- In the navigation pane, choose Identities.
- Select the domain that's stuck in Unverified.
- Under Authentication, for the DomainKeys Identified Mail (DKIM) setting, choose Retry.
- Wait for the domain's Identity Status to change to Verified.
Related information
For the issue with: Check if your DNS provider automatically adds the apex domain to the end of DNS records.
Specifically on GoDaddy, the CNAME record only shows the domain name once.
So you do not see this:
CNAME 4hzwn5lmznmmjyl2pqf2agr3uzzzzxyz_domainkey.example.com.example.com
Rather you see this, which I though was ok based on the instructions above:
CNAME 4hzwn5lmznmmjyl2pqf2agr3uzzzzxyz_domainkey.example.com
But for the verification to work you need to see this (no domain at all):
CNAME 4hzwn5lmznmmjyl2pqf2agr3uzzzzxyz_domainkey
I managed to come across this when I changed the TTL. If you change the TTL it prompts you with two options: to not add the domain name or to add the domain name. You have to select the first option.
Thank you for your comment. We'll review and update the Knowledge Center article as needed.
I am still waiting for my domain to verify, but I noticed that the CNAME record adds a period mark after the value, so instead of "dkim.amazonses.com" it reads "dkim.amazonses.com." Will this make a difference to the result, or should I contact support to report it as an issue? **EDIT: The period mark was not a problem. I am with Siteground, but since my domain was hosted with Cloudflare, I needed to insert entries into the DNS there, rather than the Siteground hosting, in order to make the connection work.
Relevant content
- asked 3 months ago
- AWS OFFICIALUpdated 10 months ago
