I added Canonical Name Records (CNAME) to my domain's DNS server that matches the specified name and value of the domain that I want to verify on Amazon Simple Email Service (Amazon SES). However, the Amazon SES verification status is still in "verification pending," or is in the "unverified" verification status. How can I fix this?
Short description
Amazon SES domain verification might be stuck in "verification pending" or in the "unverified" verification status for one or more of the following reasons:
- The CNAME records contain additional characters or has missing characters.
- Your DNS provider automatically adds the apex domain to the end of DNS records.
- The CNAME records haven't been added to the delegated name servers.
After you confirm that your records don't have any of these issues, then retry the domain verification on Amazon SES.
Resolution
Check if the CNAME record contains additional characters or is missing characters
Test your CNAME records using a DNS tool such as dig or nslookup. Amazon SES generates three CNAME records for Easy DKIM authentication, so you must repeat the following procedures for each record.
On macOS or a Linux operating system, run the dig command:
Note: Replace _domainkey.example.com with your CNAME record name in Amazon SES.
C:\>nslookup -type=CNAME 4hzwn5lmznmmjyl2pqf2agr3uzzzzxyz_domainkey.example.com
On the Windows operating system, run the nslookup command:
Note: Replace _domainkey.example.com with your CNAME record name in Amazon SES.
$ dig CNAME 4hzwn5lmznmmjyl2pqf2agr3uzzzzxyz_domainkey.example.com +short
Review the output of the dig or nslookup command. In the output, verify that the string following canonical name= matches the CNAME value listed as the domain in the Identities list on the Amazon SES console.
For example, the following output shows additional characters (spaces):
dig CNAME 4hzwn5lmznmmjyl2pqf2agr3ueo2kf3d._domainkey.example.com +short
" 4hzwn5lmcnmmoylkpqf2agr3uwo2kxyz.dkim.amazonses.com. "
As another example, the following output shows a CNAME record that's missing the "=" character:
C:\>nslookup -type=CNAME _amazonses.example.com
Server: dns.example.com
Address: 192.168.1.1
Non-authoritative answer:
_amazonses.example.com text = "9kFNbWDLzxvzYgPg1lUSTkUudKR1dDtzzCPuWmYhZro"
When you create your CNAME record, it's a best practice to copy the values directly from the Amazon SES console. Be sure to include the exact values provided. Don't exclude any necessary characters (for example, "="), and don't include any additional characters, such as spaces.
Check if your DNS provider automatically adds the apex domain to the end of DNS records
Some DNS providers automatically append the apex domain to the end of a DNS record. For example, if you enter _amazonses.example.com, then some DNS providers might append .example.com to the record name. This changes the record name to _amazonses.example.com.example.com. Amazon SES generates three CNAME records for Easy DKIM authentication, so you must repeat the following procedures for each record.
To check if the apex domain is duplicated in the DNS record, run a DNS tool such as dig or nslookup on your CNAME records with the apex domain duplicated. On macOS or a Linux operating system, run the dig command:
Note: Replace _domainkey.example.com with your CNAME record name in Amazon SES.
dig CNAME 4hzwn5lmznmmjyl2pqf2agr3uzzzzxyz_domainkey.example.com.example.com
On the Windows operating system, run the
nslookup command:
Note: Replace _domainkey.example.com with your CNAME record name in Amazon SES.
C:\>nslookup -type=CNAME 4hzwn5lmznmmjyl2pqf2agr3uzzzzxyz_domainkey.example.com.example.com
If the command returns the value of the CNAME record that you created, then your DNS provider added the apex domain to the end of the name field of your DNS records. To resolve this, edit the CNAME record and remove the apex domain from the text that you entered for the name field. For example, replace _amazonses.example.com with only _amazonses.
Check if the CNAME record hasn't been added to the delegated name servers
Use a DNS tool such as dig or nslookup to get the delegated name servers of the domain that you're trying to verify on Amazon SES. On macOS or a Linux operating system, run the dig command:
Note: Replace example.com with the domain that you're trying to verify on Amazon SES.
$ dig -t NS example.com
;; ANSWER SECTION:
example.com. 172800 IN NS ns1.example.com.
example.com. 172800 IN NS ns2.example.com.
example.com. 172800 IN NS ns3.example.com.
On the Windows operating system, run the
nslookup command:
Note: Replace example.com with the domain that you're trying to verify on Amazon SES.
C:\>nslookup -type=NS example.com
Non-authoritative answer:
example.com nameserver = ns3.example.com
example.com nameserver = ns4.example.com
example.com nameserver = ns1.example.com
example.com nameserver = ns2.example.com
Then, go to the DNS service where you created your CNAME records to get the name servers. For example, if you created your CNAME records in Amazon Route 53, then open the Route 53 console. When you view your CNAME records in the Route 53 console, the name servers appear in the Value column.
If the delegated name servers of the domain that you want to verify don't match the name servers that have the CNAME record, then do one of the following:
- Add the CNAME record in the delegated name servers.
- Configure the name servers that have the CNAME records as the new delegated name servers in your DNS registrar.
Retry the domain verification on Amazon SES
After you correct any issues on your records, retry the domain verification on Amazon SES.
Follow these steps to retry domain verification when the status is "verification pending":
- Open the Amazon SES console.
- From the AWS Region selector in the navigation bar, select the Region that your domain is in.
- In the left navigation pane, choose Verified identities. Then, select the domain that's stuck in "verification pending."
- Choose Delete, and confirm the delete.
- Choose Create identity. Then, re-enter the domain that's stuck in "verification pending," making sure to choose the same settings as you did originally.
- Choose Create identity.
- Wait for the domain's Verification Status to change to "verified."
Follow these steps to retry domain verification when the status is "unverified":
- Open the Amazon SES console.
- From the AWS Region selector in the navigation bar, select the Region that your domain is in.
- In the left navigation pane, choose Verified identities. Then, select the domain that's stuck in "verification pending."
- Choose retry.
- Wait for the domain's Verification Status to change to "verified."