What can I do if my domain is stuck in the "verification pending" status or in the "unverified" verification status in Amazon SES?

I added Canonical Name Records (CNAME) to my domain's DNS server. The CNAME matches the specified name and value of the domain that I want to verify on Amazon Simple Email Service (Amazon SES). However, the Amazon SES verification is still in the "verification pending," or "unverified" status.

Short description

Amazon SES domain verification might be stuck in "verification pending" or in the "unverified" status for one or more of the following reasons:

  • The CNAME records contain additional characters or are missing characters.
  • Your DNS provider automatically adds the apex domain to the end of DNS records.
  • You didn't add the CNAME records to the delegated name servers.

Resolution

The CNAME record contains additional characters or is missing characters

To review your CNAME record for additional or missing characters, complete the following steps:

  1. Use a DNS tool to search your CNAME records.
    Note: Amazon SES generates three CNAME records for Easy DKIM authentication. Repeat the following procedures for each record.
    Windows
    Run the nslookup command:
    C:\>nslookup -type=CNAME 4hzwn5lmznmmjyl2pqf2agr3uzzzzxyz_domainkey.example.com
    Note: Replace 4hzwn5lmznmmjyl2pqf2agr3uzzzzxyz_domainkey.example.com with your CNAME record name in Amazon SES.
    macOS or Linux
    Run the dig command:
    $ dig CNAME 4hzwn5lmznmmjyl2pqf2agr3uzzzzxyz_domainkey.example.com +short
    Note: Replace 4hzwn5lmznmmjyl2pqf2agr3uzzzzxyz_domainkey.example.com with your CNAME record name in Amazon SES.
  2. Review the output of the dig or nslookup command for the string that follows the canonical name. The string must match the CNAME value that's listed as the domain in the Identities list on the Amazon SES console.
    The following example output shows additional characters (spaces):
    dig CNAME 4hzwn5lmznmmjyl2pqf2agr3ueo2kf3d._domainkey.example.com +short
    " 4hzwn5lmcnmmoylkpqf2agr3uwo2kxyz.dkim.amazonses.com."

When you create your CNAME record, it's a best practice to copy the values directly from the Amazon SES console. Don't exclude any characters (for example, "="), and don't include any additional characters, such as spaces.

The DNS provider automatically adds the apex domain to the end of DNS records

Some DNS providers automatically append the apex domain to the end of a DNS record. For example, if you enter 4hzwn5lmznmmjyl2pqf2agr3uzzzzxyz_domainkey.example.com, then some DNS providers might append .example.com to the record name. This changes the record name to 4hzwn5lmznmmjyl2pqf2agr3uzzzzxyz_domainkey.example.com.example.com.

Note: Amazon SES generates three CNAME records for Easy DKIM authentication. Repeat the following procedures for each record.

Use a DNS tool to search your CNAME records with the apex domain duplicated.

Windows

Run the nslookup command:

C:\>nslookup -type=CNAME 4hzwn5lmznmmjyl2pqf2agr3uzzzzxyz_domainkey.example.com.example.com

Note: Replace 4hzwn5lmznmmjyl2pqf2agr3uzzzzxyz_domainkey.example.com.example.com with your CNAME record name in Amazon SES.

macOS or Linux

Run the dig command:

$ dig CNAME 4hzwn5lmznmmjyl2pqf2agr3uzzzzxyz_domainkey.example.com.example.com

Note: Replace 4hzwn5lmznmmjyl2pqf2agr3uzzzzxyz_domainkey.example.com.example.com with your CNAME record name in Amazon SES.

If the output returns your CNAME record value, then the DNS provider added the apex domain to the end of the name field of your DNS record. To resolve this, add a period to the end of the CNAME record name.

For example: 4hzwn5lmznmmjyl2pqf2agr3uzzzzxyz_domainkey.example.com.

This keeps the DNS provider from appending the domain name to the record name.
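
The two checks above (extra characters in the value, and an apex domain appended to the record name) can be combined into one classification per record. The following script is an added example, not part of the original article or an AWS tool; the function names, the tok1 to tok5 tokens, and the sample answers are constructed placeholders, and lookup_dig assumes dig is installed.

```bash
# Added example: classify one Easy DKIM CNAME lookup into the failure modes above.
# Tokens, record names and answers are constructed placeholders, not real SES values.

# Live resolver: prints the CNAME target for a name, or nothing if none exists.
lookup_dig() { dig +short CNAME "$1"; }

# Offline resolver over constructed answers, so the script runs without DNS.
lookup_sample() {
  case "$1" in
    tok1._domainkey.example.com) echo 'tok1.dkim.amazonses.com.' ;;
    tok2._domainkey.example.com) echo '" tok2.dkim.amazonses.com."' ;;
    tok3._domainkey.example.com.example.com) echo 'tok3.dkim.amazonses.com.' ;;
    tok4._domainkey.example.com) echo 'other.example.net.' ;;
  esac
}

LOOKUP=${LOOKUP:-lookup_sample}   # set LOOKUP=lookup_dig to query real DNS

# Lowercase and drop the trailing root dot; nothing else is forgiven.
canon() { printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//'; }

# Additionally strip quotes and whitespace that a DNS console may have stored.
scrub() { canon "$(printf '%s' "$1" | tr -d '"[:space:]')"; }

# diagnose NAME EXPECTED_VALUE APEX
# prints: ok | extra-characters | value-mismatch | apex-appended | not-found
diagnose() {
  local name="$1" want got
  want=$(canon "$2")
  got=$("$LOOKUP" "$name" | head -n 1)
  if [ -z "$got" ]; then
    # No record under the intended name: look for the doubled-apex variant.
    got=$("$LOOKUP" "$name.$3" | head -n 1)
    if [ -n "$got" ]; then echo apex-appended; else echo not-found; fi
  elif [ "$(canon "$got")" = "$want" ]; then
    echo ok
  elif [ "$(scrub "$got")" = "$want" ]; then
    echo extra-characters
  else
    echo value-mismatch
  fi
}

for t in tok1 tok2 tok3 tok4 tok5; do
  printf '%s: %s\n' "$t" "$(diagnose "$t._domainkey.example.com" "$t.dkim.amazonses.com" example.com)"
done
```

A result of not-found means neither the intended name nor the doubled-apex name resolves, which points to the delegated name server check in the next section.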

You didn't add the CNAME records to the delegated name servers

To add the CNAME records to the delegated name servers, complete the following steps:

  1. Use a DNS tool to find the delegated name servers of the domain that you want to verify.
    Windows
    Run the nslookup command:
    C:\>nslookup -type=NS example.com
    Non-authoritative answer:
    example.com     nameserver = ns3.example.com
    example.com     nameserver = ns4.example.com
    example.com     nameserver = ns1.example.com
    example.com     nameserver = ns2.example.com
    Note: Replace example.com with the domain that you want to verify.
    macOS or Linux
    Run the dig command:
    $ dig -t NS example.com
    ;; ANSWER SECTION:
    example.com.   172800  IN    NS    ns1.example.com.
    example.com.   172800  IN    NS    ns2.example.com.
    example.com.   172800  IN    NS    ns3.example.com.
    example.com.   172800  IN    NS    ns4.example.com.
    Note: Replace example.com with the domain that you want to verify.
  2. Get the name servers for your CNAME records from the DNS service where you created your CNAME records. For example, suppose you created your CNAME records in Amazon Route 53. In the Route 53 console, the name servers appear in the Value column.
  3. If the name servers don't match, then add the CNAME record in the delegated name servers. Or, configure the name servers that have the CNAME records as the new delegated name servers in your DNS registrar.

Retry the domain verification on Amazon SES

Verification status is "Verification pending"

To retry the domain verification when the verification status is "Verification pending," complete the following steps:

  1. Open the Amazon SES console.
  2. Choose the AWS Region that your domain is in.
  3. In the navigation pane, choose Verified identities. Then, select the domain that's stuck in Verification pending.
  4. Choose Delete, and confirm the delete.
  5. Choose Create identity. Then, re-enter the domain name that was stuck in Verification pending. Make sure to choose the same settings.
  6. Choose Create identity.
  7. Wait for the domain's Verification Status to change to Verified.

Verification status is "Unverified"

To retry the domain verification when the verification status is "Unverified," complete the following steps:

  1. Open the Amazon SES console.
  2. Choose the AWS Region that your domain is in.
  3. In the navigation pane, choose Verified identities. Then, select the domain that's stuck in Unverified.
  4. Under Authentication, for the DomainKeys Identified Mail (DKIM) setting, choose Retry.
  5. Wait for the domain's Identity Status to change to Verified.

Related information

Verifying a DKIM domain identity with your DNS provider

Common domain verification problems

3 Comments

For the issue with: Check if your DNS provider automatically adds the apex domain to the end of DNS records.

Specifically on GoDaddy, the CNAME record only shows the domain name once.

So you do not see this:

CNAME 4hzwn5lmznmmjyl2pqf2agr3uzzzzxyz_domainkey.example.com.example.com

Rather you see this, which I thought was ok based on the instructions above:

CNAME 4hzwn5lmznmmjyl2pqf2agr3uzzzzxyz_domainkey.example.com

But for the verification to work you need to see this (no domain at all):

CNAME 4hzwn5lmznmmjyl2pqf2agr3uzzzzxyz_domainkey

I managed to come across this when I changed the TTL. If you change the TTL it prompts you with two options: to not add the domain name or to add the domain name. You have to select the first option.

replied a year ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS
MODERATOR
replied a year ago

I am still waiting for my domain to verify, but I noticed that the CNAME record adds a period mark after the value, so instead of "dkim.amazonses.com" it reads "dkim.amazonses.com." Will this make a difference to the result, or should I contact support to report it as an issue?

EDIT: The period mark was not a problem. I am with Siteground, but since my domain was hosted with Cloudflare, I needed to insert entries into the DNS there, rather than the Siteground hosting, in order to make the connection work.

Frscoob
replied 10 months ago