I added Canonical Name Records (CNAME) to my domain's DNS server. The CNAME matches the specified name and value of the domain that I want to verify on Amazon Simple Email Service (Amazon SES). However, the Amazon SES verification is still in the "verification pending," or "unverified" status.
Short description
Amazon SES domain verification might be stuck in "verification pending" or in the "unverified" status for one or more of the following reasons:
- The CNAME records contain additional characters or are missing characters.
- Your DNS provider automatically adds the apex domain to the end of DNS records.
- You didn't add the CNAME records to the delegated name servers.
Resolution
The CNAME record contains additional characters or is missing characters
To review your CNAME record for additional or missing characters, complete the following steps:
- Use a DNS tool to search your CNAME records.
Note: Amazon SES generates three CNAME records for Easy DKIM authentication. Repeat the following procedures for each record.
Windows
Run the nslookup command:
C:\>nslookup -type=CNAME 4hzwn5lmznmmjyl2pqf2agr3uzzzzxyz._domainkey.example.com
Note: Replace 4hzwn5lmznmmjyl2pqf2agr3uzzzzxyz._domainkey.example.com with your CNAME record name in Amazon SES.
macOS or Linux
Run the dig command:
$ dig CNAME 4hzwn5lmznmmjyl2pqf2agr3uzzzzxyz._domainkey.example.com +short
Note: Replace 4hzwn5lmznmmjyl2pqf2agr3uzzzzxyz._domainkey.example.com with your CNAME record name in Amazon SES.
- Review the output of the dig or nslookup command for the string that follows the canonical name. The string must match the CNAME value that's listed as the domain in the Identities list on the Amazon SES console.
The following example output shows additional characters (spaces):
dig CNAME 4hzwn5lmznmmjyl2pqf2agr3ueo2kf3d._domainkey.example.com +short
" 4hzwn5lmcnmmoylkpqf2agr3uwo2kxyz.dkim.amazonses.com."
When you create your CNAME record, it's a best practice to copy the values directly from the Amazon SES console. Don't exclude any characters (for example, "="), and don't include any additional characters, such as spaces.
The DNS provider automatically adds the apex domain to the end of DNS records
Some DNS providers automatically append the apex domain to the end of a DNS record. For example, if you enter 4hzwn5lmznmmjyl2pqf2agr3uzzzzxyz._domainkey.example.com, then some DNS providers might append .example.com to the record name. This changes the record name to 4hzwn5lmznmmjyl2pqf2agr3uzzzzxyz._domainkey.example.com.example.com.
Note: Amazon SES generates three CNAME records for Easy DKIM authentication. Repeat the following procedures for each record.
Use a DNS tool to search your CNAME records with the apex domain duplicated.
Windows
Run the nslookup command:
C:\>nslookup -type=CNAME 4hzwn5lmznmmjyl2pqf2agr3uzzzzxyz._domainkey.example.com.example.com
Note: Replace 4hzwn5lmznmmjyl2pqf2agr3uzzzzxyz._domainkey.example.com.example.com with your CNAME record name in Amazon SES.
macOS or Linux
Run the dig command:
$ dig CNAME 4hzwn5lmznmmjyl2pqf2agr3uzzzzxyz._domainkey.example.com.example.com
Note: Replace 4hzwn5lmznmmjyl2pqf2agr3uzzzzxyz._domainkey.example.com.example.com with your CNAME record name in Amazon SES.
If the output returns your CNAME record value, then the DNS provider added the apex domain to the end of your DNS record's name field. To resolve this, add a period to the end of the CNAME record name.
For example: 4hzwn5lmznmmjyl2pqf2agr3uzzzzxyz._domainkey.example.com.
This keeps the DNS provider from appending the domain name to the record name.
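The two lookups described so far (the record name as entered, and the name with the apex domain duplicated) can be classified with a short script. This is an added example, not part of the original article or any AWS tooling; the function names are hypothetical, and the sample answers are constructed from the article's placeholder values.

```shell
#!/usr/bin/env bash
# Added example: lookup output is passed in as arguments so the checks run offline.
# Live use (needs dig and network access), with $name the record name from SES:
#   diagnose "$expected" "$(dig CNAME "$name" +short)" \
#            "$(dig CNAME "$(dup_name "$name" example.com)" +short)"

# Strip quotes and surrounding whitespace, drop the trailing dot, lowercase.
normalize() {
  printf '%s' "$1" | tr -d '"' |
    sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e 's/\.$//' |
    tr '[:upper:]' '[:lower:]'
}

# classify_cname EXPECTED ACTUAL -> match | not_found | extra_characters | mismatch
classify_cname() {
  local expected actual
  expected=$(normalize "$1")
  [ -n "$2" ] || { echo not_found; return; }
  # A clean answer differs from the console value only by case and the trailing dot.
  actual=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
  if [ "${actual%.}" = "$expected" ]; then echo match
  elif [ "$(normalize "$2")" = "$expected" ]; then echo extra_characters
  else echo mismatch
  fi
}

# dup_name NAME APEX -> the name that results when a provider appends the apex again.
dup_name() { printf '%s.%s\n' "${1%.}" "${2%.}"; }

# diagnose EXPECTED ANSWER_AT_NAME ANSWER_AT_DUP_NAME
diagnose() {
  local at_name
  at_name=$(classify_cname "$1" "$2")
  if [ "$at_name" != not_found ]; then echo "$at_name"
  elif [ "$(classify_cname "$1" "$3")" = match ]; then echo apex_appended
  else echo not_found
  fi
}

# Constructed sample answers in the style of the article's placeholders.
EXPECTED='4hzwn5lmcnmmoylkpqf2agr3uwo2kxyz.dkim.amazonses.com'
diagnose "$EXPECTED" '" 4hzwn5lmcnmmoylkpqf2agr3uwo2kxyz.dkim.amazonses.com."' ''
diagnose "$EXPECTED" '' '4hzwn5lmcnmmoylkpqf2agr3uwo2kxyz.dkim.amazonses.com.'
```

A result of `apex_appended` corresponds to the trailing-period fix above; `extra_characters` or `mismatch` means the record value must be re-copied from the Amazon SES console.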
You didn't add the CNAME records to the delegated name servers
To add the CNAME records to the delegated name servers, complete the following steps:
- Use a DNS tool to find the delegated name servers of the domain that you want to verify.
Windows
Run the nslookup command:
C:\>nslookup -type=NS example.com
Non-authoritative answer:
example.com nameserver = ns3.example.com
example.com nameserver = ns4.example.com
example.com nameserver = ns1.example.com
example.com nameserver = ns2.example.com
Note: Replace example.com with the domain that you want to verify.
macOS or Linux
Run the dig command:
$ dig -t NS example.com
;; ANSWER SECTION:
example.com. 172800 IN NS ns1.example.com.
example.com. 172800 IN NS ns2.example.com.
example.com. 172800 IN NS ns3.example.com.
example.com. 172800 IN NS ns4.example.com.
Note: Replace example.com with the domain that you want to verify.
- Get the name servers for your CNAME records from the DNS service where you created your CNAME records. For example, suppose you created your CNAME records in Amazon Route 53. In the Route 53 console, the name servers appear in the Value column.
- If the name servers don't match, then add the CNAME record in the delegated name servers. Or, configure the name servers that have the CNAME records as the new delegated name servers in your DNS registrar.
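The comparison in the last step is easy to get wrong by eye, because the two lists differ in order, case, and trailing dots. The following added example (not part of the original article) compares them as sets; the function names and the name servers under `dns-provider.example` are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: both lists are passed as newline-separated strings so this runs offline.
# Live use: compare_ns "$(dig NS example.com +short)" "$hosted"
#   where $hosted holds the name servers shown by the DNS service that has the records.

# One lowercase name per line, without whitespace, trailing dot, or blank lines.
ns_set() {
  printf '%s\n' "$1" | tr '[:upper:]' '[:lower:]' |
    sed -e 's/[[:space:]]//g' -e 's/\.$//' -e '/^$/d' | LC_ALL=C sort -u
}

# compare_ns DELEGATED HOSTED -> prints "match", or one line per difference:
#   delegated_only <ns>  the registrar delegates to a server that lacks the records
#   hosted_only <ns>     the server has the records but the domain is not delegated to it
compare_ns() {
  local d h out
  d=$(mktemp) && h=$(mktemp) || return 1
  ns_set "$1" > "$d"
  ns_set "$2" > "$h"
  out=$(LC_ALL=C comm -23 "$d" "$h" | sed 's/^/delegated_only /'
        LC_ALL=C comm -13 "$d" "$h" | sed 's/^/hosted_only /')
  rm -f "$d" "$h"
  if [ -n "$out" ]; then printf '%s\n' "$out"; else echo match; fi
}

# Constructed sample: two of the four servers differ between the lists.
DELEGATED='ns1.example.com.
ns2.example.com.
ns3.example.com.
ns4.example.com.'
HOSTED='NS2.example.com
ns1.example.com
ns-a.dns-provider.example
ns-b.dns-provider.example'
compare_ns "$DELEGATED" "$HOSTED"
```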
Retry the domain verification on Amazon SES
Verification status is "Verification pending"
To retry the domain verification when the verification status is "Verification pending," complete the following steps:
- Open the Amazon SES console.
- Choose the AWS Region that your domain is in.
- In the navigation pane, choose Verified identities. Then, select the domain that's stuck in Verification pending.
- Choose Delete, and confirm the delete.
- Choose Create identity. Then, re-enter the domain name that was stuck in Verification pending. Make sure to choose the same settings.
- Choose Create identity.
- Wait for the domain's Verification Status to change to Verified.
Verification status is "Unverified"
To retry the domain verification when the verification status is "Unverified," complete the following steps:
- Open the Amazon SES console.
- Choose the AWS Region that your domain is in.
- In the navigation pane, choose Verified identities. Then, select the domain that's stuck in Unverified.
- Under Authentication, for the DomainKeys Identified Mail (DKIM) setting, choose Retry.
- Wait for the domain's Identity Status to change to Verified.
Related information
Verifying a DKIM domain identity with your DNS provider
Common domain verification problems