
Triggering Bring Your Own DKIM (BYODKIM) validation


Hi there,

I am using Amazon SES to allow customers to send emails from my SaaS application. Bring Your Own DKIM (BYODKIM) looks like a great solution because it requires a single DNS record for DKIM configuration and the fact that Amazon is used is not visible from DNS values.

I followed the official tutorial to create a private and public key (https://docs.aws.amazon.com/ses/latest/dg/send-email-authentication-dkim-bring-your-own.html):

openssl genrsa -f4 -out private.key 2048
openssl rsa -in private.key -outform PEM -pubout -out public.key

Once done, I created a new identity with BYODKIM in the dashboard. As the value, I again followed the docs:

You have to delete the first and last lines (-----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY-----, respectively) of the generated private key. Additionally, you have to remove the line breaks in the generated private key. The resulting value is a string of characters with no spaces or line breaks.

Then, I configured the DNS TXT record on Cloudflare with the value p=yourPublicKey where yourPublicKey is, again, as the docs say:

When you publish (add) your public key to your DNS provider, it must be formatted as follows: You have to delete the first and last lines (-----BEGIN PUBLIC KEY----- and -----END PUBLIC KEY-----, respectively) of the generated public key. Additionally, you have to remove the line breaks in the generated public key. The resulting value is a string of characters with no spaces or line breaks. You must include the p= prefix as shown in the Value column in the table above.

A few hours have elapsed, and the DKIM configuration still appears as "Pending" in the dashboard. The TXT record has been propagated for hours: I checked with dig TXT myselector._domainkey.mydomain.com from several locations.

With CNAME records, validation seems to take some minutes at most. What is the expected time for BYODKIM? I mean, does the validation happen only once every X hours or days? Is there really no way to force-trigger a check/validation via API, for instance?

Otherwise, maybe my private or public key has a wrong format. Would Amazon have displayed a specific error if that were the case?

BYODKIM looks like a great solution for SaaS use cases, but if validation takes several hours or days, that's kind of a killer.

1 Answer

As of OpenSSL 3.0, the openssl genrsa command produces PKCS #8 formatted private keys by default, which Amazon SES does not support. Amazon SES will accept a PKCS #8 formatted key during setup, but the domain gets stuck for 72 hours at "verification pending" and then fails with the message "We have not been able to detect the required DNS records in your DNS settings".

To fix this problem, use the -traditional option to openssl genrsa when using OpenSSL 3.0 to produce the PKCS #1 format that Amazon SES requires.

Feature request: support in Amazon SES for PKCS #8 formatted private keys.

answered 18 days ago
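As an added example (not code from the question, the answer, or AWS), a small Python helper that performs the check the answer describes before the 72-hour wait: it classifies the private key as PKCS #1 or PKCS #8 by looking at the DER structure rather than trusting the PEM label, rejects PKCS #8 with a pointer to the -traditional fix, and produces the two stripped values from the docs (the SES private-key field and the p= TXT value). It assumes the PEM files written by the openssl commands above; the conversion command in the error message (openssl rsa -traditional, also an OpenSSL 3 flag) is not mentioned on this page, and pem_from_der only exists to build test input.

```python
import base64

def _tlv(der, pos):  # return (tag, value_start, value_end) for the DER element at pos
    tag, length, pos = der[pos], der[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits = number of length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(der[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def private_key_format(der):
    """'pkcs1' for SEQUENCE { INTEGER version, INTEGER n, ... } (RSAPrivateKey),
    'pkcs8' for SEQUENCE { INTEGER version, SEQUENCE algorithm, OCTET STRING key }."""
    tag, start, _ = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, _, end = _tlv(der, start)
    if tag != 0x02:
        raise ValueError("expected INTEGER version")
    tag = _tlv(der, end)[0]  # classified by the third element, not by the PEM label
    if tag not in (0x02, 0x30):
        raise ValueError("unrecognised private key structure")
    return "pkcs1" if tag == 0x02 else "pkcs8"

def _pem_body(pem, label):
    """Drop the BEGIN/END lines and line breaks, check base64, return the bare string."""
    lines = [line.strip() for line in pem.strip().splitlines()]
    if lines[0] != "-----BEGIN %s-----" % label or lines[-1] != "-----END %s-----" % label:
        raise ValueError("expected a '%s' PEM block, got %r" % (label, lines[0]))
    body = "".join(lines[1:-1])
    base64.b64decode(body, validate=True)  # binascii.Error if the body is not base64
    return body

def ses_private_key_value(pem):
    """Value for the SES BYODKIM private-key field: PKCS #1 base64, no headers, no newlines."""
    if pem.lstrip().startswith("-----BEGIN PRIVATE KEY-----"):  # PKCS #8, OpenSSL 3 default
        raise ValueError("PKCS #8 key: regenerate with 'openssl genrsa -traditional' "
                         "or convert it with 'openssl rsa -in private.key -traditional'")
    body = _pem_body(pem, "RSA PRIVATE KEY")  # the PKCS #1 label
    if private_key_format(base64.b64decode(body)) != "pkcs1":
        raise ValueError("label says PKCS #1 but the DER is not an RSAPrivateKey")
    return body

def dkim_txt_value(public_pem):  # 'p=' + the 'openssl rsa -pubout' base64 for the selector TXT
    return "p=" + _pem_body(public_pem, "PUBLIC KEY")

def pem_from_der(der, label):  # wrap DER as PEM with 64-character lines, as openssl writes it
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, "\n".join(lines), label)
```

Run ses_private_key_value(open("private.key").read()) on the key you intend to paste; a ValueError mentioning -traditional means the key would sit at "Pending" until the 72-hour failure.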
