Hi there,
I am using Amazon SES to allow customers to send emails from my SaaS application. Bring Your Own DKIM (BYODKIM) looks like a great solution because it requires a single DNS record for DKIM configuration and the fact that Amazon is used is not visible from DNS values.
I followed the official tutorial to create a private and public key (https://docs.aws.amazon.com/ses/latest/dg/send-email-authentication-dkim-bring-your-own.html):
openssl genrsa -f4 -out private.key 2048
openssl rsa -in private.key -outform PEM -pubout -out public.key
Once done, I have created a new identity with BYODKIM in the dashboard. As a value, I have, again, followed the docs:
You have to delete the first and last lines (-----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY-----, respectively) of the generated private key. Additionally, you have to remove the line breaks in the generated private key. The resulting value is a string of characters with no spaces or line breaks.
Then, I configured the DNS TXT record on Cloudflare with the value p=yourPublicKey, where yourPublicKey is, again, as the docs say:
When you publish (add) your public key to your DNS provider, it must be formatted as follows:
You have to delete the first and last lines (-----BEGIN PUBLIC KEY----- and -----END PUBLIC KEY-----, respectively) of the generated public key. Additionally, you have to remove the line breaks in the generated public key. The resulting value is a string of characters with no spaces or line breaks.
You must include the p= prefix as shown in the Value column in the table above.
A few hours have elapsed, and the DKIM configuration still appears as "Pending" in the dashboard. The TXT record has been propagated for hours: I checked with dig TXT myselector._domainkey.mydomain.com from several locations.
With CNAME records, validation seems to take some minutes at most. What is the expected time for BYODKIM? I mean, does the validation happen only once every X hours or days? Is there really no way to force-trigger a check/validation via API, for instance?
Otherwise, maybe my private or public key has a wrong format. Would Amazon have displayed a specific error if that were the case?
BYODKIM looks like a great solution for SaaS use cases, but if validation takes several hours or days, that's kind of a killer.
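A way to test the suspicion raised above that the pasted key has the wrong format, as an added example that is not part of the original post or of AWS's tooling: it parses the p= tag of a DKIM TXT value as the DER SubjectPublicKeyInfo that `openssl rsa -pubout` writes between the BEGIN/END lines, using only the Python standard library, and fails with a specific message when line breaks, quotes, a private key or a bare PKCS#1 key were pasted instead. The function names and the record string are assumptions, and SAMPLE_P is a constructed toy 12-bit key, not a real 2048-bit one.

```python
import base64
import re
RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # OID 1.2.840.113549.1.1.1

def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise IndexError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def parse_dkim_txt(record):
    """Split 'v=DKIM1; k=rsa; p=...' into tags. Quotes and whitespace are
    dropped so dig's multi-string output ("..." "...") parses as well."""
    tags = {}
    for part in record.replace('"', "").split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags

def rsa_modulus_bits(p_value):
    """Verify p= is a base64 DER SubjectPublicKeyInfo for an RSA key (what
    `openssl rsa -pubout` emits) and return the modulus size in bits."""
    try:
        der = base64.b64decode(p_value, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("p= is not clean base64: line breaks or quotes left in?") from exc
    try:
        tag, spki, _ = _read_tlv(der, 0)
        if tag != 0x30:
            raise ValueError("not a DER SEQUENCE; expected SubjectPublicKeyInfo")
        alg_tag, alg, pos = _read_tlv(spki, 0)
        oid_tag, oid, _ = _read_tlv(alg, 0)
        if (alg_tag, oid_tag, oid) != (0x30, 0x06, RSA_ENCRYPTION_OID):
            raise ValueError("no rsaEncryption AlgorithmIdentifier: private or PKCS#1 key pasted?")
        bits_tag, bitstr, _ = _read_tlv(spki, pos)
        if bits_tag != 0x03:
            raise ValueError("subjectPublicKey is not a BIT STRING")
        _, rsa_pub, _ = _read_tlv(bitstr, 1)  # skip the unused-bits byte
        _, modulus, _ = _read_tlv(rsa_pub, 0)  # first INTEGER is the modulus n
    except IndexError as exc:
        raise ValueError("DER structure is truncated or malformed") from exc
    return int.from_bytes(modulus, "big").bit_length()

# Constructed sample: toy 12-bit RSA key (n=3233, e=17) as SubjectPublicKeyInfo
SAMPLE_P = base64.b64encode(bytes.fromhex("301b300d06092a864886f70d0101010500030a00300702020ca1020111")).decode()
```

Fed the TXT value that dig returns for the real selector, rsa_modulus_bits should give 2048 for a key generated with the commands above; any exception points at the pasted value rather than at AWS's validation delay.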