Additional Troubleshooting Steps to the Former AI answer
While the duplicate domain suffix issue is common with GoDaddy, there are two other technical hurdles specific to your setup that often cause a "Pending" hang:
- RSA 2048-bit Length Issues: Some DNS interfaces struggle with the character length or formatting of 2048-bit CNAME targets.
  - Test: Delete the identity and recreate it using RSA_1024_BIT. If this verifies within an hour, your DNS provider likely has a limitation with the longer key string.
- "Trailing Dot" Requirement: GoDaddy sometimes requires a trailing period at the end of the "Value/Points to" field (e.g., ...dkim.amazonses.com.) to recognize it as a FQDN. Without it, GoDaddy might append your domain to the target address as well.
- Manual Propagation Check: Run this command in your terminal:
  nslookup -type=CNAME [selector]._domainkey.flowolf.ai
  If it returns no result, but
  nslookup -type=CNAME [selector]._domainkey.flowolf.ai.flowolf.ai
  works, you have confirmed the "Double Domain" error mentioned above.
- DNSSEC: If you have DNSSEC enabled on flowolf.ai, ensure the new records are correctly signed. SES will fail to verify if the DNSSEC chain is broken.
I would try: 1024-bit key first; it is the most common fix for persistent "Pending" statuses when records appear to be "there."
Based on your situation, here are some additional troubleshooting steps to consider:
DNS Record Name Verification
Some DNS providers, including GoDaddy, automatically append the domain name to DNS records you create. This is a common issue that can prevent DKIM verification. When you created the CNAME records, if you entered the full name (e.g., example._domainkey.flowolf.ai), GoDaddy may have automatically added your domain to the end, resulting in example._domainkey.flowolf.ai.flowolf.ai.
Check your DNS records in GoDaddy's interface to ensure the CNAME record names are exactly as provided by SES, without any duplicate domain suffixes. You may need to enter only the subdomain portion (the part before .flowolf.ai) rather than the full hostname, depending on how GoDaddy's interface works.
Timing Considerations
While you've already waited over 70 hours, Amazon SES can take up to 72 hours in rare cases for DNS records to become visible to the service. Since you're approaching this threshold, you may want to wait a bit longer before taking further action.
DKIM Verification Status
The verification status can be one of several states: PENDING (verification initiated but DKIM records not yet detected), SUCCESS, FAILED (typically when SES can't find the DKIM records in DNS), TEMPORARY_FAILURE (temporary issue preventing status determination), or NOT_STARTED. Your "Pending" status indicates SES hasn't yet detected the records, which points back to either a timing issue or a DNS configuration problem.
If the DNS record name issue doesn't resolve your problem and you've exceeded 72 hours, you may need to contact AWS Support for further investigation into why SES cannot detect your properly configured DKIM records.
Sources
Troubleshooting DKIM problems in Amazon SES - Amazon Simple Email Service
DkimAttributes - Amazon Simple Email Service
Hi everyone,
Thank you all so much for your responses and suggestions. I really appreciate the time you took to help me troubleshoot this.
I'm happy to report that the issue is now resolved, and I have to admit it was a bit embarrassing: the problem was a simple typo in one of the CNAME record names in GoDaddy. One character was wrong (a "q" instead of a "g") in the first DKIM token. Such a small difference in a 32-character string, but enough to prevent AWS SES from verifying the domain for over 48 hours.
The lesson learned: when dealing with long auto-generated CNAME names, always verify each character carefully and copy-paste directly from the AWS console rather than letting an AI prompt to "read" the codes.
Thanks again to everyone who responded.
Best regards, Alvaro.
It may be due to misconfigured CNAME records, improper caching, or incomplete activation of DKIM for the domain identity. Please first validate the record values against those provided in the SES console, confirm that DKIM has been explicitly enabled for the identity, and ensure that the DNS provider correctly supports CNAME resolution without flattening or modification.
https://docs.aws.amazon.com/ses/latest/dg/troubleshoot-dkim.html
https://docs.aws.amazon.com/ses/latest/dg/receiving-email-verification.html
https://docs.aws.amazon.com/ses/latest/dg/send-email-authentication-dkim.html
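One way to validate the records against the SES console values, as an added example that is not part of any post in this thread: it compares the expected DKIM CNAMEs with what the zone serves and flags the failure modes discussed here (doubled domain suffix, domain appended to the target, a near-miss typo in the token). The tokens, example.com, and the `audit` helper are constructed for illustration, and the published records are assumed to be available as fully qualified names, for instance from a zone export.

```python
# Added example. Tokens and example.com are constructed sample data.
T1 = "abcdefg2hijklmnop3qrstuvwx4yz5ab"
T2 = "m1n2b3v4c5x6z7l8k9j0h1g2f3d4s5a6"
T3 = "zyxwvut9srqponmlk8jihgfedc7ba6zy"
DOMAIN = "example.com"
# What the SES console shows: <token>._domainkey.<domain> -> <token>.dkim.amazonses.com
EXPECTED = {f"{t}._domainkey.{DOMAIN}": f"{t}.dkim.amazonses.com" for t in (T1, T2, T3)}
# What the zone actually serves (fully qualified), with three constructed mistakes.
PUBLISHED = {
    f"{T1.replace('g', 'q')}._domainkey.{DOMAIN}": f"{T1}.dkim.amazonses.com",  # typo
    f"{T2}._domainkey.{DOMAIN}.{DOMAIN}": f"{T2}.dkim.amazonses.com",  # doubled suffix
    f"{T3}._domainkey.{DOMAIN}": f"{T3}.dkim.amazonses.com.{DOMAIN}",  # no trailing dot
}

def norm(name):
    """Lower-case and drop the trailing dot so FQDN spellings compare equal."""
    return name.strip().lower().rstrip(".")

def hamming(a, b):
    """Count differing positions; None when the lengths differ."""
    return sum(x != y for x, y in zip(a, b)) if len(a) == len(b) else None

def audit(domain, expected, published):
    """Return {expected record name: finding} for each record SES issued."""
    domain = norm(domain)
    pub = {norm(k): norm(v) for k, v in published.items()}
    findings = {}
    for name, target in expected.items():
        name, target = norm(name), norm(target)
        if name in pub:
            got = pub[name]
            if got == target:
                findings[name] = "ok"
            elif got == f"{target}.{domain}":
                findings[name] = "target has domain appended (missing trailing dot?)"
            else:
                findings[name] = f"wrong target: {got}"
        elif f"{name}.{domain}" in pub:
            findings[name] = "double domain suffix in record name"
        else:
            # A same-length name differing in one or two characters is likely a typo.
            near = [p for p in pub if hamming(p, name) in (1, 2)]
            findings[name] = f"not found; near miss: {near[0]}" if near else "not found"
    return findings

if __name__ == "__main__":
    for record, finding in audit(DOMAIN, EXPECTED, PUBLISHED).items():
        print(f"{record}: {finding}")
```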
