The situation you're describing, where DKIM appears to be set up correctly in AWS SES but isn't being recognized by external DMARC checkers after several days, can be frustrating. Here are some potential reasons and steps you can take to troubleshoot:
- DNS Propagation: While DNS changes typically propagate within 72 hours, in rare cases it can take longer. However, after 5 days, this is less likely to be the issue.
- DNS Record Configuration: Double-check that the DKIM CNAME records in your DNS settings exactly match what Amazon SES provided. Pay special attention to the record names, as some DNS providers might automatically append your domain name to the records, potentially causing issues.
- DNS Provider Issues: Ensure your DNS provider is correctly responding to CNAME queries for these records. You can use online DNS lookup tools to verify if the records are publicly visible.
- Multiple AWS Regions: If you're using Amazon SES in multiple AWS regions, make sure DKIM is properly set up in each region you're using.
- Verification Process: Try disabling and then re-enabling DKIM for your domain in the Amazon SES console. This will restart the verification process. Remember to republish the DNS records if prompted.
- Domain Ownership Verification: Ensure that the domain verification process (separate from DKIM) is also complete and successful.
- Check for Errors: Look for any syntax errors in your DNS records. You can use a reliable DKIM record generator tool to avoid these errors.
If after trying these steps the issue persists, it would be advisable to contact AWS Support for further assistance. They can provide more specific guidance based on your account and domain configuration. Remember, while the SES console shows DKIM as successful and allows you to send verification emails, external DMARC checkers may be using different methods to verify the DKIM setup, which could explain the discrepancy you're experiencing.
Sources
DKIM Verification Stuck in "Pending" for domain | AWS re:Post
DKIM-verification issues | AWS re:Post
DKIM records was successfully added but status not changed for last 2 days | AWS re:Post
- Double-check the DKIM selector you're testing. AWS SES uses selectors like selector1, selector2, and selector3. If you’re testing with a tool, make sure you’re actually entering something like:
  selector1._domainkey.yourdomain.com
  Most public tools need you to input the full selector; if you leave it blank or guess, it’ll say “record not found” even if it’s there.
- Make sure your DNS record is a CNAME. SES uses CNAME records for DKIM, not TXT. Some DNS providers mess this up (or silently convert it), so it’s worth confirming that:
  - You’re using CNAME
  - It points to an Amazon SES DKIM endpoint like selector1-domainkey-yyyyy.amazonses.com
- Try checking with a public DNS resolver. Even if it looks good in your DNS portal, try running:
  dig +short selector1._domainkey.yourdomain.com CNAME
- If SES says "verified", you're probably fine. If SES shows DKIM as verified and you can send emails through it, then you’re good, even if external tools complain. Some don’t handle SES-style DKIM setups (especially the CNAME approach) correctly. You can double-check by sending a test email to Gmail or Outlook, then looking at the message headers to confirm it passes DKIM.
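The header check suggested at the end of the answer above can be scripted. This is an added example, not part of the original answer and not AWS code: it reads each DKIM-Signature header of a received test message, builds the exact `selector._domainkey.domain` name to give to dig or a lookup tool, and pairs it with the receiver's verdict from Authentication-Results. The sample message, the `mailer.example` domain and the selector `k1` are constructed, and the alignment test is a simplification of DMARC's relaxed mode.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample headers; domains, selectors and signature data are made up.
SAMPLE = """\
Authentication-Results: mx.receiver.example;
 dkim=pass header.i=@yourdomain.com header.s=selector1 header.b=AbCdEfGh;
 dkim=pass header.i=@mailer.example header.s=k1 header.b=ZyXwVuTs;
 spf=pass smtp.mailfrom=bounce.yourdomain.com; dmarc=pass header.from=yourdomain.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; s=selector1;
 d=yourdomain.com; h=From:To:Subject; bh=AAAA=; b=AbCdEfGh
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; s=k1;
 d=mailer.example; h=From:To:Subject; bh=AAAA=; b=ZyXwVuTs
From: Sender <sender@yourdomain.com>
Subject: DKIM test

body
"""

def dkim_report(raw):
    """One dict per DKIM-Signature: DNS name to look up, receiver verdict, alignment."""
    msg = message_from_string(raw)
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    verdicts = {}  # (signing domain, selector) -> result reported by the receiver
    for ar in msg.get_all("Authentication-Results", []):
        for part in " ".join(str(ar).split()).split(";"):  # unfold, then split methods
            m = re.match(r"\s*dkim=(\w+)", part)
            if m:
                props = dict(re.findall(r"header\.(\w+)=(\S+)", part))
                dom = props.get("d") or props.get("i", "").rpartition("@")[2]
                verdicts[(dom.lower(), props.get("s"))] = m.group(1)
    report = []
    for sig in msg.get_all("DKIM-Signature", []):
        flat = " ".join(str(sig).split())  # unfold the tag=value list
        tags = dict(t.strip().split("=", 1) for t in flat.split(";") if "=" in t)
        d, s = tags["d"].strip().lower(), tags["s"].strip()
        report.append({
            "query": f"{s}._domainkey.{d}",  # the name to give dig or a lookup tool
            "result": verdicts.get((d, s), "not reported"),
            # Approximation of relaxed alignment; DMARC compares organizational domains.
            "aligned": d == from_dom or from_dom.endswith("." + d) or d.endswith("." + from_dom),
        })
    return report

if __name__ == "__main__":
    for row in dkim_report(SAMPLE):
        print(row)
```

Only a signature that both passes and is aligned with the From domain counts toward DMARC, so a `pass` on the second, unaligned signature alone would not be enough.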

I have used the MXToolbox to verify the SPF record and all seems fine. However, when I use the DKIM lookup tool to verify the 3 CNAMEs generated, 2 of those CNAMEs show "Record not valid" but 1 of them ticks all the boxes. But all of them were generated from Easy DKIM. I ran an NSLookup on all of them and all appear fine. So what do you suggest is the best way forward? Should I delete the CNAMEs and recreate them? Or is there a more efficient way of solving this?