
DKIM CNAME provided by AWS not resolving

0

We created an AWS SES Identity for our customer with DKIM verification, and AWS supplied three public CNAME DNS records to add to the customer's DNS host (not Route53). Although the Identity is verified, two out of those three records are not resolving. My understanding is that the other two are for rotation, and we checked that other customers' records are resolving properly. Has anyone experienced the same issue, and does it affect functionality?

These records were created months ago, and I'm pretty sure it's not a propagation issue.

Any idea why they are not resolving, or suggestions? Do I need to redo the DKIM (but I'm not sure how) or contact AWS Support?

I've shared my dig responses below; the first query was successful but not the other two records:

; FIRST RECORD (successful):
dig CNAME fp6vr[:redacted:]nuguh._domainkey.[mydomain].com 

; <<>> DiG 9.10.6 <<>> CNAME fp6vr[:redacted:]nuguh._domainkey.[mydomain].com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28285
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;fp6vr[:redacted:]nuguh._domainkey.[mydomain].com.        IN CNAME

;; ANSWER SECTION:
fp6vr[:redacted:]nuguh._domainkey.[mydomain].com. 300 IN CNAME fp6vr[:redacted:]nuguh.dkim.amazonses.com.

;; Query time: 141 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Mon Oct 21 08:25:12 CDT 2024
;; MSG SIZE  rcvd: 148

; SECOND RECORD (no response):
dig CNAME [od6w2:redacted:du6t4]._domainkey.[mydomain].com

; <<>> DiG 9.10.6 <<>> CNAME [od6w2:redacted:du6t4]._domainkey.[mydomain].com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 46981
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;[od6w2:redacted:du6t4]._domainkey.[mydomain].com.        IN CNAME

;; AUTHORITY SECTION:
[mydomain].com.             300     IN      SOA     ns3.[mydomain].com. noc\@[mydomain].com. 2024101802 86400 10000 604800 86400

;; Query time: 52 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Mon Oct 21 08:25:32 CDT 2024
;; MSG SIZE  rcvd: 144

; THIRD RECORD (no response):
dig CNAME [dgkuj:redacted:c5ml2]._domainkey.[mydomain].com

; <<>> DiG 9.10.6 <<>> CNAME [dgkuj:redacted:c5ml2]._domainkey.[mydomain].com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 49610
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;[dgkuj:redacted:c5ml2]._domainkey.[mydomain].com.        IN CNAME

;; AUTHORITY SECTION:
[mydomain].com.             300     IN      SOA     ns3.[mydomain].com. noc\@[mydomain].com. 2024101802 86400 10000 604800 86400

;; Query time: 51 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Mon Oct 21 08:25:55 CDT 2024
;; MSG SIZE  rcvd: 144
1 Answer
0

The issue you're experiencing with two out of three DKIM CNAME records not resolving is concerning, but it may not necessarily affect the functionality of your DKIM setup for Amazon SES. Here's what you need to know:

  1. DKIM Setup: When you set up DKIM for a domain in Amazon SES, it provides three CNAME records. These are used for key rotation, ensuring that there's always a valid DKIM key available.

  2. Functionality: As long as at least one of the CNAME records is resolving correctly, DKIM signing should still work for your emails. However, having all three records in place is ideal for smooth key rotation.

  3. Possible Causes: If two of the records are not resolving, it's likely that they were not added correctly to your DNS configuration or were accidentally removed. This is not a problem on AWS's side, but rather with the DNS configuration for your domain.

  4. Verification Status: The fact that your identity is verified suggests that at least one record is working, which is why you're able to send DKIM-signed emails.

  5. Resolution:

  • Double-check your DNS configuration to ensure all three CNAME records are present and correctly entered.
  • If the records are missing or incorrect, add or update them in your DNS settings.
  • If you're certain the records are correctly configured but still not resolving, you may need to contact your DNS provider for assistance.
  6. Redoing DKIM: You don't necessarily need to redo the DKIM setup. Instead, focus on correcting the DNS entries for the missing records.

  7. AWS Support: If you've verified that the DNS entries are correct and the problem persists, contacting AWS Support might be helpful, especially if you suspect an issue on their end.

Remember, while having all three records is ideal, your DKIM functionality should still work with just one valid record. However, it's best to resolve this issue to ensure smooth key rotation and prevent potential future problems.
Sources
VerifyDomainDkim - Amazon Simple Email Service
Troubleshooting DKIM problems in Amazon SES - Amazon Simple Email Service

answered a year ago
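A way to turn the "double-check all three CNAME records" step above into a repeatable check, as an added example that is not part of the original question or answer. It parses captured `dig` output of the shape shown in the question (rather than querying DNS, so it runs offline), confirms the response status, and compares each CNAME target against the Easy DKIM form visible in the first record, `<selector>.dkim.amazonses.com.`. It goes slightly beyond the post by also catching a record that exists but points at a mistyped target. The domain `example.com`, the selectors, and the three sample responses are constructed for the example.

```python
"""Classify Amazon SES Easy DKIM CNAME records from captured `dig` output.

Added example, not code from the original post. It parses dig text instead of
querying DNS, so the sample responses below are constructed, not real records.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

SES_DKIM_SUFFIX = "dkim.amazonses.com."


@dataclass
class DigResult:
    status: str                  # NOERROR, NXDOMAIN, SERVFAIL, ...
    cname_target: Optional[str]  # CNAME rdata from the ANSWER section, if any
    soa_zone: Optional[str]      # owner of the SOA in AUTHORITY (zone that answered)


def expected_cname_target(selector: str) -> str:
    """Easy DKIM CNAME target, in the form the post's first record shows."""
    return f"{selector}.{SES_DKIM_SUFFIX}"


def parse_dig(output: str) -> DigResult:
    """Pull status, CNAME target and SOA zone out of dig's text output."""
    m = re.search(r"status:\s*([A-Z]+)", output)
    status = m.group(1) if m else "UNKNOWN"
    cname = soa = None
    section = None
    for line in output.splitlines():
        if line.startswith(";; ") and line.endswith("SECTION:"):
            section = line.split()[1].lower()  # "answer", "authority", ...
            continue
        if not line.strip() or line.startswith(";"):
            continue  # comments and the ";name IN CNAME" question line
        fields = line.split()  # owner TTL IN TYPE rdata...
        if len(fields) >= 5 and fields[2] == "IN":
            if section == "answer" and fields[3] == "CNAME":
                cname = fields[4]
            elif section == "authority" and fields[3] == "SOA":
                soa = fields[0]
    return DigResult(status, cname, soa)


def check_selector(domain: str, selector: str, dig_output: str) -> Tuple[str, str]:
    """Return (verdict, detail) for one selector's CNAME lookup."""
    name = f"{selector}._domainkey.{domain}."
    want = expected_cname_target(selector)
    r = parse_dig(dig_output)
    if r.status == "NXDOMAIN":
        # The SOA in AUTHORITY tells you which zone denied the name.
        return "missing", f"{name} absent from zone {r.soa_zone or '?'} (NXDOMAIN)"
    if r.status != "NOERROR":
        return "error", f"{name}: resolver returned {r.status}"
    if r.cname_target is None:
        return "no_cname", f"{name} exists but returned no CNAME (check record type)"
    if r.cname_target.rstrip(".").lower() != want.rstrip(".").lower():
        return "wrong_target", f"{name} -> {r.cname_target}, expected {want}"
    return "ok", f"{name} -> {r.cname_target}"


def check_easy_dkim(domain: str, outputs: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """Check every selector's captured dig output; keyed by selector."""
    return {sel: check_selector(domain, sel, out) for sel, out in outputs.items()}


def dkim_fully_configured(results: Dict[str, Tuple[str, str]]) -> bool:
    """True only when all three Easy DKIM CNAMEs resolve to the right target."""
    return len(results) == 3 and all(v == "ok" for v, _ in results.values())


def _dig_text(qname, status, answer=(), authority=()):
    """Build dig-style output for the constructed samples below."""
    parts = [f";; ->>HEADER<<- opcode: QUERY, status: {status}, id: 1",
             ";; QUESTION SECTION:", f";{qname}\t\tIN CNAME", ""]
    if answer:
        parts += [";; ANSWER SECTION:", *answer, ""]
    if authority:
        parts += [";; AUTHORITY SECTION:", *authority, ""]
    return "\n".join(parts)


# Constructed sample domain, selectors and responses (not real DNS data).
DOMAIN = "example.com"
SOA_LINE = ("example.com. 300 IN SOA ns1.example.com. hostmaster.example.com. "
            "2024101802 86400 10000 604800 86400")
SAMPLES = {
    # present and correct
    "sel1aaaaaa": _dig_text("sel1aaaaaa._domainkey.example.com.", "NOERROR",
        ["sel1aaaaaa._domainkey.example.com. 300 IN CNAME sel1aaaaaa.dkim.amazonses.com."]),
    # never added to the zone: NXDOMAIN with the zone's SOA, as in the post
    "sel2bbbbbb": _dig_text("sel2bbbbbb._domainkey.example.com.", "NXDOMAIN",
        authority=[SOA_LINE]),
    # added, but the target was mistyped (".co" instead of ".com")
    "sel3cccccc": _dig_text("sel3cccccc._domainkey.example.com.", "NOERROR",
        ["sel3cccccc._domainkey.example.com. 300 IN CNAME sel3cccccc.dkim.amazonses.co."]),
}

if __name__ == "__main__":
    for sel, (verdict, detail) in check_easy_dkim(DOMAIN, SAMPLES).items():
        print(f"{verdict:13} {detail}")
```

To use it on real data, paste the output of `dig CNAME <selector>._domainkey.<domain>` for each selector into the dictionary. The queries in the question went through a local resolver (192.168.1.1); repeating the two failing ones against the authoritative server named in the SOA (`ns3.[mydomain].com`) rules out a stale negative-cache entry, and an NXDOMAIN from the authoritative server itself means the names are simply absent from the zone, which is the "not added or accidentally removed" case the answer describes.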
