AWS SES domain verification failure with BYODKIM

Question

I've followed the [docs](https://docs.aws.amazon.com/ses/latest/dg/send-email-authentication-dkim-bring-your-own.html). I've tried via the console and via the API.

Both times verification has failed.

I can get the TXT record if I do `dig -t txt selector._domainkeydomain.com`. The record is in GoDaddy.

How could I debug the issue further?

Accepted Answer

Fixed by following the troubleshoot guide (https://docs.aws.amazon.com/ses/latest/dg/troubleshoot-dkim.html):

>    When attempting to set up BYODKIM, the DKIM verification process fails. 
>
>    Make sure that your private key uses the right format. The private key has to be in PKCS #1 format and use either 1024 or 2048 bit RSA encryption. Additionally, the private key has to be base64 encoded.

My version is OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022) meaning, by default, I’m generating PKCS #8 keys. I’ve passed the -traditional flag to generate PKCS #1 keys.

Answer

Hello,

Few things you should consider with BYODKIM. Check the below:

1. TXT record must be placed with the value of the public key.
2. Value of that record must begin with "p=".
3. Name of the record should look like this "selector._domainkey.example.com". And of course you should change the selector and the example.com.
4. The private and the public keys must not contain any spaces or line breaks.
5. The value of both keys must not include the beginning and the closure of the keys (-----BEGIN PUBLIC KEY----- and -----END PUBLIC KEY-----).
6. If you generated the keys with the 'openssl' command, then no need to encode them, as the command does the encoding itself.

If all of that does not help, then open a case with SES Premium Support.

Thanks!
Mo

AWS SES domain verification failure with BYODKIM

Relevant content