Domain verification for AWS email

0

Hello AWS Team, in this post, https://repost.aws/questions/QU_1KpLIEmSQ29JEZr5YpSEQ/removing-domain-verification-record-after-verification-in-ses, it is mentioned that customers shouldn't remove TXT records, as AWS verifies the domains periodically.

So during periodic checks, does the AWS team only consider TXT records? Isn't it possible to consider DKIM records for periodic checks (as a domain can be verified with a DKIM record as well)?

Always keeping TXT records might cause problems for the org, and we want to remove the TXT records after domain verification has passed (otherwise we need to keep multiple TXT records for the same domain, which is not good).

1 Answer
1
Accepted Answer

In AWS Simple Email Service (SES), domain verification is typically done using TXT records. While DKIM records are also used for email authentication, they serve a different purpose and are not used for domain verification checks by SES. Here’s a detailed explanation of the process and considerations:

Domain Verification in AWS SES

1. Initial Verification:

  • When you verify a domain in SES, you add a specific TXT record to your domain's DNS settings.
  • This TXT record is used to prove that you own the domain.

2. Periodic Verification:

  • AWS periodically checks the presence of this TXT record to ensure ongoing domain ownership.
  • Removing the TXT record can cause the domain to become unverified, potentially disrupting your ability to send emails through SES.

Why TXT Records Are Essential

  • Ownership Proof: The TXT record uniquely proves that you control the domain. Without this, AWS cannot verify that you still own the domain.
  • Compliance and Security: Regular checks ensure that domains are not misused or hijacked for sending unauthorized emails.

DKIM Records

  • Purpose of DKIM: DomainKeys Identified Mail (DKIM) records are used to authenticate the email itself, ensuring that it has not been altered in transit and confirming the sender's identity.
  • Not Used for Domain Verification: While DKIM records help with email deliverability and authenticity, they do not prove domain ownership in the way TXT records do.

Concerns About Multiple TXT Records

  • Managing Multiple Records: It’s common to have multiple TXT records for various purposes, including domain verification, SPF, DMARC, and other services.
  • Organizational Issues: Properly organizing and documenting these records can mitigate issues with having multiple TXT records.

Recommended Practices

1. Keep Verification TXT Records:

  • Maintain the TXT records required for SES domain verification to ensure uninterrupted email service.
  • Periodically review and document your DNS records to manage them effectively.

2. Use Descriptive Naming:

  • Use clear, descriptive names for TXT records to avoid confusion.

3. Automate Management:

  • Use infrastructure-as-code tools (e.g., Terraform, CloudFormation) to manage DNS records and ensure consistency across environments.

Example of TXT Records in Route 53

Here’s an example of how TXT records might look in Amazon Route 53:

Type    Name                              Value
--------------------------------------------------------------
TXT     _amazonses.example.com            "abcdefgh12345678"
TXT     example.com                       "v=spf1 include:amazonses.com -all"
TXT     _dmarc.example.com                "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
TXT     default._domainkey.example.com    "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9..."

Summary

AWS SES uses TXT records for domain verification, and these records need to be retained for ongoing verification checks. DKIM records, while essential for email authentication, are not used for domain verification. Managing multiple TXT records is a common practice and can be effectively handled with good documentation and automation. Removing the verification TXT record can lead to the domain becoming unverified, so it’s advisable to keep it in place to ensure continuous email functionality.

EXPERT
answered a month ago
AWS
EXPERT
iBehr
reviewed a month ago
  • Thank you @Oleksii Bebych for the detailed answer.
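A drift check for the situation discussed in this thread, as an added example that is not part of the question or the answer: it compares the verification token SES reports for each domain identity with the TXT values published at `_amazonses.<domain>` (the record name shown in the answer's table). The SES response and DNS answers below are constructed samples in the shape of `aws ses get-identity-verification-attributes` output and resolver TXT answers; `audit_identity` and `audit_all` are hypothetical helper names.

```python
import json
import re

# Constructed sample in the shape returned by
# `aws ses get-identity-verification-attributes --identities ...`
SES_RESPONSE = json.loads("""
{"VerificationAttributes": {
  "example.com": {"VerificationStatus": "Success", "VerificationToken": "abcdefgh12345678"},
  "example.org": {"VerificationStatus": "Success", "VerificationToken": "zyxwvuts87654321"}
}}
""")

# Constructed sample: TXT answers per name, as a resolver (e.g. dig +short TXT) prints them.
DNS_TXT = {
    "_amazonses.example.com": ['"abcdefgh12345678"', '"oldtoken00000000"'],
    "_amazonses.example.org": [],  # record was removed after verification
}


def normalize_txt(value):
    """Join the quoted character-strings of one TXT answer into a single value."""
    parts = re.findall(r'"([^"]*)"', value)
    return "".join(parts) if parts else value.strip()


def audit_identity(domain, attrs, txt_lookup):
    """Return findings for one domain identity; an empty list means nothing to act on."""
    entry = attrs.get(domain)
    if entry is None:
        return [f"{domain}: no verification attributes returned"]
    findings = []
    status = entry.get("VerificationStatus")
    token = entry.get("VerificationToken")
    published = {normalize_txt(v) for v in txt_lookup.get(f"_amazonses.{domain}", [])}
    if status != "Success":
        findings.append(f"{domain}: status is {status}")
    if token and token not in published:
        findings.append(f"{domain}: expected token missing from _amazonses.{domain}")
    for other in sorted(published - {token}):
        findings.append(f"{domain}: unrecognized value {other!r}; check other Regions/accounts")
    return findings


def audit_all(response, txt_lookup):
    """Audit every identity in the response; returns {domain: [findings]}."""
    attrs = response.get("VerificationAttributes", {})
    return {d: audit_identity(d, attrs, txt_lookup) for d in sorted(attrs)}
```

Run against real data, the second sample domain is the case the thread is about: SES still reports `Success`, but the record has already been removed from DNS.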
