By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post
About re:Post

SES domain identity verification pending for awsapps.com from different region

0

Our organisation is currently testing an AWS Workmail + SES setup. As AWS Workmail is not available for our region we've set this up in us-east-1. We've created a WorkMail organisation 'abc' (example), with corresponding aws provided domain 'abc.awsapps.com'. The DNS is managed by Route53. The setup completed fine, and the SES domain identity verification process for us-east-1 finished within minutes.

We'd now like to apply SES settings for 'abc.awsapps.com' in other regions (same organisation, different regions). According to AWS documentation, there should be no issues doing this: https://aws.amazon.com/blogs/messaging-and-targeting/how-to-use-domain-with-amazon-ses-in-multiple-accounts-or-regions/ . We're aware different regions have different validation records.

The required set of CNAME records for the other regions were added to the Route53 hosted zone (in fact AWS adds these automatically, so there is no chance of a misconfiguration here. We can see them in the console too). However this time the verification seems stuck in 'pending'. This long wait seems to happen for ANY region other than us-east-1 (incl other us regions).

nslookup cannot find CNAME records other than the ones from us-east-1.

Interestingly,

dig -t NS abc.awsapps.com

shows a different set of name servers than the NS record in Route53. (I've tried updating the NS record to match the server set from dig, but doesn't look like that helped anything....)

Are there hidden restrictions or additional requirements in play here? Why would identity verification be so fast for us-east-1, but keep pending for others? It's been days...

Topics
Networking & Content DeliveryFront-End Web & MobileBusiness Applications
Tags
Amazon Route 53Amazon Simple Email ServiceAmazon WorkMail
Language
English
asked 10 months ago472 views
2 Answers
1

Hi,

The awsapps.com domain that comes with a WorkMail organization is for testing. You will not have control over the domain as its owned by AWS. Its recommended to get your own domain.

Kind regards, Robin

AWS
EXPERT
answered 10 months ago
  • adam-mkts
    10 months ago

    True, but doesn't address the question. There should be no issue verifying and using an awsapps test domain in any region.

  • robinkaws EXPERT
    10 months ago

    I'm sorry but it does. You do not have any control over the domain abc.awsapps.com. So you will not be able to verify this domain in other SES regions as you will not be able to create the required domain records to verify this domain in other regions.

    Its best to use a 'custom' domain you own to test your set-up.

    Kind regards, Robin

0

Hello.

I tested it with my AWS account and the SES validation was automatic and marked as verified.
I checked with "us-east-1" and "us-west-2".
There may be some restrictions on your AWS account, so I recommend that you open a case with AWS Support under "Account and billing".
Inquiries under "Account and billing" can be made free of charge.
https://docs.aws.amazon.com/awssupport/latest/user/case-management.html

EXPERT
answered 10 months ago
  • adam-mkts
    10 months ago

    Thanks for responding! Could you clarify if you did ANY additional actions as part of your test? For example, did you have to touch the NS record (or even any of the DNS records at all), or change any domain identity setting from the default values?

  • Riku_Kobayashi EXPERT
    10 months ago

    There is no need to edit any NS records on the "awsapps.com" domain. "awsapps.com" itself is managed by AWS, so if you look at it on the SES screen, the verification should complete automatically after some time.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content