Skip to content
By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post
About re:Post

Amazon SES - DKIM signing for my custom domain d=amazonses.com ?

0

I am absolutely bamboozled!

The business objective: Allow our webserver to use Amazon SES as a secure outbound 1.2 TLS email gateway.

Short story: I have everything configured and passing mxtoolbox.com with greenlights across the board, but amazon SES is signing the messages it sends with a "d=" selector of amazonses.com rather than my custom domain on which the DKIM is configured. I have removed and re-added the DKIM and domain and everything else works but mxtoolbox.com is just failing on the DKIM alignment check because my custom domain is sending the email (and matched my from address) but the "d=" selector is "amazonses.com"

Longer story: At this stage, I don't know what to do. I specifically configured a sub-domain when setting up SES so I have the following configuration:

  • subdomain.mydomain.com = my own business email, nothing to do with Amazon.
  • subdomain.mydomain.com = sub-domain applied to amazon specifically for SES.
  • mailfrom.subdomain.mydomain.com = specific sender domain (as Amazon SES seems to require this and not allow me to set up SPF and dmarc for the entire dub-domain).
  • I send emails from outbound (at) subdomain.mydomain.com

I've included more details from mxtoolbox.com below and I would be so please to get help from an expert on this because I am absolutely stuck after 6 hours of going around in circles. I'm half wondering if mxtoolbox.com is giving me duff information but I fear that this might be wishful thinking.

Thanks, Splinx

The ERROR Message from mxtoolb.com reads as follows: d = amazonses.com (SDID value) DKIM = v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; s=oovztaqzkyknbrqeeifugvu4e7zh66l3; d=amazonses.com; t....

DKIM Signature Alignment Signature domain not aligned.

More Information About Dkim Signature Alignment DKIM Alignment hinges the domain in your "FROM" header matching the domain used in the DKIM signature (d=domain.com). This uses a relaxed format by default which means that a sub-domain would align as well. If this value is changed to strict in your DMARC record then the domain must match exactly.

If there are multiple DKIM signatures, only one of them must align for DKIM alignment to be valid.

Topics
Front-End Web & MobileBusiness ApplicationsNetworking & Content Delivery
Tags
Amazon Route 53Amazon Simple Email Service
Language
English
asked a year ago477 views
2 Answers
3

Seems you are dealing with a DKIM alignment issue where Amazon SES is signing emails with its own domain (d=amazonses.com) instead of your custom domain. Please consider on below:

Verify DKIM Configuration:

  • Ensure that DKIM is enabled for your custom domain in the Amazon SES console. Navigate to the domain identity settings and confirm that DKIM is active.

  • Double-check the DNS records for your custom domain. Amazon SES requires specific CNAME records for DKIM verification. Make sure these records are correctly configured and propagated.

Mail From Domain Configuration:

  • Amazon SES uses the MAIL FROM domain for SPF and DMARC alignment. Ensure that the MAIL FROM domain matches your custom domain and is correctly configured in SES.

DMARC Policy:

  • Check your DMARC policy settings. If your DMARC policy is set to "strict," it requires an exact match between the FROM header domain and the DKIM signature domain. Consider switching to "relaxed" alignment if strict alignment is causing issues.

Troubleshooting Tools:

  • Use tools like dig or nslookup to verify that the DKIM CNAME records are correctly set up and publicly accessible.
EXPERT
answered a year ago
EXPERT
reviewed a year ago
0

Amazon SES will sign with d=amazonses.com whenever the identity that sent the email is verified only as an email address or when custom DKIM signing for the verified domain is not activated. For domain alignment under DMARC, SES must DKIM‑sign with your own domain—for example, d=subdomain.mydomain.com—which happens only after you enable Easy DKIM or upload your own DKIM keys for that domain identity. In the SES console, open Verified identities, select your sending domain (not just the email address), choose DKIM, and confirm that “Easy DKIM” is enabled and shows three CNAME records published in Route 53 (or your DNS). —Taz

answered 4 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Relevant content