Amazon SES - DKIM signing for my custom domain d=amazonses.com ?

0

I am absolutely bamboozled!

The business objective: Allow our webserver to use Amazon SES as a secure outbound 1.2 TLS email gateway.

Short story: I have everything configured and passing mxtoolbox.com with green lights across the board, but Amazon SES is signing the messages it sends with a "d=" selector of amazonses.com rather than my custom domain on which the DKIM is configured. I have removed and re-added the DKIM and domain and everything else works, but mxtoolbox.com is just failing on the DKIM alignment check because my custom domain is sending the email (and matches my from address) but the "d=" selector is "amazonses.com".

Longer story: At this stage, I don't know what to do. I specifically configured a sub-domain when setting up SES so I have the following configuration:

  • subdomain.mydomain.com = my own business email, nothing to do with Amazon.
  • subdomain.mydomain.com = sub-domain applied to amazon specifically for SES.
  • mailfrom.subdomain.mydomain.com = specific sender domain (as Amazon SES seems to require this and not allow me to set up SPF and DMARC for the entire sub-domain).
  • I send emails from outbound (at) subdomain.mydomain.com

I've included more details from mxtoolbox.com below and I would be so pleased to get help from an expert on this because I am absolutely stuck after 6 hours of going around in circles. I'm half wondering if mxtoolbox.com is giving me duff information but I fear that this might be wishful thinking.

Thanks, Splinx

The ERROR message from mxtoolbox.com reads as follows:

d = amazonses.com (SDID value)
DKIM = v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; s=oovztaqzkyknbrqeeifugvu4e7zh66l3; d=amazonses.com; t....

DKIM Signature Alignment: Signature domain not aligned.

More Information About DKIM Signature Alignment: DKIM alignment hinges on the domain in your "FROM" header matching the domain used in the DKIM signature (d=domain.com). This uses a relaxed format by default, which means that a sub-domain would align as well. If this value is changed to strict in your DMARC record then the domain must match exactly.

If there are multiple DKIM signatures, only one of them must align for DKIM alignment to be valid.

1 Answer
3

It seems you are dealing with a DKIM alignment issue where Amazon SES is signing emails with its own domain (d=amazonses.com) instead of your custom domain. Please consider the following:

Verify DKIM Configuration:

  • Ensure that DKIM is enabled for your custom domain in the Amazon SES console. Navigate to the domain identity settings and confirm that DKIM is active.

  • Double-check the DNS records for your custom domain. Amazon SES requires specific CNAME records for DKIM verification. Make sure these records are correctly configured and propagated.

Mail From Domain Configuration:

  • Amazon SES uses the MAIL FROM domain for SPF and DMARC alignment. Ensure that the MAIL FROM domain matches your custom domain and is correctly configured in SES.

DMARC Policy:

  • Check your DMARC policy settings. If your DMARC policy is set to "strict," it requires an exact match between the FROM header domain and the DKIM signature domain. Consider switching to "relaxed" alignment if strict alignment is causing issues.

Troubleshooting Tools:

  • Use tools like dig or nslookup to verify that the DKIM CNAME records are correctly set up and publicly accessible.
EXPERT, answered 2 months ago
AWS EXPERT, reviewed 2 months ago
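The alignment rule quoted in the question (relaxed versus strict, and only one of several signatures needing to align) can be checked directly against a received message's headers. The following is an added example, not part of the original question or answer; the sample message, its selectors and the two-label `org_domain` shortcut are assumptions, and it checks alignment only, not whether a signature verifies cryptographically.

```python
import email
from email.utils import parseaddr

# Constructed sample: From domain as in the question, one amazonses.com
# signature plus one custom-domain signature with made-up selectors.
SAMPLE = """\
From: Outbound <outbound@subdomain.mydomain.com>
To: someone@example.net
Subject: test
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple;
 s=exampleselector1; d=amazonses.com; h=From:To:Subject; bh=AAAA; b=BBBB
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple;
 s=exampleselector2; d=mydomain.com; h=From:To:Subject; bh=AAAA; b=BBBB

body
"""

def org_domain(domain):
    # Assumption: organizational domain = last two labels. Real DMARC
    # evaluators use the Public Suffix List (needed for e.g. co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def signing_domains(msg):
    """Return the d= (SDID) value of every DKIM-Signature header."""
    found = []
    for value in msg.get_all("DKIM-Signature", []):
        tags = {}
        # Drop folding whitespace, then split the tag=value list on ';'.
        for part in "".join(str(value).split()).split(";"):
            name, sep, val = part.partition("=")
            if sep:
                tags[name] = val
        if "d" in tags:
            found.append(tags["d"].lower())
    return found

def dkim_alignment(raw, mode="relaxed"):
    """Map each signature's d= to whether it aligns with the From domain."""
    msg = email.message_from_string(raw)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    results = {}
    for d in signing_domains(msg):
        if mode == "strict":
            results[d] = d == from_domain
        else:
            results[d] = org_domain(d) == org_domain(from_domain)
    return from_domain, results

def aligned(raw, mode="relaxed"):
    # Only one signature has to align for DKIM alignment to pass.
    return any(dkim_alignment(raw, mode)[1].values())
```

Paste the full headers of a delivered test message in place of `SAMPLE` to see which `d=` values are present and which of them align.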
