SES Domain Identity DNS confirmation failures when multi-region, multi-value MX, active-active


The DNS validation business logic AWS SES uses to verify a domain identity with a custom MAIL FROM gets a bit tripped up when finding a multi-valued record result. Starting from a working and validated SES domain identity with custom mail from identity in us-east-1, when I attempt to add one in us-east-2 and likewise update global Route53 MX records for inbound and feedback smtp endpoints, the SES validation logic declares a failure to find the correct MX records and marks both regions' SES identity domains as not verified. Even though both are listed in the multi-valued records, it fails. (It feels like it's using string.equals versus string.contains.)

This is some example Terraform HCL which demonstrates the core issue of multiple MX records causing SES to fail verification, but would need a bit more structure to be standalone:

resource "aws_sesv2_email_identity" "default" {
  email_identity = "example.com"
}

resource "aws_sesv2_email_identity_mail_from_attributes" "default" {
  email_identity   = "example.com"
  mail_from_domain = "mail.example.com"
}

# Inbound MX for the domain itself: one value per region (multi-valued record).
resource "aws_route53_record" "inbound" {
  name    = "example.com"
  ttl     = "86400"
  type    = "MX"
  zone_id = "Z0123456789"

  records = [
    "10 inbound-smtp.us-east-1.amazonaws.com",
    "10 inbound-smtp.us-east-2.amazonaws.com",
  ]
}

# Custom MAIL FROM MX (feedback endpoint): again one value per region.
resource "aws_route53_record" "feedback" {
  name    = "mail.example.com"
  ttl     = "86400"
  type    = "MX"
  zone_id = "Z0123456789"

  records = [
    "10 feedback-smtp.us-east-1.amazonses.com",
    "10 feedback-smtp.us-east-2.amazonses.com",
  ]
}

Making these MX records multi-valued seems to be the trigger here, even though I have configured what ought to be a perfectly acceptable MAIL FROM MX record—heck it should be preferred since I am giving customers trying to reach me multiple avenues to connect, even in the face of region-wide failure—it is rejected by the SES DNS validator.

I sincerely hope I have got something silly wrong here, otherwise it implies that NO_ONE using AWS SES has an active-active setup for email receiving for any given single mail destination (as AWS SES will mark it as unverified and unavailable for use in all regions). I find that too difficult to believe. Will someone please spot my error? I’m really stuck.

Thank you.

asked 2 months ago, 72 views
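The question's hypothesis is that the verifier compares the whole MX answer for equality with the one record it expects, rather than checking that the expected record is present among several. The following added example (not code from the question, and not AWS's actual verification logic, which is not public) makes that distinction concrete: it parses presentation-format MX rdata, then evaluates the same constructed rrsets under a strict "equals" check and a "membership" check for each region. The `feedback-smtp.<region>.amazonses.com` naming comes from the records in the question; everything else is assumed for illustration.

```python
"""Model of two ways a DNS-based MAIL FROM verifier can judge an MX rrset.

Constructed example: no DNS is queried, and this is not AWS SES's code. It
only makes the "equals vs. contains" distinction from the question concrete.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class MXRecord:
    priority: int
    exchange: str  # normalised: lower-case, no trailing dot


def parse_mx(rdata: str) -> MXRecord:
    """Parse presentation-format MX rdata such as
    '10 feedback-smtp.us-east-1.amazonses.com.' into a normalised record."""
    parts = rdata.split()
    if len(parts) != 2:
        raise ValueError(f"malformed MX rdata: {rdata!r}")
    priority, host = parts
    return MXRecord(int(priority), host.lower().rstrip("."))


def expected_feedback_mx(region: str) -> str:
    """Host a region's verifier looks for in the custom MAIL FROM MX record.
    The naming pattern is taken from the records shown in the question."""
    return f"feedback-smtp.{region}.amazonses.com"


def verify_strict(rrset: list[str], region: str) -> bool:
    """'equals' style: passes only if the rrset is exactly one record and
    that record points at this region's endpoint."""
    records = [parse_mx(r) for r in rrset]
    return len(records) == 1 and records[0].exchange == expected_feedback_mx(region)


def verify_membership(rrset: list[str], region: str) -> bool:
    """'contains' style: passes if any record in the rrset points at this
    region's endpoint, whatever its priority and whatever else is present."""
    return any(parse_mx(r).exchange == expected_feedback_mx(region) for r in rrset)


# Constructed rrsets mirroring the single-region and active-active layouts.
SINGLE_REGION = ["10 feedback-smtp.us-east-1.amazonses.com"]
MULTI_REGION = [
    "10 feedback-smtp.us-east-1.amazonses.com",
    "10 feedback-smtp.us-east-2.amazonses.com",
]


def report(rrset: list[str], regions=("us-east-1", "us-east-2")) -> dict:
    """Evaluate an rrset under both strategies for each region."""
    return {
        region: {
            "strict": verify_strict(rrset, region),
            "membership": verify_membership(rrset, region),
        }
        for region in regions
    }


if __name__ == "__main__":
    for label, rrset in (("single-region", SINGLE_REGION), ("multi-region", MULTI_REGION)):
        print(label, report(rrset))
```

Under the strict check the multi-valued rrset fails for both regions even though each region's endpoint is present, which is the symptom described in the question; under the membership check the same rrset passes for both. Running the two strategies against the zone's actual answer (for example the output of `dig MX mail.example.com`) is a quick way to confirm whether a failure is caused by the record set itself or by how it is being compared.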
No Answers
