AWS News Blog

Simple Email Service – Easy DomainKeys Identified Mail (DKIM) Support

The Amazon Simple Email Service (SES) gives you the power to send bulk and transactional emails, with a focus on ease of use and deliverability. After you sign up for Amazon SES, you simply verify your domain, request production access, send email, and monitor the results.

What’s Deliverability?
Deliverability refers to the likelihood that an email you send will actually end up where you want it to. One factor (of many) which affects deliverability is the receiving ISP’s overall perception of the quality of the sender, as indicated by email address and/or domain name. Because the SMTP protocol dates back to a happier and more innocent time when everyone knew and trusted everyone else online, it did not include robust features for authentication.

How is Email Authenticated?
A number of authentication methods have been developed over the past thirty years to address this increasingly problematic issue. These include SPF, Sender ID, and DKIM:

SPF, the Sender Policy Framework, allows an email message to be traced back to the system from which it was sent. When an ISP receives an email from a particular domain, it checks for a particular record in the domain’s DNS information. Amazon SES already supports SPF; read the documentation to learn more.

Sender ID is a descendant of SPF; it also relies on a record in the domain’s DNS information. Again, Amazon SES supports Sender ID and you can read all about it.

DKIM, DomainKeys Identified Mail, is the newest and the most advanced method for authenticating email. Using DKIM, a sender signs the message body and certain headers using the private part of a keypair. The signature (a hash code) is then transmitted along with the message. The receiver validates the message (and thus authenticates the sender and the integrity of the message) by fetching a public key from a TXT (or, in the case of Amazon SES, a CNAME) record in the sender’s DNS information.
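An added example, not code from the original post or from Amazon SES, of the receiver side described above: it derives the DNS name where the public key is looked up and recomputes the signed body hash (the `bh=` tag) per RFC 6376. The RSA check of `b=` over the headers is left out, and the domain, selector, message and `b=` value are constructed placeholders.

```python
import base64
import hashlib
import re

HASHES = {"rsa-sha256": hashlib.sha256, "rsa-sha1": hashlib.sha1}

def parse_dkim_signature(value):
    """Split a DKIM-Signature header value into tag=value pairs."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, val = part.split("=", 1)
            # Folding whitespace is not significant in the tags used here.
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags

def key_query_name(tags):
    """DNS name the receiver queries for the public key (TXT, or via a CNAME)."""
    return f"{tags['s']}._domainkey.{tags['d']}"

def canonicalize_body(body, mode):
    """'simple' or 'relaxed' body canonicalization (RFC 6376, section 3.4)."""
    lines = body.split(b"\r\n")
    if mode == "relaxed":
        # Collapse runs of spaces/tabs, then drop whitespace at line ends.
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":
        lines.pop()  # trailing empty lines are ignored
    if not lines:
        return b"" if mode == "relaxed" else b"\r\n"
    return b"\r\n".join(lines) + b"\r\n"

def body_hash(body, algorithm="rsa-sha256", mode="simple", length=None):
    """Base64 digest of the canonicalized body, as carried in the bh= tag."""
    canon = canonicalize_body(body, mode)
    if length is not None:
        canon = canon[:length]  # l= tag: only the first N octets are signed
    return base64.b64encode(HASHES[algorithm](canon).digest()).decode()

def body_hash_matches(tags, body):
    """Recompute the body hash and compare it with the signed bh= value."""
    _, _, body_mode = tags.get("c", "simple/simple").partition("/")
    length = int(tags["l"]) if "l" in tags else None
    return body_hash(body, tags["a"], body_mode or "simple", length) == tags["bh"]

# Constructed sample: domain, selector and b= are placeholders, not real values.
BODY = b"Hello,\r\nyour order has shipped.\r\n"
HEADER = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=selector1;\r\n"
          " h=from:to:subject; bh=" + body_hash(BODY, mode="relaxed") + "; b=PLACEHOLDER")
TAGS = parse_dkim_signature(HEADER)
```

Under relaxed canonicalization, whitespace changes made in transit leave the body hash intact, while any change to the text makes the comparison fail before the signature is even checked.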

Easy DKIM Signing
DKIM signing has been possible with SES for a while now, but it was fairly difficult to implement programmatically.

Today we are simplifying the process of DKIM signing with our new Easy DKIM support. You can now enable and configure DKIM signing for your sending domains from within the AWS Management Console or the Amazon SES API. After you have done this, Amazon SES will take care of DKIM-signing your email for you. If you use Route 53 to manage the DNS information for your domain, you can create the requisite CNAME records with a few mouse clicks.

Here’s how you do it through the AWS Management Console. First, you open up the console, select the Amazon SES tab, and click on Verified Senders:

Then you select the verified email address or domain for which you would like to configure Easy DKIM (you can also start by verifying a new domain) and generate the DKIM records using the button. The DKIM records will be displayed:

The next step is to update your domain’s DNS information with the displayed CNAME record. If the subject domain is hosted on Route 53, a click of the Use Route 53 button will walk you through this process:

Now you wait for Amazon SES to verify that the domain is set up to handle DKIM. This can take up to 72 hours. Once the domain has been verified, you will receive an email confirmation. At this point you can return to the Verified Senders list and enable DKIM signing.

That’s all it takes to start sending DKIM-signed email!

Now What?

You can read the Amazon SES documentation on our new Easy DKIM support, or you can sign up for Amazon SES and start sending email.


Jeff Barr


Jeff Barr is Chief Evangelist for AWS. He started this blog in 2004 and has been writing posts just about non-stop ever since.