AWS Messaging & Targeting Blog

DKIM Troubleshooting Series: Your DKIM Status is Pending

In the previous blog entry we started the process of setting up DKIM for a domain. We generated the DKIM records and succeeded in adding them to our DNS. We’re all set, right?

I have added the records to my DNS but my domain’s DKIM verification status is still Pending

After waiting for the 72 hours specified in the documentation, we haven’t received a DKIM setup confirmation email from SES and we see that our domain’s DKIM verification status still appears as Pending in the Amazon SES console. We need to confirm that the records that SES specified when setting up DKIM for our domain have been correctly added to our DNS. We can use any DNS lookup tool for this. For this example we’ll use the dig command on Linux:

$ dig TXT +short
$ dig TXT +short
$ dig TXT +short

Some DNS providers automatically append the domain name to the record names you enter (if that happens, add a trailing period to the record name to tell your DNS provider that it is already fully qualified), but that is not the case here: all three records resolve successfully. We do notice something odd about the record values, though…

When I check the records in DNS, two out of three resolve to an empty string

In the dig output above, we discover that two of the three records resolve to an empty string, “”. We wonder whether this indicates a problem with our setup. It doesn’t: this is normal behavior, and it is part of the SES key rotation process.

At any point in time, SES has one key active for our domain. When SES sets up a key rotation, it first generates the new private-public key pair and publishes the public part into DNS. SES then waits for a while, still signing with the old key, while the new key propagates across all servers. Note that, because we have added CNAME records that point to the SES-owned domain which hosts the actual keys, we don’t need to make any changes. SES updates the record that our CNAME is pointing at, and ISPs will automatically retrieve the new value from there. Once the new key has been propagated in DNS, SES starts signing with it, while keeping the old public key present in DNS, to allow ISPs to validate any delayed emails. Finally, SES removes the old key and leaves only the new active key. Again, no work is needed on our part; the CNAME records in our DNS point to SES-managed records and they will be automatically updated to the new value, “” (empty string). The “” record values tell ISPs that those keys have been revoked and no emails signed with them are to be considered DKIM-verified.
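As an added example (not part of the original post), the POSIX shell helper below applies the dig checks from this series to the three DKIM record names and classifies each result as an active key, a revoked key (the normal “” value explained above), a dangling CNAME, or a missing record. The record-name layout and the SES key host are assumptions; the token names and the key string are constructed placeholders.

```shell
#!/bin/sh
# Added example: classify SES DKIM records from `dig TXT +short` output.
# Assumptions (not from the post): names look like <token>._domainkey.<domain>
# and point at <token>.dkim.amazonses.com; the token values and the key
# string below are constructed placeholders, not real SES records.

# classify_dkim_record "<dig +short output>" -> active|revoked|dangling|missing
classify_dkim_record() {
    out="$1"
    if [ -z "$out" ]; then
        echo missing          # nothing resolved: record absent or mistyped
        return 0
    fi
    # +short prints the CNAME target first, then the TXT value it leads to;
    # the last line is what receiving mail servers actually evaluate
    last=$(printf '%s\n' "$out" | sed -n '$p')
    case "$last" in
        '""')        echo revoked ;;   # rotated-out key, a normal state
        '"'*p=*'"')  echo active ;;    # public key is published
        *.)          echo dangling ;;  # CNAME resolves but no TXT behind it
        *)           echo unknown ;;
    esac
}

# dkim_records_ok "<out1>" "<out2>" "<out3>" -> success when every record
# is active or revoked and at least one key is active
dkim_records_ok() {
    active=0
    for out in "$@"; do
        case "$(classify_dkim_record "$out")" in
            active)  active=$((active + 1)) ;;
            revoked) ;;
            *)       return 1 ;;
        esac
    done
    [ "$active" -ge 1 ]
}

# check_live name... : run dig for each record name and print its state
check_live() {
    for name in "$@"; do
        printf '%s: %s\n' "$name" "$(classify_dkim_record "$(dig TXT +short "$name")")"
    done
}

# Constructed sample outputs mirroring the three-record layout in the post
SAMPLE_ACTIVE="$(printf '%s\n%s' 'token1.dkim.amazonses.com.' '"p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC-PLACEHOLDER"')"
SAMPLE_REVOKED="$(printf '%s\n%s' 'token2.dkim.amazonses.com.' '""')"
SAMPLE_DANGLING='token3.dkim.amazonses.com.'
SAMPLE_MISSING=''

if [ "$#" -gt 0 ]; then check_live "$@"; fi
```

Pass the three `_domainkey` names from the SES console as arguments to query DNS live; with no arguments the script only defines the helpers and sample values.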

With the values correctly present in DNS, we wonder why SES is still not validating our DKIM setup.

Next steps

In the next entry of this blog series, we will see how to confirm that everything is fine with our DNS. We’ll also have a look at how intermittent networking issues can affect our DKIM setup with SES.