AWS Messaging & Targeting Blog

DKIM Troubleshooting Series: Your DKIM Status is Still Pending

In this blog series, we are following the path of an engineer trying to set up DKIM for a domain, and examining various issues that can appear along the way. So far, we have been able to add to our DNS the records that Amazon SES gave us, and we confirmed that they resolve to the correct values. But we’re still having problems…

I can now successfully resolve all the DNS records but my domain’s DKIM verification status is still Pending

SES is still refusing to validate our setup, and our domain’s DKIM verification status still appears as Pending in the SES console. Occasionally, network glitches get in the way of DNS resolution. As long as the networking issues are resolved in time, they will not impact the process of setting up DKIM with SES. But we already waited for the 72 hours specified in the documentation and still haven’t received an Amazon SES DKIM Setup Successful confirmation email. We need to dive deeper than simply querying for TXT records in DNS and we need to check the health of our DNS system.

First, let’s make sure our domain has its authoritative name servers properly set up. Here’s how we retrieve the list of name servers for our domain in Linux using the dig command. We can see the list of name servers in the ANSWER SECTION of the dig output. We can also see how each name server has a properly configured IP address in the ADDITIONAL SECTION:

$ dig NS
; <<>> DiG 9.4.2 <<>> NS
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57753
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 12

;               IN      NS

;; ANSWER SECTION:
                900     IN      NS
                900     IN      NS
                900     IN      NS
                900     IN      NS
                900     IN      NS
                900     IN      NS

;; ADDITIONAL SECTION:
                2974    IN      A
                73009   IN      AAAA    2001:502:f3ff::1
                1258    IN      A
                73009   IN      AAAA    2610:a1:1014::1
                2974    IN      A
                71368   IN      AAAA    2610:a1:1015::1
                688     IN      A
                71368   IN      AAAA    2001:502:4612::1
                2974    IN      A
                71368   IN      AAAA    2610:a1:1016::1
                2974    IN      A
                85530   IN      AAAA    2610:a1:1017::1

;; Query time: 63 msec
;; WHEN: Tue Apr 23 12:21:56 2013
;; MSG SIZE  rcvd: 468

After seeing that the name servers are properly set up for our domain, the next step is to verify that each of those servers can successfully resolve the domain keys. Here are example DNS queries directed against the name servers obtained in the previous step:

$ dig CNAME +short

$ dig CNAME +short

Common errors include record propagation issues or name server setup problems. Let’s assume that in our case, one of the name servers doesn’t respond to queries as it should:

$ dig CNAME +short
$ dig CNAME +short
$ dig CNAME +short

We fix our DNS setup and try again. Now we can see that our domain has properly configured name servers, and that each of them successfully resolves the CNAME records to the values indicated in the SES console. As indicated in the Developer Guide, we restart the DKIM verification process and now there is nothing in the way of SES verifying the setup for our domain. Indeed, a short while later, we get the confirmation email from Amazon, and we see our domain’s updated status in the SES console: DKIM is Verified! But the DNS issues we faced make us wonder…
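The two checks above (list the domain’s name servers, then ask each of them directly for every DKIM CNAME record) can be scripted so the per-server result is visible at a glance. This is an added example, not code from the post or from AWS: it assumes dig is installed, that `expected` holds the record names and CNAME targets shown in the SES console, and the `query` parameter is a hook so the comparison logic can also run against a stand-in resolver.

```python
import subprocess


def dig_query(name, rtype, server=None):
    """Resolve name/rtype with `dig +short`, optionally against one server.
    Returns the answer strings; raises RuntimeError when dig gets no reply."""
    cmd = ["dig", "+short", "+time=3", "+tries=1"]
    if server:
        cmd.append("@" + server)
    cmd += [name, rtype]
    out = subprocess.run(cmd, capture_output=True, text=True, timeout=10)
    if out.returncode != 0:
        raise RuntimeError(out.stderr.strip() or "dig exit %d" % out.returncode)
    return [line.strip() for line in out.stdout.splitlines() if line.strip()]


def check_dkim_cnames(domain, expected, query=dig_query):
    """Query every authoritative name server of `domain` for each DKIM CNAME.
    Returns {server: {record_name: status}} with status one of
    'ok', 'missing', 'wrong:<value>' or 'error:<reason>'."""
    servers = [s.rstrip(".").lower() for s in query(domain, "NS")]
    if not servers:
        raise RuntimeError("no NS records found for %s" % domain)
    report = {}
    for ns in servers:
        per_server = {}
        for name, target in expected.items():
            try:
                raw = query(name, "CNAME", server=ns)
            except Exception as exc:  # timeout, SERVFAIL, unreachable server
                per_server[name] = "error:%s" % exc
                continue
            answers = [a.rstrip(".").lower() for a in raw]  # normalise FQDNs
            if not answers:
                per_server[name] = "missing"
            elif target.rstrip(".").lower() in answers:
                per_server[name] = "ok"
            else:
                per_server[name] = "wrong:%s" % answers[0]
        report[ns] = per_server
    return report


def all_verified(report):
    """True only when every name server returns every expected record."""
    return all(s == "ok" for per in report.values() for s in per.values())
```

Any server whose status is not 'ok' for all three records is the one to fix before restarting DKIM verification in the SES console.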

My domain is now successfully set up for DKIM. But how does SES handle DNS errors caused by network glitches?

After seeing how fickle the network was in the previous step, we may be concerned about what happens when the records briefly become inaccessible.

SES repeatedly verifies that the DKIM CNAME records are still present in DNS and that the records resolve to the correct keys. SES does have a degree of tolerance to protect against network glitches, but if it repeatedly finds the records missing, it will disable DKIM signing for that domain’s emails. We will still be able to send, but our emails will no longer be signed.

The reasoning behind this is that if SES cannot resolve the DNS records, neither can ISPs. An email with a broken DKIM signature cannot be successfully associated with our domain, so ISPs may decide to send it to the Spam folder or even drop it altogether in an effort to protect themselves and their customers against address spoofing and other fraudulent behavior. See the Developer Guide for more details on how SES revokes DKIM signing and how to re-enable it.

Next steps

So far, these DKIM troubleshooting blog posts have focused on various problems we can encounter when trying to validate our DKIM setup with SES. The next entries in the series will focus on debugging issues with the DKIM signature itself and the usefulness of DKIM in general.