AWS Messaging & Targeting Blog

Easy DKIM is here! But why should I care?

Yes, folks, it’s true! Easy DKIM is live. Amazon Simple Email Service has always supported DKIM signing, but before today, you had to sign the messages yourself. This could be challenging depending on what email sending client you’re using and your ability to customize which headers are included in the signature disposition.

You may be wondering what all the fuss is about with DKIM. As with all authentication protocols (such as DomainKeys, SPF, and SenderID), DKIM is an industry-standard way of telling ISPs that your mail is authoritatively linked to your domain. In simple terms, it proves you are really sending the email. Many ISPs accept DKIM as a valid way to express that you own a domain and, further, that the email you sign is related to your domain. Prior to domain-based authentication (of which DKIM is the most widely accepted by ISPs), you could only assert or delegate ownership of an IP address.

In recent times, ISPs have become more sensitive to whether email is really coming from where it says it is, both because many spammers send from forged addresses to trick recipients into opening and clicking, and because senders have increasingly complex business networks.

By using Easy DKIM through the Amazon SES API, the AWS Management Console, or the easy Amazon Route 53 integration, you can begin using this authentication almost instantly. Some benefits of using DKIM:

  • If you have reputation built up on your domain from previous sending, you can carry that reputation over to your use of Amazon SES by signing the mail with the same domain (“d=” value) you’ve been using.
  • If you’re building up a new sending program, you can ensure that reputation data is collected now at participating ISPs.
  • If you’re sending from multiple email sources (e.g., your internal email system, Amazon SES and through a 3rd party), as long as you use the same domain in the signature, your cumulative email reputation will be collected and maintained by the ISPs so you don’t have to build up reputation at each new source separately.
  • Recipients will be further protected from spammers and phishers trying to impersonate you (or send on behalf of your domain when not authorized).
  • You will reap the benefit of domain reputation, which is good because many ISPs use this as the first line of defense, and fall back to IP reputation only when domain authentication isn’t present.
  • Even if you haven’t sent DKIM-signed mail before, you can start now. There is no downside to switching mail over to DKIM.
  • It’s super easy to set up, so why not? See our documentation for step-by-step instructions.
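The shared-reputation benefit above depends on every sending source signing with the same "d=" domain. The following is an added example, not code from this post or from Amazon SES: it reads the DKIM-Signature header of one sample message per source and reports which sources sign with the expected domain. The messages, source names, selectors and function names are all constructed for illustration.

```python
import email

# Constructed sample messages (not real mail); bh=/b= values are placeholders.
SAMPLES = {
    "internal": "DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=mail1;\n"
                " h=from:to:subject; bh=cGxhY2Vob2xkZXI=; b=cGxhY2Vob2xkZXI=\n"
                "From: news@example.com\n\nbody\n",
    "amazon_ses": "DKIM-Signature: v=1; a=rsa-sha256; d=Example.COM;\n"
                  " s=sel2; h=from:subject; bh=cGxhY2Vob2xkZXI=; b=cGxhY2Vob2xkZXI=\n"
                  "From: news@example.com\n\nbody\n",
    "third_party": "DKIM-Signature: v=1; a=rsa-sha256; d=mailer.example.net; s=k1;\n"
                   " h=from; bh=cGxhY2Vob2xkZXI=; b=cGxhY2Vob2xkZXI=\n"
                   "From: news@example.com\n\nbody\n",
    "legacy_app": "From: news@example.com\nSubject: no signature\n\nbody\n",
}

def parse_tag_list(value):
    """Parse a DKIM-Signature tag=value list (RFC 6376, section 3.2)."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")   # split on the first '=' only
        if sep:
            # Header folding leaves whitespace that is not significant here.
            tags[name.strip()] = "".join(val.split())
    return tags

def signing_domains(raw_message):
    """Return the lower-cased d= value of each DKIM-Signature header."""
    msg = email.message_from_string(raw_message)
    headers = msg.get_all("DKIM-Signature") or []
    return [parse_tag_list(h).get("d", "").lower() for h in headers]

def check_sources(samples, expected_domain):
    """Classify each source as 'ok', 'unsigned' or 'mismatch:<domains>'.
    This only inspects d=; it does not verify the signature itself."""
    report = {}
    for source, raw in samples.items():
        domains = signing_domains(raw)
        if not domains:
            report[source] = "unsigned"
        elif expected_domain.lower() in domains:
            report[source] = "ok"
        else:
            report[source] = "mismatch:" + ",".join(domains)
    return report

if __name__ == "__main__":
    for source, status in check_sources(SAMPLES, "example.com").items():
        print(f"{source:12} {status}")
```

Sources reported as `unsigned` or `mismatch` are not contributing to the reputation of the expected domain.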


We hope you find using DKIM as useful as we expect. As always, please let us know your thoughts and experiences by commenting here on the blog, the customer forum or in the Twitterverse.

For more detailed information about the adoption of DKIM in the industry, see the latest Online Trust Alliance report.