AWS Messaging & Targeting Blog
Simplify Multi-Region Email Sending with Simple Email Service’s Deterministic Easy DKIM
Introduction
Amazon Simple Email Service (SES) provides customers with a robust, scalable email solution to send large-scale, global email communications. The service offers customers many benefits, including scalability, high deliverability rates, cost effective pay-as-you go pricing, availability in over a dozen AWS regions, and tight integration with other AWS services.
We’ve heard from customers who want to synchronise domain identities across multiple AWS regions that it can be difficult to configure and maintain. These customers have shared that establishing and maintaining AWS region specific domain verifications can be confusing, time-consuming, and that it’s difficult to coordinate the many details across their users, customers and service providers.
In this post, we’ll explore the newly introduced SES feature called Deterministic Easy DKIM (aka “DEED”), which solves critical challenges in multi-region email identity management for SES customers. DEED generates consistent DKIM tokens across multiple AWS Regions based on a Parent (domain) Identity that is configured with SES Easy DKIM. DEED uses the Parent Identity’s Easy DKIM configuration to automatically provide the same DKIM signing configuration for a Replica (domain) Identity in a AWS Replica Region. With DEED, you only need to publish DNS records once for the Parent Identity. The Replica Identity will automatically use these same DNS records to verify domain ownership and manage DKIM signing. DEED streamlines multi-region email operations by simplifying DNS management and ensuring consistent DKIM signing across AWS regions, maintaining best-practice email authentication while reducing operational complexity.
Background and key challenges
SES introduced Easy DKIM over a decade ago as an innovative, streamlined solution to help customers create, verify, and manage domain identities with automated DKIM signing. Easy DKIM is simple to set-up, and works by generating pre-determined tokens that customers add to their DNS configurations. Once Easy DKIM is enabled, SES generates a public/private signing key for each domain identity and updates the verified identity’s CNAME public key. SES’ Easy DKIM simplifies email authentication by managing and rotating DKIM keys on behalf of customers.
Before DEED, customers who wanted to expand their SES email infrastructure across multiple regions faced complexity, operational challenges and a substantial administrative burden configuring and maintaining DKIM across AWS regions. This made it very difficult for customers to scale their email infrastructure efficiently, and often dissuaded customers from fully leveraging the potential of a multi-region email sending strategy. These challenges are more pronounced for Independent Software Vendors (ISVs) and email service providers using SES. Frequently these organizations don’t own or control the domains used by their end-customers, who must manually update their DNS entries each time the ISV expanded or shifted their SES sending infrastructure between AWS regions.
Solution Overview
Deterministic Easy DKIM (DEED) allows SES customers to set up email identities across multiple regions, leveraging an existing domain identity configuration in a single region without the need to make companion DNS changes in all other regions. This innovative approach eliminates the manual overhead of creating region-specific DNS entries, and provides a streamlined solution to configure and maintain global email infrastructure for organizations and ISVs alike.
The key benefits of using DEED include:
- Simplified DNS Management – Publish DNS records once for the Parent Identity and the replica identity is automatically synced.
- Easier Multi-Region Operations – Simplifies the process of expanding email sending operations to new AWS regions.
Reduced Administrative Overhead – Manage DKIM configurations centrally from the Parent Identity.
Terminology:
To understand DEED, let’s explore the key terminology that underpins this innovative approach:
- Deterministic – a process or system where the same input will always produce the same output, with no randomness or unpredictability involved. In other words, if all the starting conditions are known, the outcome can be precisely predicted or determined.
- Parent Region – The original AWS Region where the primary email identity is initially established.
- Parent Identity – A verified email identity configured with Easy DKIM that serves as the authoritative source for DKIM configuration across regions.
- Replica Region – An AWS Region where an identical email identity is replicated without additional configuration.
- Replica Identity – An identity that shares identical DNS configuration and DKIM signing configuration of a parent identity.
- DEED Identity – Any identity that is used as either a parent identity or a replica identity. (When a new identity is created, it is initially treated as a regular (non-DEED) identity. However, once a replica is created, the identity is then considered a DEED identity.)
How DEED works
DEED is built on the existing Easy DKIM framework:
- Using Easy DKIM, SES generates a public-private key pair and automatically adds a DKIM signature to every message sent from a SES verified identity in the Parent Region.
- To accommodate authenticated SES sending from multiple AWS regions, DEED automatically synchronizes the signing keys from the Parent Region and Parent Identity to the Replica Region and Replica Identity.
- This automated process ensures that both the Parent and Replica Identities receive and use identical keys for DKIM signing, maintaining consistent authentication across different AWS regions.
- SES manages the complex process of key rotation across Parent Identity and Replica Identities, further simplifying email infrastructure management across multiple AWS regions.
- Replica Identities inherit the DKIM signing configuration of the parent identity. Because of this dependency, you cannot delete a Parent Identity until all Replica Identities are deleted.
- The receiving email server/service validates DKIM from DNS.
We recommend customers take advantage of DEED for single-Region sending, as this new capability is included, at no additional cost, in the base SES pricing.
Steps to setup SES DEED Replica in a second AWS region
These steps assume that you are already using SES in the Parent Region, and have a fully verified domain identity that is configured to use Easy DKIM. You can also use the AWS CLI.
Step 1 – Update the Parent Identity
- Login to the AWS SES Console in the Parent Region
- Click on the Identities link in the SES navigation panel (far left) and click on the verified identity you want to use in other AWS regions.
- The Parent Identity must have Easy DKIM enabled.
- You cannot create Replicas of Identities that use BYODKIM or self-signed identities.
- Click on the Authorization tab
- Click Create Policy and select Create custom policy from the drop-down menu.
- Name the policy (for example, DEED-example_com)
- Modify the IAM policy (below) with your AWS account ID and AWS region, and paste it into the IAM Policy document to grant permission on the Parent Identity to allow the desired Replica Region to replicate the Parent Identity’s DKIM Signing Attributes:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowDKIMReplication",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::YOUR_ACCOUNT_ID:root"
},
"Action": "ses:ReplicateEmailIdentityDKIMSigningKey",
"Resource": "arn:aws:ses:us-east-1:123456789124:identity/example.com",
"Condition": {
"ForAllValues:StringEquals": {
"ses:ReplicaRegion": ["us-west-2", "eu-west-1"]
}
}
}
]
}
Note – Use consistent IAM policies that all allow for DKIM replication across intended Replica Regions.
Step -2 – Setup DEED Replica Identity
- Login to the AWS SES Console in the Replica Region
- Click on the Identities link in the SES navigation panel (far left) and click Create identity
- Under Identity details, Identity type, click Domain
- Type the domain name exactly as it appears in the Parent Identity
- Under Verifying your domain, click Deterministic Easy DKIM
- Select the Parent Region in the Parent region drop-down
- Ensure DKIM Signature is Enabled
- Click Create identity
- The Replica Identity in the Replica Region will now automatically synchronize DKIM with the Parent Identity in the Parent Region and your apps/services can be configured to use either Parent or Replica Region & Identity to send DKIM authenticated email.
- Repeat the process if you want to create additional Replica Regions.
You can verify that the replica identity was configured correctly with the parent identity’s DKIM signing configuration by using the get-email-identity
command and specifying the Replica’s domain name and region:
`aws sesv2 get-email-identity --email-identity [example.com](http://example.com/) —region us-west-2`
The response will include the value of the Parent Region in the DomainSigningAttributesOrigin
parameter, signifying that the Replica Identity has been successfully configured with the Parent Identity’s DKIM signing configuration:
{
"DkimAttributes": {
"SigningAttributesOrigin": "AWS_SES_US_EAST_1"
}
}
Conclusion
Deterministic Easy DKIM (DEED) represents a significant leap forward in multi-region email management for Amazon SES users. By eliminating the need for manually configured region-specific DNS configurations, DEED streamlines the process of expanding email operations across multiple AWS regions. This innovation not only reduces administrative overhead but also opens up new possibilities for organizations and ISVs to implement robust, globally distributed email infrastructures. With DEED, businesses can now leverage the full potential of Amazon SES across regions, ensuring consistent authentication, improved disaster recovery, and optimal performance without the previous complexities of multi-region setup.
Call to Action
Are you ready to simplify your multi-region email strategy with Amazon SES and DEED? Take the next step in optimizing your email infrastructure:
- Explore the DEED feature in your Amazon SES console today.
- Set up a test environment to experience the seamless multi-region configuration firsthand.
- For more detailed information, check out our comprehensive documentation on implementing DEED.
- Have questions or need assistance? Reach out to our AWS support team or join the AWS community forums to connect with other users.
Don’t let regional boundaries limit your email capabilities. Embrace the power of Deterministic Easy DKIM and transform your global email strategy with Amazon SES. Start your DEED journey today and unlock new levels of efficiency and scalability in your email operations.