How do I turn on DKIM for Amazon SES?


I want to turn on DomainKeys Identified Mail (DKIM) for the messages that I use Amazon Simple Email Service (Amazon SES) to send.

Resolution

Important: You can set DKIM authentication only at the domain level. When you send email from an address that uses a DKIM-verified domain, Amazon SES authenticates the email with the inherited DKIM properties from the domain. You can override these properties and send email without DKIM authentication. You can also turn on the properties later. Before you turn on DKIM, you must complete the verification process for an Amazon SES domain identity.

To sign your Amazon SES email with a 1024-bit or 2048-bit DKIM key, use one of the following methods:

  • Set up Amazon SES Easy DKIM
  • Use your own DKIM authentication
  • Manually add a DKIM signature

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.

Set up Easy DKIM

When you configure Easy DKIM for a domain identity, Amazon SES adds a 2048-bit DKIM key to every email that you send from that identity. To configure Easy DKIM, use the Amazon SES console or the API. For instructions, see Setting up Easy DKIM for a verified domain identity.

After Amazon SES verifies your DNS records, the DKIM Verification status in the Amazon SES console changes to verified.

To troubleshoot a failed verification status, see Why is my DKIM domain failing to verify on Amazon SES?

Use your own DKIM authentication

For email that you send from an Amazon SES verified domain, you can bring your own DomainKeys Identified Mail (BYODKIM). To configure BYODKIM, first install and configure the AWS CLI. Then, use Amazon SES API v2 to configure an Amazon SES verified domain with BYODKIM.

After you complete the steps to set up BYODKIM, it can take up to 72 hours for the DKIM status to change to SUCCESS.

If the DKIM status is FAILED, then review your public-private key pair and the TXT record. Check for the following issues:

  • There are errors in the updated key.
  • There are line breaks in the key.
  • The domain is listed twice.
  • The key is less than 1024-bit RSA encrypted or more than 2048-bit.
    Note: The key must be at least 1024-bit RSA encrypted and no more than 2048-bit. You must also encode the key with base64 (PEM).

After you troubleshoot, try to configure BYODKIM again.
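
The key checks in the list above can be run locally before you retry. The following Python sketch is an added example, not AWS code: it takes the base64 string published after `p=` in the BYODKIM TXT record and reports line breaks, decoding errors, and an RSA modulus outside the 1024 to 2048 bit range. The function names are hypothetical, and the sample keys are constructed placeholders rather than real keys.

```python
import base64

RSA_OID = bytes.fromhex("06092a864886f70d010101")  # DER OID rsaEncryption

def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (value, next_pos)."""
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return buf[pos:pos + length], pos + length

def check_byodkim_public_key(p_value):
    """Return the problems found in the p= value of a BYODKIM TXT record."""
    problems = []
    if p_value != "".join(p_value.split()):
        problems.append("line breaks or whitespace in the key")
        p_value = "".join(p_value.split())
    try:
        der = base64.b64decode(p_value, validate=True)
        spki, _ = _tlv(der, 0)         # SubjectPublicKeyInfo SEQUENCE
        alg, nxt = _tlv(spki, 0)       # AlgorithmIdentifier
        if not alg.startswith(RSA_OID):
            return problems + ["not an RSA public key"]
        bitstr, _ = _tlv(spki, nxt)    # BIT STRING wrapping RSAPublicKey
        rsa_key, _ = _tlv(bitstr, 1)   # skip the unused-bits byte
        modulus, _ = _tlv(rsa_key, 0)  # first INTEGER is the modulus
    except (ValueError, IndexError):   # binascii.Error is a ValueError
        return problems + ["key is not valid base64-encoded DER"]
    bits = int.from_bytes(modulus, "big").bit_length()
    if not 1024 <= bits <= 2048:
        problems.append(f"{bits}-bit key is outside the 1024 to 2048 bit range")
    return problems

def _der(tag, body):
    """Encode one DER TLV; used only to build the constructed samples."""
    size = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    head = bytes([len(body)]) if len(body) < 0x80 else bytes([0x80 | len(size)]) + size
    return bytes([tag]) + head + body

def sample_p_value(bits):
    """Constructed SPKI with a placeholder modulus of `bits` bits; not a real key."""
    modulus = b"\x00" + ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")
    rsa_key = _der(0x30, _der(0x02, modulus) + _der(0x02, b"\x01\x00\x01"))
    spki = _der(0x30, _der(0x30, RSA_OID + b"\x05\x00") + _der(0x03, b"\x00" + rsa_key))
    return base64.b64encode(spki).decode()
```

An empty list from `check_byodkim_public_key` means that none of these key problems were found; it does not check the record name or the private key.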

Manually add a DKIM signature

You can manually add DKIM signatures to your messages, and use Amazon SES to send the messages. For more information, see Manual DKIM signing in Amazon SES.

Note: When you sign your messages, it's a best practice to use a bit length of at least 1024.

AWS OFFICIAL Updated 5 months ago