Why is my DKIM domain failing to verify on Amazon SES?

Last updated: 2020-04-27

My DomainKeys Identified Mail (DKIM) domain is failing to verify on Amazon Simple Email Service (Amazon SES). My DNS records for Easy DKIM were created successfully, but my DKIM status is pending or failed after 72 hours. How can I fix this?

Resolution

When you set up Easy DKIM for a domain on Amazon SES, your generated CNAME records must be added to your domain's DNS records and be publicly accessible.

To verify that each CNAME is publicly accessible and shows the correct record value, run a DNS test on each of the CNAME records generated by Amazon SES. On a Linux operating system, run the dig command, similar to the following:

dig CNAME +short hirjd4exampled5477y22yd23ettobiho._domainkey.example.com

On a Windows operating system, run the nslookup command, similar to the following:

nslookup -q=CNAME hirjd4exampled5477y22yd23ettobiho._domainkey.example.com

If the CNAME is configured correctly on your domain's DNS records, then the command output returns the record value, which ends in .dkim.amazonses.com:

hirjd4exampled5477y22yd23ettobiho.dkim.amazonses.com

If the command output is empty, then verify the following:

1.    Check the DNS settings for your domain.

2.    Confirm that the CNAME record names and values match the DKIM names and values generated by Amazon SES.

3.    Confirm that all the CNAME record names are entered correctly on your domain's DNS settings.

4.    When you check the record names, be sure to confirm that the domain isn't duplicated. Some DNS providers automatically append the domain to the record name. For example, if you enter hirjd4exampled5477y22yd23ettobiho._domainkey.example.com, some DNS providers might append example.com to the record name, which changes the record name to hirjd4exampled5477y22yd23ettobiho._domainkey.example.com.example.com. This causes your DKIM verification to fail.

If you don't see results when you use dig or nslookup against hirjd4exampled5477y22yd23ettobiho._domainkey.example.com, then run the check against hirjd4exampled5477y22yd23ettobiho._domainkey.example.com.example.com where the domain name is provided twice.

If you get a result when you run a check against hirjd4exampled5477y22yd23ettobiho._domainkey.example.com.example.com, then you must correct the record name with your DNS registrar. Contact your DNS provider for the specific requirements for entering the record name:

  • As one example, you might correct your record name by re-entering it with a period at the end:
    hirjd4exampled5477y22yd23ettobiho._domainkey.example.com.
  • As another example, you might correct your record name by re-entering it without the domain name:
    hirjd4exampled5477y22yd23ettobiho._domainkey
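
The checks above combined into one script, as an added example that is not part of the original article or AWS tooling: for each DKIM token it looks up the expected record name, compares the value, and falls back to the name with the domain appended twice. The function names (lookup_cname, normalize, dkim_check) and the four status words are assumptions chosen for this example.

```sh
#!/bin/sh
# Added example (not AWS code): classify each Easy DKIM CNAME record.
# The domain and tokens passed in are the ones Amazon SES generated for you.

# Resolve a CNAME with dig. Kept separate so it can be swapped out offline.
lookup_cname() {
  dig CNAME +short "$1"
}

# Normalize an answer: first line only, lowercase, no trailing dot
# (dig prints fully qualified names with a trailing dot).
normalize() {
  head -n 1 | tr '[:upper:]' '[:lower:]' | sed 's/\.$//'
}

# dkim_check TOKEN DOMAIN
# Prints one status word: ok | mismatch | duplicated | missing
dkim_check() (
  token=$1 domain=$2
  name="${token}._domainkey.${domain}"
  expected=$(echo "${token}.dkim.amazonses.com" | normalize)
  answer=$(lookup_cname "$name" | normalize)
  if [ "$answer" = "$expected" ]; then
    echo ok
  elif [ -n "$answer" ]; then
    echo mismatch      # record exists but its value is not the SES value
  elif [ -n "$(lookup_cname "${name}.${domain}")" ]; then
    echo duplicated    # DNS provider appended the domain a second time
  else
    echo missing       # nothing published under either name
  fi
)

# Usage: sh dkim_check.sh example.com TOKEN1 TOKEN2 TOKEN3
if [ "$#" -ge 2 ]; then
  domain=$1; shift
  rc=0
  for token in "$@"; do
    status=$(dkim_check "$token" "$domain")
    printf '%s._domainkey.%s: %s\n' "$token" "$domain" "$status"
    [ "$status" = ok ] || rc=1
  done
  exit "$rc"
fi
```

A status of duplicated means the record name must be re-entered as described above; mismatch means the record value doesn't match the value that Amazon SES generated.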

Note: Some DNS registrars don't support underscores (_) in the record name. If your DNS registrar doesn't support underscores, you must contact your registrar's support for assistance, because DKIM records with underscores are required.

After you verify that your CNAME records are correct, you can retry verification using the Amazon SES console.

Note: Amazon SES usually detects changes to your DNS configuration within 72 hours of the change.

