What can I do if my domain is stuck in the "pending verification" status or in the "failed" verification status in Amazon SES?

Last updated: 2020-07-10

I added a TXT record to my domain's DNS server that matches the specified name and value of the domain that I want to verify on Amazon Simple Email Service (Amazon SES). However, the Amazon SES verification status is still in "pending verification," or is in the "failed" verification status. How can I fix this?

Short description

Amazon SES domain verification might be stuck in "pending verification" or in the "failed" verification status for one or more of the following reasons:

  • The TXT record contains additional characters or is missing characters.
  • Your DNS provider automatically adds the apex domain to the end of DNS records.
  • The TXT record hasn't been added to the delegated name servers.

After you confirm that your records don't have any of these issues, then you can retry the domain verification on Amazon SES.

Resolution

Check if the TXT record contains additional characters or is missing characters

Test your TXT record using a DNS tool such as dig or nslookup. On macOS or a Linux operating system, run the dig command:

Note: Replace _amazonses.example.com with your TXT record name in Amazon SES. 

$ dig TXT _amazonses.example.com +short

On the Windows operating system, run the nslookup command:

Note: Replace _amazonses.example.com with your TXT record name in Amazon SES.

C:\>nslookup -type=TXT _amazonses.example.com

Review the output of the dig or nslookup command. For example, the following output shows additional characters (spaces): 

$ dig TXT _amazonses.example.com +short
" 9kFNbWDLzxvzYgPg1lUSTkUudKR1dDtzzCPuWmYhZro= "

As another example, the following output shows a TXT record that's missing the "=" character: 

C:\>nslookup -type=TXT _amazonses.example.com
Server: dns.example.com
Address:  192.168.1.1

Non-authoritative answer:
_amazonses.example.com   text = "9kFNbWDLzxvzYgPg1lUSTkUudKR1dDtzzCPuWmYhZro"

When you create your TXT record, it's a best practice to copy the values directly from the Amazon SES console. Be sure to include the exact values provided. Don't exclude any necessary characters (for example, "="), and don't include any additional characters, such as spaces.

Check if your DNS provider automatically adds the apex domain to the end of DNS records

Some DNS providers automatically append the apex domain to the end of a DNS record. For example, if you enter _amazonses.example.com, then some DNS providers might append .example.com to the record name, which changes the record name to _amazonses.example.com.example.com.

To check if the apex domain is duplicated in the DNS record, run a DNS tool such as dig or nslookup on your TXT record with the apex domain duplicated. On macOS or a Linux operating system, run the dig command:

$ dig TXT _amazonses.example.com.example.com +short
"9kFNbWDLzxvzYgPg1lUSTkUudKR1dDtzzCPuWmYhZro="

On the Windows operating system, run the nslookup command:  

C:\>nslookup -type=TXT _amazonses.example.com.example.com
Server: dns.example.com
Address:  192.168.1.1

Non-authoritative answer:
_amazonses.example.com.example.com   text = "9kFNbWDLzxvzYgPg1lUSTkUudKR1dDtzzCPuWmYhZro="

If the command returns the value of the TXT record that you created, then your DNS provider added the apex domain to the end of the name field of your DNS records. To resolve this, edit the TXT record and remove the apex domain from the text that you entered for the name field. For example, replace _amazonses.example.com with only _amazonses.

Check if the TXT record hasn't been added to the delegated name servers

Use a DNS tool such as dig or nslookup to get the delegated name servers of the domain that you're trying to verify on Amazon SES. On macOS or a Linux operating system, run the dig command:

Note: Replace example.com with the domain that you're trying to verify on Amazon SES.

$ dig -t NS example.com
;; ANSWER SECTION:
example.com.   172800  IN    NS    ns1.example.com.
example.com.   172800  IN    NS    ns2.example.com.
example.com.   172800  IN    NS    ns3.example.com.

On the Windows operating system, run the nslookup command:

Note: Replace example.com with the domain that you're trying to verify on Amazon SES. 

C:\>nslookup -type=NS example.com
Non-authoritative answer:
example.com     nameserver = ns3.example.com
example.com     nameserver = ns4.example.com
example.com     nameserver = ns1.example.com
example.com     nameserver = ns2.example.com

Then, go to the DNS service where you created your TXT record to get the name servers. For example, if you created your TXT record in Amazon Route 53, then open the Route 53 console. When you view your TXT records in the Route 53 console, the name servers appear in the Value column.

If the delegated name servers of the domain that you want to verify don't match the name servers that have the TXT record, then do one of the following:

  • Add the TXT record in the delegated name servers.
  • Configure the name servers that have the TXT record as the new delegated name servers in your DNS registrar.
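
The three checks above can be scripted. The following is an added example, not AWS code: it classifies a dig TXT answer against the value from the Amazon SES console, builds the apex-duplicated name to query, and compares two name server lists. The function names and the script name ses_txt_check.sh are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not AWS code). Classifies lookup results for the three
# causes listed in this article. Function names are hypothetical.

# Compare one `dig +short` TXT answer with the value from the SES console.
check_txt() {   # usage: check_txt EXPECTED ANSWER
    expected=$1
    answer=${2#\"}; answer=${answer%\"}      # dig +short quotes TXT strings
    if [ -z "$answer" ]; then echo no-record
    elif [ "$answer" = "$expected" ]; then echo ok
    else
        case $answer in
            *"$expected"*) echo extra-characters; return 0 ;;
        esac
        case $expected in
            *"$answer"*) echo missing-characters ;;
            *) echo mismatch ;;
        esac
    fi
}

# Name to query when the provider may have appended the apex domain.
doubled_name() {   # usage: doubled_name RECORD_NAME APEX
    echo "${1%.}.${2%.}"
}

# Normalize a name server list: lowercase, no trailing dot, sorted, unique.
norm_ns() {
    printf '%s\n' $1 | tr 'A-Z' 'a-z' | sed 's/\.$//' | sort -u
}

# Do the delegated name servers equal the ones that host the TXT record?
ns_match() {   # usage: ns_match "DELEGATED LIST" "HOSTING LIST"
    if [ "$(norm_ns "$1")" = "$(norm_ns "$2")" ]; then echo match
    else echo mismatch; fi
}

# Live run (needs dig and network): sh ses_txt_check.sh NAME APEX TOKEN
if [ $# -eq 3 ]; then
    echo "record:  $(check_txt "$3" "$(dig TXT "$1" +short | head -n 1)")"
    echo "doubled: $(check_txt "$3" "$(dig TXT "$(doubled_name "$1" "$2")" +short | head -n 1)")"
    echo "delegated name servers:"; dig NS "$2" +short
fi
```

An "ok" result on the "doubled" line means the provider appended the apex domain to the record name.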

Retry the domain verification on Amazon SES

After you correct any issues on your records, you can retry the domain verification on Amazon SES.

Follow these steps to retry domain verification when the status is "pending verification":

  1. Open the Amazon SES console.
  2. From the AWS Region selector in the navigation bar, select the Region that your domain is in.
  3. From the list of Domain identities, select the domain that's stuck in "pending verification." Then, choose Remove.
  4. In the Remove Identities dialog box, choose Yes, Delete Identity.
  5. Choose Verify a New Domain. Then, re-enter the domain that's stuck in "pending verification."
  6. Choose Verify This Domain.
  7. Wait for the domain's Verification Status to change to "verified."

Follow these steps to retry domain verification when the status is "failed":

  1. Open the Amazon SES console.
  2. From the AWS Region selector in the navigation bar, select the Region that your domain is in.
  3. From the list of domains, select the domain that has the "failed" verification status.
  4. Choose retry.
  5. Wait for the domain's Verification Status to change to "verified."
