How do I enable DKIM for Amazon SES?

Last updated: 2020-04-28

I want to enable DomainKeys Identified Mail (DKIM) for the messages that I send using Amazon Simple Email Service (Amazon SES). How can I do that?

Short Description

DKIM is a method that allows receiving mail servers to validate the authenticity of the received email. Using DKIM, senders digitally sign email using a private key, and the receiving mail servers validate email by matching the digital signature with the public key that's published in the sender domain's DNS records.

Important: Before you enable DKIM, you must complete the verification process for an Amazon SES identity.

Resolution

Use Amazon SES Easy DKIM, or Bring Your Own DKIM (BYODKIM) to sign your Amazon SES email with a 1024-bit DKIM key.

Set up Easy DKIM

Easy DKIM allows you to configure DKIM authentication for email sent using a certain Amazon SES verified identity (domain or email address). For instructions, see Setting Up Easy DKIM for a Domain or Setting Up Easy DKIM for an Email Address.

After Amazon SES verifies your DNS records, the DKIM Verification Status shown in the Amazon SES console changes to verified. To troubleshoot a failed verification status, see Why is my DKIM domain failing to verify on Amazon SES?

Provide your own public-private key pair (BYODKIM)

You can use your own DKIM authentication token for email sent using an Amazon SES verified domain. To configure BYODKIM, you must first install and configure the AWS Command Line Interface (AWS CLI). Then, using Amazon SES API v2, you can proceed with the steps to configure an Amazon SES verified domain with BYODKIM.

After you complete the steps to set up BYODKIM, it can take up to 72 hours for the DKIM status to change to SUCCESS.

If the DKIM status is FAILED, then review your public-private key pair and the TXT record and check for the following:

  • Look for any errors in the updated key.
  • Confirm that there aren't any line breaks in the key.
  • Confirm that your domain isn't listed twice.
  • Confirm that the key is 1024 bits.
    Note: If you need a key that's larger than 1024 bits, then consider setting up manual DKIM signing in Amazon SES.

After you correct any errors or confirm that there are no errors, you can retry the BYODKIM configuration process.

Manually add a DKIM signature

You can also manually add DKIM signatures to your messages, and then use Amazon SES to send the messages. For more information, see Manual DKIM Signing in Amazon SES.

Note: When you sign your messages, it's a best practice to use a bit length of at least 1024 bits.


Did this article help you?

Anything we could improve?


Need more help?