When you use the AWS Management Console to verify a new domain, you can also set up Easy DKIM at the same time.
These instructions are for new domains only. If you want to set up Easy DKIM for an email address or domain that you have already verified, see Setting Up Easy DKIM for an Existing Verified Identity (p. 90).
Important
Easy DKIM only works with fully qualified domain names (FQDNs). If you wanted to set up Easy DKIM for both example.com and newyork.example.com, you would need to set up Easy DKIM for each of these FQDNs separately.
To set up Easy DKIM for a new domain
1. Sign in to the AWS Management Console and open the Amazon SES console at https://console.aws.amazon.com/ses.
2. In the navigation pane, under Verified Senders, click Domains.
3. Click Verify a New Domain.
4. In the Verify a New Domain dialog box, enter your domain name, select the Generate DKIM settings check box, and then click Verify This Domain.
Amazon Simple Email Service Developer Guide Easy DKIM
In the resulting dialog box, you will see all of the DNS records that you need for setting up domain verification and Easy DKIM. This information will also be available by clicking the Details Page icon (the icon with the magnifying glass, not the expansion icon) to the left of the domain name after you close the dialog box.
5. To complete domain verification, you must update your domain's DNS settings with the TXT record information from the Domain Verification Record Set in the Verify a New Domain dialog box. Note that some domain name providers use the term Host instead of Name. If your DNS provider does not allow underscores in TXT record names, you can omit the underscore before amazonses in the TXT record name for domain verification. (You cannot, however, omit the underscore in the DKIM records, as described in the next step.)
Highlight and copy individual records, or select Download Record Set as CSV to download all of the records.
Important
DNS providers may append the domain name to the end of DNS records. Adding a record that already contains the domain name (such as _amazonses.example.com) may result in the duplication of the domain name (such as _amazonses.example.com.example.com). To avoid duplication of the domain name, add a period to the end of the domain name in the DNS record. This will indicate to your DNS provider that the record name is fully qualified (that is, no longer relative to the domain name), and prevent the DNS provider from appending an additional domain name.
6. To set up DKIM, you must update your domain's DNS settings with the CNAME record information from the dialog box. Unlike for domain verification, you cannot omit the underscore from _domainkey in this case because the underscore is required by RFC 4871.
Highlight and copy individual CNAME records, or select Download Record Set as CSV to download all of the records.
a. If Amazon Route 53 provides the DNS service for the domain you are verifying, and you are logged in to the Amazon SES console with the same email address and password you use for Amazon Route 53, then you will have the option of immediately updating your DNS settings for both domain verification and DKIM from within the Amazon SES console.
b. If you are not using Amazon Route 53, you will need to update your DNS settings according to the procedure established by your DNS service provider. (Ask your system administrator if you are not sure who provides your DNS service.) Amazon Web Services will eventually detect that you have updated your DNS records; this detection process may take up to 72 hours.
When verification is complete, the domain's Status in the Amazon SES console will change from pending verification to verified, and you will receive an Amazon SES Domain Verification SUCCESS confirmation email from Amazon Web Services. (AWS emails are sent to the email address you used when you signed up for Amazon SES.)
When Amazon SES has successfully detected the changes to your DNS records, the DKIM Verification Status for that domain in the Amazon SES console will change from in progress to success, and you will receive an Amazon SES DKIM Setup Successful confirmation email from Amazon Web Services.
7. To sign your messages using a DKIM signature, you must enable Easy DKIM for the appropriate verified sending identity. To enable Easy DKIM for a verified sender, click the Details page icon (the icon with the magnifying glass, not the expansion icon) to the left of an email address or domain in the Verified Senders list. On the Details page for the email address or domain, expand DKIM, and then click enable to enable DKIM.
8. You can now use Amazon SES to send email that is signed using a DKIM signature from any enabled address in the verified domain. To send a test email, check the box next to the verified domain, and then click Send a Test Email.
Important
How you update the DNS settings depends on who provides your DNS service. DNS service may be provided by a domain name registrar such as GoDaddy or Network Solutions, or by a separate service such as Amazon Route 53.
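The record-name rules from steps 5 and 6 can be checked before the records are handed to a DNS provider. The following is an added example, not code from the Amazon SES documentation: it models a provider that appends the domain to any name entered without a trailing period, then checks the published name for a duplicated domain and for the underscore rules. The function names, the token1 label, and the assumption that a DKIM record name is one token label followed by _domainkey are illustrative.

```python
# Added example: lint the DNS names published for SES verification and Easy DKIM.
# The zone-appending model and "token1" are assumptions/constructed values.

def normalize(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.strip().lower().rstrip(".")

def published_name(entered, domain):
    """Name that ends up in DNS when a provider appends the zone to relative names."""
    if entered.strip().endswith("."):       # trailing period: already fully qualified
        return normalize(entered)
    return normalize(entered) + "." + normalize(domain)

def check_record(rtype, name, domain):
    """Return a list of problems with a published TXT or CNAME record name."""
    domain, fqdn, problems = normalize(domain), normalize(name), []
    suffix = "." + domain
    if fqdn.endswith(suffix + suffix):      # e.g. _amazonses.example.com.example.com
        problems.append("domain name duplicated")
        fqdn = fqdn[: -len(suffix)]
    if not fqdn.endswith(suffix):
        return problems + ["name is not under " + domain]
    labels = fqdn[: -len(suffix)].split(".")
    if rtype == "TXT":
        # The underscore before amazonses may be omitted for domain verification.
        if labels not in (["_amazonses"], ["amazonses"]):
            problems.append("unexpected domain verification name")
    elif rtype == "CNAME":
        # The underscore in _domainkey is mandatory for the DKIM records.
        if labels[-1] == "domainkey":
            problems.append("underscore missing from _domainkey")
        elif len(labels) != 2 or labels[1] != "_domainkey":
            problems.append("unexpected DKIM record name")
    return problems

if __name__ == "__main__":
    zone = "example.com"
    entered = [                              # constructed sample entries
        ("TXT", "_amazonses.example.com"),   # relative entry: zone gets appended
        ("TXT", "_amazonses.example.com."),  # trailing period: kept as is
        ("CNAME", "token1.domainkey"),       # underscore dropped by mistake
        ("CNAME", "token1._domainkey"),
    ]
    for rtype, name in entered:
        fqdn = published_name(name, zone)
        print(rtype, fqdn, check_record(rtype, fqdn, zone) or "ok")
```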
What if Easy DKIM fails?
If your DNS settings are not correctly updated, you will first receive an Amazon SES DKIM FAILURE email from Amazon Web Services, and you will see a status of failed in the Domains area when you click on the DKIM tab.
Note
If this happens, Amazon SES will still send your email, but it will not be signed using a DKIM signature.