Amazon SES requires that you verify your email address or domain, to confirm that you own it and to prevent others from using it. When you verify an entire domain, you are verifying all email addresses from that domain, so you don't need to verify email addresses from that domain individually. This section discusses verifying entire domains. For example, if you verify the domain example.com, you can send email from [email protected], [email protected], [email protected], or any other user at example.com. Domain names are case-insensitive. If you verify example.com, you can send from EXAMPLE.com also.
Amazon SES has endpoints in multiple AWS regions, and domain verification applies to each AWS region separately. You must perform the entire domain verification procedure for each region in which you want to send from a given domain. For information about using Amazon SES in multiple AWS regions, see Regions and Amazon SES (p. 125).
Important
Any functionality (such as feedback notifications and Easy DKIM) that you set up for a domain will apply to all email addresses in that domain except for email addresses that you individually verified. Individually verified email addresses use separate settings.
For individual email address verification, see Verifying Email Addresses in Amazon SES (p. 38).
Important
Amazon SES only verifies fully qualified domain names (FQDNs). Even if you verify a domain, you have to verify subdomains of that domain. For example, if you want to send email from both example.com and newyork.example.com, you need to verify each of these FQDNs separately.
To verify a domain
1. Sign in to the AWS Management Console and open the Amazon SES console at https://console.aws.amazon.com/ses.
2. In the navigation pane, under Verified Senders, click Domains.
3. Click Verify a New Domain.
4. In the Verify a New Domain dialog box, enter the domain name, and then click Verify This Domain.
Amazon Simple Email Service Developer Guide Verifying Domains
Note
If you want to set up DKIM signing for this domain, select the Generate DKIM Settings option. For more information about DKIM signing, see Authenticating Email with DKIM in Amazon SES (p. 86).
5. In the Verify a New Domain dialog box, you will see a Domain Verification Record Set containing a Name, a Type, and a Value. (This information will also be available by clicking the Details Page icon (the icon with the magnifying glass, not the expansion icon) to the left of the domain name after you close the dialog box.)
6. To complete domain verification, you must add a TXT record with the displayed Name and Value to your domain's DNS settings. Note that some domain name providers use the term Host instead of Name. If your DNS provider does not allow underscores in TXT record names, you can omit the underscore before amazonses in the TXT record name.
How you update the DNS settings depends on who provides your DNS service. DNS service may be provided by a domain name registrar such as GoDaddy or Network Solutions, or by a separate service such as Amazon Route 53.
Important
DNS providers may append the domain name to the end of DNS records. Adding a record that already contains the domain name (such as _amazonses.example.com) may result in the duplication of the domain name (such as _amazonses.example.com.example.com). To avoid duplication of the domain name, add a period to the end of the domain name in the
Amazon Simple Email Service Developer Guide Verifying Domains
DNS record. This will indicate to your DNS provider that the record name is fully qualified (that is, no longer relative to the domain name), and prevent the DNS provider from appending an additional domain name.
If Amazon Route 53 provides the DNS service for the domain you are verifying, and you are logged in to Amazon SES with the same email address and password you use for Amazon Route 53, then Amazon SES will give you the option of updating your DNS settings immediately from within the Amazon SES Console.
Otherwise, update your DNS settings according to the procedure established by your DNS service provider. Ask your system administrator if you are not sure who provides your DNS service.
7. If you are not using Route 53, Amazon Web Services needs to verify that a TXT record with the specified Name and Value have been added to your DNS settings. This may take up to 72 hours.
When verification is complete, the domain's status in the Amazon SES console will change from
"pending verification" to "verified", and you will receive an Amazon SES Domain Verification SUCCESS confirmation email from Amazon Web Services. (Amazon Web Services emails are sent to the email address you used when you signed up for Amazon SES.)
8. You can now use Amazon SES to send email from any address in the verified domain. To send a test email, check the box next to the verified domain, then click Send a Test Email.
What if domain verification fails?
If the DNS settings are not correctly updated, you will receive an Amazon SES Domain Verification FAILURE email from Amazon Web Services, and the domain will display a status of "failed" in the Domains tab.
If this happens, please click the "retry" link next to the "failed" status notification. This will reinitiate the domain verification process. Add the new TXT record information to your DNS settings, and check with your DNS service provider to ensure that you have entered the TXT record information correctly.
To view your verified domains
1. Sign in to the AWS Management Console and open the Amazon SES console at https://console.aws.amazon.com/ses.
2. In the navigation pane, under Verified Senders, click Domains.
3. In the list of verified domains, you can expand one or more domains to view the details.
To remove a verified domain
1. Sign in to the AWS Management Console and open the Amazon SES console at https://console.aws.amazon.com/ses.
2. In the navigation pane, under Verified Senders, click Domains.
3. Check the box beside each domain that you want to remove, and then click Remove.
4. You will no longer be able to send email from the removed domain.
Domain revocation
Amazon Web Services periodically reviews domain verification status, and revokes verification in cases where it is no longer valid. If Amazon Web Services is unable to detect the TXT record information required to confirm ownership of a domain, you will receive an Amazon SES Domain Verification REVOCATION WARNING email from Amazon Web Services.
If you restore the TXT record information to your DNS settings within 72 hours, you will receive an Amazon SES Domain Verification REVOCATION CANCELLATION email from Amazon Web Services.
Amazon Simple Email Service Developer Guide Verifying Domains
If you do not restore the TXT record information to your DNS settings within 72 hours, you will receive an Amazon SES Domain Verification REVOCATION email from Amazon Web Services, the domain will be removed from the list of Verified Senders on the Domains tab, and you will no longer be able to send from the domain.
To reverify a domain for which verification has been revoked, you must restart the verification procedure from the beginning, just as if the revoked domain were an entirely new domain.
Using the Amazon SES API
You can also manage verified domains with the Amazon SES API. The following actions are available:
• ListIdentities
• VerifyDomainIdentity
• DeleteIdentity
• GetIdentityVerificationAttributes
You can use these API actions to write a customized front-end application for domain verification. For a complete description of API actions related to domain verification, go to the Amazon Simple Email Service API Reference.