Amazon SES domain verification TXT DNS record


I currently am trying to get my domain verified on Amazon's SES and running into a problem that Google searches are not helping me get any closer to solving.

According to SES, I have to create a TXT record in my DNS for the domain I'm trying to verify. Amazon gives you the following (value changed for security purposes);

 TYPE: TXT
 NAME: _amazonses.somedomain.com
VALUE: M2sXTycXkgZXXuMuWI8TczngaPIDDMToPefzGhZ3uYA=

I have tried numerous entries in my registrar's DNS manager, but SES still fails to find what it's looking for. I am not a DNS guru, so, I have tried to construct the TXT record from very sparse examples, at best, to try to get this right.

My present TXT record is this;

"v=DKIM1 s=_domainkey d=_amazonses.somedomain.com p=M2sXTycXkgZXXuMuWI8TczngaPIDDMToPefzGhZ3uYA="

Is this how you would make the TXT record properly? Am I doing something incorrect?

Thanks

Best Answer

Your present TXT record looks strikingly similar to those of the DKIM Core specification, which is a simplified subset of DKIM. I'm not quite sure how you could reach that result by following the instructions within Authenticating Email with DKIM, thus might misunderstand what you are trying to achieve, but here's how these records would look by simply following the steps documented within Setting Up Easy DKIM for a New Domain, i.e. that's what the Amazon SES automation backend configured for our respective Amazon Route 53 managed domain, and what you'll need to replicate yourself with an external registrar accordingly:

  • Domain Verification Record Set - Has nothing to do with DKIM actually, rather is the method for Verifying Domains, i.e. confirm that you own it and to prevent others from using it and enabling anyone with an email address at this domain to send via SES.

    TYPE: TXT
    NAME: _amazonses.example.com
    VALUE: "M2sXTycXkgZXXuMuWI8TczngaPIDDMToPefzGhZ3uYA="

    NOTE: the quotes are significant for TXT records, please check my answer to How to properly set up DNS SPF records? for details regarding this common pitfall.

  • DKIM Record Set - These are the actual DKIM related records, i.e. those which allow SES to handle DKIM signing automatically on your behalf.

    TYPE: CNAME
    NAME: TycXkgZXXuMuWI8TczngaPIDDMToPefzGhZ3u._domainkey.example.com.
    VALUE: TycXkgZXXuMuWI8TczngaPIDDMToPefzGhZ3u.dkim.amazonses.com

    [2 more CNAME records like this one ...]

    NOTE: I just partially copied the hash above, these will all be different when generated by SES.

Finally, to sign your messages using a DKIM signature, you must enable Easy DKIM for the appropriate verified sending identity, see step 8 within Setting Up Easy DKIM for a New Domain for details.
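
The difference between the record in the question and the one in the answer can be checked offline before waiting on SES. The following is an added example, not part of the original question or answer: the function names are hypothetical, it works on zone-file text rather than live DNS, and it assumes multiple TXT character-strings are concatenated before comparison.

```python
import re

def parse_txt_rdata(rdata):
    """Split zone-file TXT rdata into character-strings (quoted or bare)."""
    parts = re.findall(r'"((?:[^"\\]|\\.)*)"|(\S+)', rdata)
    # A quoted string keeps its spaces; unquoted text splits on whitespace.
    return [bare if bare else re.sub(r"\\(.)", r"\1", quoted)
            for quoted, bare in parts]

def check_ses_verification(owner, rdata, domain, token):
    """Classify one TXT record against the SES verification record format."""
    expected_owner = "_amazonses." + domain.rstrip(".").lower()
    if owner.rstrip(".").lower() != expected_owner:
        return "wrong-name"
    # Assumption: multiple character-strings are concatenated before comparing.
    value = "".join(parse_txt_rdata(rdata))
    if value == token:
        return "ok"
    if token in value and "v=DKIM1" in value:
        return "token-wrapped-in-dkim-tags"
    if token in value:
        return "extra-data-around-token"
    return "token-missing"

# Sample values copied from the question (the asker's altered token).
DOMAIN = "somedomain.com"
TOKEN = "M2sXTycXkgZXXuMuWI8TczngaPIDDMToPefzGhZ3uYA="
ASKED = ('"v=DKIM1 s=_domainkey d=_amazonses.somedomain.com '
         'p=M2sXTycXkgZXXuMuWI8TczngaPIDDMToPefzGhZ3uYA="')
FIXED = '"M2sXTycXkgZXXuMuWI8TczngaPIDDMToPefzGhZ3uYA="'

if __name__ == "__main__":
    owner = "_amazonses." + DOMAIN
    for label, rdata in (("question", ASKED), ("answer", FIXED)):
        print(label, check_ses_verification(owner, rdata, DOMAIN, TOKEN))
```
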
