AWS SES DKIM Issues – How to Troubleshoot with CNAME Records

Tags: amazon-ses, amazon-web-services, cname-record, dkim, domain-name-system

I am using AWS Simple Email Services (SES) and am trying to configure DKIM so as to add an extra layer of security to my emails. According to SES documentation, the procedure for setting up SES + DKIM with your DNS is:

  1. Generate DKIM CNAME records inside the SES UI/console
  2. Edit your DNS records by adding these (3) CNAME records
  3. Within 72 hours, SES will verify the DKIM records you added and begin adding DKIM-based authentication to your emails

I have followed these steps several times and each time I get failed validation errors inside SES:

However they don't give the reason for the failure/error each time this happens. I have checked and rechecked (and rechecked!) that I am adding CNAME records with the correct name + value that SES has generated for me.

I think I'm going to have to open an incident with AWS, but before I do, I'd like to see if I can use a reliable "DNS querying tool" to somehow confirm whether the CNAME records are added to my DNS configuration properly.

Does such a tool exist? If so, how could I use it to verify the CNAME records that are associated with my domain name?


Update:

Here is the output from my dig command:

dig <longstring>._domainkey.example.com CNAME

; <<>> DiG 9.10.3-P4-Ubuntu <<>> <longstring>._domainkey.example.com CNAME
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39150
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 8192
;; QUESTION SECTION:
;<longstring>._domainkey.example.com.   IN CNAME

;; ANSWER SECTION:
<longstring>._domainkey.example.com.    7200 IN CNAME <longstring>.dkim.amazonses.com.

;; Query time: 132 msec
;; SERVER: 10.0.2.3#53(10.0.2.3)
;; WHEN: Fri Feb 16 20:15:39 UTC 2018
;; MSG SIZE  rcvd: 145

Best Answer

Your domain isn't actually using Route 53 for its authoritative DNS hosting, so records created in a Route 53 hosted zone are invisible to the Internet, as well as to other AWS services.

You need to do one of two things:

  • create these records with your current DNS hosting provider, in their console, not in Route 53, or
  • make a change at your domain registrar to set the authoritative nameservers for your domain to the 4 nameservers Route 53 assigned to your hosted zone, so that you're using Route 53 rather than your current DNS host.
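The check that settles this, as an added example that is not part of the question or the answer above: query the nameservers the Internet is actually delegated to, not a local resolver. The dig in the question asked 10.0.2.3, and a resolver's answer does not tell you which nameservers served it or whether they are the ones SES will reach. The script below (bash, `dig` required) pulls the domain's delegated NS set via a public resolver (8.8.8.8 is an assumption; any public resolver works), reports whether those nameservers are Route 53's (Route 53 nameservers are named `ns-NNN.awsdns-NN.<tld>`), then asks each delegated nameserver directly, without recursion, for the `<selector>._domainkey.<domain>` CNAME and compares it with the `<selector>.dkim.amazonses.com` target SES expects. It finishes by confirming that the target actually publishes a `p=` DKIM key. The selector values, domain, and the sample inputs in the comments are placeholders; the pure helper functions run offline, the live driver only runs when you pass arguments.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post. Verifies SES DKIM CNAMEs at the
# domain's delegated (authoritative) nameservers instead of a local resolver.
# Usage: ./ses_dkim_check.sh example.com SELECTOR1 [SELECTOR2 SELECTOR3]
set -u

# normalize_name NAME -> lowercase, trailing dot removed, so dig output and
# console values compare cleanly ("Foo.DKIM.AmazonSES.com." -> "foo.dkim.amazonses.com")
normalize_name() {
  printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//'
}

# cname_matches OBSERVED EXPECTED -> exit 0 when both name the same target
cname_matches() {
  [ "$(normalize_name "$1")" = "$(normalize_name "$2")" ]
}

# ns_is_route53 NAME -> exit 0 for a Route 53 nameserver (ns-NNN.awsdns-NN.<tld>)
ns_is_route53() {
  case "$(normalize_name "$1")" in
    ns-*.awsdns-*) return 0 ;;
    *)             return 1 ;;
  esac
}

# classify_delegation "NS1<newline>NS2..." -> prints route53 | other | mixed | none
# "other" is exactly the situation in the answer: the Route 53 hosted zone is not
# what the Internet is delegated to, so records created there are never seen.
classify_delegation() {
  r53=0; other=0
  while IFS= read -r ns; do
    [ -n "$ns" ] || continue
    if ns_is_route53 "$ns"; then r53=$((r53 + 1)); else other=$((other + 1)); fi
  done <<EOF
$1
EOF
  if   [ "$r53" -gt 0 ] && [ "$other" -eq 0 ]; then echo route53
  elif [ "$r53" -eq 0 ] && [ "$other" -gt 0 ]; then echo other
  elif [ "$r53" -gt 0 ]; then echo mixed
  else echo none; fi
}

# dkim_key_present TXT -> exit 0 when the TXT data carries a public key ("p=...")
dkim_key_present() {
  case "$1" in
    *p=*) return 0 ;;
    *)    return 1 ;;
  esac
}

# verify_ses_dkim DOMAIN SELECTOR... (live: needs dig and network access)
verify_ses_dkim() {
  domain=$1; shift
  # Delegation as the Internet sees it. 8.8.8.8 is an assumed public resolver.
  nslist=$(dig +short NS "$domain" @8.8.8.8)
  echo "delegation for $domain: $(classify_delegation "$nslist")"
  printf '  %s\n' $nslist
  for sel in "$@"; do
    name="$sel._domainkey.$domain"
    expected="$sel.dkim.amazonses.com"
    for ns in $nslist; do
      # +norecurse: a server that is not authoritative for the zone answers with
      # nothing (REFUSED / empty), which is exactly what you want to catch here.
      observed=$(dig +short +norecurse CNAME "$name" "@$ns")
      if cname_matches "$observed" "$expected"; then
        echo "OK   $name -> $observed (via $ns)"
      else
        echo "FAIL $name at $ns: got '${observed:-<no answer>}', expected $expected"
      fi
    done
    # The CNAME only points at the key; SES must also be serving it.
    txt=$(dig +short TXT "$expected" @8.8.8.8)
    if dkim_key_present "$txt"; then
      echo "OK   DKIM key published at $expected"
    else
      echo "FAIL no p= key found at $expected"
    fi
  done
}

# Only run the live checks when a domain and at least one selector are given.
if [ "$#" -ge 2 ]; then
  verify_ses_dkim "$@"
fi
```

If `classify_delegation` prints `other` while your records live in a Route 53 hosted zone, you are in the situation the answer describes and no amount of re-entering the CNAMEs will help; either move the records to the delegated provider or repoint the registrar at the Route 53 nameservers. A `FAIL ... <no answer>` from one delegated nameserver but `OK` from another usually means the provider has not synchronised all its nameservers yet, which is worth waiting on before opening a ticket.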