Skip to main content
All CollectionsDNS recordsAmazon SES
Setting up DKIM in Amazon SES
Setting up DKIM in Amazon SES

Setting Up Easy DKIM for a Domain. Setting Up Easy DKIM for an Email Address. Managing Easy DKIM

Vladislav Podolyako avatar
Written by Vladislav Podolyako
Updated over 6 months ago

Table of contents

When you set up Easy DKIM for an identity, Amazon SES automatically adds a 1024-bit DKIM key to every email that you send from that identity. You can configure Easy DKIM by using the Amazon SES console or by using the API.

NOTE


To set up Easy DKIM, you have to modify the DNS settings for your domain. If you use Route 53 as your DNS provider, Amazon SES can automatically create the appropriate records for you. If you use another DNS provider, see your provider's documentation to learn more about changing your domain's DNS settings.

When you successfully configure Easy DKIM, you can start sending emails from the DKIM enabled domain, even if you haven't completed the procedures in Verifying a domain with Amazon SES.


Easy DKIM Considerations

When you use Easy DKIM to authenticate your email, the following rules apply:

  • You only need to set up Easy DKIM for the domain you use in your "From" address. You don't need to set up Easy DKIM for domains you use in "Return-Path" or "Reply-to" addresses.

  • Amazon SES is available in several AWS Regions. If you use more than one AWS Region to send an email, you have to complete the Easy DKIM setup process in each of those regions to ensure that all of your emails are DKIM-signed.

  • When you verify a domain, your Easy DKIM settings also apply to all subdomains of that domain, unless you set up Easy DKIM for specific subdomains.

  • If you set up Easy DKIM for a parent domain, a subdomain, and an email address, Amazon SES applies Easy DKIM settings in the following ways:

Setting Up Easy DKIM for a Domain

The procedure in this section shows you how to set up Easy DKIM for a domain. If you set up Easy DKIM for a domain, then you can start sending email from that domain, even if you haven't completed the procedure to verify a domain.

To set up Easy DKIM for a domain.

  1. Open the Amazon SES console at https://console.aws.amazon.com/ses/.

  2. In the navigation pane, under Identity Management, choose Domains.

  3. In the list of domains, choose the domain that you want to set up Easy DKIM for.

    If you haven't started the verification process for the domain yet, see the procedures at Verifying a domain with Amazon SES.

  4. Under DKIM, choose Generate DKIM Settings.

  5. Copy the three CNAME records that appear in this section. Alternatively, you can choose Download Record Set as CSV to save a copy of the records to your computer.

The last step is to add the CNAME records to the DNS configuration for your domain. To update the DNS records for your domain:

  • If you use Route 53 as your DNS provider – If you use Route 53 on the same account that you use when you send email using Amazon SES, choose Use Route 53 to update the DNS settings for your domain automatically. Otherwise, complete the procedures shown in Editing Records in the Amazon Route 53 Developer Guide.

  • If you use another DNS provider – Different providers have different procedures for updating DNS records. The following table lists links to the documentation for several common providers. This list isn't exhaustive, and inclusion in this list isn’t an endorsement or recommendation of any company’s products or services. If your provider isn't listed in the table, you can probably use the domain with Amazon SES.

DNS/Hosting Provider

Documentation Link

GoDaddy

Add a CNAME record (external link)

Dreamhost

Cloudflare

HostGator

Namecheap

Names.co.uk

Wix


NOTE

A small number of DNS providers don't allow you to include underscores (_) in record names. However, the underscore in the DKIM record name is required. If your DNS provider doesn't allow you to enter an underscore in the record name, contact the provider's customer support team for assistance.


Setting Up Easy DKIM for an Email Address

This section's procedure shows you how to set up Easy DKIM for a specific email address that you've already verified with Amazon SES. You can only configure Easy DKIM for email addresses that belong to domains you already own because you have to change the DNS settings for the domain to set up Easy DKIM for an email address.

IMPORTANT


You can't set up Easy DKIM for email addresses on domains that you don't own. For example, you can't set up Easy DKIM for a gmail.com or hotmail.com address.


If you already set up Easy DKIM for the domain that the email address belongs to, you don't need to set up Easy DKIM for the email address. When you set up Easy DKIM for a domain, Amazon SES automatically authenticates every email from every address on that domain. Easy DKIM settings for a specific email address automatically override the settings for the domain that the address belongs to.

To set up Easy DKIM for an email address.

  1. Open the Amazon SES console at https://console.aws.amazon.com/ses/.

  2. In the navigation pane, under Identity Management, choose Email Addresses.

  3. In the list of email addresses, choose the address you want to set up Easy DKIM.

  4. Under DKIM, choose Generate DKIM Settings.

  5. Copy the three CNAME records that appear in this section. Alternatively, you can choose Download Record Set as CSV to save a copy of the records to your computer.

  6. Add the CNAME records to the DNS configuration for your domain. To update the DNS records for your domain:

  • If you use Route 53 as your DNS provider – Complete the procedures shown in Editing Records in the Amazon Route 53 Developer Guide.

  • If you use another DNS provider – Different providers have different procedures for updating DNS records. See the documentation provided by your DNS provider for more information.

NOTE


A small number of DNS providers don't allow you to include underscores (_) in record names. However, the underscore in the DKIM record name is required. If your DNS provider doesn't allow you to enter an underscore in the record name, contact the provider's customer support team for assistance.


  • If you're not sure who your DNS provider is – Ask your system administrator for more information.

Amazon SES usually detects changes to your DNS configuration within 72 hours.

Managing Easy DKIM

There are two ways to manage the Easy DKIM settings for your identities: using the web-based Amazon SES console or using the Amazon SES API. You can use either of these methods to obtain the DKIM records for an identity or enable or disable Easy DKIM for an identity.


Obtaining Easy DKIM Records for An Identity

You can obtain the Easy DKIM records for your domain or email address at any time by using the Amazon SES console.

To obtain the Easy DKIM records for an identity by using the console.

  1. Sign in to the AWS Management Console and open the Amazon SES console at https://console.aws.amazon.com/ses/.

  2. In the navigation pane, under Identity Management, choose the type of identity that you want to obtain Easy DKIM records for.

  3. In the list of identities, choose the identity that you want to obtain Easy DKIM records for.

  4. In the DKIM section, copy the three CNAME records. The following image shows an example of the DKIM section.

You can also obtain the CNAME records for an identity by using the Amazon SES API. A common method of interacting with the API is to use the AWS CLI.

To obtain the Easy DKIM records for an identity by using the AWS CLI.

At the command line, type the following command:

aws ses get-identity-dkim-attributes --identities "example.com"

In the preceding example, replace example.com with the identity that you want to obtain Easy DKIM records for. You can specify either an email address or a domain.

The output of this command contains a DkimTokens section, as shown in the following example:

{ 
"DkimAttributes": {
"example.com": {
"DkimEnabled": true,
"DkimVerificationStatus": "Success",
"DkimTokens": [ "hirjd4exampled5477y22yd23ettobi", "v3rnz522czcl46quexamplek3efo5o6x",
"y4examplexbhyhnsjcmtvzotfvqjmdqoj"
]

}
}
}

You can use the tokens to create the CNAME records that you add to the DNS settings for your domain. To create the CNAME records, use the following template:

token1._domainkey.example.com CNAME token1.dkim.amazonses.com
token2._domainkey.example.com CNAME token2.dkim.amazonses.com
token3._domainkey.example.com CNAME token3.dkim.amazonses.com

Replace each instance of token1 with the first token in the list, you received when you ran the aws ses get-identity-dkim-attributes command, replace all instances of token2 with the second token in the list, and replace all instances of token3 with the third token in the list.

For example, applying this template to the tokens shown in the preceding example produces the following records:

hirjd4exampled5477y22yd23ettobi._domainkey.example.com CNAME hirjd4exampled5477y22yd23ettobi.dkim.amazonses.com
v3rnz522czcl46quexamplek3efo5o6x._domainkey.example.com CNAME v3rnz522czcl46quexamplek3efo5o6x.dkim.amazonses.com
y4examplexbhyhnsjcmtvzotfvqjmdqoj._domainkey.example.com CNAME y4examplexbhyhnsjcmtvzotfvqjmdqoj.dkim.amazonses.com


Disabling Easy DKIM for an Identity

You can quickly disable DKIM authentication for an identity by using the Amazon SES console.

To disable Easy DKIM for an identity.

  1. Sign in to the AWS Management Console and open the Amazon SES console at https://console.aws.amazon.com/ses/.

  2. In the navigation pane, under Identity Management, choose the type of identity that you want to disable Easy DKIM for.

  3. In the list of identities, choose the identity that you want to disable Easy DKIM for.

  4. In the DKIM section, next to DKIM: enabled, choose to disable, as shown in the following image.

You can also disable Easy DKIM for an identity by using the Amazon SES API. A common method of interacting with the API is to use the AWS CLI.

To disable Easy DKIM for an identity by using the AWS CLI

  • At the command line, type the following command:

aws ses set-identity-dkim-enabled --identity example.com --no-dkim-enabled
  • In the preceding example, replace example.com with the identity that you want to disable Easy DKIM for. You can specify either an email address or a domain.



Enabling Easy DKIM for an Identity

If you previously disabled Easy DKIM for an identity, you can enable it again by using the Amazon SES console.

To enable Easy DKIM for an identity.

  1. Sign in to the AWS Management Console and open the Amazon SES console at https://console.aws.amazon.com/ses/.

  2. In the navigation pane, under Identity Management, choose the type of identity that you want to enable Easy DKIM for.

  3. In the list of identities, choose the identity that you want to enable Easy DKIM for.

  4. In the DKIM section, next to DKIM: disabled, choose to enable, as shown in the following image.

You can also enable Easy DKIM for an identity by using the Amazon SES API. A common method of interacting with the API is to use the AWS CLI.


To enable Easy DKIM for an identity by using the AWS CLI.

  • At the command line, type the following command:

aws ses set-identity-dkim-enabled --identity example.com --dkim-enabled


In the preceding example, replace example.com with the identity that you want to enable Easy DKIM for. You can specify either an email address or a domain.

Did this answer your question?