How to Set Up DKIM for Amazon SES

Step-by-step guide to configure DKIM (Easy DKIM) for Amazon SES. Learn how to verify your domain, add CNAME records, and authenticate your AWS email sending.

Last updated: 2026-01-28

Amazon Simple Email Service (SES) is a scalable email platform used by businesses of all sizes. Amazon SES offers "Easy DKIM," which automatically signs your emails with DKIM using keys that Amazon manages for you.

Why Use Easy DKIM with Amazon SES

Without DKIM:

  • Emails may be treated as suspicious
  • Deliverability can suffer
  • You're not leveraging SES's full capabilities

With Easy DKIM:

  • Amazon automatically signs all outgoing emails
  • Keys are managed and rotated by AWS
  • Better inbox placement
  • Compliance with authentication requirements

With Easy DKIM, key management is automatic: you add the CNAME records, and Amazon handles the rest.

Before You Start

You'll need:

  • An AWS account with Amazon SES access
  • Access to your domain's DNS settings
  • Your domain added as a verified identity in SES

Step-by-Step Setup

Step 1: Access Amazon SES

Log into the AWS Console. Navigate to Amazon SES (search for "SES" in the services search).

Make sure you're in the correct AWS region for your SES setup.

Step 2: Verify your domain

Go to Configuration → Verified identities → Create identity.

Select Domain and enter your domain name (e.g., example.com).

Step 3: Enable Easy DKIM

In the identity configuration, under Advanced DKIM settings:

  • Identity type: Choose "Easy DKIM"
  • DKIM signing key length: Select 2048-bit (recommended) or 1024-bit
  • Publish DNS records to Route 53: If your domain uses Route 53, you can auto-publish

Step 4: Copy the CNAME records

Amazon SES generates three CNAME records:

[token1]._domainkey.example.com → [token1].dkim.amazonses.com
[token2]._domainkey.example.com → [token2].dkim.amazonses.com
[token3]._domainkey.example.com → [token3].dkim.amazonses.com

The tokens are unique identifiers generated by Amazon.

Step 5: Add CNAME records to DNS

If using Route 53, SES can add these automatically.

For other DNS providers, add three CNAME records:

  • Type: CNAME
  • Host/Name: The token value followed by ._domainkey
  • Value: The corresponding .dkim.amazonses.com value

Step 6: Wait for verification

Amazon SES periodically checks for the DNS records. Status will change from "Pending" to "Verified" when complete. This usually takes a few minutes to a few hours.
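
The same six steps from the command line, as an added example that is not part of the original guide. It assumes AWS CLI v2 with SES permissions; the function names are illustrative, and the region is passed explicitly so the identity is created in the region you send from.

```shell
#!/bin/sh
# Added example (not from the original guide). Requires AWS CLI v2.

# Steps 2-3: create the domain identity with Easy DKIM and a 2048-bit key.
create_easy_dkim_identity() {   # usage: create_easy_dkim_identity DOMAIN REGION
    aws sesv2 create-email-identity --region "$2" --email-identity "$1" \
        --dkim-signing-attributes NextSigningKeyLength=RSA_2048_BIT
}

# Step 4: fetch the three tokens SES generated (tab-separated on one line).
dkim_tokens() {                 # usage: dkim_tokens DOMAIN REGION
    aws sesv2 get-email-identity --region "$2" --email-identity "$1" \
        --query 'DkimAttributes.Tokens' --output text
}

# Step 5: print one zone-file style CNAME line per token, for DNS
# providers other than Route 53.
dkim_cname_lines() {            # usage: dkim_cname_lines DOMAIN REGION
    for t in $(dkim_tokens "$1" "$2"); do
        printf '%s._domainkey.%s. CNAME %s.dkim.amazonses.com.\n' "$t" "$1" "$t"
    done
}

# Step 6: report the DKIM status as the API returns it
# (for example PENDING or SUCCESS).
dkim_status() {                 # usage: dkim_status DOMAIN REGION
    aws sesv2 get-email-identity --region "$2" --email-identity "$1" \
        --query 'DkimAttributes.Status' --output text
}
```

Run `create_easy_dkim_identity` once, publish the lines printed by `dkim_cname_lines`, then re-run `dkim_status` until it stops reporting PENDING.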

Verify Your Setup

After Amazon SES shows your DKIM as verified, test the records publicly.

Test one of your three CNAME records to confirm it resolves correctly.

Why Three CNAME Records?

Amazon SES uses three DKIM records for redundancy and key rotation:

  • If one key needs to be rotated, the others continue working
  • Provides fault tolerance
  • Allows seamless security updates

All three records should be added and maintained.

Common Issues and Solutions

"Pending" status for a long time

Cause: DNS records haven't propagated or are misconfigured.

Solutions:

  • Wait up to 72 hours (though usually much faster)
  • Verify the CNAME records exist using a DNS lookup tool
  • Check that you copied the full token values without truncation
  • Ensure you're adding CNAME records, not TXT records
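
A script for the public check described under "Verify Your Setup" and for the DNS checks in the list above, as an added example that is not part of the original guide. It assumes `dig` is installed; the function names and verdict strings are illustrative, and the tokens are whatever SES generated for your identity.

```shell
#!/bin/sh
# Added example (not from the original guide). Requires dig.

# Return the first answer of the given type for a name (empty if none).
lookup_record() {               # usage: lookup_record TYPE NAME
    dig +short "$1" "$2" | head -n 1
}

# Check one token. Prints a one-line verdict; returns 0 only when correct.
check_dkim_record() {           # usage: check_dkim_record DOMAIN TOKEN
    name="$2._domainkey.$1"
    want=$(printf '%s' "$2.dkim.amazonses.com" | tr 'A-Z' 'a-z')
    # Resolvers return the target with a trailing dot and arbitrary case.
    got=$(lookup_record CNAME "$name" | tr 'A-Z' 'a-z' | sed 's/\.$//')
    if [ "$got" = "$want" ]; then
        echo "OK $name"
    elif [ -n "$got" ]; then
        # Typo or truncated token in the record value.
        echo "MISMATCH $name -> $got (expected $want)"; return 1
    elif [ -n "$(lookup_record TXT "$name")" ]; then
        # A TXT record was published where SES expects a CNAME.
        echo "WRONG_TYPE $name has TXT, needs CNAME"; return 1
    else
        # Nothing at this name: not published yet, or a typo in the host.
        echo "MISSING $name"; return 1
    fi
}

# Check all tokens; the return value is the number of failing records.
check_easy_dkim() {             # usage: check_easy_dkim DOMAIN TOKEN...
    dom=$1; shift; bad=0
    for tok in "$@"; do
        check_dkim_record "$dom" "$tok" || bad=$((bad + 1))
    done
    return "$bad"
}
```

Call it as `check_easy_dkim example.com TOKEN1 TOKEN2 TOKEN3`; a non-zero exit status is the number of records that still need fixing.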

"Failed" DKIM status

Cause: Amazon SES couldn't find valid DKIM records.

Solutions:

  • Re-check all three CNAME records
  • Delete and recreate the records if needed
  • Verify no typos in the token values

Emails sent but DKIM shows "none"

Cause: DKIM might not be enabled for sending, or you're sending before verification completed.

Solutions:

  • Verify the identity shows "DKIM: Verified" status
  • Ensure DKIM signing is enabled (check identity settings)
  • Wait for full verification before sending production emails

BYODKIM alternative

If you need to use your own DKIM keys (Bring Your Own DKIM), Amazon SES supports this. You provide your own keys instead of using Easy DKIM. This is useful if you need consistent keys across multiple email providers.

Route 53 Integration

If you use Amazon Route 53 for DNS:

  1. When creating the verified identity, check Publish DNS records to Route 53
  2. Select the correct hosted zone
  3. SES will automatically create the CNAME records

This eliminates manual DNS configuration.

SES Sandbox Mode

New Amazon SES accounts start in "sandbox mode" with sending restrictions. DKIM setup works the same in sandbox mode, but you can only send to verified email addresses until you request production access.

To request production access: Go to Account dashboard → Request production access.

Complete Your Email Authentication

Amazon SES's Easy DKIM handles DKIM automatically. Also configure:

SPF: Add Amazon SES to your SPF record:

include:amazonses.com

Check at spfrecordcheck.com.

DMARC: Set up a DMARC policy. Check at dmarcrecordchecker.com.

Custom MAIL FROM domain: For SPF alignment, configure a custom MAIL FROM domain in SES.

Monitor Your DKIM Records

Checking once is good. Monitoring continuously is better. The Email Deliverability Suite watches your SPF, DKIM, DMARC, and MX records daily and alerts you when something breaks.