How to Set Up DKIM in Amazon SES?
Quick Answer
DKIM (RFC 6376) signs email messages cryptographically, and unlike SPF, the signature survives email forwarding - which is why DMARC alignment via DKIM is more reliable than SPF alignment for forwarded mail.
DKIM is the authentication protocol that survives email forwarding, says Brad Slavin, General Manager of DuoCircle. When SPF fails because a forwarder’s IP isn’t in the original record, DKIM alignment is the only path to DMARC pass. That’s why we monitor DKIM alongside SPF in every DMARC Report dashboard.
To configure DKIM for Amazon SES, you have to modify the DNS settings of your domain. For Route 53 users, Amazon SES will take care of the process, but if you use another DNS provider, you need to follow a few steps yourself.
Here are the rules that you need to abide by:
- You must set up DKIM only for the domain that you use in the ‘From’ address, not for the one used in the ‘Return-Path’ or ‘Reply-to’ addresses.
- Amazon SES is available in multiple regions, and if you use more than one AWS region, you must set up DKIM for each one.
- Your DKIM settings also apply to all subdomains of your domain unless you set DKIM up separately for those subdomains.
How Do You Configure DKIM for a Domain in Amazon SES?
Setting up DKIM for your domain ensures that only authorized people send emails on your behalf while also letting you know if anyone tampered with email content in transit. Here’s what you need to follow to set it up in Amazon SES:
- Open the Amazon SES console.
- In the navigation pane, under ‘Identity Management,’ choose ‘Domains.’
- From the list of domains, choose the one for which you want to set up DKIM.
- Under DKIM, click on ‘Generate DKIM settings.’
- Copy the three CNAME records you will see in this section. Alternatively, you can download the record set as CSV, which saves a copy of your records to your computer.
- Lastly, add the copied or downloaded CNAME records to the DNS configuration for your domain.
Steps to Add the CNAME Records to DNS
If you use Route 53 on the same account as the one you use for sending emails using Amazon SES, choose ‘Use Route 53’ to update the DNS settings for your domain automatically.
If you use another DNS provider, check its official website to see the process. Here are documentation links for the common ones:
- GoDaddy - Add a CNAME Record
- Dreamhost - How do I Add Custom DNS Records?
- Cloudflare - How do I Add Custom CNAME Record?
- HostGator - Manage DNS Records with HostGator/eNom
- Namecheap - How do I Add TXT/SPF/DKIM/DMARC Records for My Domain?
- Names.co.uk - Changing Your Domain’s DNS Settings
Please note that some DNS providers do not allow underscores (_) in record names, but the DKIM record name requires an underscore. If your provider restricts this, contact their customer support for help.
How Do You Configure DKIM For an Email Address in Amazon SES?
Follow this process to set up DKIM for an email address that’s already verified with Amazon SES. Please note that you can set up DKIM only for email addresses that belong to a domain you already own. This is because you have to change the DNS settings for the domain to configure DKIM.
- Open the Amazon SES console.
- In the navigation pane, under ‘Identity Management,’ choose ‘Email Addresses.’
- From the list of email addresses, choose the one for which you want to set up DKIM.
- Under DKIM, click on ‘Generate DKIM Settings.’
- Copy the three CNAME records you will see in this section. Alternatively, you can download the record set as CSV, which saves a copy of your records to your computer.
- Lastly, add the copied or downloaded CNAME records to the DNS configuration for your domain.
How Do You Manage DKIM Records For an Identity Using Console?
You can manage DKIM records for your identities in two ways:
Web-Based Amazon SES Console
- Use your login credentials to sign in to your AWS Management Console and go to the Amazon SES console.
- Check the navigation pane. Under ‘Identity Management,’ choose the type of identity you want the DKIM records for.
- From the list of identities, choose the one you want to obtain the DKIM record for.
- Copy the three CNAME records you will find under the DKIM section.
Using AWS CLI
Type `aws ses get-identity-dkim-attributes --identities "example.com"` in the command line. Remember to replace ‘example.com’ with the identity for which you want to obtain the DKIM record; this can be an email address or a domain. To set up DMARC in Amazon SES, please contact DMARCReport.
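An added example (not from the original article or from AWS): a Python check that takes the JSON printed by the command above and audits the CNAME answers actually published, flagging the underscore problem noted earlier. The record shape `<token>._domainkey.<domain>` pointing at `<token>.dkim.amazonses.com` is an assumption to confirm against the three records the console shows; the tokens and DNS answers are constructed, and the doubled-zone check goes beyond what the article covers.

```python
import json

# Constructed sample of `aws ses get-identity-dkim-attributes` JSON output.
SAMPLE_CLI_OUTPUT = json.dumps({"DkimAttributes": {"example.com": {
    "DkimEnabled": True, "DkimVerificationStatus": "Pending",
    "DkimTokens": ["tokenaaa111", "tokenbbb222", "tokenccc333"]}}})

# Constructed DNS view: owner name -> CNAME target, as a resolver would return it.
SAMPLE_DNS = {
    "tokenaaa111._domainkey.example.com": "tokenaaa111.dkim.amazonses.com.",
    # Provider silently dropped the underscore from the record name.
    "tokenbbb222.domainkey.example.com": "tokenbbb222.dkim.amazonses.com",
    # Full name pasted into a form that appends the zone again.
    "tokenccc333._domainkey.example.com.example.com": "tokenccc333.dkim.amazonses.com",
}

def norm(name):
    """Lower-case and drop the trailing root dot so names compare equal."""
    return name.strip().lower().rstrip(".")

def expected_records(cli_json, target_suffix="dkim.amazonses.com"):
    """Map each expected CNAME owner name to its expected target (assumed shape)."""
    records = {}
    for identity, attrs in json.loads(cli_json)["DkimAttributes"].items():
        # An email-address identity publishes its records under the address's domain.
        domain = norm(identity.rsplit("@", 1)[-1])
        for token in attrs.get("DkimTokens", []):
            records[f"{token}._domainkey.{domain}".lower()] = f"{token}.{target_suffix}".lower()
    return records

def audit(cli_json, dns):
    """Return {expected owner name: finding} for every expected record."""
    published = {norm(k): norm(v) for k, v in dns.items()}
    findings = {}
    for name, target in expected_records(cli_json).items():
        token, _, domain = name.partition("._domainkey.")
        if name in published:
            findings[name] = "ok" if published[name] == target else "wrong-target"
        elif f"{token}.domainkey.{domain}" in published:
            findings[name] = "underscore-stripped"
        elif f"{name}.{domain}" in published:
            findings[name] = "zone-appended-twice"
        else:
            findings[name] = "missing"
    return findings

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_CLI_OUTPUT, SAMPLE_DNS).items():
        print(f"{finding:20} {name}")
```

In practice, fill the `dns` mapping from your resolver's CNAME answers for the names under your domain, and treat any finding other than `ok` as a record SES will not be able to verify.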
Disabling DKIM for an Identity
- Open the AWS Management Console, and from there open the Amazon SES console.
- In the navigation pane, under ‘Identity Management,’ choose the type of identity for which you want to disable DKIM.
- From the list of identities, choose the one for which you want to disable DKIM.
- In the DKIM section, next to ‘DKIM: enabled,’ choose ‘disable.’
Alternatively, you can disable DKIM for an identity using the AWS CLI by typing `aws ses set-identity-dkim-enabled --identity example.com --no-dkim-enabled` in the command line. Remember to replace ‘example.com’ with the identity for which you want to disable DKIM; this can be an email address or a domain.
How Do You Deploy DKIM For an Identity?
If you disable DKIM for an identity, you can re-enable it using the Amazon SES console:
- Open the AWS Management Console, and from there open the Amazon SES console.
- In the navigation pane, under ‘Identity Management,’ choose the type of identity you want to enable DKIM for.
- From the list of identities, choose the one for which you want to enable DKIM.
- In the DKIM section, next to ‘DKIM: disabled,’ choose ‘enable.’
Alternatively, you can enable DKIM for an identity using the AWS CLI by typing `aws ses set-identity-dkim-enabled --identity example.com --dkim-enabled` in the command line. Remember to replace ‘example.com’ with the identity you want to enable DKIM for; this can be an email address or a domain.
This whole process requires technical expertise, and if you need a helping hand, we are here.
Content Specialist at DMARC Report. Writes vendor-specific email authentication guides and troubleshooting walkthroughs.