DKIM for Amazon SES: Easy DKIM Setup Guide
How to set up DKIM for Amazon SES. Step-by-step guide covering Easy DKIM configuration, DNS CNAME records, and verification for reliable email delivery.
Last updated: 2026-04-08
This guide is part of our Transactional and API series.
Amazon SES (Simple Email Service) is one of the most popular services for sending transactional and marketing email at scale. Setting up DKIM is essential for reliable delivery - without it, emails sent through SES are more likely to be flagged as spam or rejected by receiving mail servers. SES makes DKIM setup straightforward with two options depending on how much control you need.
Amazon SES offers two DKIM methods: Easy DKIM (AWS manages your keys automatically) and BYODKIM (you provide your own keys). Most users should start with Easy DKIM. BYODKIM is useful when you need control over key generation or rotation, or when you want to use the same keys across multiple sending services.
Easy DKIM vs BYODKIM
Before diving into setup, it helps to understand the difference between the two approaches.
| Feature | Easy DKIM | BYODKIM |
|---|---|---|
| Key generation | AWS generates keys for you | You generate your own keys |
| Key rotation | Automatic (managed by AWS) | Manual (you handle rotation) |
| DNS record type | 3 CNAME records | 1 TXT record |
| Key size | 2048-bit (default) | 1024-bit or 2048-bit |
| Setup difficulty | Simpler | Requires key generation tool |
| Best for | Most users and use cases | Multi-service setups, compliance needs |
Easy DKIM Setup (Recommended)
Easy DKIM is the fastest way to get DKIM signing working with Amazon SES. AWS generates the key pair, provides CNAME records for your DNS, and handles key rotation automatically.
Open the SES console
Sign in to the AWS Management Console and navigate to Amazon SES. Select your AWS region - this should match the region you use for sending email.
Add or select your domain
Go to Verified Identities and click Create Identity. Choose "Domain" as the identity type and enter your sending domain (e.g., example.com). If your domain is already verified, select it from the list instead.
Enable Easy DKIM
Under the Authentication section, select Easy DKIM. Choose a signing key length - 2048-bit is recommended for stronger security. Leave the DKIM signing status set to "Enabled."
Copy the CNAME records
After creating the identity, SES generates three CNAME records. Each record has a unique name and value. Copy all three - you'll add them to your domain's DNS in the next step.
Add CNAME records to your DNS
Log in to your DNS provider (Route 53, Cloudflare, GoDaddy, etc.) and create three new CNAME records using the names and values from the SES console. See the DNS records section below for the format.
Wait for verification
SES periodically checks for your DNS records. Verification usually completes within a few minutes if you use Route 53, or up to 72 hours with other DNS providers. The identity status in SES will change from "Pending" to "Verified" once complete.
DNS Records for Easy DKIM
SES generates three CNAME records with randomly generated selector names. The records follow this pattern:
| Field | Record 1 | Record 2 | Record 3 |
|---|---|---|---|
| Type | CNAME | CNAME | CNAME |
| Name | `abc123._domainkey.example.com` | `def456._domainkey.example.com` | `ghi789._domainkey.example.com` |
| Value | `abc123.dkim.amazonses.com` | `def456.dkim.amazonses.com` | `ghi789.dkim.amazonses.com` |
The selector names (like abc123) are unique random strings generated by AWS for your domain. Always copy the exact values from the SES console - do not construct them manually.
If your DNS provider is Amazon Route 53 and your domain is hosted there, SES can publish the records automatically. Look for the "Publish DNS records to Route 53" option during setup.
BYODKIM: Bring Your Own DKIM Keys
BYODKIM lets you supply your own DKIM key pair instead of using AWS-managed keys. This is useful when you need the same DKIM keys across multiple email services, when your organization requires control over key material, or when you want to manage your own rotation schedule.
Generate a 2048-bit DKIM key pair
Use DKIM Creator to generate a 2048-bit RSA key pair. You'll get a private key (to upload to SES) and a public key DNS record (to add to your domain's DNS). Keys are generated locally in your browser - the private key never leaves your machine.
Choose a selector
Pick a selector name for your key. Something descriptive like ses, ses2026, or awsmail works well. This becomes part of the DNS record hostname (e.g., ses._domainkey.example.com).
Create the identity with BYODKIM
In the SES console, go to Verified Identities and click Create Identity. Choose "Domain" and enter your domain. Under Authentication, select Provide DKIM authentication token (BYODKIM). Paste your private key and enter your chosen selector.
Add the TXT record to DNS
Unlike Easy DKIM's three CNAME records, BYODKIM uses a single TXT record. Add the public key DNS record from DKIM Creator to your domain's DNS:
- Name: `selector._domainkey.example.com` (using the selector you chose)
- Type: TXT
- Value: The public key record from DKIM Creator
Verify in SES
Wait for SES to verify the DNS record. Once verified, SES will use your private key to sign outgoing emails with the selector you specified.
When to choose BYODKIM
BYODKIM is the better choice if you send email from multiple services (SES, a self-hosted server, another ESP) and want to use consistent DKIM keys across all of them. It also gives you full control over key rotation timing.
Verifying DKIM Is Working
After SES shows your domain as verified, confirm that DKIM signing is active:
Check identity status in SES
Go to Verified Identities in the SES console. Select your domain and check the Authentication tab. The DKIM status should show "Successful."
Send a test email
Use the SES console's "Send test email" feature or send an email through your application. Send it to a Gmail or Outlook address for easy header inspection.
Check email headers
Open the received email and view the full headers. Look for:
`Authentication-Results: ... dkim=pass header.d=example.com`
The dkim=pass result confirms SES is signing your emails correctly.
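The header check above can be scripted. The following is an added example, not part of the original guide or of AWS tooling: it pulls every `dkim=` result out of a message's Authentication-Results headers and confirms that a pass exists for your own domain, since a message can carry results for more than one signing domain. The sample message, the `mx.example.net` server name and the function names are constructed for illustration.

```python
import re
from email import message_from_string

# Constructed sample message (not captured from a real mailbox).
SAMPLE = """\
Authentication-Results: mx.example.net;
 dkim=pass header.i=@example.com header.s=abc123 header.d=example.com;
 dkim=pass header.i=@amazonses.com header.s=xyz header.d=amazonses.com;
 spf=pass smtp.mailfrom=bounce.example.com
From: App <noreply@example.com>
Subject: DKIM test

body
"""

def dkim_results(raw_message, authserv_id=None):
    """Return [(result, signing_domain)] for each dkim= entry.

    authserv_id, if given, restricts the check to headers stamped by that
    receiving server, because any upstream hop can add this header too.
    """
    msg = message_from_string(raw_message)
    found = []
    for header in msg.get_all("Authentication-Results", []):
        clauses = " ".join(header.split()).split(";")  # unfold, then split
        stamped_by = (clauses[0].split() or [""])[0].lower()
        if authserv_id and stamped_by != authserv_id.lower():
            continue
        for clause in clauses[1:]:
            result = re.match(r"\s*dkim=(\w+)", clause)
            if not result:
                continue
            # Some receivers report header.d, others only header.i=@domain.
            dom = (re.search(r"header\.d=([^\s;]+)", clause)
                   or re.search(r"header\.i=\S*?@([^\s;]+)", clause))
            found.append((result.group(1).lower(),
                          dom.group(1).lower() if dom else None))
    return found

def dkim_passes_for(raw_message, domain, authserv_id=None):
    """True only if a dkim=pass result names the given signing domain."""
    return ("pass", domain.lower()) in dkim_results(raw_message, authserv_id)

if __name__ == "__main__":
    print(dkim_results(SAMPLE))
    print("example.com signed and passing:", dkim_passes_for(SAMPLE, "example.com"))
```

To check a real message, save it with full headers and pass the file contents as `raw_message`, with `authserv_id` set to the name your mailbox provider stamps on the header.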
Troubleshooting
DKIM status stuck on "Pending"
- Verify all three CNAME records (Easy DKIM) or the TXT record (BYODKIM) are published correctly
- Check for typos in the record names and values - copy them directly from the SES console
- Some DNS providers require you to omit the domain suffix from the hostname (e.g., enter `abc123._domainkey` instead of `abc123._domainkey.example.com`)
- Allow up to 72 hours for DNS propagation with non-Route 53 providers
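The checklist above can be turned into a script that compares what is published against what the SES console gave you. This is an added example, not part of the original guide or of AWS tooling: it checks each of the three Easy DKIM CNAME records and flags the doubled-suffix mistake described above. The selectors are the placeholders used on this page, the sample zone is constructed, and the live lookup assumes `dig` is installed.

```python
import subprocess

def dig_cname(name):
    """Live lookup with dig; returns the CNAME target or None if absent."""
    out = subprocess.run(["dig", "+short", name, "CNAME"],
                         capture_output=True, text=True, timeout=10).stdout
    answers = out.split()
    return answers[0] if answers else None

def norm(host):
    """Lowercase and drop the trailing dot so names compare cleanly."""
    return host.strip().rstrip(".").lower() if host else None

def check_easy_dkim(domain, expected, lookup=dig_cname):
    """expected: {record name: record value} copied from the SES console.
    lookup: callable(name) -> CNAME target or None. Returns {name: status}."""
    report = {}
    for name, value in expected.items():
        name, value = norm(name), norm(value)
        target = norm(lookup(name))
        if target == value:
            report[name] = "ok"
        elif target is not None:
            report[name] = f"wrong target: {target}"
        elif norm(lookup(f"{name}.{domain}")) == value:
            # The provider appended the zone to an already complete name.
            report[name] = "published with doubled domain suffix"
        else:
            report[name] = "missing"
    return report

# Constructed sample data: placeholder selectors and a zone with two mistakes.
EXPECTED = {f"{s}._domainkey.example.com": f"{s}.dkim.amazonses.com"
            for s in ("abc123", "def456", "ghi789")}
SAMPLE_ZONE = {
    "abc123._domainkey.example.com": "abc123.dkim.amazonses.com.",
    "def456._domainkey.example.com.example.com": "def456.dkim.amazonses.com.",
}

def sample_report():
    """Run the check against the constructed zone instead of live DNS."""
    return check_easy_dkim("example.com", EXPECTED, SAMPLE_ZONE.get)

if __name__ == "__main__":
    for name, status in sample_report().items():
        print(f"{name}: {status}")
```

For a live check, call `check_easy_dkim` with your domain and the exact names and values from the SES console, leaving `lookup` at its default.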
DKIM failing after initial success
- Confirm DNS records haven't been accidentally deleted or modified
- For BYODKIM, check that the private key in SES still matches the public key in DNS
- Verify you're sending from the correct AWS region where the domain is verified
Emails not being signed
- Make sure the sending domain or email address matches a verified identity in SES
- Check that DKIM signing is enabled (not just verified) in the identity settings
- If sending from a subdomain, verify that the parent domain's DKIM configuration covers subdomains
"Email address is not verified" error
- This is a separate issue from DKIM. In SES sandbox mode, both sender and recipient addresses must be verified. Request production access to remove recipient restrictions.