Guide

How to Set Up DKIM with Amazon SES

AWS console walkthrough with exact DNS records to copy.

What DKIM Does

DKIM (DomainKeys Identified Mail, RFC 6376) adds a cryptographic signature to every outgoing message. When SES sends mail for your domain, it attaches a DKIM-Signature: header that carries a hash of the canonicalized message body (the bh= tag) and a signature, made with a private key, over that hash and the headers listed in the h= tag (From, To, Subject and others). The receiving server fetches the matching public key from a DNS TXT record at selector._domainkey.yourdomain.com and checks the signature. If it verifies, DKIM passes. If the body or a signed header was altered in transit, or the published key does not match the one that signed, it fails.

Two tags in the signature header matter for understanding how it works. The d= tag is the signing domain, and it is what DMARC aligns against the From header domain. Under DMARC's default relaxed alignment the two only need to share an organizational domain (d=mail.yourdomain.com aligns with a From address at yourdomain.com); under strict alignment (adkim=s) they must be identical. The s= tag is the selector, which tells the receiving server which _domainkey record to look up for the public key.

DKIM has an important practical advantage over SPF for cold email: it survives plain forwarding. SPF checks the IP address of the server that handed the message to the receiver, and that changes when a message is forwarded. DKIM checks the signature against the message content as originally signed, which stays valid as long as the forwarder does not alter the body or a signed header. For DMARC enforcement, having DKIM pass is more reliable than relying on SPF alignment alone.
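How a signature is produced and checked, as an added example that is not SES's code and not part of the original guide: a minimal DKIM signer and verifier in Go using only the standard library, with rsa-sha256 and the c=relaxed/simple canonicalization SES signs with. It skips the DNS step (the public key is passed in directly, standing in for the lookup of s._domainkey.d), ignores the l= and i= tags, and takes the bottom-most instance of each signed header. The domain example.com, the selector sel2026, the message, and the relay and attacker edits are all constructed for the example. Scenarios signs one message and then verifies four variants: the original, a copy whose From header a relay re-cased and refolded with blank lines appended to the body (passes, because that is exactly what canonicalization absorbs), a copy with a forwarder's footer (fails on bh=), and a copy whose From was rewritten (fails on b=).

```go
package main
import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"regexp"
	"strings"
)

// Header is one message header field as it appears on the wire.
type Header struct{ Name, Value string }

var bTag = regexp.MustCompile(`(^|;)(\s*)b=[^;]*`) // the b= tag, which is blanked before hashing

// relaxedHeader: RFC 6376 relaxed canonicalization (lowercase name, unfold, collapse whitespace, CRLF).
func relaxedHeader(h Header) string {
	return strings.ToLower(h.Name) + ":" + strings.Join(strings.Fields(h.Value), " ") + "\r\n"
}

// simpleBody: simple body canonicalization ignores only trailing empty lines; anything else changes bh=.
func simpleBody(body string) string {
	return strings.ReplaceAll(strings.TrimRight(strings.ReplaceAll(body, "\r\n", "\n"), "\n"), "\n", "\r\n") + "\r\n"
}

// headerHash hashes the h= headers in order, then the DKIM-Signature header itself with empty b= and no CRLF.
func headerHash(headers []Header, signed []string, sigValue string) []byte {
	h := sha256.New()
	for _, name := range signed {
		for i := len(headers) - 1; i >= 0; i-- { // bottom-most instance, as RFC 6376 requires
			if strings.EqualFold(headers[i].Name, name) {
				h.Write([]byte(relaxedHeader(headers[i])))
				break
			}
		}
	}
	h.Write([]byte(strings.TrimSuffix(relaxedHeader(Header{"DKIM-Signature", sigValue}), "\r\n")))
	return h.Sum(nil)
}

// Sign returns a DKIM-Signature value: d= is the domain DMARC aligns on, s= names the _domainkey record.
func Sign(priv *rsa.PrivateKey, domain, selector string, headers []Header, signed []string, body string) (string, error) {
	bh := sha256.Sum256([]byte(simpleBody(body)))
	value := fmt.Sprintf("v=1; a=rsa-sha256; c=relaxed/simple; d=%s; s=%s; h=%s; bh=%s; b=",
		domain, selector, strings.Join(signed, ":"), base64.StdEncoding.EncodeToString(bh[:]))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, headerHash(headers, signed, value))
	if err != nil {
		return "", err
	}
	return value + base64.StdEncoding.EncodeToString(sig), nil
}

// Verify checks sigValue with pub (the key a real verifier fetches from <s>._domainkey.<d>) and returns d=.
func Verify(pub *rsa.PublicKey, sigValue string, headers []Header, body string) (string, error) {
	tags := map[string]string{} // "k=v; k=v", with folding whitespace stripped from values
	for _, part := range strings.Split(sigValue, ";") {
		if kv := strings.SplitN(strings.TrimSpace(part), "=", 2); len(kv) == 2 {
			tags[kv[0]] = strings.Join(strings.Fields(kv[1]), "")
		}
	}
	bh := sha256.Sum256([]byte(simpleBody(body)))
	if base64.StdEncoding.EncodeToString(bh[:]) != tags["bh"] {
		return tags["d"], fmt.Errorf("bh= mismatch: body modified after signing")
	}
	digest := headerHash(headers, strings.Split(tags["h"], ":"), bTag.ReplaceAllString(sigValue, "${1}${2}b="))
	sig, err := base64.StdEncoding.DecodeString(tags["b"])
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest, sig) != nil {
		return tags["d"], fmt.Errorf("b= invalid: a signed header was modified or the key does not match")
	}
	return tags["d"], nil
}

// Scenarios signs a constructed message for the hypothetical example.com (selector sel2026) and verifies variants.
func Scenarios() (map[string]bool, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	hdrs := []Header{{"From", "Alice <alice@example.com>"}, {"To", "Bob <bob@example.net>"}, {"Subject", "Quick question"}}
	body := "Hi Bob,\r\n\r\nDo you have ten minutes this week?\r\n"
	sig, err := Sign(priv, "example.com", "sel2026", hdrs, []string{"From", "To", "Subject"}, body)
	if err != nil {
		return nil, err
	}
	passes := func(from Header, b string) bool { // swap in a From header and a body, then verify
		_, err := Verify(&priv.PublicKey, sig, []Header{from, hdrs[1], hdrs[2]}, b)
		return err == nil
	}
	return map[string]bool{
		"original":         passes(hdrs[0], body),
		"cosmetic_changes": passes(Header{"FROM", "Alice   <alice@example.com>"}, body+"\r\n\r\n"), // relay refolded: tolerated
		"footer_appended":  passes(hdrs[0], body+"-- \r\nForwarded by relay.example\r\n"),         // bh= mismatch
		"from_rewritten":   passes(Header{"From", "Alice <alice@attacker.example>"}, body),          // b= invalid
	}, nil
}
```

Printing the map from a main of your own shows only original and cosmetic_changes as true. The d= value Verify returns is the string DMARC compares with the From domain; the signature says nothing about the From domain by itself, which is why alignment is a separate check.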

Easy DKIM vs BYODKIM

SES offers two DKIM modes. Understanding the difference helps you choose the right one and avoid surprises later.

Easy DKIM is what most senders use. When you verify a domain in SES with Easy DKIM, AWS generates the keypairs and gives you three CNAME records to publish in DNS. Each CNAME points to an SES-managed TXT record under dkim.amazonses.com that holds the public key for one selector. SES rotates signing keys automatically without any DNS changes on your end: the next key is already published under one of the other selectors, and SES switches to it seamlessly. You choose the key length when creating the identity (RSA 1024 or 2048 bits; use 2048, which is the default). You cannot choose the selector names. All three CNAME records must be published, because SES needs all three for rotation to work.

BYODKIM (Bring Your Own DKIM) lets you manage the keypair yourself. You generate an RSA keypair (1024 or 2048 bits; use 2048, and note that SES accepts RSA keys only), upload the private key to SES through the console or the PutEmailIdentityDkimSigningAttributes API as base64-encoded PKCS#8 with the PEM header and footer removed, and publish a single TXT record at your chosen selector: selector._domainkey.yourdomain.com with a value of v=DKIM1; k=rsa; p=<base64-encoded public key>, where p= is the base64 of the DER-encoded SubjectPublicKeyInfo. You choose the selector name, which matters if you want a consistent identifier across providers.

The tradeoff is that you own rotation. If you need to change keys, you generate a new pair, update SES, and update DNS. For most cold email senders, Easy DKIM is the right choice — it is simpler and AWS handles the operational burden. BYODKIM is worth considering for agencies managing keys on behalf of clients, or teams with compliance requirements around key custody.
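Generating BYODKIM key material and validating the published record, as an added example in Go (standard library only; not SES tooling and not from the original guide). GenerateBYODKIM produces the private key in the form the SES console asks for (base64-encoded PKCS#8 with the PEM armor removed) and the TXT value to publish; SplitTXT breaks that value into the quoted 255-byte strings a TXT record carries, the way dig shows a long record; CheckDKIMRecord parses a record as dig prints it and flags a revoked key (empty p=, the failure described later on this page), an undecodable or non-RSA key, and a key shorter than 2048 bits. The domain example.com and the selector ses2026 are placeholders.

```go
package main
import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/base64"
	"fmt"
	"strings"
)

// KeyMaterial is what BYODKIM needs: the private key as the SES console takes it
// (base64 PKCS#8, PEM armor removed) and the TXT record to publish.
type KeyMaterial struct {
	PrivateKeyB64 string
	RecordName    string // <selector>._domainkey.<domain>
	TXTValue      string // v=DKIM1; k=rsa; p=<base64 SubjectPublicKeyInfo>
}

// GenerateBYODKIM makes an RSA key of the given size and derives both values.
func GenerateBYODKIM(domain, selector string, bits int) (KeyMaterial, error) {
	priv, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return KeyMaterial{}, err
	}
	pkcs8, err := x509.MarshalPKCS8PrivateKey(priv)
	if err != nil {
		return KeyMaterial{}, err
	}
	spki, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil {
		return KeyMaterial{}, err
	}
	return KeyMaterial{
		PrivateKeyB64: base64.StdEncoding.EncodeToString(pkcs8),
		RecordName:    selector + "._domainkey." + domain,
		TXTValue:      "v=DKIM1; k=rsa; p=" + base64.StdEncoding.EncodeToString(spki),
	}, nil
}

// SplitTXT breaks a long value into the quoted 255-byte strings a TXT record carries;
// resolvers and DKIM verifiers concatenate them again.
func SplitTXT(value string) string {
	var chunks []string
	for len(value) > 255 {
		chunks, value = append(chunks, `"`+value[:255]+`"`), value[255:]
	}
	return strings.Join(append(chunks, `"`+value+`"`), " ")
}

type RecordCheck struct {
	Revoked  bool // p= present but empty: RFC 6376 says the key has been revoked
	KeyBits  int
	Problems []string
}

// CheckDKIMRecord parses a DKIM TXT value as dig prints it (possibly several quoted
// strings) and reports a revoked, undecodable, non-RSA or short key.
func CheckDKIMRecord(txt string) RecordCheck {
	tags := map[string]string{}
	for _, part := range strings.Split(strings.ReplaceAll(txt, `"`, ""), ";") {
		if kv := strings.SplitN(strings.TrimSpace(part), "=", 2); len(kv) == 2 {
			tags[strings.TrimSpace(kv[0])] = strings.Join(strings.Fields(kv[1]), "")
		}
	}
	var c RecordCheck
	if k := tags["k"]; k != "" && k != "rsa" { // k= defaults to rsa when absent
		c.Problems = append(c.Problems, "k="+k+": not an RSA key record")
	}
	p, ok := tags["p"]
	switch {
	case !ok:
		c.Problems = append(c.Problems, "no p= tag: not a DKIM key record")
	case p == "":
		c.Revoked = true
		c.Problems = append(c.Problems, "p= is empty: key revoked, every signature using it fails")
	default:
		der, err := base64.StdEncoding.DecodeString(p)
		pub, perr := x509.ParsePKIXPublicKey(der)
		rsaPub, isRSA := pub.(*rsa.PublicKey)
		if err != nil || perr != nil || !isRSA {
			c.Problems = append(c.Problems, "p= does not decode to an RSA SubjectPublicKeyInfo")
			break
		}
		c.KeyBits = rsaPub.N.BitLen()
		if c.KeyBits < 2048 {
			c.Problems = append(c.Problems, fmt.Sprintf("%d-bit key: use 2048", c.KeyBits))
		}
	}
	return c
}

func main() {
	km, err := GenerateBYODKIM("example.com", "ses2026", 2048) // hypothetical domain and selector
	if err != nil {
		panic(err)
	}
	fmt.Println(km.RecordName, "TXT", SplitTXT(km.TXTValue))
	fmt.Printf("%+v\n", CheckDKIMRecord(`"v=DKIM1; k=rsa; p="`))
}
```

Paste PrivateKeyB64 into the SES private key field and the printed TXT record into DNS. Because SES only ever sees the private key, a mismatch between it and the published p= is not detected at upload time; checking the live record with CheckDKIMRecord after publishing, and again after every rotation, is the control that catches it.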


Step-by-Step Easy DKIM Setup

Step 1: Create a verified identity in SES

Log into the AWS Management Console and navigate to Amazon SES. Confirm you are in the correct region — SES configuration is region-scoped and does not carry over. In the left sidebar, click "Verified identities" then "Create identity." Select "Domain," enter your sending domain, and leave Easy DKIM selected. Set the DKIM signing key length to RSA 2048-bit. Click "Create identity."

Step 2: Copy the three CNAME records from SES

SES generates three CNAME records after identity creation. Each follows this format:

Name: abc123._domainkey.yourdomain.com
Value: abc123.dkim.amazonses.com

Copy all three name/value pairs exactly. Do not modify the selector prefix or add extra characters. The CNAME value points to an SES-managed endpoint that serves the public key for each selector.

Step 3: Add the records to your DNS

Log into your DNS provider and create three CNAME records. Whether you enter the full name or just the subdomain portion depends on your provider — some append your domain automatically. If you paste abc123._domainkey.yourdomain.com and your provider auto-appends the domain, you will end up with a doubled suffix that will not resolve. Check your provider's documentation. Set TTL to 3600 seconds and save all three records.

Step 4: Wait for SES verification

Return to the SES console. The identity status shows "Pending" while SES polls your DNS for the three CNAMEs. Verification typically completes within minutes to a few hours of the records being published, though DNS propagation can occasionally take up to 72 hours. Once complete, the identity shows as verified with DKIM configuration successful, and SES signs every outbound message from that domain in that region automatically.

Common DKIM Failures

Doubled domain suffix in CNAME name. The most common mistake. If your DNS provider auto-appends your domain and you paste the full name from SES, the record resolves to abc123._domainkey.yourdomain.com.yourdomain.com. It will never verify. Enter only the subdomain portion if your provider appends the domain automatically.

Missing one or two of the three CNAMEs. All three records are required. SES does not mark DKIM as verified until all three resolve, so a missing record shows up as an identity stuck in pending. If a record is deleted or mistyped later, signing keeps working until SES rotates onto the selector whose CNAME is gone, producing intermittent DKIM failures that are hard to diagnose because they appear weeks after setup.

Wrong AWS region. SES is region-scoped. DKIM configured in us-east-1 does not apply to eu-west-1. If DKIM fails despite correct DNS records, verify you are looking at the same region in both the SES console and your sending credentials.

Empty p= value. A DKIM record that resolves but shows p= with nothing after the equals sign means the key has been revoked (RFC 6376). Receiving servers treat every signature made with it as a permanent failure. With BYODKIM, republish the TXT record with the full public key. With Easy DKIM the TXT record is served by SES under dkim.amazonses.com, so recreate the identity and republish the three CNAME records.

Message modified in transit. DKIM signs a hash of the canonicalized body and of the headers listed in the h= tag. If a relay, mailing list, or forwarding service appends a footer or rewrites a signed header after SES signs the message, the body hash or the signature no longer matches. SES signs with c=relaxed/simple: relaxed header canonicalization tolerates whitespace and case changes in header fields, but simple body canonicalization tolerates nothing beyond trailing blank lines, so even a one-line footer invalidates the signature.

DKIM passes but DMARC alignment fails. DKIM can pass (the signature is cryptographically valid) while still failing DMARC if the d= tag domain does not align with the From header domain. Check the DKIM-Signature header in a test message and confirm the d= value is your From domain or, under relaxed alignment, shares its organizational domain. Mail from SES often carries two DKIM-Signature headers, one for your domain and one with d=amazonses.com; the second is SES's own signature and never aligns, so make sure the one for your domain is present and passes.
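An offline check of the three Easy DKIM CNAMEs against what a provider actually published, as an added example in Go (not SES tooling and not from the original guide) covering Steps 2 to 4 above and the doubled-suffix and missing-record failures just described. EasyDKIMRecords builds the expected records from the tokens SES shows, OwnerName gives the value to type into a provider that appends the zone itself, and CheckEasyDKIM walks a zone and reports what is wrong. The tokens, the domain example.com and the zone contents are constructed for the example so it runs without touching DNS; a real pre-send check would fill Zone from live dig or net.LookupCNAME answers.

```go
package main

import (
	"fmt"
	"strings"
)

// Record is a DNS record as a provider stores it: owner name, type, target.
type Record struct{ Name, Type, Value string }

// Zone is a constructed stand-in for what the authoritative server answers,
// keyed by lowercase FQDN without the trailing dot.
type Zone map[string]Record

// EasyDKIMRecords returns the three CNAMEs SES expects for the tokens it issued.
func EasyDKIMRecords(domain string, tokens []string) []Record {
	var out []Record
	for _, t := range tokens {
		out = append(out, Record{t + "._domainkey." + domain, "CNAME", t + ".dkim.amazonses.com"})
	}
	return out
}

// OwnerName is what to type into the provider's Name field: the full name, or only
// the labels left of the zone when the provider appends the zone itself.
func OwnerName(full, domain string, providerAppendsZone bool) string {
	if providerAppendsZone {
		return strings.TrimSuffix(full, "."+domain)
	}
	return full
}

// Finding is one problem with the published records, keyed by the SES token.
type Finding struct{ Token, Problem string }

// CheckEasyDKIM compares the expected CNAMEs with the zone and reports doubled
// suffix, missing record, wrong record type and wrong target.
func CheckEasyDKIM(domain string, tokens []string, zone Zone) []Finding {
	var findings []Finding
	for _, want := range EasyDKIMRecords(domain, tokens) {
		name := strings.ToLower(want.Name)
		token := strings.SplitN(name, ".", 2)[0]
		got, ok := zone[name]
		_, doubled := zone[name+"."+strings.ToLower(domain)]
		switch {
		case !ok && doubled:
			findings = append(findings, Finding{token, "NXDOMAIN, but " + name + "." + domain + " exists: the provider appended the zone to a full name"})
		case !ok:
			findings = append(findings, Finding{token, "NXDOMAIN: record not published (all three are required)"})
		case !strings.EqualFold(got.Type, "CNAME"):
			findings = append(findings, Finding{token, "record is " + got.Type + ", expected CNAME"})
		case !strings.EqualFold(strings.TrimSuffix(got.Value, "."), want.Value):
			findings = append(findings, Finding{token, "CNAME points to " + got.Value + ", expected " + want.Value})
		}
	}
	return findings
}

// Demo checks three constructed SES tokens against a constructed zone in which
// one record is right, one carries the doubled suffix, and one was never added.
func Demo() []Finding {
	domain := "example.com" // hypothetical sending domain
	tokens := []string{"a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6", "b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7", "c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8"}
	want := EasyDKIMRecords(domain, tokens)
	zone := Zone{
		strings.ToLower(want[0].Name):                want[0],                                                // entered correctly
		strings.ToLower(want[1].Name) + "." + domain: {want[1].Name + "." + domain, "CNAME", want[1].Value}, // full name pasted into a UI that appends the zone
	}
	return CheckEasyDKIM(domain, tokens, zone)
}

func main() {
	for _, f := range Demo() {
		fmt.Println(f.Token, f.Problem)
	}
}
```

Demo reports two findings, one per broken token; a clean zone returns none, which is the condition to gate sending on. The doubled-suffix test is deliberately a lookup of name.domain rather than a string check on what was typed, because the symptom only exists in what the DNS actually serves.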

How to Verify DKIM Is Working

Gmail's Show Original. Send a test email from your SES domain to a Gmail account. Open the message, click the three-dot menu, select "Show original." The summary box should show DKIM: 'PASS' with domain yourdomain.com, and the Authentication-Results header should include dkim=pass with header.i=@yourdomain.com. A second dkim=pass for amazonses.com is SES's own signature and does not count toward DMARC. If your domain shows dkim=fail or is absent, check that all three CNAMEs are published and that the region matches.

dig command. Run dig CNAME abc123._domainkey.yourdomain.com (replacing the selector prefix with one from your SES console). The response should show a CNAME pointing to abc123.dkim.amazonses.com. If it returns NXDOMAIN, the record has not propagated or was entered incorrectly. Running dig +short TXT abc123._domainkey.yourdomain.com follows the CNAME and returns the key record itself; it should contain v=DKIM1 and a long p= value, and an empty p= means the key is revoked. Repeat for all three selectors.

EmailQo's DKIM checker. The free tool at /dkim-checker looks up a selector and domain, validates the key type and length, and flags an empty p= value — all without sending a test email.

Pre-send checks. EmailQo validates the DKIM selector on the sending domain before every campaign. If the selector fails to resolve or returns a revoked key, the campaign is blocked at the gate with a specific error rather than a vague deliverability drop after sending.
