
How to Set Up DKIM with Amazon SES

AWS console walkthrough with exact DNS records to copy.

What DKIM Does and Why You Need It for Amazon SES

DKIM setup for Amazon SES is a required step before you can send authenticated email through AWS. DKIM stands for DomainKeys Identified Mail. It works by adding a cryptographic signature to every email you send. The receiving mail server uses a public key published in your DNS to verify that the message was not altered in transit and that it genuinely came from your domain. Without DKIM, receiving servers have no way to confirm your emails are legitimate, which significantly increases the chance of landing in spam.

Amazon SES uses a system called Easy DKIM that generates the signing keys for you and handles the signing automatically. Your job is to verify your domain in the SES console and add the DNS records that AWS provides. This guide walks through each step with the exact record format you will need to copy into your DNS provider.

Step-by-Step DKIM Setup

Step 1: Open Amazon SES and Start Domain Verification

Log in to the AWS Management Console and navigate to the Amazon SES service. Make sure you are in the correct AWS region for your sending needs, as SES configuration is region-specific. In the left sidebar, click "Verified identities" and then "Create identity." Select "Domain" as the identity type and enter the domain you want to send from. Keep the "Easy DKIM" option selected, which is the default. Choose RSA 2048-bit as the signing key length for stronger security. Click "Create identity" to proceed.

Step 2: Copy the CNAME Records from AWS

After creating the identity, SES generates three CNAME records that you need to add to your domain's DNS. Each record has a name (also called the host) and a value. The format looks like this:

Name: abc123._domainkey.yourdomain.com
Value: abc123.dkim.amazonses.com

AWS generates three of these CNAME records, each with a unique selector prefix. The selector is the part before ._domainkey in the record name. It acts as an identifier that tells receiving servers where to find the public key for verifying the DKIM signature. The value points to an AWS-managed endpoint that serves the public key. Copy all three record names and values exactly as SES shows them. Do not modify the selector prefixes or add extra characters.

Step 3: Add the CNAME Records to Your DNS

Log in to your domain registrar or DNS hosting provider. For each of the three records, create a new CNAME record. Some DNS providers require you to enter only the subdomain portion as the host (for example, abc123._domainkey without the full domain appended), while others require the full name including your domain. Check how your provider handles this to avoid creating duplicate domain suffixes. Set the TTL to 3600 seconds if your provider asks. Save all three records.

Step 4: Wait for Verification and Confirm in SES

After adding the DNS records, return to the SES console. The identity status will show "Pending" while AWS checks your DNS. Verification typically takes between 15 minutes and 72 hours depending on DNS propagation speed. Once verified, the status changes to "Verified" and the DKIM configuration shows "Enabled." At this point, every email you send through SES from this domain will be automatically signed with DKIM. You do not need to configure anything else in your application code because Easy DKIM handles the signing server-side.

Step 5: Verify DKIM Is Working

Send a test email from your SES-verified domain to a Gmail account. Open the email, click the three-dots menu, and select "Show original." Look for the DKIM line in the authentication results. It should show dkim=pass along with the selector and your domain name. If it shows fail, double-check that all three CNAME records are published correctly and that DNS propagation has completed.
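
The Step 5 check can also be run against the raw message text from "Show original." The sketch below is an added example, not code from AWS or from this guide's author. A header can carry more than one dkim= result, so it ties the pass to your own domain and one of your selectors. The sample message, the selectors def456, ghi789 and xyz987, and the function names are constructed for illustration.

```python
import re
from email import message_from_string

def dkim_results(raw_message):
    """Return [(result, signing_domain, selector)] for each dkim= clause."""
    msg = message_from_string(raw_message)
    found = []
    for header in msg.get_all("Authentication-Results", []):
        unfolded = " ".join(header.split())      # undo header line folding
        # Simplification: assumes no ';' inside parenthesised comments.
        for clause in unfolded.split(";"):
            result = re.match(r"\s*dkim=(\w+)", clause)
            if not result:
                continue
            ident = re.search(r"header\.[id]=(\S+)", clause)
            selector = re.search(r"header\.s=(\S+)", clause)
            domain = ident.group(1).rsplit("@", 1)[-1].lower() if ident else ""
            found.append((result.group(1).lower(), domain,
                          selector.group(1) if selector else ""))
    return found

def domain_dkim_passes(raw_message, domain, selectors):
    """True only if a passing signature belongs to `domain` and a known selector."""
    return any(res == "pass" and dom == domain.lower() and sel in selectors
               for res, dom, sel in dkim_results(raw_message))

# Constructed sample of what "Show original" might contain (not a real message).
SAMPLE = """\
Authentication-Results: mx.google.com;
       dkim=pass header.i=@yourdomain.com header.s=abc123 header.b=CONSTRUCT;
       dkim=pass header.i=@amazonses.com header.s=xyz987 header.b=CONSTRUCT;
       spf=pass smtp.mailfrom=bounce@mail.yourdomain.com
From: sender@yourdomain.com
Subject: DKIM test

body
"""

if __name__ == "__main__":
    selectors = {"abc123", "def456", "ghi789"}   # the three SES selectors
    print(dkim_results(SAMPLE))
    print(domain_dkim_passes(SAMPLE, "yourdomain.com", selectors))
```

A pass that belongs only to another signing domain returns False here, which is the case a quick glance at "dkim=pass" can miss.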

Common DKIM Mistakes with Amazon SES

The most common mistake is entering the CNAME record name incorrectly. Many DNS providers automatically append your domain name to the host field. If you paste the full name from SES including your domain, you may end up with a record like abc123._domainkey.yourdomain.com.yourdomain.com, which will not resolve. Check your provider's documentation to understand whether you need the full name or just the subdomain portion.

Another issue is setting up DKIM in one AWS region but sending from a different region. SES treats each region independently, so your DKIM configuration must be set up in the same region where your application sends email. If you see DKIM failing despite correct DNS records, verify the region in both the SES console and your SMTP or API configuration.

Some senders forget to add all three CNAME records. AWS generates three records for key rotation purposes, and all three must be present for Easy DKIM to work correctly. If you only add one or two, DKIM verification in SES may eventually succeed but key rotation will fail later, which can cause intermittent DKIM failures that are difficult to diagnose.
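
The record mistakes above (a doubled domain suffix, a missing record, a wrong value) can be caught by comparing a zone export with what SES issued. This is an added example, not AWS tooling or code from this guide's author. The record rows, the selectors def456 and ghi789, the status labels and the function names are constructed for illustration.

```python
def norm(name):
    """Compare DNS names case-insensitively, ignoring the trailing root dot."""
    return name.strip().rstrip(".").lower()

def audit_dkim_cnames(domain, expected, published):
    """Return {selector: status} for each record SES issued.

    expected  -- (name, value) pairs exactly as copied from the SES console
    published -- (name, type, value) rows exported from the DNS zone
    """
    domain = norm(domain)
    zone = {}
    for name, rtype, value in published:
        zone.setdefault(norm(name), []).append((rtype.upper(), norm(value)))
    report = {}
    for name, value in expected:
        name, value = norm(name), norm(value)
        selector = name.split("._domainkey.")[0]
        rows = zone.get(name)
        if rows is None:
            # The provider appended the domain to an already complete host name.
            doubled = f"{name}.{domain}"
            report[selector] = "doubled-suffix" if doubled in zone else "missing"
        elif ("CNAME", value) in rows:
            report[selector] = "ok"
        elif any(rtype == "CNAME" for rtype, _ in rows):
            report[selector] = "wrong-target"
        else:
            report[selector] = "wrong-type"
    return report

# Constructed sample data: one correct record, one doubled suffix, one missing.
DOMAIN = "yourdomain.com"
EXPECTED = [
    ("abc123._domainkey.yourdomain.com", "abc123.dkim.amazonses.com"),
    ("def456._domainkey.yourdomain.com", "def456.dkim.amazonses.com"),
    ("ghi789._domainkey.yourdomain.com", "ghi789.dkim.amazonses.com"),
]
PUBLISHED = [
    ("abc123._domainkey.yourdomain.com.", "CNAME", "abc123.dkim.amazonses.com."),
    ("def456._domainkey.yourdomain.com.yourdomain.com.", "CNAME",
     "def456.dkim.amazonses.com."),
]

if __name__ == "__main__":
    for selector, status in audit_dkim_cnames(DOMAIN, EXPECTED, PUBLISHED).items():
        print(selector, status)
```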

How EmailQo Helps with DKIM

EmailQo connects natively to Amazon SES and runs inbox health checks before every send. These checks include DNS record validation that verifies your DKIM records are properly published and resolving correctly. If a DKIM record is missing or misconfigured, the pre-send check flags the issue before your campaign goes out. This is especially useful after making DNS changes or setting up new sending domains, when configuration errors are most likely to slip through.
