How to set up DKIM for Amazon SES

DKIM (DomainKeys Identified Mail, RFC 6376) is the cryptographic signature attached to outgoing email so receivers can verify the message wasn't tampered with and that it actually came from a server authorized by your domain. To turn it on for Amazon SES, you publish one or more DNS records at `<selector>._domainkey.<your-domain>` containing the public key matching the private key Amazon SES uses to sign.

Most ESPs (including Amazon SES) ask you to publish CNAME records that point at hosted keys they manage. This is preferable to publishing the raw key text yourself — when the provider rotates keys, your DNS keeps pointing to the rotated key and nothing breaks.

Publish these DNS records

Add the following record(s) to your domain's DNS zone. Most registrars (Cloudflare, Route 53, Namecheap, GoDaddy) accept values exactly as shown.

• Easy DKIM mode publishes three CNAMEs — SES rotates keys across all three. Skipping any one will cause intermittent DKIM failures.
• The `<tokenN>` values are issued per-domain when you verify the identity in the AWS console.
• BYODKIM mode is also supported but more setup. Stick with Easy DKIM unless you have a specific compliance requirement.

Where in Amazon SES

The DKIM configuration lives in AWS Console → SES → Configuration → Verified identities → Create identity.

Verify the records

After the records propagate, run the DKIM Checker against your domain with each selector to confirm the public key resolves and parses correctly.

Common pitfalls

• SES new accounts start in sandbox mode (200/day, verified-recipients-only). Production access is a manual approval — apply early.
• SES regions are independent. A domain verified in `us-east-1` is not verified in `eu-west-1`. If you fail over regions, verify in both.
• The custom MAIL FROM domain step is optional in the SES UI but functionally required for DMARC alignment. Don't skip it.