Chapter · DKIM for Amazon SES
    Revised 17 Jun 2026

    How to set up DKIM for Amazon SES.

    Amazon SES (Simple Email Service) is the cheapest at-scale transactional ESP. Setup takes more steps than with the polished SaaS ESPs, but the records are stable and well documented.

    Afsan Rahmatullah, MailerMonk

    DKIM (DomainKeys Identified Mail, RFC 6376) is the cryptographic signature attached to outgoing email so receivers can verify the message wasn't tampered with and that it actually came from a server authorized by your domain. To turn it on for Amazon SES, you publish one or more DNS records at `<selector>._domainkey.<your-domain>` containing the public key matching the private key Amazon SES uses to sign.

    Most ESPs (including Amazon SES) ask you to publish CNAME records that point at hosted keys they manage. This is preferable to publishing the raw key text yourself — when the provider rotates keys, your DNS keeps pointing to the rotated key and nothing breaks.

    Publish these DNS records

    Add the following record(s) to your domain's DNS zone. Most registrars (Cloudflare, Route 53, Namecheap, GoDaddy) accept values exactly as shown.

    | Type  | Host                  | Value                         |
    |-------|-----------------------|-------------------------------|
    | CNAME | `<token1>._domainkey` | `<token1>.dkim.amazonses.com` |
    | CNAME | `<token2>._domainkey` | `<token2>.dkim.amazonses.com` |
    | CNAME | `<token3>._domainkey` | `<token3>.dkim.amazonses.com` |

    Why this matters
    • Easy DKIM mode publishes three CNAMEs — SES rotates keys across all three. Skipping any one will cause intermittent DKIM failures.
    • The `<tokenN>` values are issued per-domain when you verify the identity in the AWS console.
    • BYODKIM mode is also supported but takes more setup. Stick with Easy DKIM unless you have a specific compliance requirement.

    Where in Amazon SES

    The DKIM configuration lives in AWS Console → SES → Configuration → Verified identities → Create identity.

    Verify the records

    After the records propagate, run the DKIM Checker against your domain with each selector to confirm the public key resolves and parses correctly.

    From a terminal
    dig +short TXT <selector>._domainkey.your-domain.com
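
The same check scripted for all three Easy DKIM selectors at once, as an added example (not code from the original guide or from AWS). The tokens `aaa111`, `bbb222`, `ccc333`, the domain `example.com` and the function names are constructed placeholders; pass `lookup_dig` instead of `lookup_sample` to query live DNS with the tokens issued for your identity.

```sh
# Resolver for live DNS: prints the CNAME target of a name, if any.
lookup_dig() { dig +short CNAME "$1"; }

# Constructed sample zone for an offline run: token "bbb222" was never
# published and "ccc333" has a mistyped target.
lookup_sample() {
  case "$1" in
    aaa111._domainkey.example.com) echo "aaa111.dkim.amazonses.com." ;;
    ccc333._domainkey.example.com) echo "ccc333.dkim.amazonses.co." ;;
  esac
}

# check_easy_dkim <lookup-fn> <domain> <token1> <token2> <token3>
# Prints one status line per token; returns the number of bad records.
check_easy_dkim() {
  lookup=$1; domain=$2; shift 2
  bad=0
  for tok in "$@"; do
    host="${tok}._domainkey.${domain}"
    want=$(printf '%s' "${tok}.dkim.amazonses.com" | tr '[:upper:]' '[:lower:]')
    # DNS names are case-insensitive and dig prints a trailing root dot.
    got=$("$lookup" "$host" | head -n 1 | tr '[:upper:]' '[:lower:]')
    got=${got%.}
    if [ -z "$got" ]; then
      echo "MISSING  $host"; bad=$((bad + 1))
    elif [ "$got" != "$want" ]; then
      echo "WRONG    $host -> $got (expected $want)"; bad=$((bad + 1))
    else
      echo "OK       $host -> $got"
    fi
  done
  # Easy DKIM needs all three records; flag a call that checks fewer.
  [ "$#" -eq 3 ] || { echo "WARN     expected 3 tokens, got $#"; bad=$((bad + 1)); }
  return "$bad"
}

# Offline demo on the constructed zone; for live DNS pass lookup_dig instead.
check_easy_dkim lookup_sample example.com aaa111 bbb222 ccc333 || true
```

A non-zero exit status means at least one of the three records is missing or points somewhere other than `<token>.dkim.amazonses.com`, so the function can gate a deploy or a scheduled check.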

    Common pitfalls

    • New SES accounts start in sandbox mode (200/day, verified recipients only). Production access requires manual approval, so apply early.
    • SES regions are independent. A domain verified in `us-east-1` is not verified in `eu-west-1`. If you fail over regions, verify in both.
    • The custom MAIL FROM domain step is optional in the SES UI but functionally required for DMARC alignment. Don't skip it.