AWS Messaging & Targeting Blog

DKIM Troubleshooting Series: Introduction to DKIM and First DNS Hurdles

DKIM is an industry standard designed to confirm an association between an email and a domain. Amazon SES supports an easy way to set up DKIM and sign outgoing emails, but sometimes things don’t go exactly as planned. This seven-part blog series covers several common problems that you may encounter when you set up and use EasyDKIM with SES. In this series, we follow a scenario in which we try to set up and use DKIM for a particular domain, and hit a variety of hurdles along the way, so that you can see how to tackle them.

First Steps

For this exercise, let’s suppose that we use the domain ses-example.com and have already verified it successfully. The first step we take in setting up DKIM is to go to the console and ask SES to generate the CNAME records which we will need to use. So far, so good.

Below are the three CNAME records that SES wants us to add to our DNS to complete EasyDKIM verification for our domain. Each record is a name on our domain pointing at a record hosted by SES:

Name: xtk53kxcy4p3t6ztbrffs6d54rsrrhh6._domainkey.ses-example.com
Type: CNAME
Value: xtk53kxcy4p3t6ztbrffs6d54rsrrhh6.dkim.amazonses.com

Name: zxfo5z4dqr44uztwz5io2b4j4mwlrquj._domainkey.ses-example.com
Type: CNAME
Value: zxfo5z4dqr44uztwz5io2b4j4mwlrquj.dkim.amazonses.com

Name: 5aws6ez5cxrf4hvt6w2qrip6pr4voupo._domainkey.ses-example.com
Type: CNAME
Value: 5aws6ez5cxrf4hvt6w2qrip6pr4voupo.dkim.amazonses.com

I have generated the records but I cannot add them to my DNS

We now go to our DNS provider’s interface to publish the records in DNS. We add the records provided by the SES console, only to see a red error message: “Underscore is not allowed in CNAME records”. What is this all about?

DKIM works by adding a digital signature to each email using a private key whose public counterpart is published, for everyone to read, as a DNS record. The DKIM-Signature header that the signer adds carries the selector (the s= tag) and the signing domain (the d= tag), and a receiving server combines the two to find the key: the public key record’s name must follow the format <selector>._domainkey.<signing-domain>. SES implements EasyDKIM by generating three such records, each with a name in this format. The selector is randomly generated for each record, and the signing domain is the domain for which we want to enable signing (in our case, ses-example.com).

The records that SES asks for are CNAMEs rather than TXT records: each CNAME points at a TXT record under dkim.amazonses.com that holds the public key, while SES keeps the matching private key. Because SES controls the records the CNAMEs point to, it can rotate the signing keys automatically, without you touching your DNS again, which limits the damage a leaked key can do.

Some DNS providers don’t allow CNAME records whose names contain underscores, even though the RFC specifically allows them: the letters-digits-hyphens restriction such providers enforce is the hostname syntax of RFC 1123, which applies to host names, not to every DNS owner name, and RFC 2181 (section 11) is explicit that a label may contain any characters. The DKIM specification (RFC 6376), on the other hand, requires the _domainkey label in the record’s name, so dropping the underscore is not an option. The underscore is the only part of the record’s name that is not under the control of either SES or its customers.
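The two points above, how a verifier derives the record name from the DKIM-Signature header and why a hostname-only validator rejects that name while DNS itself accepts it, as an added example that is not code from the original post or from SES. The DKIM-Signature header, the key record and the domain are constructed sample data (the selectors are the three shown above); the record shapes follow RFC 6376 and the SES console output, and no DNS queries are made, so it runs offline.

```python
"""
Added example: build the DNS owner names DKIM requires from a DKIM-Signature
header or from the selectors the SES console hands out, check them against
the two label policies that clash at the DNS provider, and parse a DKIM key
record. All inputs are constructed sample data; nothing is looked up in DNS.
"""
import re

# Constructed DKIM-Signature header value, as a signer such as SES would add it.
# bh= and b= are placeholders, not real digests or signatures.
SAMPLE_DKIM_SIGNATURE = (
    "v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; "
    "s=xtk53kxcy4p3t6ztbrffs6d54rsrrhh6; d=ses-example.com; "
    "h=From:To:Subject:Date:Message-ID; bh=BODYHASH; b=SIGNATURE"
)

# The three selectors from the page's example.
SELECTORS = [
    "xtk53kxcy4p3t6ztbrffs6d54rsrrhh6",
    "zxfo5z4dqr44uztwz5io2b4j4mwlrquj",
    "5aws6ez5cxrf4hvt6w2qrip6pr4voupo",
]


def parse_tags(value: str) -> dict:
    """Parse the tag=value list used by DKIM-Signature headers and key records (RFC 6376 s3.2)."""
    tags = {}
    for item in value.split(";"):
        item = item.strip()
        if item:
            name, _, val = item.partition("=")  # split on the first '=' only; b= may contain padding
            tags[name.strip()] = val.strip()
    return tags


def dkim_query_name(signature_header: str) -> str:
    """Owner name a verifier queries: <selector>._domainkey.<signing-domain>,
    with s= and d= taken from the DKIM-Signature header."""
    tags = parse_tags(signature_header)
    return f"{tags['s']}._domainkey.{tags['d']}"


def easydkim_records(domain: str, selectors: list) -> list:
    """(name, CNAME target) pairs in the form the SES console hands out:
    the CNAME on the customer's domain points at a record SES hosts."""
    return [(f"{s}._domainkey.{domain}", f"{s}.dkim.amazonses.com") for s in selectors]


# RFC 1123 s2.1 hostname label: letters, digits and hyphens, no leading/trailing hyphen.
HOSTNAME_LABEL = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def valid_hostname(name: str) -> bool:
    """Hostname syntax. A provider UI that applies this to every record name
    rejects '_domainkey', which is the error message seen in the post."""
    stripped = name.rstrip(".")
    return len(stripped) <= 253 and all(HOSTNAME_LABEL.match(label) for label in stripped.split("."))


def valid_dns_name(name: str) -> bool:
    """Owner-name syntax per RFC 2181 s11: any characters in a label; only
    lengths are constrained (1..63 per label, 253 characters in presentation form)."""
    stripped = name.rstrip(".")
    return len(stripped) <= 253 and all(1 <= len(label) <= 63 for label in stripped.split("."))


def rejected_by_hostname_check(name: str) -> bool:
    """True when the name is a legal DNS owner name but fails hostname rules,
    i.e. exactly the case where an over-strict provider refuses a DKIM CNAME."""
    return valid_dns_name(name) and not valid_hostname(name)


def parse_key_record(txt: str) -> dict:
    """Parse a DKIM key record (the TXT the CNAME ultimately resolves to).
    Returns the tags plus 'revoked': an empty p= means the key was withdrawn."""
    tags = parse_tags(txt)
    if tags.get("v", "DKIM1") != "DKIM1":
        raise ValueError("not a DKIM1 key record")
    tags.setdefault("k", "rsa")          # k= defaults to rsa when absent
    tags["revoked"] = tags.get("p", "") == ""
    return tags


# Constructed key record; the p= value is placeholder base64, not a real key.
SAMPLE_KEY_RECORD = "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC0"

if __name__ == "__main__":
    print("verifier will query:", dkim_query_name(SAMPLE_DKIM_SIGNATURE))
    for name, target in easydkim_records("ses-example.com", SELECTORS):
        flag = "REJECTED by hostname-only check" if rejected_by_hostname_check(name) else "ok"
        print(f"{name} CNAME {target}: {flag}")
    print("key record:", parse_key_record(SAMPLE_KEY_RECORD))
```

Running it shows all three EasyDKIM names flagged as rejected by the hostname-only check while passing the owner-name check, which is the mismatch behind the provider's error message; the key-record parser also catches an empty p= tag, the signal DKIM uses for a revoked key.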

One possible solution is to change DNS providers. Amazon Route 53, the scalable domain name service from Amazon Web Services, follows the RFC and accepts the CNAME records that SES generates. SES also integrates with Route 53: if your domain is hosted in Route 53 under the same AWS account that you use for SES, domain verification and DKIM setup can be completed with a one-click process from the SES console.

A second alternative is to use a subdomain (such as sales.ses-example.com in our case) for email sending and to delegate that to a DNS provider, such as Amazon Route 53, that correctly allows underscores in CNAME records. You can then perform the domain verification and DKIM verification processes on the subdomain, using the same steps as you did on the main domain. Emails will be DKIM signed, but the “From” address will contain the subdomain (in our case, the “From” address will be <any-local-part>@sales.ses-example.com).

A third option is to perform the signing yourself. This would give you complete control over the keys and signing process, but it would take more effort to implement and maintain.

Finally, you could pester the DNS provider until they properly add support for underscore in CNAME records, as allowed by the RFC.

For our domain, let’s assume that our DNS provider has graciously added support for underscores in CNAME records, and we can now add the required DNS entries as specified in the DKIM documentation. With this step out of the way, we wait for SES to send us a confirmation email and change the domain’s DKIM verification status from Pending to Verified in the SES console, which confirms that the CNAME records are in place as they should be.

Next Steps

In the next entry in this series, we will see what to do if the domain’s DKIM verification status still appears as Pending even after we added the records to our DNS. We’ll also have a look at the SES DKIM key rotation algorithm.