How to Set Up DKIM for Amazon SES (Easy DKIM)

Enable Easy DKIM in Amazon SES by publishing three CNAME records that allow AWS to sign outgoing email with your domain.

Quick Answer — The Record You Need

Record Type: CNAME
Host / Name: abc123._domainkey
Value: abc123.dkim.amazonses.com

SES provides three unique CNAME records. The exact values are generated in your SES console.

Step-by-Step Setup

1. Open Amazon SES in the AWS Console

Navigate to Amazon SES in your sending region.

2. Create or select your domain identity

Under Verified identities, select your domain. Under the Authentication tab, find the DKIM section.

3. Enable Easy DKIM

SES will generate three CNAME records for DKIM. Easy DKIM uses 2048-bit keys by default.

4. Publish the three CNAME records

Add all three CNAME records to your DNS provider.

abc123._domainkey.yourdomain.com  CNAME  abc123.dkim.amazonses.com
def456._domainkey.yourdomain.com  CNAME  def456.dkim.amazonses.com
ghi789._domainkey.yourdomain.com  CNAME  ghi789.dkim.amazonses.com

5. Wait for verification

SES will automatically verify the CNAME records. The DKIM status will change to "Verified" once propagation is complete, typically within 72 hours.

Common Gotchas

  • You need ALL three CNAME records, not just one. SES will not enable DKIM until all three are detected.
  • The CNAME values are unique to your SES identity. You must copy them from the SES console -- they cannot be guessed.
  • Easy DKIM keys are rotated automatically by AWS. Because the records are CNAMEs, no DNS changes are needed during rotation.

Verify Your Setup

After adding your DNS records, use our free DKIM checker to verify everything is configured correctly. DNS changes typically propagate within minutes, but can take up to 48 hours.
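
An offline version of this check, as an added example that is not part of the original guide: it reads CNAME lines (the format shown in step 4, or `dig +noall +answer` output) and reports any of the three records that is missing or points at the wrong target. The domain, tokens and sample lines are constructed placeholders, and the doubled-domain check covers a mistake this page does not list.

```python
"""Added example: offline check of the three Easy DKIM CNAME records."""
SES_SUFFIX = ".dkim.amazonses.com"

# Constructed sample: placeholder tokens and domain, third record misnamed.
TOKENS = ["abc123", "def456", "ghi789"]
SAMPLE = """\
abc123._domainkey.yourdomain.com. 300 IN CNAME abc123.dkim.amazonses.com.
def456._domainkey.yourdomain.com  CNAME  def456.dkim.amazonses.com
ghi789._domainkey.yourdomain.com.yourdomain.com. 300 IN CNAME ghi789.dkim.amazonses.com.
"""


def parse_cnames(text):
    """Parse 'name [ttl] [IN] CNAME target' lines into {name: target}."""
    records = {}
    for line in text.splitlines():
        fields = line.split()
        kinds = [f.upper() for f in fields]
        if "CNAME" not in kinds:
            continue
        i = kinds.index("CNAME")
        if i == 0 or i + 1 >= len(fields):
            continue  # no owner name or no target on this line
        # DNS names are case-insensitive; drop the trailing root dot.
        records[fields[0].rstrip(".").lower()] = fields[i + 1].rstrip(".").lower()
    return records


def check_easy_dkim(domain, tokens, dns_text):
    """Return a list of problems; an empty list means all records match."""
    domain = domain.rstrip(".").lower()
    published = parse_cnames(dns_text)
    problems = []
    if len(tokens) != 3:
        problems.append(f"expected 3 tokens from the SES console, got {len(tokens)}")
    for token in (t.lower() for t in tokens):
        name = f"{token}._domainkey.{domain}"
        want = token + SES_SUFFIX
        got = published.get(name)
        if got is None and f"{name}.{domain}" in published:
            problems.append(f"{name}: domain appended twice in DNS")
        elif got is None:
            problems.append(f"{name}: missing")
        elif got != want:
            problems.append(f"{name}: points to {got}, expected {want}")
    return problems


if __name__ == "__main__":
    for problem in check_easy_dkim("yourdomain.com", TOKENS, SAMPLE) or ["all three records match"]:
        print(problem)
```

Replace `TOKENS` with the three tokens from the SES console and feed it your provider's zone export or saved `dig` answers.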

Frequently Asked Questions

How many DKIM records does Amazon SES require?

Amazon SES Easy DKIM requires three CNAME records. All three must be published in your DNS for DKIM to activate.

Does Amazon SES rotate DKIM keys automatically?

Yes. Easy DKIM keys are rotated automatically by AWS. The CNAME records point to AWS-managed DNS, so no DNS updates are needed.

Can I use my own DKIM keys with Amazon SES?

Yes. SES supports "Bring Your Own DKIM" (BYODKIM) where you provide your own key pair. However, Easy DKIM is simpler and recommended for most users.
