How to Set Up DKIM in Amazon SES (Easy DKIM vs BYODKIM)

If your Amazon SES emails show “Delivered” but still land in spam, your DKIM configuration may be incomplete or misaligned.

By default, Amazon SES can sign emails using an amazonses.com DKIM signature if domain-level DKIM is not configured. While this technically authenticates the message, it does not authenticate your domain.

Without domain alignment, mailbox providers cannot build a reputation for your domain, and DMARC may fail. 

Since 2024, Gmail and Yahoo require aligned authentication for bulk senders. If you are configuring DKIM for a domain using the amazon simple email service, your goal is to protect inbox placement and build domain reputation. Most teams only discover DKIM issues after emails start landing in spam or failing DMARC alignment.

In this article, you will learn how to choose between easy DKIM and BYODKIM, configure them properly, verify they are working, troubleshoot common failures, and understand why authentication alone does not guarantee inbox placement.

Amazon SES DKIM Options: Which Method Should You Use?

When configuring DKIM signing in Amazon SES, you have three options.  The right choice determines how DKIM signing is handled. It defines who generates and manages the DKIM keys and where the message signing happens. In Amazon SES, AWS can manage the keys and signing process (Easy DKIM), or you can control the public-private key pair and signing configuration yourself (BYODKIM).

*Note: Manual signing is less common in typical Amazon SES workflows. In most cases, Amazon SES signs outgoing messages automatically once DKIM is enabled. Manual signing is mainly used in advanced setups where applications sign messages before sending or when organizations use a custom Mail Transfer Agent (MTA) outside of SES.

Easy DKIM

Easy DKIM is the default and recommended option for most Amazon SES users because it simplifies DKIM configuration and ongoing key management.

When you enable Easy DKIM, Amazon SES automatically generates the DKIM public-private key pair and provides the required CNAME records that must be published in your domain’s DNS. After the records are added, SES handles DKIM signing for outgoing messages and manages key rotation internally.

You only need to publish the generated CNAME records in your DNS and enable DKIM in the Amazon SES console. Once verification completes, SES automatically signs emails sent from your domain.

BYODKIM (Bring Your Own DKIM)

BYODKIM is a more advanced option that lets you use your own DKIM keys instead of the ones generated by Amazon SES. Most users do not need this approach, but it can be useful for organizations that require centralized key management, specific compliance or security policies, or already operate their own DKIM infrastructure.

With BYODKIM, you generate your own public-private key pair, publish the public key as a TXT record in your domain’s DNS, and configure signing through the SES API or the AWS CLI. This provides full control over the DKIM signing key and how key rotation is handled.

Managing DKIM across regions can become repetitive and error-prone because Amazon SES identities are configured separately in each AWS region. This issue typically appears in multi-region deployments where organizations send email from multiple AWS regions, implement regional failover for reliability, or run distributed infrastructure.

In these setups, DKIM must normally be enabled and verified in each region individually. Amazon SES addresses this limitation with a specialized variant of Easy DKIM.

Deterministic DKIM (DEED)

Deterministic Easy DKIM lets you replicate the same DKIM configuration across multiple Amazon SES regions without generating new DKIM records in each region. It simplifies multi-region deployments by ensuring that the same DKIM selectors and DNS records can be reused across regions.

Importantly, Deterministic Easy DKIM is still SES-managed. Amazon SES continues to generate the DKIM keys, manage the signing process, and handle key rotation automatically. This means it retains the operational simplicity of Easy DKIM while making multi-region setups easier to maintain.

With DEED, you do not have to create separate CNAME records for every region. Instead, the same DNS records can work across multiple SES regions.

This approach is useful when:

• You send email from multiple AWS regions
• You want consistent DKIM selectors across regions
• You are implementing regional failover or disaster recovery
• You run distributed email infrastructure across regions

This keeps DKIM configuration consistent while avoiding the complexity of managing separate records for each region.

Multi-Region considerations in Amazon SES

In Amazon SES, identities are regional.

When you verify a domain in one AWS region, that verification does not automatically apply to another region. Each region maintains its own:

• Verified identities
• DKIM configuration
• MAIL FROM settings
• Sending quotas

If you send from both us-east-1 and eu-west-1, DKIM must be configured separately in each region unless you use Deterministic Easy DKIM.

How to Set Up Easy DKIM in Amazon SES (Step-by-Step)

Easy DKIM is the recommended option for most Amazon SES users because key generation and signing are handled by SES. You only need to publish DNS records.

Here are the prerequisites you must have before setup.

• A verified domain identity
• Access to your domain’s DNS settings
• Control of your dns hosting provider

Step 1: Open verified identities

Log into the AWS management console, then:

• Open the Amazon SES dashboard
• Navigate to Identity management
• Select your domain

Review existing DKIM settings.

Step 2: Select easy DKIM

Under the DKIM section, choose Easy DKIM as the signing method.

If DKIM was previously configured using another method, review migration implications before switching.

Step 3: Choose key length (Select 2048-bit)

Select 2048-bit unless you have a legacy DNS limitation.

• 2048-bit keys provide stronger cryptographic security
• 1024-bit keys are supported but no longer recommended for long-term use

Some DNS providers may have record-length limits. Modern providers typically support 2048-bit without issues.

Step 4: Enable DKIM and generate CNAME records

After enabling Easy DKIM, SES generates three CNAME records.

These records:

• Publish the public key
• Allow SES to manage signing automatically
• Enable automatic key rotation

Step 5: Add CNAME records to Your DNS

Copy the three CNAME records exactly as provided.

Common configuration mistakes include:

• Modifying the record name
• Adding duplicate domain suffixes
• Truncating the value field
• Incorrect TTL formatting

Enter the records at your DNS provider and save changes.

Step 6: Wait for verification

Amazon SES periodically checks your DNS records and automatically verifies DKIM once the CNAME records are detected.

Typical propagation time:

• Often within minutes
• Sometimes a few hours
• Rarely up to 72 hours depending on DNS TTL and provider caching

If you want to confirm the records before SES detects them, you can check them yourself using DNS lookup tools or command-line utilities such as dig or nslookup.

Once the records are detected and validated, the DKIM status will show “Successful” in the SES console.

How to Set Up BYODKIM in Amazon SES

BYODKIM (Bring Your Own DKIM) lets you use your own RSA key pair instead of keys generated by Amazon SES. This approach is commonly used by organizations that want to maintain consistent DKIM selectors and keys across multiple email platforms or email service providers.

By managing the keys yourself, you can reuse the same DKIM configuration across different sending systems while maintaining centralized control over the signing keys.

When to use BYODKIM

Use BYODKIM if:

• You need the same DKIM key across multiple ESPs.
• Your organization has compliance or key-management requirements.
• You want consistent selectors across providers and regions.
• You manage centralized cryptographic control.

For most teams, Easy DKIM is sufficient. BYODKIM is typically chosen for infrastructure standardization or regulatory reasons. For example, organizations sending from multiple ESPs (such as SES, SendGrid, and Mailgun) often use BYODKIM so every provider signs emails using the same domain selector.

Step 1: Generate an RSA key pair

You will publish the public key in DNS. The private key remains secure and is provided to SES.

Step 2: Prepare the public key for DNS

Open the DKIM_public.pem file and:

• Remove the header and footer lines
• Remove all line breaks
• Keep only the Base64-encoded key string

Step 3: Configure BYODKIM in Amazon SES (API v2)

BYODKIM configuration is performed using the SES v2 API.

Here’s what you must do:

• Specify the selector name
• Provide the Base64-encoded private key
• Enable signing for the domain identity

Step 4: Publish the TXT Record in DNS

Step 5: Verify DKIM status

Return to the SES console and check DKIM status for the identity.

Status should move from Pending to Successful after DNS propagation.

Troubleshooting BYODKIM issues

1. Base64 formatting errors

• Remove -----BEGIN PUBLIC KEY----- and -----END PUBLIC KEY-----
• Remove all line breaks
• Ensure no extra spaces are included

Incorrect formatting is the most common cause of validation failure.

2. Line break issues in DNS

DNS TXT records must contain the public key on a single logical line. Some DNS providers split long values automatically. Confirm the final published record is intact.

3. Key length validation

SES supports 1024-bit and 2048-bit keys.
2048-bit is recommended for modern authentication standards.

If SES rejects the key:

• Confirm correct key length
• Confirm RSA format
• Ensure private and public keys match

BYODKIM provides full control over DKIM signing but requires careful key handling and DNS precision.

Next, we verify whether SES is signing correctly and whether mailbox providers are recognizing the signature.

How to Verify Your Amazon SES DKIM Is Working

Enabling DKIM is not the same as confirming it works in production. Verification requires checking both SES status and live email behavior.

Use the checklist below to verify that DKIM signing is functioning correctly.

Check 1: Confirm DKIM status in SES

In the Amazon SES console, open your domain under Verified Identities.

The DKIM status must show: Successful

If it shows Pending, DNS validation is not complete.
If it shows Failed, review DNS formatting.

This confirms that Amazon SES recognizes your DNS records. However, it does not confirm mailbox-providers recognize the DKIM signature.

Check 2: Inspect email headers

Send a test email to Gmail or another mailbox and open the full message headers.

Look for:

• DKIM-Signature
• d=yourdomain.com

If you only see:

• d=amazonses.com

then your custom DKIM signature is not being applied.

Also confirm:

• DKIM=pass
• header.d=yourdomain.com

If DKIM fails or is missing, authentication alignment will break under DMARC.

Check 3: Validate DNS records publicly

Even if SES shows “Successful,” confirm the records are publicly visible.

Use MailReach’s DKIM checker to:

• Validate record formatting
• Confirm selector visibility
• Detect truncation issues
• Identify DNS propagation gaps

Check 4: Run a deliverability test

SES reporting “Delivered” only means the receiving server accepted the message. It does not indicate inbox placement.

Authentication passing does not guarantee inbox placement.

Run an email deliverability test to see:

• Inbox vs spam placement
• Gmail classification
• Outlook and Yahoo placement
• Authentifizierungsergebnisse
• Blacklist indicators

This is where many teams discover that DKIM passes but reputation signals push messages into spam. Tools like MailReach’s spam test help surface these issues by showing how mailbox providers classify your emails and where fixes are needed.

Verification ensures:

1. SES recognizes your DKIM setup
2. Mailbox providers validate your signature
3. Your domain is properly aligned
4. Your emails reach the inbox, not just the receiving server

Next, we address the most common DKIM failures in Amazon SES and how to resolve them.

Troubleshooting Common Amazon SES DKIM Issues

Even when configured correctly, DKIM issues in Amazon SES usually fall into a few predictable patterns. Use the scenarios below to isolate the root cause.

Issue 1: DKIM stuck in “pending”

If DKIM status remains Pending in the Amazon SES console, SES cannot validate your DNS records.

Common causes:

• DNS propagation delay
• Incorrect CNAME hostname
• Duplicate domain suffix added by DNS provider
• Record published as TXT instead of CNAME
• Old conflicting DKIM records still present

Solution:

• Confirm all three CNAME records match SES exactly
• Check that your DNS provider did not auto-append the domain name
• Use a public DNS lookup tool to confirm visibility
• Verify TTL settings

If records are visible publicly but SES still shows Pending after extended time, open a support case with AWS.

Issue 2: Emails not being DKIM-signed

DKIM shows “Successful,” but outgoing emails do not contain your domain signature.

Common causes:

• DKIM enabled on domain identity but sending from a different subdomain
• Email identity overriding domain identity
• DKIM not enabled at the correct identity level
• Sending from a different AWS region
• Application configured to use the wrong SES endpoint

In Amazon SES, identities are regional. If you send from us-east-1 but only configured DKIM in eu-west-1, messages from the unconfigured region will not use your domain signature.

Verify:

• The sending region
• The exact From domain
• Identity-level DKIM configuration

Issue 3: DKIM passes but emails still go to spam

This is the most common misunderstanding.

DKIM proves message integrity and domain authenticity. It does not guarantee inbox placement.

Mailbox providers evaluate additional signals, including:

• Absenderreputation
• Engagement-Raten
• Complaint rates
• Domain age
• IP reputation
• Volume spikes
• Content patterns
• SPF alignment
• DMARC policy

A domain with valid DKIM but weak reputation can still land in spam.

If DKIM passes but inbox placement is unstable, run a spam test to diagnose:

• Authentifizierungs-Übereinstimmung
• Spam-trigger patterns
• Inbox placement across Gmail, Outlook, and Yahoo

This separates authentication problems from reputation problems.

Issue 4: Multi-region DKIM configuration

Amazon SES does not share DKIM settings across regions.

If you verify and configure DKIM in one region only:

• Emails from that region will sign correctly
• Emails from other regions may fall back to default signing

This creates inconsistent authentication behavior and can weaken domain trust over time.

Audit all active sending regions and confirm DKIM is configured intentionally in each one.

Issue 5: DKIM revocation email from SES

Amazon SES periodically checks DNS records.

If the required CNAME or TXT records are removed or altered:

• DKIM status changes
• Signing may stop
• You may receive a revocation notification

This can happen after:

• DNS migrations
• Provider changes
• Accidental record cleanup
• Domain transfers

If revocation occurs:

1. Re-publish the correct records
2. Wait for verification
3. Confirm signing in email headers

Always re-verify DKIM after DNS infrastructure changes.

These troubleshooting steps isolate configuration errors from reputation-related inbox issues.

Next, we complete the authentication stack with SPF and DMARC.

Completing the Stack: DKIM + SPF + DMARC for Amazon SES

Authentication works as a system. Each protocol has a distinct role:

Passing DKIM and SPF individually is not enough. DMARC requires alignment between the visible From domain and the authenticated domain.

If SPF uses an Amazon MAIL FROM domain and DKIM is not aligned, DMARC can fail even when authentication technically passes.

For a full step-by-step implementation process covering SPF setup, Custom MAIL FROM configuration, and DMARC enforcement strategy, refer to the MailReach SPF, DKIM, and DMARC implementation guide.

With authentication aligned, the remaining factor is reputation and inbox placement. 

Why Authentication Alone Won’t Fix Your Deliverability

Authentication is foundational. It is not a ranking factor for the inbox.

DKIM, SPF, and DMARC confirm that you are authorized to send. They do not tell mailbox providers whether users want your emails.

When you start sending from a new domain in Amazon SES, that domain has no reputation history. Mailbox providers evaluate behavioral signals before deciding placement.

They assess:

• Sending history consistency
• Engagement signals such as replies
• Bounce-Raten
• Complaint rates
• Volume spikes
• IP reputation

A fully authenticated domain with poor engagement or aggressive volume increases can still land in spam.

Authentication gets you considered. Reputation determines placement.

Before scaling campaigns, establish sending history gradually, monitor engagement metrics, and track inbox placement across major providers. Without reputation management, authentication alone will not stabilize deliverability.

Turning SES Authentication Into Inbox Stability

Once DKIM, SPF, and DMARC are properly configured, the next focus is reputation management.

To stabilize inbox placement:

• Email warmup new domains gradually
• Avoid sudden volume spikes
• Monitor inbox placement regularly
• Test before launching major campaigns

New SES domains begin with no historical trust. Mailbox providers evaluate behavior over time. Gradual volume increases and consistent engagement signals reduce spam classification risk.

Authentication proves legitimacy. Consistent sending behavior builds credibility.

MailReach helps Amazon SES users move from “authenticated” to “consistently landing in the inbox” by:

• Warming up SES domains safely
• Generating positive engagement signals
• Monitoring inbox placement across 35+ inbox providers
• Detecting spam issues early before they affect revenue

If you are sending through Amazon SES, do not stop at authentication. Build and monitor reputation before scaling with MailReach.