Tuesday, 3 February 2026

AWS SES DKIM & Route 53 Integration Guide

1. Purpose

This document explains how to configure DKIM (DomainKeys Identified Mail) for a domain using:

  • AWS Simple Email Service (SES)

  • Amazon Route 53 (DNS provider)

DKIM improves email deliverability and reduces the chance of emails being marked as spam, because receiving servers can verify that messages are authorized by the domain owner.


2. Prerequisites

  • AWS account with access to:

    • SES

    • Route 53

  • A domain name (example: sendproperty.com)

  • Domain hosted in Route 53 Hosted Zone

  • SES configured in the correct region (example: us-east-1)


3. What is DKIM?

DKIM adds a digital signature to outgoing emails.
Receiving mail servers (Gmail, Outlook, Yahoo, etc.) validate this signature using DNS records published for your domain.

AWS SES provides 3 CNAME records for DKIM authentication.


4. Step 1: Verify Domain in AWS SES

  1. Log in to the AWS Console

  2. Go to Simple Email Service (SES)

  3. Select the correct region

  4. Navigate to:

    Configuration → Verified identities
  5. Click Create identity

  6. Choose:

    • Identity type: Domain

    • Enter your domain (example: sendproperty.com)

  7. Enable:
    ✅ DKIM authentication

  8. Click Create identity


5. Step 2: Get DKIM CNAME Records from SES

After creating the identity, SES generates 3 DKIM CNAME records:

Example:

    Record Name                          Type    Value
    abc123._domainkey.sendproperty.com   CNAME   abc123.dkim.amazonses.com
    def456._domainkey.sendproperty.com   CNAME   def456.dkim.amazonses.com
    ghi789._domainkey.sendproperty.com   CNAME   ghi789.dkim.amazonses.com

These records must be added in Route 53.


6. Step 3: Add DKIM Records in Route 53

  1. Open AWS Console → Route 53

  2. Go to:

    Hosted zones → yourdomain.com
  3. Click Create record

  4. For each DKIM record:

Record 1

  • Record name: abc123._domainkey.sendproperty.com

  • Record type: CNAME

  • Value: abc123.dkim.amazonses.com

  • TTL: Default

  • Routing policy: Simple

Click Create record

Repeat the same for all 3 records.


7. Step 4: Verify DKIM Status

  1. Go back to:

    SES → Verified identities → your domain
  2. Check DKIM status

It should change from:

Pending → Verified

This may take:

  • 5 to 30 minutes (sometimes up to 24 hours)


8. (Optional but Recommended) Add SPF Record

Add this TXT record in Route 53:

  • Type: TXT

  • Name: @

  • Value:

    v=spf1 include:amazonses.com ~all

This allows SES servers to send emails on behalf of your domain.


9. (Optional) Enable DMARC

Add TXT record:

  • Type: TXT

  • Name: _dmarc.yourdomain.com

  • Value:

    v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com;

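DMARC improves security and reporting. The p=none policy shown here only requests aggregate reports at the rua address; it does not ask receivers to quarantine or reject mail that fails the checks.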


10. Common Issues & Troubleshooting

❌ DKIM stuck in Pending

Possible causes:

  • Records not added correctly

  • Wrong SES region

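  • Domain added twice in record name (for example abc123._domainkey.sendproperty.com.sendproperty.com, which happens when the full name is typed into a field that already appends the hosted zone name)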

  • Not using CNAME type

  • DNS propagation delay

✅ Check using dig/nslookup

    nslookup -type=CNAME abc123._domainkey.yourdomain.com

Should return:

abc123.dkim.amazonses.com
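
An added example (not part of the original guide): a Python check that reads the hosted zone's records in the JSON shape returned by `aws route53 list-resource-record-sets` and reports which of the causes listed above applies to each DKIM token. The zone data is constructed, the helper names are hypothetical, and the `<token>.dkim.amazonses.com` target is assumed from the example records in this guide.

```python
# Constructed sample in the shape of `aws route53 list-resource-record-sets`
# output: one correct record and two of the mistakes from the list above.
SAMPLE_ZONE = {"ResourceRecordSets": [
    {"Name": "abc123._domainkey.sendproperty.com.", "Type": "CNAME",
     "ResourceRecords": [{"Value": "abc123.dkim.amazonses.com"}]},
    {"Name": "def456._domainkey.sendproperty.com.sendproperty.com.", "Type": "CNAME",
     "ResourceRecords": [{"Value": "def456.dkim.amazonses.com"}]},
    {"Name": "ghi789._domainkey.sendproperty.com.", "Type": "TXT",
     "ResourceRecords": [{"Value": '"ghi789.dkim.amazonses.com"'}]},
]}


def norm(name):
    """Lower-case, drop TXT quotes and the trailing dot so names compare."""
    return name.strip('"').lower().rstrip(".")


def diagnose(zone, domain, tokens):
    """Return {token: status} for each DKIM token SES issued (hypothetical helper)."""
    records = {}
    for rr in zone["ResourceRecordSets"]:
        values = [norm(v["Value"]) for v in rr.get("ResourceRecords", [])]
        records.setdefault(norm(rr["Name"]), []).append((rr["Type"], values))
    domain, result = norm(domain), {}
    for token in tokens:
        name = f"{token}._domainkey.{domain}".lower()
        target = f"{token}.dkim.amazonses.com".lower()  # assumed target pattern
        entries = records.get(name, [])
        cnames = [vals for rtype, vals in entries if rtype == "CNAME"]
        if cnames:
            ok = cnames[0] == [target]
            result[token] = "ok" if ok else f"wrong value, expected {target}"
        elif entries:
            types = ",".join(sorted(rtype for rtype, _ in entries))
            result[token] = f"wrong type {types}, must be CNAME"
        elif f"{name}.{domain}" in records:
            result[token] = "domain added twice in record name"
        else:
            result[token] = "missing"
    return result


if __name__ == "__main__":
    tokens = ["abc123", "def456", "ghi789"]
    for token, status in diagnose(SAMPLE_ZONE, "sendproperty.com", tokens).items():
        print(f"{token}: {status}")
```

To run it against a real zone, save the CLI response to a file and pass the result of `json.load` as `zone`.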

11. Best Practices

  • Always enable DKIM for production domains

  • Use a dedicated subdomain for sending emails (example: mail.yourdomain.com)

  • Configure SPF + DKIM + DMARC together

  • Monitor bounce and complaint notifications in SES


12. Architecture Flow

    Application → AWS SES → Recipient Mail Server
                                    ↓
                      DKIM verified via Route53 DNS

13. Conclusion

After successful configuration:

  • SES can sign emails with DKIM

  • Mail servers trust your domain

  • Email deliverability improves

  • Spam probability reduces

