Amazon Simple Email Service
Developer Guide (API Version 2010-12-01)

Verifying Domains in Amazon SES

Amazon SES requires that you verify your email address or domain, to confirm that you own it and to prevent others from using it. When you verify an entire domain, you are verifying all email addresses from that domain, so you don't need to verify email addresses from that domain individually. For example, if you verify the domain example.com, you can send email from user1@example.com, user2@example.com, or any other user at example.com.

Important notes about domain verification are as follows:

  • Amazon SES has endpoints in multiple AWS regions, and domain verification applies to each AWS region separately. You must perform the entire domain verification procedure for each region in which you want to send from a given domain. If you want to verify the same domain in multiple regions and your DNS provider does not allow you to have multiple TXT records with the same name, see the workarounds in Common Domain Verification Problems.

  • If you verify a domain with Amazon SES, you can send from any subdomain of that domain without specifically verifying the subdomain. For example, if you verify example.com, you do not need to verify a.example.com or a.b.example.com. As specified in RFC 1034, each DNS label can have up to 63 characters and the whole domain name must not exceed a total length of 255 characters.

  • If you verify a domain, subdomain(s), and/or email address(es) that share a root domain, the verified identity settings (such as feedback notifications and Easy DKIM) apply at the most granular level you verified. That is:

    • Verified email address settings override verified domain settings.

    • Verified subdomain settings override verified domain settings, with lower-level subdomain settings overriding higher-level subdomain settings.

    For example, assume you verify user@a.b.example.com, a.b.example.com, b.example.com, and example.com. These are the verified identity settings that will be used in the following scenarios:

    • Emails sent from user@example.com (an address that is not specifically verified) will use the settings for example.com.

    • Emails sent from user@a.b.example.com (an address that is specifically verified) will use the settings for user@a.b.example.com.

    • Emails sent from user@b.example.com (an address that is not specifically verified) will use the settings for b.example.com.

  • Domain names are case-insensitive. If you verify example.com, you can send from EXAMPLE.com also.

  • You can verify as many as 1000 identities (domains and email addresses, in any combination) per AWS account.
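The precedence rules above can be expressed as a most-specific-match lookup. The following is an added example, not code from Amazon SES; the function names are hypothetical, and it assumes only the domain part of an address is compared case-insensitively, since the guide states nothing about the local part.

```python
# Constructed sample: the verified identities from the guide's scenario.
VERIFIED = ["user@a.b.example.com", "a.b.example.com", "b.example.com", "example.com"]

def normalize(identity):
    """Lower-case the domain part only (domain names are case-insensitive)."""
    local, at, domain = identity.rpartition("@")
    return f"{local}{at}{domain.lower()}"

def check_rfc1034(domain):
    """Enforce the limits the guide cites: 63 characters per label, 255 in total."""
    labels = domain.split(".")
    if len(domain) > 255 or any(not 1 <= len(label) <= 63 for label in labels):
        raise ValueError(f"domain violates RFC 1034 length limits: {domain!r}")
    return labels

def resolve_identity(sender, verified):
    """Return the verified identity whose settings apply to `sender`, or None
    if neither the address nor any parent domain is verified."""
    verified = {normalize(v) for v in verified}
    sender = normalize(sender)
    if sender in verified:
        return sender  # a verified address overrides any domain settings
    labels = check_rfc1034(sender.rpartition("@")[2])
    # Walk from the full domain up toward the root, so the lowest-level
    # verified subdomain wins over higher-level ones.
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in verified:
            return candidate
    return None

if __name__ == "__main__":
    for addr in ("user@example.com", "user@a.b.example.com", "user@b.example.com"):
        print(addr, "->", resolve_identity(addr, VERIFIED))
```

A result of None means the sender is not covered by any verified identity at all.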

This section discusses verifying entire domains. For individual email address verification, see Verifying Email Addresses in Amazon SES.

To verify a domain

  1. Sign in to the AWS Management Console and open the Amazon SES console at https://console.aws.amazon.com/ses.

  2. In the navigation pane, under Verified Senders, click Domains.

  3. Click Verify a New Domain.

  4. In the Verify a New Domain dialog box, enter the domain name, and then click Verify This Domain.

    Note

    If you want to set up DKIM signing for this domain, select the Generate DKIM Settings option. For more information about DKIM signing, see Authenticating Email with DKIM in Amazon SES.

  5. In the Verify a New Domain dialog box, you will see a Domain Verification Record Set containing a Name, a Type, and a Value. (This information will also be available by clicking the Details Page icon (the icon with the magnifying glass, not the expansion icon) to the left of the domain name after you close the dialog box.)

  6. To complete domain verification, you must add a TXT record with the displayed Name and Value to your domain's DNS settings. Note that some domain name providers use the term Host instead of Name. If your DNS provider does not allow underscores in TXT record names, you can omit the underscore before amazonses in the TXT record name.

    How you update the DNS settings depends on who provides your DNS service. DNS service may be provided by a domain name registrar such as GoDaddy or Network Solutions, or by a separate service such as Amazon Route 53.

    Important

    DNS providers may append the domain name to the end of DNS records. Adding a record that already contains the domain name (such as _amazonses.example.com) may result in the duplication of the domain name (such as _amazonses.example.com.example.com). To avoid duplication of the domain name, add a period to the end of the domain name in the DNS record. This will indicate to your DNS provider that the record name is fully qualified (that is, no longer relative to the domain name), and prevent the DNS provider from appending an additional domain name.

    If Amazon Route 53 provides the DNS service for the domain you are verifying, and you are logged in to Amazon SES with the same email address and password you use for Amazon Route 53, then Amazon SES will give you the option of updating your DNS settings immediately from within the Amazon SES Console.

    Otherwise, update your DNS settings according to the procedure established by your DNS service provider. Ask your system administrator if you are not sure who provides your DNS service.

  7. If you are not using Route 53, Amazon SES needs to verify that a TXT record with the specified Name and Value has been added to your DNS settings. This may take up to 72 hours.

    When verification is complete, the domain's status in the Amazon SES console will change from "pending verification" to "verified", and you will receive an Amazon SES Domain Verification SUCCESS confirmation email from Amazon SES. (Amazon SES emails are sent to the email address you used when you signed up for Amazon SES.)

  8. You can now use Amazon SES to send email from any address in the verified domain. To send a test email, check the box next to the verified domain, then click Send a Test Email.

What if domain verification fails?

If the DNS settings are not correctly updated, you will receive an Amazon SES Domain Verification FAILURE email from Amazon SES, and the domain will display a status of "failed" in the Domains tab.

If this happens, please click the "retry" link next to the "failed" status notification. This will reinitiate the domain verification process. Add the new TXT record information to your DNS settings, and check with your DNS service provider to ensure that you have entered the TXT record information correctly.
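When checking the TXT record after a failure, the two naming pitfalls from step 6 (the appended domain name and the optional underscore) can be tested mechanically. The following is an added example, not part of Amazon SES or any DNS provider's tooling; the function names, the token, and the model of a provider that appends the zone name to any entry without a trailing period are assumptions.

```python
TOKEN = "CONSTRUCTED-TOKEN-VALUE="  # constructed placeholder, not a real SES value

def effective_name(entered, zone):
    """Name the provider publishes for an entry typed into its zone editor.
    Assumed model: a trailing period marks the name as fully qualified;
    otherwise the zone name is appended."""
    entered = entered.lower()
    if entered.endswith("."):
        return entered.rstrip(".")
    return f"{entered}.{zone}"

def check_verification_record(entries, zone, token):
    """entries: (name_as_entered, record_type, value) tuples.
    Returns 'ok', 'value-mismatch', 'duplicated-domain' or 'missing'."""
    zone = zone.lower().rstrip(".")
    # The underscore may be omitted if the provider does not allow it.
    accepted = {f"_amazonses.{zone}", f"amazonses.{zone}"}
    duplicated = {f"{name}.{zone}" for name in accepted}
    finding = "missing"
    for entered, rtype, value in entries:
        if rtype.upper() != "TXT":
            continue
        name = effective_name(entered, zone)
        if name in accepted:
            # Several TXT records may share the name (one per region),
            # so any record carrying the expected value is sufficient.
            if value.strip('"') == token:
                return "ok"
            finding = "value-mismatch"
        elif name in duplicated and finding == "missing":
            finding = "duplicated-domain"
    return finding

if __name__ == "__main__":
    zone_entries = [("_amazonses.example.com", "TXT", TOKEN)]  # no trailing period
    print(check_verification_record(zone_entries, "example.com", TOKEN))
```

A result of 'duplicated-domain' corresponds to the _amazonses.example.com.example.com case described in the Important note.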

To view your verified domains

  1. Sign in to the AWS Management Console and open the Amazon SES console at https://console.aws.amazon.com/ses.

  2. In the navigation pane, under Verified Senders, click Domains.

  3. In the list of verified domains, you can expand one or more domains to view the details.

To remove a verified domain

  1. Sign in to the AWS Management Console and open the Amazon SES console at https://console.aws.amazon.com/ses.

  2. In the navigation pane, under Verified Senders, click Domains.

  3. Check the box beside each domain that you want to remove, and then click Remove.

  4. You will no longer be able to send email from the removed domain.

Domain revocation

Amazon SES periodically reviews domain verification status, and revokes verification in cases where it is no longer valid. If Amazon SES is unable to detect the TXT record information required to confirm ownership of a domain, you will receive an Amazon SES Domain Verification REVOCATION WARNING email from Amazon SES.

If you restore the TXT record information to your DNS settings within 72 hours, you will receive an Amazon SES Domain Verification REVOCATION CANCELLATION email from Amazon SES.

If you do not restore the TXT record information to your DNS settings within 72 hours, you will receive an Amazon SES Domain Verification REVOCATION email from Amazon SES, the domain will be removed from the list of Verified Senders on the Domains tab, and you will no longer be able to send from the domain.

To reverify a domain for which verification has been revoked, you must restart the verification procedure from the beginning, just as if the revoked domain were an entirely new domain.

Using the Amazon SES API

You can also manage verified domains with the Amazon SES API. The following actions are available:

  • ListIdentities

  • VerifyDomainIdentity

  • DeleteIdentity

  • GetIdentityVerificationAttributes

You can use these API actions to write a customized front-end application for domain verification. For a complete description of API actions related to domain verification, go to the Amazon Simple Email Service API Reference.
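A small audit built on ListIdentities and GetIdentityVerificationAttributes can flag domains that are pending, failed, or no longer verified. The following is an added example, not code from the API Reference; audit_domains, needs_attention and StubSES are hypothetical names, and the stub stands in for a boto3 SES client (boto3.client("ses", region_name=...)) so that the block runs offline.

```python
def audit_domains(ses):
    """Return {domain: VerificationStatus} for every domain identity visible
    to `ses`. Verification is per region, so run once per regional client."""
    domains, kwargs = [], {"IdentityType": "Domain"}
    while True:  # follow NextToken until ListIdentities is exhausted
        page = ses.list_identities(**kwargs)
        domains.extend(page["Identities"])
        if not page.get("NextToken"):
            break
        kwargs["NextToken"] = page["NextToken"]
    statuses = {}
    for i in range(0, len(domains), 100):  # the API accepts up to 100 identities per call
        batch = domains[i:i + 100]
        attrs = ses.get_identity_verification_attributes(Identities=batch)
        for domain in batch:
            entry = attrs["VerificationAttributes"].get(domain, {})
            statuses[domain] = entry.get("VerificationStatus", "Unknown")
    return statuses

def needs_attention(statuses):
    """Domains whose status is anything other than Success."""
    return sorted(d for d, s in statuses.items() if s != "Success")

class StubSES:
    """Constructed stand-in that returns responses shaped like the SES API's."""
    def __init__(self, status_by_domain, page_size=2):
        self.data, self.page_size = status_by_domain, page_size

    def list_identities(self, IdentityType, NextToken=None):
        names, start = sorted(self.data), int(NextToken or 0)
        page = {"Identities": names[start:start + self.page_size]}
        if start + self.page_size < len(names):
            page["NextToken"] = str(start + self.page_size)
        return page

    def get_identity_verification_attributes(self, Identities):
        return {"VerificationAttributes": {
            d: {"VerificationStatus": self.data[d]} for d in Identities if d in self.data}}

if __name__ == "__main__":
    stub = StubSES({"example.com": "Success", "example.net": "Pending",
                    "example.org": "Failed"})  # constructed sample data
    print(needs_attention(audit_domains(stub)))
```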