Amazon Simple Email Service
Developer Guide

Manual DKIM Signing in Amazon SES

If you prefer not to use Easy DKIM, you can still sign your email messages using a DKIM signature and send them using Amazon SES. To do this, you must use the SendRawEmail API and self-sign your message content according to the specifications provided at If you use this approach, be aware that Amazon SES does not validate the DKIM signature that you construct. If there are any errors in the signature, you will need to correct them yourself. If you DKIM-sign your own email messages, we recommend that you use keys that are at least 1024 bits.

Whether or not you DKIM-sign your messages, Amazon SES automatically adds a DKIM header with, which you can ignore. If you do DKIM-sign your messages, it is expected that there will be two DKIM headers: one for your domain, and one for


To ensure maximum deliverability, do not sign any of the following headers using a DKIM signature:

  • Message-ID

  • Date

  • Return-Path

  • Bounces-To


If you are using the Amazon SES SMTP interface to send email, and your client software automatically performs DKIM signing, you should check to ensure that your client does not sign any of the headers listed above. We recommend that you check the documentation for your software to find out exactly what headers are signed with DKIM.

For more information about the Amazon SES SMTP interface, see Using the Amazon SES SMTP Interface to Send Email.