Domain verification problems Checking domain verification settings Email verification problems

Domain and Email address verification problems

To verify a domain or an email address with Amazon SES, you initiate the process using either the Amazon SES console or the Amazon SES API. This section contains information that may help resolve issues with the verification process.

Note

In the following procedures, the reference to DNS records could refer to either CNAME or TXT records depending on which form of DKIM you used. Easy DKIM uses CNAME records and Bring Your Own DKIM (BYODKIM) uses TXT records. Detailed verification procedures are provided for each of Easy DKIM or BYODKIM.

Common domain verification problems

If you attempt to verify a domain using the procedure in Verifying a DKIM domain identity with your DNS provider and you encounter problems, review the possible causes and solutions below.

You're attempting to verify a domain that you don't own – You can't verify a domain that you don't own. For example, if you want to send email through Amazon SES from an address on the gmail.com domain, you need to verify that email address specifically. You can't verify the entire gmail.com domain.
You're attempting to verify a private domain – You can't verify a domain if the DNS records can't be resolved over public DNS.
Your DNS provider doesn't allow underscores in the DNS record names – A small number of DNS providers don't allow you to include underscores (_) in record names. However, the underscore in the DKIM record name is required. If your DNS provider doesn't allow you to enter an underscore in the record name, contact the provider's customer support team for assistance.
Your DNS provider appended the domain name to the end of the DNS record – Some DNS providers automatically append the name of your domain to the attribute name of DNS record. For example, if you create a record where the attribute name is _domainkey.example.com, the provider might append the domain name, resulting in _domainkey.example.com.example.com). To avoid duplication of the domain name, add a period to the end of the domain name when you enter the DNS record. This step tells your DNS provider that it isn't necessary to append the domain name to the record.
Your DNS provider modified the DNS record value – Some providers automatically modify DNS record values to use only lowercase letters. Amazon SES only verifies your domain when it detects a verification record for which the attribute value exactly matches the value that Amazon SES provided when you started the domain verification process. If the DNS provider for your domain changes your DNS record values to use only lowercase letters, contact the DNS provider for additional assistance.
You want to verify the same domain multiple times – You might need to verify your domain more than once because you're sending in different regions, or because you're using the same domain to send from multiple AWS accounts. If your DNS provider doesn't allow you to have more than one DNS record with the same attribute name, you might still be able to verify two domains. If your DNS provider allows it, you can assign multiple attribute values to the same DNS record. For example, if your DNS is managed by Amazon Route 53, you can set up multiple values for the same CNAME record by completing the following steps:
1. In the Route 53 console, choose the CNAME record you created when you verified your domain in the first region.
2. In the Value box, go to the end of the existing attribute value, and then press Enter.
3. Add the attribute value for the additional region, and then save the record set.
If your DNS provider doesn't let you to assign multiple values to the same DNS record, you can verify the domain once with _domainkey in the attribute name of the DNS record, and another time with _domainkey removed from the attribute name. The downside of this solution is that you can only verify the same domain two times.

Checking domain verification settings

You can check that your Amazon SES domain verification DNS record is published correctly to your DNS server by using the following procedure. This procedure uses the nslookup tool, which is available for Windows and Linux. On Linux, you can also use dig.

The commands in these instructions were executed on Windows 7, and the example domain we use is ses-example.com configured with Easy DKIM which uses CNAME records.

In this procedure, you first find the DNS servers that serve your domain, and then query those servers to view the CNAME records. You query the DNS servers that serve your domain because those servers contain the most up-to-date information for your domain, which can take time to propagate to other DNS servers.

To verify that your domain verification CNAME records are published to your DNS server

Find the name servers for your domain by taking the following steps.
1. Go to the command line. To get to the command line on Windows 7, choose Start and then type cmd. On Linux-based operating systems, open a terminal window.
2. At the command prompt, type the following, where <domain> is your domain. This will list all of the name servers that serve your domain.
```
nslookup -type=NS <domain>
```
  If your domain was ses-example.com, this command would look like:
```
nslookup -type=NS ses-example.com
```
  The command's output will list the name servers that serve your domain. You will query one of these servers in the next step.
Verify that the CNAME records are correctly published by taking the following steps. Keep in mind that Amazon SES generates three CNAME records for Easy DKIM authentication, so repeat the following procedures for each of the three.
1. At the command prompt, type the following, where <random string> is the SES generated CNAME name, <domain> is your domain, and <name server> is one of the name servers you found in step 1.
```
nslookup -type=CNAME <random string>_domainkey.<domain> <name server>
```
  In our ses-example.com example, if a name server that we found in step 1 was called ns1.name-server.net, and the <random string> generated by SES is 4hzwn5lmznmmjyl2pqf2agr3uzzzzxyz, we would type the following:
```
nslookup -type=CNAME 4hzwn5lmznmmjyl2pqf2agr3uzzzzxyz_domainkey.ses-example.com ns1.name-server.net
```
2. In the output of the command, verify that the string that follows canonical name = matches the CNAME value you see when you choose the domain in the Identities list of the Amazon SES console.
  
  In our example, we are looking for a CNAME record under 4hzwn5lmznmmjyl2pqf2agr3uzzzzxyz_domainkey.ses-example.com with a value of 4hzwn5lmznmmjyl2pqf2agr3uzzzzxyz.dkim.amazonses.com. If the record is correctly published, we would expect the command to have the following output:
```
4hzwn5lmznmmjyl2pqf2agr3uzzzzxyz_domainkey.ses-example.com canonical name = "4hzwn5lmznmmjyl2pqf2agr3uzzzzxyz.dkim.amazonses.com"
```

Common email verification problems

The verification email didn't arrive – If you complete the procedures in Verifying an email address identity but you don't receive the verification email within a few minutes, complete the following steps:
- Check the spam or junk mail folder for the email address you're attempting to verify.
- Confirm that the address that you're trying to verify is able to receive email. Using a separate email address (such as your personal email address), send a test email to the address that you want to verify.
- Check the list of verified addresses in the Amazon SES console. Make sure that there aren't any errors in the email address that you're attempting to verify.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

General issues

DKIM problems