Overriding inherited DKIM signing on an email address identity - Amazon Simple Email Service

The procedure in this section shows you how to override (disable or enable) the inherited DKIM signing properties from the parent domain on a specific email address identity that you've already verified with Amazon SES. You can only do this for email address identities that belong to domains you already own because DNS settings are configured at the domain level.

Important

You can't disable/enable DKIM signing for email address identities...

  • on domains that you don't own. For example, you can't toggle DKIM signing for a gmail.com or hotmail.com address,

  • on domains that you own but that have not yet been verified in Amazon SES,

  • on domains that you own but for which you have not enabled DKIM signing.

Understanding inherited DKIM signing properties

An email address identity inherits its DKIM signing properties from its parent domain if that domain was configured with DKIM, regardless of whether Easy DKIM or BYODKIM was used. Disabling or enabling DKIM signing on the email address identity therefore overrides, in effect, the domain's DKIM signing properties. Keep these key facts in mind:

  • If you already set up DKIM for the domain that an email address belongs to, you do not need to enable DKIM signing for the email address identity as well.

    • When you set up DKIM for a domain, Amazon SES automatically authenticates every email from every address on that domain through the inherited DKIM properties from the parent domain.

  • DKIM settings for a specific email address identity automatically override the settings of the parent domain or subdomain (if applicable) that the address belongs to.

Since the email address identity's DKIM signing properties are inherited from the parent domain, if you're planning on overriding these properties, you must keep in mind the hierarchical rules of overriding as explained in the table below.

| Parent domain does not have DKIM signing enabled | Parent domain has DKIM signing enabled |
|---|---|
| You cannot enable DKIM signing on the email address identity. | You can disable DKIM signing on the email address identity. You can re-enable DKIM signing on the email address identity. |

Disabling DKIM signing is generally never recommended: it risks tarnishing your sender reputation, and it increases the risk that your sent mail goes to junk or spam folders or that your domain is spoofed.

However, you can override the inherited DKIM signing properties on an email address identity if a particular use case or outlying business decision requires you to disable DKIM signing, either permanently or temporarily, or to re-enable it at a later time.

Overriding DKIM signing on an email address identity (console)

The following SES console procedure explains how to override (disable or enable) the inherited DKIM signing properties from the parent domain on a specific email address identity that you've already verified with Amazon SES.

To disable/enable DKIM signing for an email address identity using the console

  1. Sign in to the AWS Management Console and open the Amazon SES console at https://console.aws.amazon.com/ses/.

  2. In the navigation pane, under Configuration, choose Verified identities.

  3. In the list of identities, choose an identity where the Identity type is Email address and belongs to one of your verified domains.

  4. Under the Authentication tab, in the DomainKeys Identified Mail (DKIM) container, choose Edit.

    Note

    The Authentication tab is only present if the selected email address identity belongs to a domain that has already been verified by SES. If you haven't verified your domain yet, see Creating and verifying a domain identity.

  5. Under Advanced DKIM settings, in the DKIM signatures field, clear the Enabled checkbox to disable DKIM signing, or select it to re-enable DKIM signing (if it had been overridden previously).

  6. Choose Save changes.

Overriding DKIM signing on an email address identity (AWS CLI)

The following example uses the AWS CLI with an SES API command and parameters to override (disable or enable) the inherited DKIM signing properties from the parent domain on a specific email address identity that you've already verified with SES.

To disable/enable DKIM signing for an email address identity using the AWS CLI

  • Assuming you own the example.com domain, and you want to disable DKIM signing for one of the domain's email addresses, at the command line, type the following command:

    aws sesv2 put-email-identity-dkim-attributes --email-identity marketing@example.com --no-signing-enabled

    1. Replace marketing@example.com with the email address identity that you want to disable DKIM signing for.

    2. --no-signing-enabled will disable DKIM signing. To re-enable DKIM signing, use --signing-enabled.
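
The override rules from the table above can be enforced before the command is run. The following wrapper is an added example, not part of the AWS documentation: the function names and return codes are hypothetical, and it assumes the parent identity is the domain part of the address and that the CLI's text output renders the signing flag as True or False.

```shell
# Added example, not from the AWS documentation; function names are hypothetical.
# Assumes an AWS CLI with credentials allowed to call sesv2 GetEmailIdentity
# and PutEmailIdentityDkimAttributes, and that the parent identity is the
# domain part of the address.

# Print "True" or "False" for an identity's DKIM signing flag (empty on error).
dkim_signing_enabled() {
  aws sesv2 get-email-identity --email-identity "$1" \
    --query 'DkimAttributes.SigningEnabled' --output text 2>/dev/null
}

# set_address_dkim <address> <enable|disable>
# Returns 0 on success, 1 on bad arguments, 2 when the parent domain does not
# have DKIM signing enabled, 3 when the change fails or does not take effect.
set_address_dkim() {
  local email="$1" action="$2" flag want domain
  case "$email" in
    ?*@?*) domain="${email##*@}" ;;
    *) echo "not an email address identity: $email" >&2; return 1 ;;
  esac
  case "$action" in
    enable)  flag=--signing-enabled;    want=True ;;
    disable) flag=--no-signing-enabled; want=False ;;
    *) echo "action must be enable or disable" >&2; return 1 ;;
  esac
  # Rule from the table: no override is possible unless the parent domain signs.
  if [ "$(dkim_signing_enabled "$domain")" != "True" ]; then
    echo "parent domain $domain does not have DKIM signing enabled in SES" >&2
    return 2
  fi
  aws sesv2 put-email-identity-dkim-attributes \
    --email-identity "$email" "$flag" >/dev/null || return 3
  # Read the setting back so a silent failure is not mistaken for success.
  [ "$(dkim_signing_enabled "$email")" = "$want" ] || return 3
  echo "$email: DKIM signing enabled is now $want (parent domain: $domain)"
}

# Run directly, for example: sh set-address-dkim.sh marketing@example.com disable
if [ "$#" -eq 2 ]; then set_address_dkim "$1" "$2"; fi
```

A return code of 2 means the address cannot be toggled until DKIM signing is enabled on the domain identity itself.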