Verifying domains
You must verify your domain after you add it in the Amazon WorkMail console. Verifying the domain confirms that you own the domain and will use Amazon WorkMail as the email service for the domain.
You verify a domain by adding TXT and MX records to it in your DNS service. TXT records enable you to add notes to your DNS service. MX records specify the incoming mail server.
You use the Amazon SES console to create the TXT and MX records, and then you use the Amazon WorkMail console to add the records to your DNS service. Follow these steps.
To create TXT and MX records
-
Open the Amazon SES console at https://console.aws.amazon.com/ses/
. -
In the navigation pane, choose Domains, and then choose Verify a New Domain.
The Verify a New Domain dialog box appears.
In the Domain box, enter the name of the domain that you created in the Adding a domain section.
(Optional) If you want to use DomainKeys Identified Mail (DKIM), select the Generate DKIM Settings check box.
-
Choose Verify This Domain.
The console displays a list of TXT and MX records.
-
Choose the Download Record Set as CSV link, located under the TXT listing.
The Save As dialog box appears. Choose a location for the download, and then choose Save.
-
Open the downloaded CSV file and copy all of its contents.
Once your create the TXT and MX records, you then add them to your DNS provider. The following steps use Route 53. If you use a different DNS provider and you don't know how to add records, consult your provider's documentation.
Sign in to the AWS Management Console and open the Route 53 console at https://console.aws.amazon.com/route53/
. -
In the navigation pane, choose Hosted Zones. Then, choose the radio button next to the domain that you want to verify.
-
From the list of DNS records for your domain, choose Import zone file.
-
Under Zone file, paste the copied records into the text box. A list of the files appears below the text box.
Scroll down to the end of the list and choose Import.
Note
Allow up to 72 hours to complete the verification process.
Verifying TXT records and MX records with your DNS service
Confirm that the TXT record that verifies that you own the domain is added
correctly to your DNS service. This procedure uses the nslookup
To use the nslookup
tool, you must first find the DNS servers that
serve your domain. Then, you query those servers to view the TXT records. You can
query the DNS servers for your domain because those servers contain the most
up-to-date information for your domain. This information can take time to propagate
to other DNS servers.
-
Find your domain's name servers:
-
Open a command prompt (Windows) or terminal (Linux).
-
Run the following command to list all of the name servers that serve your domain. Replace
example.com
with your domain.nslookup -type=NS
example.com
You'll query one of these name servers in the next step.
-
-
Verify that the Amazon WorkMail TXT record is correctly added.
-
Run the following command, replacing
example.com
with your domain, andns1.name-server.net
with a name server from Step 1.nslookup -type=TXT _amazonses.
example.com
ns1.name-server.net
-
Review the
"text ="
string shown in the output from nslookup. Confirm that this string matches the TXT value for your domain in the Verified Senders list in the Amazon WorkMail console.In the following example, you want to see a TXT record for _amazonses.example.com with a value of
fmxqxT/icOYx4aA/bEUrDPMeax9/s3frblS+niixmqk=
. If you update the record correctly, the command has the following output:_amazonses.
example.com
text = "fmxqxT/icOYx4aA/bEUrDPMeax9/s3frblS+niixmqk="
-
-
Open a terminal session.
-
Run the following command to list the TXT records for your domain. Replace
example.com
with your domain.dig +short
example.com
txt -
Verify that the string that follows
TXT
in the command's output matches the TXT value you see when you select the domain in the Verified Senders list of the Amazon WorkMail console.
-
Find the name servers for your domain:
-
Open a command prompt.
-
Run the following command to list all of the name servers for your domain.
nslookup -type=NS
example.com
You'll query one of these name servers in the next step.
-
-
Verify that the MX record is correctly added:
-
Run the following command, replacing
example.com
with your domain andns1.name-server.net
with one of the name servers you identified in the previous step..nslookup -type=MX
example.com
ns1.name-server.net
-
In the output of the command, verify that the string that follows
mail exchange =
matches one of the following values:US East (N. Virginia) Region –
10 inbound-smtp.us-east-1.amazonaws.com
US West (Oregon) Region –
10 inbound-smtp.us-west-2.amazonaws.com
Europe (Ireland) Region –
10 inbound-smtp.eu-west-1.amazonaws.com
Note
10
represents the MX preference number or priority.
-
-
Open a terminal session.
-
Run the following command to list the MX records for your domain.
dig +short
example.com
mx -
Verify that the string that follows
MX
matches one of the following values:US East (N. Virginia) Region –
10 inbound-smtp.us-east-1.amazonaws.com
US West (Oregon) Region –
10 inbound-smtp.us-west-2.amazonaws.com
Europe (Ireland) Region –
10 inbound-smtp.eu-west-1.amazonaws.com
Note
10
represents the MX preference number or priority.
Troubleshooting domain verification
To troubleshoot common issues with domain verification, see the following suggestions:
- Your DNS service does not allow underscores in TXT record names
-
Omit
_amazonses
from the TXT record name. - You want to verify the same domain multiple times but can't have multiple TXT records with the same name
-
If your DNS service does not allow you to have multiple TXT records with the same name, use either of the following workarounds:
-
(Recommended) If your DNS service allows it, assign multiple values to the TXT record. For example, if your DNS is managed by Amazon Route 53, you can set up multiple values for the same TXT record as follows:
-
In the Route 53 console, choose the
_amazonses
TXT record that you added when you verified your domain in the first Region. -
For Value, press Enter after the first value.
-
Add the value for the additional Region, and save the record set.
-
-
If you only need to verify your domain twice, you can verify it once by creating a TXT record with
_amazonses
in the name, and then create another record without_amazonses
in the record name.
-
- The Amazon WorkMail console reports that domain verification has failed
-
Amazon WorkMail can't find the necessary TXT record for your DNS service. Verify that the required TXT record is correctly added to your DNS service by following the procedure in Verifying TXT records and MX records with your DNS service.
- Your DNS provider appended the domain name to the end of the TXT record
-
Adding a TXT record that already contains the domain name, such as _amazonses.example.com, can result in the duplication of the domain name, such as _amazonses.example.com.example.com. To avoid duplicating the domain name in the record name, add a period to the end of the domain name in the TXT record. This indicates to your DNS provider that the record name is fully qualified and already has the domain name included in the TXT record.
- Amazon WorkMail reports that the MX record is Inconsistent
-
When migrating from existing mail servers, the MX record might return a status of Inconsistent. Update your MX record to point to Amazon WorkMail instead of pointing to your previous mail server. The MX record is also returned as Inconsistent when a third-party email proxy is used along with Amazon WorkMail. If this is the case, it is safe to ignore the Inconsistent warning.