Verifying domains - Amazon WorkMail

Verifying domains

You need to verify your domain after you add it in the Amazon WorkMail console. Verifying the domain confirms that you own the domain and use Amazon WorkMail as the email service for the domain.

You verify a domain by adding TXT and MX records to it in your DNS service. You use the Amazon SES console to create the TXT and MX records, and then you use the Amazon WorkMail console to add the records to your DNS service. Follow these steps.

To create TXT and MX records

  1. Sign in to the AWS Management Console and open the Amazon SES console at https://console.aws.amazon.com/ses/.

  2. In the navigation pane, choose Domains, then choose Verify a New Domain.

    The Verify a New Domain dialog box appears.

  3. In the Domain box, enter the name of the domain that you created in the previous section.

  4. Optionally, if you want to use DomainKeys Identified Mail (DKIM), choose the Generate DKIM Settings checkbox.

  5. Choose Verify This Domain.

    A screen appears and displays a list of TXT and MX records.

  6. Choose the Download Record Set as CSV link, located under the TXT listing.

    The Save As dialog box appears. Choose a location for the download, then choose Save.

  7. Open the downloaded CSV file and copy all the text. You'll use it next.

After you create the TXT and MX records, add them to your DNS provider. The following steps use Route 53. If you use a different DNS provider and you don't know how to add records, consult your provider's help.

  1. Sign in to the AWS Management Console and open the Route 53 console at https://console.aws.amazon.com/route53/.

  2. In the navigation pane, choose Hosted Zones, then choose the name of the domain that you need to verify. Choose the name itself, not the radio button next to it.

    A list of the records for your domain appears.

  3. Choose Import zone file.

  4. Under Zone file, paste the copied records into the text box.

    A list of the files appears below the text box.

  5. Scroll down to the end of the list as needed and choose Import.

Note

Allow 3 days for the verification process to complete.

Verifying TXT records and MX records with your DNS service

Confirm that the TXT record that verifies that you own the domain is added correctly to your DNS service. This procedure uses the nslookup tool, which is available for Windows and Linux. On Linux, you can also use dig.

To use the nslookup tool, you first find the DNS servers that serve your domain. Then you query those servers to view the TXT records. You query the DNS servers for your domain because those servers contain the most up-to-date information for your domain. This information can take time to propagate to other DNS servers.

  1. Find your domain's name servers:

    1. Open a command prompt (Windows) or terminal (Linux).

    2. Run the following command to list all of the name servers that serve your domain.

      nslookup -type=NS example.com

      You'll query one of these name servers in the next step.

  2. Verify that the WorkMail TXT record is correctly added.

    1. Run the following command, replacing example.com with your domain, and ns1.name-server.net with a name server from Step 1.

      nslookup -type=TXT _amazonses.example.com ns1.name-server.net

    2. Review the "text =" string shown in the output from nslookup. Confirm that this string matches the TXT value for your domain in the Verified Senders list in the Amazon WorkMail console.

      In the following example, you want to see a TXT record for _amazonses.example.com with a value of fmxqxT/icOYx4aA/bEUrDPMeax9/s3frblS+niixmqk=. If you update the record correctly, the command has the following output:

      _amazonses.example.com text = "fmxqxT/icOYx4aA/bEUrDPMeax9/s3frblS+niixmqk="

To verify the TXT record with dig (Linux)

  1. Open a terminal or command prompt.

  2. Run the following command to list the TXT records for your domain.

    dig +short example.com txt

  3. Verify that the string that follows TXT matches the TXT value you see when you select the domain in the Verified Senders list of the Amazon WorkMail console.

To verify the MX record with nslookup

  1. Find the name servers for your domain:

    1. Open a command prompt.

    2. Run the following command to list all of the name servers that serve your domain.

      nslookup -type=NS example.com

      You'll query one of these name servers in the next step.

  2. Verify that the MX record is correctly added:

    1. Run the following command using your domain and one of the name servers that you found in step 1.

      nslookup -type=MX example.com ns1.name-server.net

    2. In the output of the command, verify that the string that follows mail exchange = matches one of the following values:

      US East (N. Virginia) Region: 10 inbound-smtp.us-east-1.amazonaws.com

      Europe (Ireland) Region: 10 inbound-smtp.eu-west-1.amazonaws.com

      US West (Oregon) Region: 10 inbound-smtp.us-west-2.amazonaws.com

      Note

      10 represents the MX preference number or priority.

To verify the MX record with dig (Linux)

  1. Open a terminal window.

  2. Run the following command to list the MX records for your domain.

    dig +short example.com mx

  3. Verify that the string that follows MX matches one of the following values:

    US East (N. Virginia) Region: 10 inbound-smtp.us-east-1.amazonaws.com

    Europe (Ireland) Region: 10 inbound-smtp.eu-west-1.amazonaws.com

    US West (Oregon) Region: 10 inbound-smtp.us-west-2.amazonaws.com

    Note

    10 represents the MX preference number or priority.
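
The TXT and MX checks in the procedures above can be scripted. The following is an added example, not AWS code: it compares dig +short output with the TXT value from the console and with the three MX endpoints listed above, and it queries each authoritative name server directly when run with a domain and a TXT value. The sample output, the second TXT value and mail.old-provider.example are constructed for illustration.

```shell
#!/bin/sh
# Added example (not AWS code). MX targets are the three listed on this page.
WORKMAIL_MX="inbound-smtp.us-east-1.amazonaws.com
inbound-smtp.eu-west-1.amazonaws.com
inbound-smtp.us-west-2.amazonaws.com"

# Constructed sample `dig +short` output; the first TXT value is the page's example.
SAMPLE_TXT='"fmxqxT/icOYx4aA/bEUrDPMeax9/s3frblS+niixmqk="
"CONSTRUCTED-second-region-value="'
SAMPLE_MX='10 inbound-smtp.us-east-1.amazonaws.com.
20 mail.old-provider.example.'

# txt_matches EXPECTED DIG_OUTPUT: succeeds if one TXT value equals EXPECTED exactly.
# dig prints each value double-quoted, one per line; a name verified in
# several Regions carries several values, so every line is compared.
txt_matches() {
    printf '%s\n' "$2" | tr -d '"' | grep -Fqx -- "$1"
}

# mx_status DIG_OUTPUT: prints workmail, mixed, other or none.
# "mixed" and "other" mean some MX target is not a WorkMail endpoint,
# for example a previous mail server or a third-party proxy.
mx_status() {
    ours=0; other=0
    while read -r _pref host; do
        [ -n "$host" ] || continue
        host=$(printf '%s' "${host%.}" | tr 'A-Z' 'a-z')   # drop root dot, fold case
        if printf '%s\n' "$WORKMAIL_MX" | grep -Fqx -- "$host"; then
            ours=$((ours + 1))
        else
            other=$((other + 1))
        fi
    done <<EOF
$1
EOF
    if [ "$ours" -gt 0 ] && [ "$other" -eq 0 ]; then echo workmail
    elif [ "$ours" -gt 0 ]; then echo mixed
    elif [ "$other" -gt 0 ]; then echo other
    else echo none; fi
}

# Live use: sh check.sh example.com 'TXT-value-from-console'
# Asks every authoritative name server directly, not a caching resolver.
if [ "$#" -eq 2 ]; then
    for ns in $(dig +short NS "$1"); do
        txt=$(dig +short "@$ns" "_amazonses.$1" TXT)
        if txt_matches "$2" "$txt"; then t=match; else t=MISMATCH; fi
        echo "$ns txt=$t mx=$(mx_status "$(dig +short "@$ns" "$1" MX)")"
    done
fi
```

A name server that reports MISMATCH or an MX status other than workmail is the one to compare against the record set downloaded from the Amazon SES console.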

Troubleshooting domain verification

For help troubleshooting domain verification, see the following suggestions:

Your DNS service does not allow underscores in TXT record names

Omit _amazonses from the TXT record name.

You want to verify the same domain multiple times and you can't have multiple TXT records with the same name

If your DNS service does not allow you to have multiple TXT records with the same name, use either of these workarounds.

  • (Recommended) If your DNS service allows it, assign multiple values to the TXT record. For example, if your DNS is managed by Amazon Route 53, you can set up multiple values for the same TXT record as follows:

    1. In the Route 53 console, choose the _amazonses TXT record that you added when you verified your domain in the first Region.

    2. For Value, press Enter after the first value.

    3. Add the value for the additional Region, and save the record set.

  • If you only need to verify your domain twice, you can verify it once by creating a TXT record with _amazonses in the name, and then create another record without _amazonses in the record name.

The Amazon WorkMail console reports that domain verification failed

Amazon WorkMail cannot find the necessary TXT record for your DNS service. Verify that the required TXT record is correctly added to your DNS service by using the procedure in Verifying TXT records and MX records with your DNS service.

Your DNS provider appended the domain name to the end of the TXT record

Adding a TXT record that already contains the domain name, such as _amazonses.example.com, can result in the duplication of the domain name, such as _amazonses.example.com.example.com. To avoid duplicating the domain name in the record name, add a period to the end of the domain name in the TXT record. This indicates to your DNS provider that the record name is fully qualified and already has the domain name included in the TXT record.

Amazon WorkMail reports that the MX record is Inconsistent

When migrating from existing mail servers, the MX record might read Inconsistent. Update your MX record to point to Amazon WorkMail instead of pointing to your previous mail server. The MX record is also returned as Inconsistent when a third-party email proxy is used along with Amazon WorkMail. If this is the case, it is safe to ignore the Inconsistent warning.