Troubleshooting DKIM problems in Amazon SES - Amazon Simple Email Service


Troubleshooting DKIM problems in Amazon SES

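This section lists some problems that you might encounter when you set up DKIM authentication in Amazon SES. If you tried to set up DKIM and ran into problems, review the possible causes and solutions below.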

You set up DKIM successfully, but your messages aren't being DKIM-signed

If you used Easy DKIM or BYODKIM to set up DKIM for your domain, but the messages that you send aren't DKIM-signed, do the following:

  • Make sure that DKIM is enabled for the appropriate identity. To enable DKIM for an identity in the Amazon SES console, choose the email domain in the Identities list. On the details page for the domain, expand DKIM, and then choose Enable to enable DKIM.

  • Make sure that you're not sending from a verified email address on the same domain. If you set up DKIM for a domain, then all of the messages that you send from that domain are DKIM-signed, except for email addresses that you verified individually. Individually verified email addresses use separate settings. For example, if you configured DKIM for the domain, and you separately verified the email address (but didn't configure DKIM for the address), then emails that you send from are sent without DKIM authentication. You can resolve this issue by deleting the email address identity from the list of identities for your account.

  • If you use the same identity in more than one AWS Region, you have to configure DKIM for each region separately. Similarly, if you use the same domain with more than one AWS account, you have to configure DKIM for each account. If you remove the necessary DNS records for a specific region or account, Amazon SES disables DKIM signing in that region or account. If DKIM signing becomes disabled, Amazon SES sends you a notification by email.

Your domain's DKIM details in the Amazon SES console show DKIM: waiting on sender verification... DKIM Verification Status: pending verification.

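If you completed the procedures in Easy DKIM or Provide your own DKIM authentication token to set up DKIM for your domain, but the Amazon SES console still indicates that DKIM verification is pending, do the following: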

  • Wait up to 72 hours. In rare cases, it can take time for the DNS records to become visible to Amazon SES.

  • Confirm that the CNAME record (for Easy DKIM) or the TXT record (for BYODKIM) uses the correct name. Some DNS providers automatically append the domain name to records that you create. For example, if you create a record with a Name of, your DNS provider might add the name of your domain to the end of this string, resulting in For more information, see the documentation for your DNS provider.

You receive an email from Amazon SES that says your DKIM setup has been (or will be) revoked.

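This means that Amazon SES can no longer find the required CNAME records (if you used Easy DKIM) or the required TXT record (if you used BYODKIM) on your DNS server. The notification email tells you how long you have to republish the DNS records before your DKIM setup status is revoked and DKIM signing is disabled. If your DKIM setup is revoked, you have to restart the DKIM setup procedure from the beginning.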

When attempting to set up BYODKIM, the DKIM verification process fails.

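Make sure that your private key uses the correct format. The private key must be in PKCS #1 format and use 1024-bit RSA encryption. Additionally, the private key must be base64 encoded.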

While setting up BYODKIM, you receive a BadRequestException error when you try to specify a public key for the domain.

If you receive a BadRequestException error, do the following:

  • Make sure that the selector that you specify for the public key contains at least 1 and no more than 63 alphanumeric characters. The selector can't include periods or other symbols or punctuation.

  • Make sure that you've removed the header and footer lines from the public key, and that you've removed all of the line breaks from the public key.
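The checks above, together with the private key format check from the previous section, can be run locally before you submit anything to Amazon SES. The following Python sketch is an added example, not code from the Amazon SES documentation: the function names are hypothetical, "alphanumeric" is assumed to mean ASCII letters and digits, and the sample key body is constructed filler rather than a real key.

```python
import base64
import binascii
import re

# Assumption: "alphanumeric" means ASCII letters and digits only.
SELECTOR_RE = re.compile(r"[A-Za-z0-9]{1,63}")
PEM_BOUNDARY_RE = re.compile(r"-----(BEGIN|END) [A-Z0-9 ]+-----")


def valid_selector(selector: str) -> bool:
    """True if the selector is 1 to 63 alphanumeric characters, no periods or symbols."""
    return SELECTOR_RE.fullmatch(selector) is not None


def flatten_public_key(pem: str) -> str:
    """Drop the header and footer lines and every line break, then check the result."""
    lines = (line.strip() for line in pem.splitlines())
    body = "".join(l for l in lines if l and not PEM_BOUNDARY_RE.fullmatch(l))
    if not body:
        raise ValueError("no key material found between the header and footer")
    try:
        base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"key body is not clean base64: {exc}") from exc
    return body


def is_pkcs1_private_key(pem: str) -> bool:
    """PKCS #1 RSA keys carry the 'RSA PRIVATE KEY' PEM label; PKCS #8 uses 'PRIVATE KEY'."""
    return pem.lstrip().startswith("-----BEGIN RSA PRIVATE KEY-----")


# Constructed sample: 96 filler bytes wrapped like a PEM file. Not a usable key.
SAMPLE_BODY = base64.b64encode(bytes(range(96))).decode()
SAMPLE_PEM = (
    "-----BEGIN PUBLIC KEY-----\r\n"
    + "\r\n".join(SAMPLE_BODY[i:i + 64] for i in range(0, len(SAMPLE_BODY), 64))
    + "\r\n-----END PUBLIC KEY-----\r\n"
)

if __name__ == "__main__":
    for candidate in ("ses2024", "my.selector", "a" * 64):
        print(f"{candidate[:20]!r:24} selector ok: {valid_selector(candidate)}")
    flat = flatten_public_key(SAMPLE_PEM)
    print("flattened key is a single line of", len(flat), "characters")
```
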

When using Easy DKIM, your DNS servers successfully return the Amazon SES DKIM CNAME records, but return SERVFAIL for the domain verification TXT record.

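Your DNS provider might not be able to redirect CNAME records. Amazon SES and ISPs query for TXT records. To comply with the DKIM specification, your DNS servers must be able to respond to TXT record queries as well as CNAME record queries. If your DNS provider can't respond to TXT record queries, an alternative is to use Route 53 as your DNS hosting provider.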

Your emails contain two DKIM signatures

The extra DKIM signature, which contains , is added automatically by Amazon SES. You can ignore it.