Amazon SES DKIM Not Working? Fix the 3 CNAME Records (2026)
You enabled DKIM for your domain in Amazon SES, but tests still show DKIM as failing or not present. With Easy DKIM, SES expects three separate CNAME records in DNS, and DKIM keeps failing when one of those records is missing, pointed at the wrong hostname, or never fully verified in the SES console.
If signatures fail, check the DKIM selector troubleshooting guide.
Learn the bigger picture in our Email Authentication Explained guide and compare SPF vs DKIM vs DMARC to understand how these protocols work together.
One-Minute Fix
In the AWS console, open Amazon SES, go to Verified identities, select your domain, enable Easy DKIM for that identity, and add all three DKIM CNAME records exactly as shown to your DNS provider. Wait for SES to mark the identity as verified before retesting.
abcde12345._domainkey.example.com CNAME abcde12345.dkim.amazonses.com
fghij67890._domainkey.example.com CNAME fghij67890.dkim.amazonses.com
klmno54321._domainkey.example.com CNAME klmno54321.dkim.amazonses.com
In a real SES setup, the selector values are long, random-looking strings generated by AWS for your specific domain. All three CNAMEs must exist on the same domain you verified in SES, and each one must point exactly to the dkim.amazonses.com target provided in the console.
Wrong vs correct setup
Wrong setup
abcde12345._domainkey.example.com CNAME abcde12345.dkim.amazonses.com
fghij67890._domainkey.example.com CNAME fghij67890.dkim.amazonses.co
# third DKIM record missing
Here only two of the three DKIM CNAMEs exist, and one target contains a typo in the amazonses.com hostname. SES will continue to show DKIM as not fully configured, and receivers cannot reliably validate signatures on outbound mail.
Correct setup
abcde12345._domainkey.example.com CNAME abcde12345.dkim.amazonses.com
fghij67890._domainkey.example.com CNAME fghij67890.dkim.amazonses.com
klmno54321._domainkey.example.com CNAME klmno54321.dkim.amazonses.com
This matches what Amazon SES expects when Easy DKIM is enabled: all three CNAMEs are present, each pointing to the exact dkim.amazonses.com target. Once DNS has propagated and SES shows DKIM as verified, messages from this identity should pass DKIM.
Why this happens
Amazon SES generates three DKIM CNAME records for each domain to support key rotation and redundancy. DKIM fails when only one or two of those records are created, when they are added under the wrong domain, when the CNAME targets are mistyped, or when you test before SES has finished verifying the identity after DNS changes.
Why this is a problem
When DKIM is not working for an SES identity, your messages still send but lack a strong cryptographic signal that they came from an approved sender. DMARC policies that expect DKIM alignment can start to fail, and mailbox providers may treat your campaigns, notifications, and transactional messages as less trustworthy.
How this affects deliverability
For domains that rely on Amazon SES, a working DKIM configuration is a core requirement for production sending. Without it, SES mail can look indistinguishable from test traffic or misconfigured environments, which makes it harder to earn and maintain stable inbox placement at large providers.
Common causes
- Only one or two of the three required DKIM CNAME records were added to DNS.
- At least one CNAME target contains a typo or points to the wrong amazonses.com hostname.
- The wrong domain or subdomain was verified in SES compared to what actually sends mail.
- Recent DNS changes have not finished propagating to external resolvers.
- DKIM was enabled in the console, but verification never reached a green, verified state.
What we checked
We looked for all three DKIM selector hostnames that Amazon SES expects for this identity and confirmed whether each one is a CNAME pointing to a dkim.amazonses.com target. If any selector record is missing or misconfigured, SES DKIM will not be fully active.
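The check described above can be reproduced offline against records pasted from a DNS export. The following is an added example, not this site's checker or AWS code; the function names are hypothetical, the input uses this page's `name CNAME target` layout, and the `dkim.amazonses.com` suffix is the one shown on this page.

```python
SES_DKIM_SUFFIX = "dkim.amazonses.com"  # CNAME target suffix as shown on this page

def norm(host):
    """Lower-case a hostname and drop the trailing root dot."""
    return host.strip().rstrip(".").lower()

def parse_records(text):
    """Parse 'name TYPE target' lines (this page's layout) into {name: (type, target)}."""
    records = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()  # ignore comments and blank lines
        if len(parts) == 3:
            records[norm(parts[0])] = (parts[1].upper(), norm(parts[2]))
    return records

def check_easy_dkim(domain, tokens, text, suffix=SES_DKIM_SUFFIX):
    """Return {token: status} for each selector token copied from the SES console."""
    records = parse_records(text)
    report = {}
    for token in tokens:
        name = norm(f"{token}._domainkey.{domain}")
        want = norm(f"{token}.{suffix}")
        # Same selector published under a different domain or subdomain.
        strays = [n for n in records
                  if n.startswith(f"{token.lower()}._domainkey.") and n != name]
        if name not in records:
            report[token] = f"wrong domain: {strays[0]}" if strays else "missing"
        elif records[name][0] != "CNAME":
            report[token] = f"wrong type: {records[name][0]}"
        elif records[name][1] != want:
            report[token] = f"wrong target: {records[name][1]}"
        else:
            report[token] = "ok"
    return report

def dkim_ready(report):
    """Easy DKIM needs all three selectors to check out."""
    return len(report) == 3 and all(s == "ok" for s in report.values())

# Constructed input: the "wrong setup" from this page (placeholder selectors).
TOKENS = ["abcde12345", "fghij67890", "klmno54321"]
WRONG = """
abcde12345._domainkey.example.com CNAME abcde12345.dkim.amazonses.com
fghij67890._domainkey.example.com CNAME fghij67890.dkim.amazonses.co
# third DKIM record missing
"""

if __name__ == "__main__":
    for token, status in check_easy_dkim("example.com", TOKENS, WRONG).items():
        print(f"{token}: {status}")
```

A selector reported as "wrong domain" means the record exists but under a different name than the identity verified in SES, which matches the third item under Common causes.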
FAQ
Why does Amazon SES require three DKIM records?
SES uses three DKIM selectors to support key rotation and resilience. Having multiple keys available lets AWS rotate or replace keys without interrupting mail flow, but it only works if all three CNAMEs exist in DNS.
Do all three DKIM CNAME records need to exist?
Yes. For Easy DKIM to work reliably, all three CNAME records must be present and correctly pointed at the amazonses.com targets shown in the SES console.
How long does DKIM verification take in SES?
After you add the CNAMEs, SES usually verifies them within minutes once DNS has propagated. However, delays of a few hours are possible depending on your DNS provider’s TTL settings and caching.
What is Easy DKIM in Amazon SES?
Easy DKIM is SES’s managed DKIM feature. Instead of generating your own keys and TXT records, SES creates the keys for you and asks you to publish CNAME records that point to those keys, simplifying setup and rotation.
Next steps
- Open Amazon SES in the AWS console and locate the Verified identity for your sending domain.
- Make sure Easy DKIM is enabled and copy all three DKIM CNAME records exactly as shown.
- Add or correct those CNAME records at your DNS provider on the same domain you verified.
- Wait for SES to mark DKIM as verified for the identity.
- Send a fresh test email and confirm that DKIM now shows as pass in your headers and DMARC reports.
- Review the full troubleshooting guidance in the DKIM Hub.
- Explore sender authorization issues in the SPF Hub.
- Review alignment and policy issues in the DMARC Hub.