
Amazon SES DKIM setup: Easy DKIM, BYODKIM, and per-region signing

Set up Amazon SES DKIM with Easy DKIM CNAMEs, understand when to pick BYODKIM or DEED, and avoid the per-region signing trap that breaks DMARC.

Marc Lelu

DKIM is the most reliable path to DMARC alignment for Amazon SES. SPF breaks the moment a recipient’s mailbox forwards your mail; DKIM signatures usually survive that. And because SES customers often send from more than one AWS region, DKIM has region-specific gotchas that a regular ESP “publish two CNAMEs and you are done” guide misses.

This walks through the three real options: Easy DKIM, DEED (Deterministic Easy DKIM), and BYODKIM. If you need a refresher on the protocol, see the DKIM overview and DMARC alignment fundamentals.

Choosing the right option

Situation                                                Pick
Single AWS region, no key-management policy              Easy DKIM
Multiple AWS regions, want one signature everywhere      DEED
Compliance or HSM requires you to control the keypair    BYODKIM
You already operate a DKIM signer outside SES            Manual signing in SendRawEmail

Easy DKIM is the right default for most teams. DEED was added so you do not have to rotate keys in two places when you fail over from us-east-1 to us-west-2. BYODKIM is for regulated environments where SES cannot hold your private key.

Before you start

You need:

  • Admin access to the AWS account that owns the SES identity.
  • DNS access for the sending domain.
  • A verified domain identity in SES (set up via the standard SES domain verification flow).
  • A clear list of regions you actually send from. Pick the parent identity’s region first.

Step 1: enable Easy DKIM in the SES console

In the SES console, open Configuration > Identities, choose your domain, then DomainKeys Identified Mail (DKIM) > Edit.

  • Identity type: Easy DKIM.
  • DKIM signing key length: 2048-bit (the default; recommended). Drop to 1024-bit only if a downstream DNS provider truncates the longer public key.
  • Tick Enabled.

Save, and SES displays three CNAME records.

Step 2: publish the three CNAME records

The records use a token-based selector pattern. Each token is unique to your account and region, generated when you enable DKIM. In most regions they look like this:

{token1}._domainkey.example.com.   CNAME   {token1}.dkim.amazonses.com
{token2}._domainkey.example.com.   CNAME   {token2}.dkim.amazonses.com
{token3}._domainkey.example.com.   CNAME   {token3}.dkim.amazonses.com

Three records exist so SES can rotate keys without breaking signing. Publish all three.

Do not copy these tokens or targets from this article. The values shown in your SES console are the only correct ones for your domain. AWS notes that not every SES region uses the default dkim.amazonses.com target, so copy the exact CNAME names and values SES gives you. Some DNS UIs want the leading host as {token}._domainkey only (without the .example.com suffix); check the preview before saving so you do not produce {token}._domainkey.example.com.example.com.

Step 3: wait for SES to mark the identity Verified

SES polls DNS for the CNAMEs. The DKIM status flips from Pending to Successful once all three resolve. SES keeps checking for up to 72 hours; with Cloudflare or Route 53 the records usually resolve within minutes.

Step 4: repeat per region, or use DEED

This is the SES-specific gotcha. SES identities are scoped to an AWS region, and so are their DKIM keys. If you call the SES API from us-east-1 and us-west-2, each region signs with its own keys and selectors, and each region needs its own three CNAMEs in DNS, unless you use DEED.

Deterministic Easy DKIM (DEED) solves this. You configure DKIM on a parent identity in one region and create replica identities in other regions that inherit the same signing material. Mail signed in any of those regions has the same d= and the same selector, and you publish one set of CNAMEs.

If you skip DEED and forget to set up DKIM in a secondary region, mail from that region will be unsigned and DMARC will fail unless SPF aligns through your custom MAIL FROM. Combine this with the SES SPF guide so you have a fallback.

Step 5: BYODKIM (optional path)

BYODKIM lets you generate the keypair yourself and hand SES the private key. Reach for it when compliance requires HSM-backed keys, when you already operate a key-rotation process, or when you want one signing key shared across SES and a non-SES sender.

The key has to be between 1024 and 2048 bits. You publish a single TXT record at {your-selector}._domainkey.example.com containing the public key in standard DKIM format (v=DKIM1; k=rsa; p=...), and you wire the private key into SES through the PutEmailIdentityDkimSigningAttributes API in SESv2.

Unlike Easy DKIM, you pick the selector yourself.

Step 6: verify DKIM and DMARC alignment

Send a real test message from each region, then read the Authentication-Results header the receiver added:

  • dkim=pass header.d=example.com. The signature passed and the signing domain is yours.
  • dmarc=pass. Alignment held.

Then check SES DKIM and DMARC for your domain and watch real DMARC reports flow in. SES should show up as an authorized source with DKIM consistently passing. If you operate ESPs alongside SES, the ESP subdomains and DKIM alignment article covers the alignment edge cases.
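As an added example (not code from the article), a checker for step 6 that reads the Authentication-Results header of one test message per sending region and applies relaxed DMARC alignment, flagging the region trap from step 4. The messages are constructed, the region names are the ones used in this article, and org_domain uses a two-label approximation instead of the Public Suffix List.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample headers (not real SES or receiver output), one test message per
# sending region. us-east-1 has Easy DKIM and a custom MAIL FROM; us-west-2 was never
# configured, so its mail is unsigned and SPF is evaluated on the default amazonses.com.
SAMPLES = {
    "us-east-1": """From: Alerts <alerts@example.com>
Authentication-Results: mx.receiver.test;
 dkim=pass header.d=example.com header.s=token1;
 spf=pass smtp.mailfrom=bounce.example.com;
 dmarc=pass header.from=example.com

test body""",
    "us-west-2": """From: Alerts <alerts@example.com>
Authentication-Results: mx.receiver.test;
 dkim=none;
 spf=pass smtp.mailfrom=0100018e-bounce@amazonses.com;
 dmarc=fail header.from=example.com

test body""",
}

def org_domain(name):
    # Assumption: last two labels form the organizational domain (real DMARC uses the PSL).
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def parse_auth_results(value):
    """Turn 'authserv-id; dkim=pass header.d=x; spf=...' into {method: {result, props}}."""
    results = {}
    for clause in re.sub(r"\s+", " ", value).split(";")[1:]:
        m = re.match(r"\s*(\w+)=(\w+)(.*)", clause)
        if m:
            method, result, props = m.groups()
            results[method] = {"result": result, **dict(re.findall(r"([\w.]+)=(\S+)", props))}
    return results

def check_message(raw):
    """Relaxed DMARC alignment of DKIM and SPF against the From domain of one message."""
    msg = message_from_string(raw)
    from_org = org_domain(parseaddr(msg["From"])[1].rpartition("@")[2])
    ar = parse_auth_results(msg["Authentication-Results"] or "")
    dkim, spf = ar.get("dkim", {}), ar.get("spf", {})
    dkim_ok = dkim.get("result") == "pass" and org_domain(dkim.get("header.d", "")) == from_org
    spf_ok = (spf.get("result") == "pass"
              and org_domain(spf.get("smtp.mailfrom", "").rpartition("@")[2]) == from_org)
    return {"dkim_aligned": dkim_ok, "spf_aligned": spf_ok, "dmarc_aligned": dkim_ok or spf_ok}

def unsigned_regions(samples):
    """Regions whose test message did not produce an aligned DKIM pass: fix DKIM there."""
    return [region for region, raw in samples.items() if not check_message(raw)["dkim_aligned"]]

if __name__ == "__main__":
    for region, raw in SAMPLES.items():
        print(region, check_message(raw))
    print("set up DKIM (or DEED) in:", unsigned_regions(SAMPLES))
```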

Common mistakes

DKIM in one region, sending from another. Mail from the unconfigured region is unsigned. Either set up DKIM in every region you send from or use DEED.

Rotating Easy DKIM key length too quickly. AWS limits key-length switches to once per 24 hours and refuses no-op switches. If a rotation fails, wait it out rather than retrying.

BYODKIM key under 1024 bits. SES rejects it. The supported range is 1024 to 2048.

Disabling DKIM at the email-address identity level by accident. DKIM signing inherits from the parent domain to subdomains and email addresses. An override on a specific address can silently turn signing off. If a single sender’s mail is unsigned while everything else passes, check identity-level overrides.

Treating DKIM as a substitute for SPF. Modern bulk-sender requirements from Google and Yahoo expect both SPF and DKIM authentication, plus DMARC alignment with either the SPF domain or the DKIM domain. Set up the SES custom MAIL FROM for SPF too so SPF can align when the message is not forwarded.

FAQ

What is the SES DKIM selector?

With Easy DKIM, SES generates the selectors as opaque tokens. You do not pick them. There are three per identity so SES can rotate keys without re-publishing all your CNAMEs at once. With BYODKIM you choose the selector yourself.

Do I need DKIM if I already set up custom MAIL FROM with SPF?

Yes. SPF breaks the moment a recipient forwards your mail; DKIM survives most forwarding paths. Major receivers also evaluate both for deliverability scoring, not just DMARC.

Why does my SES email DKIM-pass in one region but fail in another?

DKIM is per region in SES. You either need to repeat the DKIM setup in each sending region, or use DEED replica identities so one signing key applies everywhere.
