By default after you verify an email address with Amazon SES, the outbound emails from Amazon SES do NOT contain DKIM signatures. This causes some of the corporate mail servers to mark the inbound email as spam and quarantine it. DKIM signatures provide additional validation to the origination domain of the emai. For more information, refer to -
DKIM "
DKIM provides a method for validating a domain name identity that is associated with a message through cryptographic authentication"
Mail servers enforcing DKIM signatures will throw a message similar to below when they do not find signatures in the incoming mail headers:
To configure DKIM signatures, you have to first enable DKIM settings for the verified email in Amazon SES. From AWS console, you click on "enable DKIM" for the particular verified email address:
The above CNAME entries have to be added to the DNS server. Once added, they can be verified using the below "dig" command:
$dig -t CNAME t2....sz._domainkey.mycompany.com @ns.mycompany.com
; <<>> DiG 9.7.1 <<>> -t CNAME t2...sz._domainkey.mycompany.com @ns.mycompany.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 858
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 3
;; QUESTION SECTION:
;t2...sz._domainkey.mycompany.com. IN CNAME
;; ANSWER SECTION:
t2...sz._domainkey.mycompany.com. 3600 IN CNAME t2...sz.dkim.amazonses.com.
;; AUTHORITY SECTION:
mycompany.com. 3600 IN NS ns1.mycompany.com.
mycompany.com. 3600 IN NS ns2.mycompany.com.
mycompany.com. 3600 IN NS ns3.mycompany.com.
;; ADDITIONAL SECTION:
ns1.mycompany.com. 86400 IN A x.x.x.x
ns2.mycompany.com. 86400 IN A x.x.x.x
ns3.mycompany.com. 86400 IN A x.x.x.x
;; Query time: 250 msec
;; SERVER: 63.100.100.153#53(63.100.100.153)
;; WHEN: Sat Mar 15 19:06:17 2014
;; MSG SIZE rcvd: 235
The CNAME records on both DNS servers, mycompany.com and amazonses should match. Once both DNS servers have been updated, you will see DKIM as verified on the Amazon console like below:
Now you can send a test email from AWS console to see if DKIM-signature headers are being populated. The mail headers will look like
*************
Received: from mx-server.mycompany.com (x.x.x.x) by
mx-server.mycompany.com (x.x.x.x) with Microsoft SMTP Server (TLS) id
14.3.158.1; Fri, 7 Mar 2014 12:22:57 -0800
Received: from mx-app.mycompany.com (x.x.x.x) by mx-server.mycompany.com
(x.x.x.x) with Microsoft SMTP Server (TLS) id 14.3.158.1; Fri, 7 Mar2014 12:22:57 -0800
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: Ar...WD0
X-IPAS-Result: Ar...WD0
X-IronPort-AV: E=Sophos;i="4.97,610,1389772800";
d="scan'208";a="95665020"
Received: from a8-27.smtp-out.amazonses.com ([x.x.x.x]) by
mx-app.mycompany.com with ESMTP; 07 Mar 2014 12:22:57 -0800
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple;
s=t2...sz; d=mycompany.com; t=1394223775;
h=From:To:Subject:MIME-Version:Content-Type:Content-Transfer-Encoding:Date:Message-ID;
bh=yu...IY=;
b=Xp...Is=
Return-Path: 00000e1-7f74a-124-44-bf57-d80d3-000000@amazonses.com
From: <noreply@mycompany.com>
To: <test@gmail.com>
Subject: test DKIM header
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Date: Fri, 7 Mar 2014 20:22:55 +0000
Message-ID: <00000e1-7f74a-124-44-bf57-d80d3-000000@email.amazonses.com>
X-SES-Outgoing: 2014.03.07-54.240.8.27
X-MS-Exchange-Organization-SCL: -1
X-MS-Exchange-Organization-AuthSource: mx-server.mycompany.com
X-MS-Exchange-Organization-AuthAs: Anonymous
*************