AWS Messaging & Targeting Blog

DKIM Troubleshooting Series: Where is My Signature?

9/15/16 Update: There has been a small simplification to the steps you use to set up Easy DKIM. See this forum announcement for details.

In this blog series so far, we have seen various problems that could prevent us from having Amazon SES verify the DKIM setup for our domain, and some possible causes (and solutions). Having the DKIM domain verified with SES is only the first step of the process. We have yet to see a signed email, and, more importantly, to see what good it does us. Let’s continue on our route to improved email security and deliverability!

My domain is now successfully set up for DKIM. How do I verify that my emails really are signed?

We have finally been able to verify our domain, we have received the Amazon SES DKIM Setup Successful confirmation email, and we see the DKIM Verification Status: verified message in the SES console for our domain. We also made sure to enable DKIM for our domain in the SES console. So how can we double-check that everything is really in order?

To test DKIM signing, we send an email via SES to an address under our control and inspect the raw message headers (click ‘Show original’ in Gmail, ‘View message source’ in Hotmail, or the equivalent in another client).

We are looking for a header named DKIM-Signature. In the raw message source it is folded across several lines and looks like this:

DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple;
        s=xtk53kxcy4p3t6ztbrffs6d54rsrrhh6; d=ses-example.com;
        t=1366720445;
        h=From:To:Subject:MIME-Version:Content-Type:Content-Transfer-Encoding:Date:Message-ID;
        bh=lcj/Sl5qKl6K6zwFUwb7Flgnngl892pW574kmS1hrS0=;
        b=nhVMQLmSh7/DM5PW7xPV4K/PN4iVY0a5OF4YYk2L7jgUq9hHQlckopxe82TaAr64
        eVTcBhHHj9Bwtzkmuk88g4G5UUN8J+AAsd/JUNGoZOBS1OofSkuAQ6cGfRGanF68Ag7
        nmmEjEi+JL5JQh//u+EKTH4TVb4zdEWlBuMlrdTg=
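The check described above can be scripted so it is repeatable: paste the raw message source in, find out whether a DKIM-Signature header is present, and if it is, pull out the tags that matter (d=, s=, h=, bh=, b=). The script below is an added example, not code from the post or from Amazon SES; it uses only the Python standard library, and the two sample messages are constructed from the headers shown in this post (the signed header above and the unsigned headers further down). The selector-to-DNS-name rule (`<selector>._domainkey.<domain>`) and the digest sizes come from RFC 6376.

```python
"""Check a raw message source for the DKIM-Signature header and decode it.

Added example, not code from the original post. Uses only the standard library.
The sample messages are constructed from the headers shown in the post.
"""
import base64
import email
import re

# Constructed sample: the signed header from the post on top of a minimal message.
SIGNED_SOURCE = """\
From: ses-user@ses-example.com
To: gmail-username@gmail.com
Subject: Testing DKIM
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple;
  s=xtk53kxcy4p3t6ztbrffs6d54rsrrhh6; d=ses-example.com;
  t=1366720445;
  h=From:To:Subject:MIME-Version:Content-Type:Content-Transfer-Encoding:Date:Message-ID;
  bh=lcj/Sl5qKl6K6zwFUwb7Flgnngl892pW574kmS1hrS0=;
  b=nhVMQLmSh7/DM5PW7xPV4K/PN4iVY0a5OF4YYk2L7jgUq9hHQlckopxe82TaAr64
  eVTcBhHHj9Bwtzkmuk88g4G5UUN8J+AAsd/JUNGoZOBS1OofSkuAQ6cGfRGanF68Ag7
  nmmEjEi+JL5JQh//u+EKTH4TVb4zdEWlBuMlrdTg=
Message-ID: <constructed-signed@example.invalid>

Test body.
"""

# Constructed sample: the unsigned headers from the post, trimmed.
UNSIGNED_SOURCE = """\
Return-Path: <0000013e36e2fb75-67d856d5-8718-4938-9e33-459e3ec3ac52-000000@amazonses.com>
From: ses-user@ses-example.com
To: gmail-username@gmail.com
Subject: Testing DKIM
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Date: Tue, 23 Apr 2013 12:34:05 +0000
Message-ID: <0000013e36e2fb75-67d856d5-8718-4938-9e33-459e3ec3ac52-000000@email.amazonses.com>
X-SES-Outgoing: 199.255.195.130

Test body.
"""

# Digest size in bytes for the signing algorithms DKIM defines (RFC 6376).
DIGEST_BYTES = {"rsa-sha256": 32, "rsa-sha1": 20}


def parse_tags(header_value):
    """Split a DKIM tag list into a dict. Folding whitespace is not significant
    anywhere in the tag list (RFC 6376 section 3.2), so it is stripped first."""
    tags = {}
    for item in re.sub(r"\s+", "", header_value).split(";"):
        if item:
            name, _, value = item.partition("=")  # split on the first '=' only; base64 padding follows
            tags[name] = value
    return tags


def dkim_signatures(raw_source):
    """Return the parsed tag dict of every DKIM-Signature header in the message."""
    msg = email.message_from_string(raw_source)
    return [parse_tags(str(v)) for v in msg.get_all("DKIM-Signature", [])]


def key_record_name(tags):
    """DNS name of the TXT record a verifier queries for this signature's public key."""
    return f"{tags['s']}._domainkey.{tags['d']}"


def check_signature(tags):
    """Sanity checks that need no DNS access: which domain and selector signed,
    which headers are covered, and whether the body hash and signature sizes
    are consistent with the declared algorithm."""
    bh_len = len(base64.b64decode(tags["bh"]))
    sig_bits = len(base64.b64decode(tags["b"])) * 8
    return {
        "domain": tags["d"],
        "selector": tags["s"],
        "dns_name": key_record_name(tags),
        "signed_headers": tags["h"].split(":"),
        "body_hash_ok": bh_len == DIGEST_BYTES.get(tags["a"]),
        "signature_bits": sig_bits,
    }


def diagnose(raw_source):
    """Top-level check: is the message signed, and if so, what to verify next."""
    sigs = dkim_signatures(raw_source)
    if not sigs:
        return {"signed": False,
                "hint": "no DKIM-Signature header; check that DKIM is enabled for the "
                        "exact sending identity (address settings override domain settings)"}
    return {"signed": True, "signatures": [check_signature(t) for t in sigs]}


if __name__ == "__main__":
    for label, src in (("signed", SIGNED_SOURCE), ("unsigned", UNSIGNED_SOURCE)):
        print(label, diagnose(src))
```

Running it prints the parsed signature for the signed sample (domain ses-example.com, the selector's `_domainkey` record name, the eight covered headers, a 32-byte body hash matching rsa-sha256 and a 1024-bit signature) and the "no DKIM-Signature header" hint for the unsigned one. The `dns_name` field is the record to query if the next question is whether the public key is actually published.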

DKIM is now enabled and set up for my domain, but my emails still aren’t signed

The SES console is showing that our DKIM setup is verified and that DKIM signing is enabled for our domain, ses-example.com. In our email client we see from the Message-ID header that the email was indeed sent by SES and that the “From” address does indeed belong to our domain. We also double-checked that we’re using the right AWS account. So why is SES not adding the signature to our emails?

Below are the message headers we see in our email client. Why is the DKIM-Signature header missing?

Delivered-To: gmail-username@gmail.com
Received: by 10.114.22.33 with SMTP id a1csp97368ldf;
        Tue, 23 Apr 2013 05:34:07 -0700 (PDT)
X-Received: by 10.229.17.3 with SMTP id q3mr6499056qca.21.1366720447007;
        Tue, 23 Apr 2013 05:34:07 -0700 (PDT)
Return-Path: <0000013e36e2fb75-67d856d5-8718-4938-9e33-459e3ec3ac52-000000@amazonses.com>
Received: from a195-130.smtp-out.amazonses.com (a195-130.smtp-out.amazonses.com. [199.255.195.130])
        by mx.google.com with ESMTP id g10si19883148qab.3.2013.04.23.05.34.06;
        Tue, 23 Apr 2013 05:34:06 -0700 (PDT)
Received-SPF: pass (google.com: domain of 0000013e36e2fb75-67d856d5-8718-4938-9e33-459e3ec3ac52-000000@amazonses.com designates 199.255.195.130 as permitted sender) client-ip=199.255.195.130;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of 0000013e36e2fb75-67d856d5-8718-4938-9e33-459e3ec3ac52-000000@amazonses.com designates 199.255.195.130 as permitted sender) smtp.mail=0000013e36e2fb75-67d856d5-8718-4938-9e33-459e3ec3ac52-000000@amazonses.com;
Return-Path: 0000013e36e2fb75-67d856d5-8718-4938-9e33-459e3ec3ac52-000000@amazonses.com
From: ses-user@ses-example.com
To: gmail-username@gmail.com
Subject: Testing DKIM
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
Date: Tue, 23 Apr 2013 12:34:05 +0000
Message-ID: <0000013e36e2fb75-67d856d5-8718-4938-9e33-459e3ec3ac52-000000@email.amazonses.com>
X-SES-Outgoing: 199.255.195.130

We need to make sure that DKIM is enabled for the signing identity that actually applies to the emails we are sending. If we have verified both our domain and an email address in that domain, the settings of the email address identity override those of the domain identity. We therefore either enable DKIM for every verified address in that domain from which we want signed emails, or delete those address identities (the domain being verified already) so that the domain-level settings take effect.

For the purpose of this scenario, let’s assume that we have verified the email address ses-user@ses-example.com. We have also verified the domain ses-example.com and enabled DKIM signing for it. Because we forgot to enable DKIM for the email address, no email having ses-user@ses-example.com as the “From” address will be DKIM-signed. To fix this we can either enable DKIM for ses-user@ses-example.com or delete the address identity completely, so that the domain-level settings take effect.
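The precedence rule just described, with the scenario and both fixes, as an added example that is not SES code and not part of the original post: it models the rule exactly as the post states it (an address-level identity overrides the domain-level one) and nothing beyond that. Identity names are matched exactly, which is a simplification of this example, not a statement about how SES compares them.

```python
"""Model of the signing-identity precedence described in the post.

Added example, not SES code. It encodes only the rule the post states:
an address-level identity overrides the domain-level one. Identities are
matched exactly here, which is a simplification of this example.
"""


def signing_decision(from_address, identities):
    """identities maps each verified identity (an email address or a domain)
    to whether DKIM is enabled for it. Returns which identity decided the
    outcome and whether a message from from_address will be signed."""
    if from_address in identities:  # address-level identity wins when present
        return {"decided_by": from_address, "signed": identities[from_address]}
    domain = from_address.rpartition("@")[2]
    if domain in identities:  # otherwise the domain-level setting applies
        return {"decided_by": domain, "signed": identities[domain]}
    return {"decided_by": None, "signed": False}  # no verified identity covers this sender


# Constructed scenario from the post: domain verified with DKIM enabled,
# address verified but DKIM left disabled.
SCENARIO = {"ses-example.com": True, "ses-user@ses-example.com": False}
SENDER = "ses-user@ses-example.com"


def fix_enable_address(identities):
    """First fix from the post: enable DKIM on the address identity."""
    fixed = dict(identities)
    fixed[SENDER] = True
    return fixed


def fix_delete_address(identities):
    """Second fix from the post: delete the address identity so the domain applies."""
    fixed = dict(identities)
    fixed.pop(SENDER, None)
    return fixed


if __name__ == "__main__":
    print("as configured:       ", signing_decision(SENDER, SCENARIO))
    print("after enabling DKIM: ", signing_decision(SENDER, fix_enable_address(SCENARIO)))
    print("after deleting addr: ", signing_decision(SENDER, fix_delete_address(SCENARIO)))
```

The `decided_by` field is the useful part when troubleshooting: it names the identity whose DKIM setting took effect, which is exactly what the console screen for the domain does not tell you when an address-level identity is silently overriding it.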

For our scenario, we decide to enable DKIM signing for our sending address and try again. This time, the signature appears in emails in our email client. Does this mean we’re through? Not quite…

Next steps

The next entry in the series will cover signature validation problems, presenting two problems we have seen customers run into that caused ISPs to reject the signature as invalid.