AWS Messaging & Targeting Blog

How to check your domain verification settings

So you performed the domain verification steps listed in the Developer Guide but the domain status in the SES Console still says Pending? To validate that the domain verification steps were executed properly, you have to check that the validation token was published to DNS under the correct record. Let’s say that you’re validating the domain ses-example.com and that the verification token (TXT record) value you obtained from the SES Console is fmxqxT/icOYx4aA/bEUrDPMeax9/s3frblS+niixmqk=. Here are the steps you need to follow.

Finding the Name Servers for the Domain

Each domain is served by one or more name servers, which map the domain name to the IP address of the host computer. To find the name servers that serve our domain, we are going to use the nslookup tool, which you run from a command line. You can use nslookup on both Windows and Linux. The commands in this post were executed on Windows 7. To get to the command line on Windows 7, for example, click Start and then type cmd.  On Linux-based operating systems, open a terminal window. The output of nslookup might be a little bit different on your system.

Note that for troubleshooting purposes, it is best to query the DNS servers that are serving your domain because they contain the most up-to-date information. Sometimes, even if the DNS records look fine in your DNS server, it might still take time for that information to propagate to the SES DNS servers.

At the command prompt, type nslookup -type=NS ses-example.com to list all of the name servers that are serving ses-example.com. In the command’s output, we see that there are 6 DNS servers: pdns2.ultradns.net, pdns3.ultradns.org, and so on. Let’s pick pdns2.ultradns.net.

[Screenshot: name server list]

Verify TXT record publishing

The next step is to check that the verification token is published properly. We are looking for a TXT record under _amazonses.ses-example.com. Note that the underscore before amazonses is optional. See the Developer Guide for more information.

At the command prompt, type nslookup -type=TXT _amazonses.ses-example.com pdns2.ultradns.net, as shown in the screenshot below.

[Screenshot: nslookup output]

From the output of the command, you can see that the value published under _amazonses.ses-example.com is our token, fmxqxT/icOYx4aA/bEUrDPMeax9/s3frblS+niixmqk=, which means that the TXT record is published correctly.

Using dig

On Linux you can also use the dig command. To use dig, in a terminal window, type dig NS ses-example.com +short to list all of the name servers for your domain.

[Screenshot: dig output]

To check that the verification token is published properly, remember that we’re looking for a TXT record under _amazonses.ses-example.com. As you can see in the output below, the verification token we are looking for is indeed present.

[Screenshot: published token]

Now, let’s see what the output looks like for the most common mistakes.

Common mistakes

Always make sure that the published verification token is exactly the same as the one listed in the SES console.

Common mistakes:

  • The token is published directly under the domain (ses-example.com in our case)
  • The value being published is _amazonses.ses-example.com= fmxqxT/icOYx4aA/bEUrDPMeax9/s3frblS+niixmqk=.

Example nslookup output of these mistakes is below.

[Screenshot: nslookup output for the common mistakes]

  • Another common mistake is that the verification token is published under a record that contains the domain twice. In this case the token would be published under _amazonses.ses-example.com.ses-example.com instead of _amazonses.ses-example.com.
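The checks above can be scripted. The following is an added example, not code from the original post: a shell function that takes one record name and TXT value (as printed by, for instance, dig +short TXT _amazonses.ses-example.com @pdns2.ultradns.net) and reports which of the mistakes listed above it matches. The function name and result labels are assumptions made for this example, and the sample inputs are constructed from the values used in this post.

```shell
#!/bin/sh
# Added example (not from the original post).
# classify_ses_txt DOMAIN TOKEN RECORD_NAME TXT_VALUE
# Prints one label: ok | token-at-apex | domain-doubled | wrong-name |
#                   name-in-value | token-mismatch
classify_ses_txt() (
    # DNS names are case-insensitive; the token (base64) is not.
    domain=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    token=$2
    name=$(printf '%s' "${3%.}" | tr 'A-Z' 'a-z')   # drop dig's trailing dot
    value=${4#\"}; value=${value%\"}                # drop surrounding quotes
    want="_amazonses.$domain"
    alt="amazonses.$domain"                         # underscore is optional

    if [ "$value" = "$token" ]; then
        # Token is intact: check that it sits under the right record name.
        case $name in
            "$want"|"$alt")                 echo ok ;;
            "$domain")                      echo token-at-apex ;;
            "$want.$domain"|"$alt.$domain") echo domain-doubled ;;
            *)                              echo wrong-name ;;
        esac
    else
        # Was "<record name>=<token>" pasted into the value field?
        rest=${value#*=}; rest=${rest# }            # text after the first "="
        case $value in
            "$want="*|"$alt="*) prefixed=yes ;;
            *)                  prefixed=no ;;
        esac
        if [ "$prefixed" = yes ] && [ "$rest" = "$token" ]; then
            echo name-in-value
        else
            echo token-mismatch
        fi
    fi
)

# Constructed sample inputs, using the domain and token from this post.
D=ses-example.com
T='fmxqxT/icOYx4aA/bEUrDPMeax9/s3frblS+niixmqk='
classify_ses_txt "$D" "$T" "_amazonses.$D." "\"$T\""
classify_ses_txt "$D" "$T" "$D." "\"$T\""
classify_ses_txt "$D" "$T" "_amazonses.$D." "\"_amazonses.$D= $T\""
classify_ses_txt "$D" "$T" "_amazonses.$D.$D." "\"$T\""
```

Run it against the answer from each authoritative name server rather than a caching resolver, for the reason given earlier in the post.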

I hope that you found this blog post helpful. Please feel free to browse or post on the SES forum if you have questions about domain verification.