Where do I publish the DKIM record for Amazon SES?

You publish DKIM as a TXT record at selector._domainkey.yourdomain.com, where selector is the name given by Amazon SES.

How do I know if DKIM is working?

Send a message to a Gmail inbox and look at Show original. If DKIM shows PASS for your domain, the record is working.

Can I use more than one DKIM selector?

Yes. Many providers support multiple selectors to rotate keys or support several sending systems.

How to set up DKIM on Amazon SES

Step by step DKIM setup for Amazon SES: complete instructions, examples, verification commands, and common pitfalls.

Want to check your domain while following this guide?

Run a free SPF, DKIM and DMARC check on your domain to see exactly what is passing and what needs fixing.

No signup required. Works on any domain.

search Run a Free Domain Check notifications_active Monitor my domain

This is a reference guide for configuring DKIM on Amazon SES. Use it while editing DNS or when troubleshooting deliverability.

Tip: Avoid common mistakes: follow these steps to add DKIM on Amazon SES. Then verify everything with the InboxGreen Free Checker.

Provider-specific notes for Amazon SES

Amazon SES uses CNAME-based DKIM (Easy DKIM), not a plain TXT key. AWS generates three CNAME records - all three must be published for DKIM to pass.
SES requires domain identity verification before sending. SPF via the mail-from subdomain is optional when Easy DKIM is active, but both are recommended for DMARC alignment.
AWS Console → Amazon SES → Identities → Domain → DKIM and Authentication.

What you’ll need

Access to Amazon SES to generate a DKIM key and selector.
DNS provider access to publish a TXT record at selector._domainkey.

Generate your DKIM key

In Amazon SES, generate a DKIM key and note the selector. Providers often suggest something like auto-generated by AWS (CNAME-based, not a plain TXT key).

AWS Console → Amazon SES → Identities → Domain → DKIM and Authentication.

Publish the record

Create a TXT record at host selector._domainkey (replace selector with your actual selector name).
Paste the full value starting with v=DKIM1; k=rsa; p= and save.
Wait for DNS propagation.

Verify DKIM

Send a test email to a Gmail address and use “Show original” to confirm “DKIM: PASS”.

Or run:

dig TXT selector._domainkey.yourdomain.com +short

Common mistakes

Using the wrong host so the record becomes selector._domainkey.yourdomain.com.yourdomain.com.
Breaking the value by wrapping or truncating the TXT string.
Publishing a record for the wrong selector and then validating on another.

Related for Amazon SES

quick_reference_all Set up SPF on Amazon SES quick_reference_all Set up DMARC on Amazon SES quick_reference_all Set up List-Unsubscribe on Amazon SES

Pro tip: Turn on InboxGreen Monitoring to check these records daily and get alerts if something breaks.

Free Deliverability Scan

Check SPF, DKIM, DMARC and List-Unsubscribe for your domain in seconds.

Useful tools

tune SPF Generator tune DMARC Generator verified Badges