Can I verify my domain for Amazon SES in multiple accounts or AWS Regions?

3 minute read
0

Can I verify my domain for Amazon Simple Email Service (Amazon SES) in multiple AWS accounts or AWS Regions?

Short description

Amazon SES now uses DomainKeys Identified Mail (DKIM) to verify and manage your domain identity. If you set up your domain through DKIM, then you can verify your identity across multiple accounts or Regions through DKIM-based verification. For domains that are verified by DKIM and managed by Amazon Route 53, Amazon SES automatically updates the DNS server with the necessary records. For more information, see Creating and verifying identities in Amazon SES.

If your domain is verified by DKIM but isn't managed by Route 53, then you must configure three DKIM CNAME records to your DNS provider.

Domains that are verified with TXT records must manually add accounts or Regions to the record in order to verify them. If you created your domain with a TXT record and use Route 53 as your DNS service, then follow these steps.

Resolution

Follow these steps to verify your domain in multiple accounts or Regions through your domain's TXT record:

1.    Verify your domain in the first account or Region.

2.    Open the Route 53 console.

3.    From the navigation pane, choose Hosted zones.

4.    Choose the TXT record that you created when you verified your domain in the first account or Region.

5.    In the Value box, go to the end of the existing attribute value, and then press Enter.

6.    Add the attribute value for the additional account or Region.

7.    Save the record set. Note that some DNS providers don't allow you to assign multiple values to the same TXT record. In this case, first verify the domain once with _amazonses in the TXT record's attribute name. Then, verify the domain again with _amazonses removed from the attribute name. In the following example, the domain is example.com:

_amazonses.example.com    TXT    "TokenValue"
example.com               TXT    "TokenValue"

Warning: For this use case where you must add _amazonses to the attribute name, you can verify the same domain only two times.

8.    After you update the record set, validate the record. On a Linux operating system or on macOS, you can run a dig command:

$dig TXT _amazonses.example.com +short

On a Windows operating system, you can run the nslookup command:

$nslookup -type=TXT  _amazonses.example.com

The expected output for either the dig command or the nslookup command is the value of the TXT record. Along with your existing TXT records, the output should include the recently added TXT record, similar to the following:

"amSXqexampleyqEPQy+jkMfF63uB9y6MG1FA/Du3x8Q="
"0biRnexample5QDj43bNpT5Z+gQfdpfKqaP2tm8x4NE="

9.    After the correct record is added and is resolving, Amazon SES shows the domain as verified. If the domain isn't verified within 72 hours, you can retry the verification process.


Related information

Domain and email address verification problems