Email and Domain Identity Verification in AWS SES

In AWS SES, a verified identity is a domain or email address that you use to send email. Before sending emails with Amazon SES, you must create and verify each identity used as the "From" address. Identity verification ensures ownership and prevents unauthorized use.
If your account is in the Amazon SES sandbox, you must verify all recipient email addresses before sending emails. For a production access request, you must verify a domain-based identity.

Email Address based Identity

Email based Identity verification is primarily used for testing, especially when you don't own a domain. Each sender email address must be verified individually before use. Follow the steps below to verify an email address:
  • Navigate to the Amazon SES console.
  • From the navigation pane, choose Identities.
  • Click on Create Identity.
  • Under Identity details, choose Email address as the identity type.
  • For Email address, enter the email address that you want to use. It must be an address that can receive mail and that you have access to.
  • Click on Create Identity. After it's created, you should receive a verification email. Open the email from your inbox and click the link to complete the verification process for the email address.

Domain based Identity

Domain based Identity verification is essential for sending emails from your domain. It's a one-time process that verifies your domain ownership. Follow the steps below to verify a domain:
  • Navigate to the Amazon SES console.
  • From the navigation pane, choose Identities.
  • Click on Create Identity.
  • Under Identity details, choose Domain as the identity type.
  • For Domain, enter the domain name that you want to use. You must have access to the domain's DNS settings to complete the domain verification process.
  • To use custom MAIL FROM Domain, select the check box and complete the following steps:
    • Enter the subdomain name that you want to use as the MAIL FROM Domain.
    • Configure MX failure behavior to define how Amazon SES handles missing MX records at the time of sending. You can either allow SES to fall back to a subdomain of amazonses.com or reject the message, which triggers a MailFromDomainNotVerified error.
  • SES uses Easy DKIM with a 2048-bit signing key length by default. To customize, expand Advanced DKIM settings and choose the desired DKIM type. Ensure that the Enabled box is checked in the DKIM signatures field.
    • To use Deterministic Easy DKIM (DEED) in Amazon SES, you must first enable Easy DKIM for at least one domain. After that, DEED can be used for additional domains without requiring separate DKIM record configurations.
    • As an alternative to using Easy DKIM, you can instead configure DKIM authentication by using your own public-private key pair. This process is known as Bring Your Own DKIM (BYODKIM).
    To use the Bring Your Own DKIM feature, you first have to create an RSA key pair. To generate a key pair, follow the steps below:
    • Open a terminal window and run the following command to generate the private key:
      openssl genrsa -f4 -out private.key 2048
    • Run the following command to generate the public key:
      openssl rsa -in private.key -outform PEM -pubout -out public.key
    Now that you've created a key pair, you have to add the public key as a TXT record to the DNS configuration for your domain. You must include the p= prefix in the DNS record. Then paste the private key you generated earlier and specify the selector name you used in the DNS settings. The selector is a string that uniquely identifies the public key in the DNS records.
  • Click on Create Identity. Once created, you will see the required DNS records that you need to add to your domain's DNS settings.
To verify ownership of this identity, you must publish the DKIM records in your domain's DNS settings. To complete configuration of your custom MAIL FROM Domain, update the DNS settings using the MX record provided. Amazon SES will continue to use the default MAIL FROM Domain until the presence of this record has been verified.
After domain verification in Amazon SES, you can send emails using your domain as the "From" address (e.g., info@your-domain.com). However, if your SES account is still in sandbox mode, emails can only be sent to verified recipient addresses.

Amazon SES Production Access

To request production access, navigate to Get Set Up in the SES console. Click on Request Production Access and fill out the form.
Once you have production access, you can send emails to any recipient without verifying the recipient email addresses. To test sending an email, navigate to a verified domain identity, click "Send Test Email" and fill in the required details.

Frequently Asked Questions (FAQ)

InvalidChangeBatch 400: CharacterStringTooLong (Value is too long) error while adding DKIM record in Route 53

Do not use "one string per line"; instead, separate the strings with a single space, e.g. "foo" "bar", not "foo"\n"bar".
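
The BYODKIM record step and the Route 53 fix above, combined in an added example that is not part of the original article: it turns a PEM public key into the p= value and splits it into quoted strings of at most 255 characters on one line. The function names are hypothetical and the sample key is constructed filler, not real key material.

```shell
#!/bin/sh
# Added example (not from the article): function names are hypothetical.

# Write a constructed PEM file: 392 filler characters, the base64 length of a
# 2048-bit RSA public key. It is not real key material.
make_sample_pem() {
    {
        echo '-----BEGIN PUBLIC KEY-----'
        awk 'BEGIN { for (i = 0; i < 392; i++) printf "A"; print "" }' | fold -w 64
        echo '-----END PUBLIC KEY-----'
    } > "$1"
}

# Strip the PEM armor and line breaks from FILE and add the p= prefix.
pem_to_dkim_value() {
    # The private key goes to SES only; never publish it in DNS.
    if grep -q 'PRIVATE KEY' "$1"; then
        echo "$1 holds a private key, refusing" >&2
        return 1
    fi
    body=$(grep -v -e '-----' "$1" | tr -d ' \r\n')
    [ -n "$body" ] || { echo "no key material in $1" >&2; return 1; }
    printf 'p=%s' "$body"
}

# Split VALUE into quoted strings of at most 255 characters, all on one line
# and separated by a single space, which is the form Route 53 accepts.
route53_txt() {
    printf '%s\n' "$1" | awk '{
        out = ""
        for (i = 1; i <= length($0); i += 255)
            out = out (i > 1 ? " " : "") "\"" substr($0, i, 255) "\""
        print out
    }'
}

# Demo on the constructed key; for a real one: route53_txt "$(pem_to_dkim_value public.key)"
sample=$(mktemp) && make_sample_pem "$sample"
route53_txt "$(pem_to_dkim_value "$sample")"
rm -f "$sample"
```

With a 2048-bit key the p= value is 394 characters, so it always needs two strings; a value of 255 characters or fewer comes back as a single quoted string.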
