How to remove a verified domain from AWS SES?

I want to remove the company.in domain from the list of verified domains but want to continue sending emails using the do-not-reply@company.in DKIM enabled+verified email identity. To achieve this, I have followed this guide, which is pretty straightforward, but I haven't been successful, in the sense that the domain gets removed from the list only for some days (~4), only to show up again in the list of verified domains somehow.

What could be the cause of this auto-magical verification and corresponding fix?

After corresponding with AWS premium support:

Started off by checking your verified identities in the "ap-south-1 - BOM" region of SES and I saw the following 2 identities:

  • Domain = company.in (Introduction date: 2021-09-02 20:25)
  • Email address = do-not-reply@company.in (Introduction date: 2020-10-23 13:29)

After pulling out CloudTrail logs for the DeleteIdentity API in the region "ap-south-1" for the last 90 days, I could see a single API call on "2021-08-31" for the domain "company.in" (exactly as mentioned by you). Also, checking the VerifyDomainIdentity API in the CloudTrail logs for the past 90 days, I was not able to see any.

This confirmed that I deleted the domain successfully on "2021-08-31" and it got re-verified by itself on "2021-09-02", 3 days after.

I did a DNS query on your domain "company.in" and was able to identify that Route-53 is the DNS provider. On checking your domain's DNS configuration in Route-53, I was able to see the following 3 DKIM CNAME records published:

  • xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx._domainkey.company.in xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.dkim.amazonses.com
  • yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy._domainkey.company.in yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy.dkim.amazonses.com
  • zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz._domainkey.company.in zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz.dkim.amazonses.com

Now, coming to the reason for this strange behavior, I would like you to know that if there is a verified email identity of the same domain that was removed, and it has DKIM enabled+verified, then the domain will be automatically added to the verified identities even if you manually remove it. The reason being, one can only have DKIM for domains they own, and adding the DKIM record proves ownership, a criterion to verify your domain(s) in SES. Therefore, SES assumes that you are the domain owner due to the DKIM CNAME records published in your domain's DNS records and thus automatically adds the domain to your SES verified domains.

To mitigate this, there are 2 options:

  1. Either remove DKIM settings from the domain, which will mean disabling DKIM for the email address and removing the DKIM CNAME records from the domain's DNS.
  2. If you require DKIM for sending and don't want to alter the DKIM settings, then the only way would be to add a policy on the SMTP/IAM user, to only allow sending from certain email addresses - https://docs.aws.amazon.com/ses/latest/DeveloperGuide/control-user-access.html
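
A sketch of the kind of policy option 2 refers to, added here as an example (it is not text from AWS support or from the original answer): it uses the `ses:FromAddress` condition key so the IAM/SMTP user can send only as do-not-reply@company.in, even while the company.in domain stays in the verified list. The statement IDs are made up, and the explicit Deny is an addition that stops a broader Allow in another attached policy from re-opening other From addresses.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowSendFromDoNotReplyOnly",
      "Effect": "Allow",
      "Action": ["ses:SendEmail", "ses:SendRawEmail"],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "ses:FromAddress": "do-not-reply@company.in"
        }
      }
    },
    {
      "Sid": "DenySendFromAnyOtherAddress",
      "Effect": "Deny",
      "Action": ["ses:SendEmail", "ses:SendRawEmail"],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "ses:FromAddress": "do-not-reply@company.in"
        }
      }
    }
  ]
}
```

SMTP credentials send through `ses:SendRawEmail`, so that action has to be covered along with `ses:SendEmail`.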
