In the AWS SES console, navigate to Configuration > Identities, click Create identity, select Domain, and enter your domain name; SES will generate DNS records needed for verification and DKIM.
Under the Authentication tab for your new identity, find the DomainKeys Identified Mail section, click Edit, select Easy DKIM, choose RSA_2048_BIT as the signing key length, enable DKIM signatures, and save.
SES provides three CNAME records (the exact values are shown in the console); publish all three in your DNS provider. If you use Route 53, SES can publish them automatically via the Publish DNS records button.
Wait for SES to show the identity status as Verified (can take up to 72 hours); SES polls DNS until all three CNAMEs resolve to the SES-managed keys.
With Easy DKIM, SES automatically rotates the underlying 2048-bit keys periodically; because your DNS holds CNAMEs pointing to SES-managed records, rotation is transparent and requires no DNS changes on your part.
If regulatory requirements demand key ownership, use BYODKIM instead: generate your own 2048-bit RSA key pair, provide the private key to SES via the PutEmailIdentityDkimSigningAttributes API, and publish your public key as a TXT record.
Known gotchas
SES sandbox accounts can only send to verified addresses; request production access through the SES console before sending to external recipients at scale.
Easy DKIM CNAMEs are region-specific; if you configure identities in multiple AWS regions, each region generates its own set of three CNAMEs—add all sets to DNS if you send from multiple regions.
If you delete and recreate a SES domain identity, SES generates new CNAME target values; the old CNAMEs become invalid and must be replaced in DNS, so plan identity lifecycle carefully in production.
Give your agent this knowledge — and 200+ more routes
One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus:
claude mcp add --transport http waymark https://mcp.waymark.network/mcp