More Info:

DomainKeys Identified Mail (DKIM) should be verified in your SES configuration.

Risk Level: High

Address: Security

Compliance Standards: CBP

Triage and Remediation

Remediation

Using Console

To remediate the misconfiguration of DKIM not being verified in AWS SES using the AWS console, follow these steps:
  1. Sign in to the AWS Management Console:
  2. Navigate to the Identity Management section:
    • In the AWS SES console, on the left-hand side, click on “Identity Management” and then click on “Email addresses”.
  3. Select the domain for which DKIM needs to be verified:
    • Click on the domain for which you want to verify DKIM.
  4. Verify DKIM for the selected domain:
    • Under the “Domain details” section, find the “Domain authentication” tab.
    • Click on the “Verify a new DKIM” button.
    • You will be provided with a set of CNAME records that you need to add to your domain’s DNS settings.
  5. Add DKIM CNAME records to your DNS settings:
    • Login to your domain registrar or DNS hosting provider where your domain is hosted.
    • Add the CNAME records provided by AWS SES to your DNS settings.
    • It may take some time for the DNS changes to propagate.
  6. Verify DKIM after adding CNAME records:
    • Go back to the AWS SES console.
    • Click on the “Verify this record set” button to confirm that the CNAME records have been added correctly.
    • Once verified, the DKIM status for your domain should show as “Verified”.
  7. Monitor DKIM status:
    • Regularly check the DKIM status in the AWS SES console to ensure that it remains verified.
    • If there are any issues, follow the instructions provided in the console to troubleshoot and resolve them.
By following these steps, you can remediate the misconfiguration of DKIM not being verified in AWS SES using the AWS console.

Using CLI

To remediate the misconfiguration of DKIM not being verified in AWS SES using AWS CLI, follow these steps:
  1. List your verified domains by running the following command:
aws ses list-identities --identity-type Domain
  2. Identify the domain for which you want to enable DKIM verification.
  3. Verify the domain by running the following command:
aws ses verify-domain-dkim --domain example.com
Replace example.com with your actual domain name.
  4. After verifying the domain, you will receive a set of CNAME records that you need to add to your DNS configuration. These records are used to verify the ownership of the domain.
  5. Add the CNAME records to your DNS configuration with the values provided by AWS SES.
  6. Once the DNS changes have propagated, you can enable DKIM verification for the domain by running the following command:
aws ses set-identity-dkim-enabled --identity example.com --dkim-enabled
Replace example.com with your actual domain name.
  7. Verify that DKIM verification is enabled for the domain by running the following command:
aws ses get-identity-dkim-attributes --identities example.com
Replace example.com with your actual domain name.
By following these steps, you can remediate the misconfiguration of DKIM not being verified in AWS SES using AWS CLI.

Using Python

To remediate the misconfiguration of DKIM not being verified for AWS SES using Python, follow these steps:
  1. Install the AWS SDK for Python (Boto3) by running the following command:
pip install boto3
  2. Create a Python script with the following code snippet to enable DKIM verification for your AWS SES domain:
import boto3

def enable_dkim_verification():
    ses_client = boto3.client('ses', region_name='us-east-1')  # Update the region as per your SES configuration
    domain_identity = 'your_domain_here.com'  # Update with your SES domain

    response = ses_client.verify_domain_dkim(
        Domain=domain_identity
    )

    print(response)

if __name__ == '__main__':
    enable_dkim_verification()
  3. Replace your_domain_here.com with your actual SES domain in the code snippet.
  4. Run the Python script using the command line or your preferred Python IDE.
  5. Verify that DKIM has been successfully enabled for your SES domain by checking the response from the verify_domain_dkim API call.
By following these steps, you can use Python and Boto3 to remediate the misconfiguration of DKIM not being verified for AWS SES.
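
The check behind the steps above, as an added example that is not part of the original page: it builds the CNAME records from the DkimTokens that verify_domain_dkim returns (SES Easy DKIM format, token._domainkey.domain pointing at token.dkim.amazonses.com) and reports whether each identity is both verified and enabled. The function names, tokens and sample attributes are constructed for illustration.

```python
# Added example: constructed sample data; function names are illustrative.

def dkim_cname_records(domain, tokens):
    """Turn the DkimTokens from verify_domain_dkim into (name, value) CNAME pairs."""
    domain = domain.rstrip(".").lower()
    return [(f"{t}._domainkey.{domain}", f"{t}.dkim.amazonses.com") for t in tokens]

def audit_dkim(identities, dkim_attributes):
    """Map each identity to 'ok' or to the reason it still fails the DKIM check."""
    findings = {}
    for identity in identities:
        attrs = dkim_attributes.get(identity)
        if attrs is None:
            findings[identity] = "no DKIM attributes returned"
        elif attrs.get("DkimVerificationStatus") != "Success":
            status = attrs.get("DkimVerificationStatus", "unknown")
            findings[identity] = f"DKIM not verified (status: {status})"
        elif not attrs.get("DkimEnabled"):
            findings[identity] = "DKIM verified but signing is disabled"
        else:
            findings[identity] = "ok"
    return findings

def audit_account(region):
    """Live check of every domain identity; needs boto3 and AWS credentials."""
    import boto3  # imported here so the offline demo below runs without it
    ses = boto3.client("ses", region_name=region)
    pages = ses.get_paginator("list_identities").paginate(IdentityType="Domain")
    domains = [d for page in pages for d in page["Identities"]]
    attrs = {}
    for i in range(0, len(domains), 100):  # the API takes up to 100 identities per call
        batch = domains[i:i + 100]
        attrs.update(ses.get_identity_dkim_attributes(Identities=batch)["DkimAttributes"])
    return audit_dkim(domains, attrs)

# Constructed sample in the shape of get_identity_dkim_attributes()["DkimAttributes"].
SAMPLE_ATTRS = {
    "example.com": {"DkimEnabled": True, "DkimVerificationStatus": "Success"},
    "example.org": {"DkimEnabled": True, "DkimVerificationStatus": "Pending"},
    "example.net": {"DkimEnabled": False, "DkimVerificationStatus": "Success"},
}

if __name__ == "__main__":
    for name, value in dkim_cname_records("example.com", ["token1", "token2", "token3"]):
        print(f"{name} CNAME {value}")
    for identity, result in audit_dkim(list(SAMPLE_ATTRS) + ["example.edu"], SAMPLE_ATTRS).items():
        print(f"{identity}: {result}")
```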
