
How Does Amazon SES Validation Work



 

Amazon SES handles email delivery for the Cloud version of Cyber Recruiter. Amazon SES validates the emails coming out of Cyber Recruiter on our network against the company email address extension and confirms that they are real. This change is more secure and is intended to reduce the likelihood of the emails being caught in SPAM and Junk filters. Amazon SES is our preferred SMTP service because of the additional validation. Whoever manages the company website domain needs to create one TXT record and three CNAME records. These records need to be saved into the root of DNS for the domain.

 

Once the records are in place, only one key will validate if the customer checks them. A single public key is expected; Amazon SES rotates it among the other entries for security. Here is their full reply for reference:

  

When you enable Easy DKIM for your domain (e.g. 'test.com') in SES, we ask you to create the following CNAME records.

xvvj77hbufxfl2cee6bhdit2v3jlaqb._domainkey.test.com CNAME 3xvvj77hbufxfl2cee6bhdit2v3jlaqb.dkim.amazonses.com.
tsouce4geeg2toors24gebvzoybygbm7._domainkey.test.com CNAME tsouce4geeg2toors24gebvzoybygbm7.dkim.amazonses.com.
3ewj6qovyivyecze3vzyl5u6ckw5zo24._domainkey.test.com CNAME 3ewj6qovyivyecze3vzyl5u6ckw5zo24.dkim.amazonses.com.

 

The records that you create are CNAME records instead of TXT records. This allows SES to host the signing keys (public-private key pair) and publish the public key counterpart in a DNS TXT record.

 

The way DKIM authentication works is that SES adds a DKIM-Signature header field (using the private key) that contains a cryptographically signed representation of the email you sent. A receiving SMTP server wanting to verify the authenticity of the email performs a DNS TXT record lookup for the public key and then proceeds to decode the signature. This verifies that the messages weren't modified by a third party while in transit.

 

That being said, SES hosts one pair of signing credentials (public-private key pair) at a time for your domain and publishes the corresponding public key counterpart in a DNS TXT record, as you noticed:

dig txt +short 3ewj6qovyivyecze3vzyl5u6ckw5zo24._domainkey.test.com

3ewj6qovyivyecze3vzyl5u6ckw5zo24.dkim.amazonses.com.

 

"p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCHSriycBU7CA2Kxi+oK0t9gvVnri3QEp6wKylcOJ2tV4rTke6WfWzHiaSt9rHgW1bqJSLB02GjLLjQb7CmCkEhqYimXZ1a9zraCrctz0KccTHiGMGbljzNbDgDMn37Wsd+XSqeXrb9WnZyH6NNdHDzDDtPbIEg4YqSP2yxKJvfhQIDAQAB"

 

This is expected, as SES automatically rotates among signing credentials and utilizes the other records to publish the public key counterpart periodically. This is to mitigate the risk of any key leak.

 

Also included is an external article providing more details on how DKIM signing works: https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail
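The lookup described in the reply can be checked offline before DNS is changed. The following is an added example, not part of Amazon's reply or of Cyber Recruiter: it derives the name a receiver queries from a DKIM-Signature header and checks that each CNAME follows the Easy DKIM pattern. The signature value is constructed, the function names are hypothetical, and the records are copied as printed above, so the check reports the first one, whose target carries a leading "3" that its name lacks.

```python
import re

SES_SUFFIX = ".dkim.amazonses.com."
# The three CNAME records exactly as printed in the reply above (name, target).
RECORDS = [
    ("xvvj77hbufxfl2cee6bhdit2v3jlaqb._domainkey.test.com",
     "3xvvj77hbufxfl2cee6bhdit2v3jlaqb.dkim.amazonses.com."),
    ("tsouce4geeg2toors24gebvzoybygbm7._domainkey.test.com",
     "tsouce4geeg2toors24gebvzoybygbm7.dkim.amazonses.com."),
    ("3ewj6qovyivyecze3vzyl5u6ckw5zo24._domainkey.test.com",
     "3ewj6qovyivyecze3vzyl5u6ckw5zo24.dkim.amazonses.com."),
]
# Constructed DKIM-Signature value; bh= and b= are dummy base64, not a real signature.
SAMPLE_SIGNATURE = (
    "v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple;\r\n"
    "\ts=3ewj6qovyivyecze3vzyl5u6ckw5zo24; d=test.com;\r\n"
    "\th=From:To:Subject; bh=Y29uc3RydWN0ZWQ=; b=Y29uc3RydWN0ZWQ="
)

def parse_dkim_tags(value):
    """Unfold the header value and split its tag=value list (RFC 6376)."""
    tags = {}
    for part in re.sub(r"\r?\n[ \t]+", " ", value).split(";"):
        if "=" in part:
            name, val = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags

def key_lookup_name(tags):
    """Name a receiver queries for the public key: <s>._domainkey.<d>."""
    return f"{tags['s']}._domainkey.{tags['d']}".lower()

def check_cnames(records, domain):
    """Report records that break <token>._domainkey.<domain> -> <token>.dkim.amazonses.com."""
    suffix, problems = "._domainkey." + domain.lower(), []
    for name, target in records:
        name, target = name.lower().rstrip("."), target.lower().rstrip(".") + "."
        if not name.endswith(suffix):
            problems.append((name, "not under _domainkey." + domain))
        elif target != name[: -len(suffix)] + SES_SUFFIX:
            problems.append((name, "target token differs from record name"))
    return problems

def selector_is_published(signature_value, records):
    """True if the signature's selector maps to one of the published CNAME names."""
    wanted = key_lookup_name(parse_dkim_tags(signature_value))
    return wanted in {name.lower().rstrip(".") for name, _ in records}

if __name__ == "__main__":
    print(check_cnames(RECORDS, "test.com"), selector_is_published(SAMPLE_SIGNATURE, RECORDS))
```

A selector that is not among the published names means the receiver's TXT lookup finds no key, whichever of the three keys SES is currently signing with.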

 

Minimum Validation: Authorizes the Cyber Recruiter system on our network to send out emails using the company domain extension. (aka TXT record)

 

Preferred Validation: Add “signing” for the domain. This ensures that the emails going out of the system appear with the company email addresses instead of the email address “sent via amazonses”. You may not see it in the displayed header, but it is in the message header (in the background), and SPAM filters see that as a potential spoof. So this additional layer helps with SPAM issues. (aka CNAME records)

 

There is also one more level of validation to help with email delivery. We have a dedicated IP address for the Amazon SES server, so this IP address can also be whitelisted.