Adding DKIM Records in Route 53: AWS DNS Setup Guide

How to add DKIM DNS records in AWS Route 53. Step-by-step guide covering hosted zone configuration, TXT record setup, and DKIM verification.

Last updated: 2026-05-22

Amazon Route 53 is the DNS service built into AWS. If your domain's nameservers point to Route 53, this is where you add DKIM records so receiving mail servers can verify that messages from your domain are legitimate. The process takes just a few minutes through the AWS Console, and Route 53 handles some of the trickier parts of DKIM records (like long TXT values) automatically. For a general introduction, see our complete DKIM guide.

Route 53 is commonly paired with Amazon SES for email sending. If you use SES, check our Amazon SES DKIM guide for SES-specific setup steps. This guide covers adding DKIM records directly in Route 53 for any email provider.

Before You Start

You will need:

  • AWS Console access with permissions to manage Route 53 records
  • A hosted zone in Route 53 for your domain
  • A DKIM public key from your email provider or generated with DKIM Creator
  • Your selector name (e.g., default, mail, s1, or one assigned by your email service) -- see how to find your DKIM selector if you are unsure

If you do not have a DKIM key pair yet, generate one with DKIM Creator before continuing. You will need the public key value (the string starting with v=DKIM1;) and the selector you chose.

Adding a DKIM TXT Record in Route 53

Most DKIM setups use a TXT record. This is the standard approach and works with virtually every email provider.

Step 1: Open the Route 53 console

Sign in to the AWS Console and navigate to Route 53. You can find it by typing "Route 53" in the search bar at the top of the page, or by selecting it from the Networking & Content Delivery section.

Step 2: Go to Hosted Zones

In the Route 53 dashboard, click Hosted zones in the left sidebar. This shows all the domains you manage through Route 53.

Step 3: Select your domain

Click on the domain name you want to add the DKIM record to. This opens the list of DNS records for that hosted zone.

Step 4: Click Create Record

Click the Create record button near the top of the records list. Route 53 will open the record creation form. If you see a toggle between "Quick create" and "Wizard," either option works. Quick create is slightly faster.

Step 5: Enter the record name

In the Record name field, enter your selector followed by ._domainkey. For example, if your selector is mail, type mail._domainkey. Route 53 automatically appends your domain name, so do not include the domain portion.

Step 6: Set the record type to TXT

Open the Record type dropdown and select TXT - Text. This is the standard record type for DKIM.

Step 7: Paste the DKIM value

In the Value field, paste your full DKIM record value wrapped in double quotes. For example:

"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A..."

The quotes are required for TXT records in Route 53. If you paste the value without quotes, Route 53 may add them for you, but it is safer to include them yourself.

Step 8: Set the TTL and create

Leave the TTL at the default of 300 seconds (5 minutes), or increase it to 3600 (1 hour) once you have confirmed everything works. Leave the Routing policy set to "Simple routing." Click Create records to save.

Route 53 Record Format Reference

Here is what your completed DKIM record should look like in Route 53:

| Field | Value |
|---|---|
| **Record name** | `selector._domainkey.yourdomain.com` |
| **Record type** | TXT |
| **Value** | `"v=DKIM1; k=rsa; p=MIIBIjANBgkq..."` |
| **TTL** | 300 (default) |
| **Routing policy** | Simple routing |

Handling Long DKIM Keys

2048-bit DKIM keys produce values longer than 255 characters, which is the maximum length for a single DNS TXT string. For more on this topic, see DKIM record too long. Route 53 handles this well. When your value exceeds 255 bytes, Route 53 can split it into multiple quoted strings automatically. You can also split it yourself by breaking the value into two quoted strings separated by a space:

"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA..." "remaining-base64-characters-here"

Both approaches work. Route 53 will serve the concatenated result to any mail server that queries the record.

If you are unsure whether your key is too long, paste the full value as a single quoted string first. Route 53 will accept it and handle the splitting behind the scenes.
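
The manual split described above, together with the record from the console steps written as a change batch for `aws route53 change-resource-record-sets`, as an added Python example that is not part of the original guide. The helper names, `example.com`, the `mail` selector and the filler key are assumptions constructed for illustration; unlike the console's Record name field, the API takes the fully qualified record name.

```python
import json

MAX_TXT_STRING = 255  # DNS limit for one TXT character-string, in bytes

def split_txt_value(value: str, limit: int = MAX_TXT_STRING) -> list[str]:
    """Split a DKIM value into chunks that each fit one TXT character-string."""
    if '"' in value:
        raise ValueError("pass the bare value, without surrounding quotes")
    raw = value.encode("ascii")  # DKIM records are ASCII; fail loudly otherwise
    return [raw[i:i + limit].decode("ascii") for i in range(0, len(raw), limit)]

def route53_txt_value(value: str) -> str:
    """Render the chunks as space-separated quoted strings for the Value field."""
    return " ".join(f'"{chunk}"' for chunk in split_txt_value(value))

def record_fqdn(selector: str, zone: str) -> str:
    """Build selector._domainkey.<zone>. with the domain appearing exactly once."""
    zone = zone.strip(".").lower()
    name = selector.strip(".").lower()
    if name.endswith("." + zone):  # caller already included the domain
        name = name[: -len(zone) - 1]
    if not name.endswith("._domainkey"):
        name += "._domainkey"
    return f"{name}.{zone}."

def change_batch(selector: str, zone: str, value: str, ttl: int = 300) -> dict:
    """Change batch that creates or replaces the DKIM TXT record."""
    return {
        "Comment": "Publish DKIM public key",
        "Changes": [{
            "Action": "UPSERT",
            "ResourceRecordSet": {
                "Name": record_fqdn(selector, zone),
                "Type": "TXT",
                "TTL": ttl,
                "ResourceRecords": [{"Value": route53_txt_value(value)}],
            },
        }],
    }

# Constructed sample: 392 filler characters stand in for a 2048-bit key's base64.
SAMPLE_VALUE = "v=DKIM1; k=rsa; p=" + "A" * 392

if __name__ == "__main__":
    print(json.dumps(change_batch("mail", "example.com", SAMPLE_VALUE), indent=2))
```

Save the printed JSON to a file and pass it with `--change-batch file://...` along with your hosted zone ID.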

Using CNAME Records Instead of TXT

Some email providers (including Amazon SES and certain third-party services) give you CNAME records instead of TXT records. With a CNAME, the provider hosts the actual DKIM key on their own DNS and your record simply points to it.

To add a DKIM CNAME record in Route 53:

  1. Follow the same steps above, but select CNAME as the record type instead of TXT.
  2. In the Record name field, enter the name your provider gave you (usually something like selector._domainkey).
  3. In the Value field, paste the target hostname your provider supplied.
  4. Click Create records to save.

| Record Type | Best For | You Manage the Key |
|---|---|---|
| TXT | Self-hosted email, custom DKIM keys | Yes |
| CNAME | Providers that host the key for you (SES, Google, etc.) | No (provider manages it) |

Verifying Your DKIM Record

After creating the record, confirm it is live and correct:

Step 1: Wait for propagation

With Route 53's default TTL of 300 seconds, changes usually propagate within a few minutes. You can check almost immediately, though some resolvers may take slightly longer.

Step 2: Run a DNS lookup

Use a terminal or online DNS tool to query your record:

dig TXT selector._domainkey.yourdomain.com +short

You should see your DKIM value in the response. If nothing appears, wait a few more minutes and try again.

Step 3: Send a test email

Send a message to a Gmail address and open the original message headers. Look for dkim=pass in the Authentication-Results header. This confirms your mail server is signing messages and the DNS record is correct.
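
An added Python example (not from the original guide) that checks the answer from the DNS lookup step: it joins the quoted strings `dig` prints for a split record, parses the DKIM tags, and confirms the published `p=` value is intact base64 and matches the key you generated. The function names and the sample answer are constructed for illustration.

```python
import base64
import binascii
import re

def join_txt_strings(dig_line: str) -> str:
    """Concatenate the quoted strings of one `dig +short` TXT answer."""
    parts = re.findall(r'"((?:[^"\\]|\\.)*)"', dig_line)
    if not parts:
        raise ValueError("no quoted TXT strings in answer")
    # Some dig versions print ';' as '\;': drop the escaping backslash.
    return "".join(re.sub(r"\\(.)", r"\1", p) for p in parts)

def parse_tags(record: str) -> dict[str, str]:
    """Parse the 'tag=value; ...' list; whitespace inside a value is ignored."""
    tags = {}
    for item in record.split(";"):
        if "=" in item:
            name, value = item.split("=", 1)
            tags[name.strip()] = "".join(value.split())
    return tags

def check_dkim_answer(dig_line: str, expected: str = "") -> list[str]:
    """Return the problems found; an empty list means the record looks sound."""
    problems = []
    tags = parse_tags(join_txt_strings(dig_line))
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v= is not DKIM1")
    key = tags.get("p")
    if key is None:
        problems.append("no p= tag")
    elif key == "":
        problems.append("p= is empty (a revoked key)")
    else:
        try:
            base64.b64decode(key, validate=True)
        except binascii.Error:
            problems.append("p= is not valid base64 (truncated paste?)")
    if expected and parse_tags(expected).get("p") != key:
        problems.append("published key differs from the expected key")
    return problems

# Constructed sample: filler base64, not a real key, split the way DNS serves it.
EXPECTED = "v=DKIM1; k=rsa; p=" + "A" * 392
SAMPLE_ANSWER = f'"{EXPECTED[:255]}" "{EXPECTED[255:]}"'

if __name__ == "__main__":
    print(check_dkim_answer(SAMPLE_ANSWER, EXPECTED) or "record OK")
```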

Common Route 53 DKIM Issues

Missing quotes around the TXT value

Route 53 requires TXT record values to be enclosed in double quotes. If your record is not resolving correctly, check that the value in Route 53 starts and ends with a quote character.

Record name includes the domain twice

Route 53 appends your domain automatically. If you enter mail._domainkey.example.com in the record name field, the actual record becomes mail._domainkey.example.com.example.com, which will not work. Enter only mail._domainkey and let Route 53 add the domain.

Wrong hosted zone

If you manage multiple domains in Route 53, make sure you are adding the record to the correct hosted zone. Each domain has its own zone, and a record added to the wrong one will have no effect.

DNS is in Route 53, but email is elsewhere

Adding the DNS record in Route 53 publishes the public key, but your mail server still needs to sign outgoing messages with the matching private key. If you use a third-party email provider, follow their instructions to enable DKIM signing on their side.

Changes not appearing

Route 53 changes are usually fast, but if you recently changed nameservers or transferred the domain, older DNS caches may still hold stale data. Wait up to 48 hours in those situations.

If you use Amazon SES for sending email, SES provides its own DKIM CNAME records during the Easy DKIM setup process. Do not create separate TXT records for SES. Use the CNAME values SES gives you. See our Amazon SES guide for details.

Route 53 makes DNS record management straightforward, and its support for long TXT values means DKIM setup is painless. Generate your keys, paste them in, and you are done.
