Anthony Chambers

Engineer 81

Using DKIM with Amazon Simple Email Service and Route 53 and PHPMailer

Sending email via Amazon's SES will result in GMail stating that your email is from "You via amazonses.com" which is most likely not what you need. Using DKIM will remove this, as well as giving you an extra thumbs up against spam by email clients

Written by Anthony Chambers , and read7,944 times

We're currently migrating email services to Amazon's Simple Email Service and we found quite quickly that we were getting the dreaded "via amazonses.com" in GMail, which looks a little spammy. To get rid of this, as well as to apply additional verification to our emails by signing them, we're implementing DKIM. We use PHPMailer to send SMTP mail from our application, which is fortunate as it already has support for DKIM built in.

We already use Amazon's Route 53 service to manage our DNS, which makes this implementation so much simpler, also. This is how you can do the same:

So, first of all, you need to get an AWS account. You can get an account for free here. Once you have access, go to the AWS Console and if you've not already created your hosted zone (ie the domain that you want to manage) then you will need to click on the Route 53 option first. Click Create Hosted Zone at the top and add the domain details. Once you've done this you will have a zone record which contains NS and SOA records only. I don't want to get into full DNS management in this article, so we'll leave Route 53 for now.

We can now select SES from the Console Services menu. You will notice that the you will begin with access only to the sandbox, which means that you can only send email to and from email addresses that you verify in the console. Your limit will also be around 200 emails a day. You can apply for production access and I believe that the default sending limit will raise to 10,000 every 24 hours or 5 emails a second, though this may vary depending on your use case when you apply for production access.

Now, choose Domains from the menu on the left, and click to Verify a New Domain at the top. Check the Generate DKIM Settings box at the bottom and click Verify This Domain. You will now be presented with some DNS records to set which you can download in a CSV format. Keep this handy as we'll need one of the DKIM values later.

In the SES console, go to the domain and click on the magnifying glass icon to view details. If your domain is properly set up with Route 53 there will be a Use Route 53 button on this page. Click it to set the verification value. Now open the DKIM section and you'll see another Route53 button. Click this and follow the instructions. The DKIM records will be automatically set for you in Route 53.

SES will check your DNS records (may take a while, may be instant) to check for verification. Once this is complete and you have production access you can send emails from this domain to any recipient, so we're done in the AWS console. Time to switch to PHPMailer.

PHPMailer has support for DKIM (in the latest versions at least), so it's as simple as adding two lines to your existing code:

$mail->DKIM_domain = '_amazonses.yourdomain.com';
$mail->DKIM_selector = 'seeminglyrandomvaluefromcsv';

Now refer back to your CSV file that you generated earlier (or you can find this information in both Route 53 and SES) and pick out one of the DKIM record set record names. Look at the first segment of the URL (everything up to ._domainkey) and replace seeminglyrandomvaluefromcsv with this value.

That should be all that you need to do. Ensure that you have production access and that your domain has been verified, and you should now be able to send DKIM signed mail with PHPMailer via Amazon SES. You can verify that your mail is DKIM signed by viewing the original message (in GMail click the down arrow on the far right and select Show Original and look for a DKIM-Signature (it will be called exactly that).

That's it. DKIM enabled. I hope that helps a few people