
Amazon SES domain verification always fails


I've been trying for months to verify my domain with Amazon Web Services so that I can use Amazon SES to send emails. Verification fails every time. I've retried about 35 times. Each time it fails.

I've added a TXT record to my DNS. It looks like:

[screenshot of the TXT record]

When I run:

 nslookup -type=ns redmatterapp.com

I see:

redmatterapp.com    nameserver = ns-1546.awsdns-01.co.uk.
redmatterapp.com    nameserver = ns-692.awsdns-22.net.
redmatterapp.com    nameserver = ns-1471.awsdns-55.org.

When I run:

nslookup redmatterapp.com ns-692.awsdns-22.net

I see:

Server:     ns-692.awsdns-22.net
Address:    205.251.194.180#53

Name:   redmatterapp.com
Address: 52.27.95.103

When I run:

nslookup -type=TXT redmatterapp.com ns-692.awsdns-22.net

I see:

Server:     ns-692.awsdns-22.net
Address:    205.251.194.180#53

*** Can't find redmatterapp.com: No answer

Shouldn't I be able to see the TXT record?


Solution

  • You're creating the DNS record in a place where nobody but you can actually see it... on a set of name servers that you aren't actually using to host the DNS for this domain.

    Your domain is evidently registered with Register365, but your authoritative name servers are actually AWS Route 53 name servers (e.g. ns-692.awsdns-22.net).

    Any entries you make in the registrar's DNS record management console will have no effect at all if the registrar's DNS servers aren't the ones your domain is actually using... and that appears to be the case here.

    Registrars have, in my opinion, confused this issue for many people by bundling free authoritative DNS hosting with paid name registration services, even though these are rightfully two independent service offerings.

    At some point, you switched your DNS hosting over to Route 53, and for this reason, Route 53 is where you need to create this new record. In the Route 53 console, find the Hosted Zone for this domain with matching name servers, and add this record there.

    Your nslookup should start working as expected and SES should have no trouble validating your record, after that.

    In the interest of not confusing future readers, the reason this entry goes in Route 53 is not because of any necessary connection between SES and Route 53. The fact that these are both AWS services is coincidental. The reason this is the fix is simply because Route 53 is who you have already -- at some point in the past -- chosen as your authoritative DNS hosting provider.
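
The diagnosis in the answer can be scripted: list the name servers the domain is actually delegated to, then ask each one directly for the TXT record. This is an added example, not part of the original question or answer; the function names are hypothetical, it assumes BIND-style `nslookup` output like that shown in the question, and the third sample reply is constructed.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes BIND-style nslookup output.

# Name servers the domain is delegated to, parsed from `nslookup -type=ns` output on stdin.
parse_ns() {
  awk '/nameserver = / { ns = tolower($NF); sub(/\.$/, "", ns); print ns }'
}

# Classify a `nslookup -type=TXT` reply on stdin: "present" if it carries a TXT answer.
classify_txt() {
  if grep -q 'text = '; then echo present; else echo missing; fi
}

# Succeeds if server $1 is in the delegated set read from stdin (parse_ns output).
# Use it to test whether the DNS host where the record was created is really in use.
is_delegated() {
  want=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//')
  grep -qxF "$want"
}

# Live check: query every delegated server directly for TXT at name $2 (default: zone $1).
# Returns non-zero if any delegated server does not answer with the record.
check_txt() {
  zone=$1; name=${2:-$1}; rc=0
  for ns in $(nslookup -type=ns "$zone" | parse_ns); do
    state=$(nslookup -type=TXT "$name" "$ns" 2>&1 | classify_txt)
    printf '%-28s %s\n' "$ns" "$state"
    [ "$state" = present ] || rc=1
  done
  return "$rc"
}

# Sample replies: the first two are copied from the question, the third is constructed.
SAMPLE_NS='redmatterapp.com    nameserver = ns-1546.awsdns-01.co.uk.
redmatterapp.com    nameserver = ns-692.awsdns-22.net.
redmatterapp.com    nameserver = ns-1471.awsdns-55.org.'
SAMPLE_TXT_MISSING="*** Can't find redmatterapp.com: No answer"
SAMPLE_TXT_PRESENT='redmatterapp.com    text = "constructed-token-value"'

# Run against live DNS only when a zone is given on the command line.
if [ "$#" -gt 0 ]; then check_txt "$@"; fi
```

Run it with the zone, and optionally the record name, as arguments. Every delegated server should report `present` before retrying verification.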