AWS DKIM Validation Broken Between V1 and V2 API

[ben851]

Description

Domain validation is broken when deploying a new environment. As per AWS:

My name is Duanne, here to assist with the domain verification pending issue you noted for domain dev.notification.cdssandbox.xyz. To set the context, SES currently runs two API versions, v1 and v2. The v2 API is newer and is what the SES Console is currently based on. There are also differences in how identities are verified for both versions of the API. The v2 API will verify a domain based on the existence of the DKIM DNS records, while the v1 API requires a TXT record to be added to complete identity verification.

Looking at the request to verify the domain dev.notification.cdssandbox.xyz, the request was made by Terraform using the v1 API call VerifyDomainIdentity. Cloudtrail link for this event, here[1]. As such, SES is now looking for the TXT record to complete verification, but can only find TXT records for other regions the domain is/was verified in. For this reason you see the message that the DNS record was found but the value of the DNS record is not what was expected.

There are two ways to resolve this -

Delete and re-add the domain using the v2 API:

• Remove the domain identity using the v1 API call DeleteIdentity (applicable CLI command https://docs.aws.amazon.com/cli/latest/reference/ses/delete-identity.html)
• Add the domain back using the SES Console or use Terraform if it can be updated to leverage the v2 SES API instead
• Once added using the v2 API, it should be verified under the already added DKIM DNS records

Add the TXT record required as part of the v1 API:

• Add a TXT record as per below

Name: _amazonses.dev.notification.cdssandbox.xyz (your DNS provider may automatically append the domain name, in which case you use only _amazonses as the name) Value: +mX5BSV/wAQEiD5VAh7JQ3xXOAdmLSoBvnFTcnvpsHE=

Once the TXT recorded is added and SES has been able to resolve it, the verification should complete.

I would recommend that you move over to using the v2 API.

[1] https://ca-central-1.console.aws.amazon.com/cloudtrail/home?region=ca-central-1#/events?StartTime=2024-10-19T11:47:50.102Z&EndTime=2024-10-22T11:47:50.102Z&EventSource=ses.amazonaws.com

If you have any further questions, please let me know and have a good day!

We value your feedback. Please share your experience by rating this and other correspondences in the AWS Support Center. You can rate a correspondence by selecting the stars in the top right corner of the correspondence.

WHY are we building?

We need to be able to programmatically recreate our environment as part of BCP and keeping dev environments clean.

WHAT are we building?

Review Duanne's recommendations and determine how to implement this by terraform

VALUE created by our solution

Our system will be able to be automatically deployed again.

Acceptance Criteria

• [x] New environment creation is fully automated again
• [x] Solution is implemented in terraform

QA Steps

• [x] After production release, verify that the SES identities are verified in the AWS console. NOTE: trvapply-vrtdemande.apps.cic.gc.ca was broken before this, and is still broken because the domain does not exist. This is not our fault and we should reach out to the owners of this domain to see if it's still needed.

[ben851]

AWS response: My name is Duanne, here to assist with the domain verification pending issue you noted for domain dev.notification.cdssandbox.xyz. To set the context, SES currently runs two API versions, v1 and v2. The v2 API is newer and is what the SES Console is currently based on. There are also differences in how identities are verified for both versions of the API. The v2 API will verify a domain based on the existence of the DKIM DNS records, while the v1 API requires a TXT record to be added to complete identity verification.

Looking at the request to verify the domain dev.notification.cdssandbox.xyz, the request was made by Terraform using the v1 API call VerifyDomainIdentity. Cloudtrail link for this event, here[1]. As such, SES is now looking for the TXT record to complete verification, but can only find TXT records for other regions the domain is/was verified in. For this reason you see the message that the DNS record was found but the value of the DNS record is not what was expected.

There are two ways to resolve this -

Delete and re-add the domain using the v2 API:

• Remove the domain identity using the v1 API call DeleteIdentity (applicable CLI command https://docs.aws.amazon.com/cli/latest/reference/ses/delete-identity.html)
• Add the domain back using the SES Console or use Terraform if it can be updated to leverage the v2 SES API instead
• Once added using the v2 API, it should be verified under the already added DKIM DNS records

Add the TXT record required as part of the v1 API:

• Add a TXT record as per below

Name: _amazonses.dev.notification.cdssandbox.xyz (your DNS provider may automatically append the domain name, in which case you use only _amazonses as the name) Value: +mX5BSV/wAQEiD5VAh7JQ3xXOAdmLSoBvnFTcnvpsHE=

Once the TXT recorded is added and SES has been able to resolve it, the verification should complete.

I would recommend that you move over to using the v2 API.

[ben851]

I migrated the ses domain identity to the V2 resource in Terraform, and this resolved the issue.

We will have to delete and recreate the identities in staging and production in order for this to work.

[ben851]

Production release scheduled tomorrow for 8am

[ben851]

Production released, all domains are still verified. Ready for QA/closure

[sastels]

Done, Jimmy will investigate the unverified domain. trvapply-vrtdemande.apps.cic.gc.ca