AWS Security ChangesHomeSearch

AWS ses medium security documentation change

Service: ses · 2025-09-28 · Security-related medium

File: ses/latest/dg/troubleshoot-dkim.md

Summary

Added note about Microsoft Outlook DKIM validation behavior and DNS resolution issues

Security assessment

Documents DKIM validation failures caused by third-party infrastructure issues (Microsoft Outlook), which could lead to email deliverability problems and potential spoofing risks if misinterpreted. Directly addresses security mechanisms (DKIM) and validation failures.

Diff

diff --git a/ses/latest/dg/troubleshoot-dkim.md b/ses/latest/dg/troubleshoot-dkim.md
index ec06a0a9a..5f856a70b 100644
--- a//ses/latest/dg/troubleshoot-dkim.md
+++ b//ses/latest/dg/troubleshoot-dkim.md
@@ -66,0 +67,4 @@ The extra DKIM signature, which contains `d=amazonses.com`, is automatically add
+###### Note
+
+Microsoft Enterprise Outlook randomly selects one DKIM signature for validation while ignoring the other. This behavior does not appear to correlate with the order in which signatures are arranged, making procedural workarounds ineffective. SES cannot discontinue signing emails with `amazonses.com` DKIM signatures because they are required for complaint feedback loops. Microsoft has acknowledged this as a known issue, attributing it to DNS resolution problems within their infrastructure. These DNS resolution failures would explain why DKIM signature validation appears to fail randomly, given that public keys are retrieved from DNS records.
+