Custom SPF Record

Hi @uca,

A couple things to point out here:

  • You can use two different DKIM keys only if the selectors are different. So for example your DKIM keys cannot both be default._domainkey.fwla.com. You’d need something like AmazonSES._domainkey.fwla.com. and the mail._domainkey.fwla.com that MIAB issues. You’ll need to add the Amazon SES DKIM records to your name server (likely MIAB?)
  • You are likely failing to reliably deliver mail because the default MIAB DMARC settings are to reject email not delivered by the MIAB, which is not how SES is delivering its email. You’ll need to change the fwla.com SPF records to permit both the MIAB server and Amazon SES. That should look something like a TXT record with “v=spf1 include:amazonses.com include:box.fwla.com -all”. This will permit all SES and MIAB outgoing traffic to be authorized by DMARC. You should check your AWS Console to ensure there are not specific SPF records your SES instance requires (I’ve never used SES before, so I’m not sure if that’s the case. The guidance online seems to be that amazonses.com is the proper domain.)

P.S. You can use the DMARC Validator to help ensure the DKIM and SPF settings are correct. It’s a free service that provides an email address to which you send an email (send one from SES and one from MIAB) and it will analyze your DKIM, SPF, DNS, and email headers to ensure everything is right for your particular environment.
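
An added example, not part of the post above: a small SPF evaluator (supporting only `ip4`, `a`, `include` and `all`) that compares a box-only record with the combined record suggested in the post. All zone data, IP addresses and the `BOX_ONLY` record are constructed for illustration; the `amazonses.com` entry is a stand-in, not Amazon's published record.

```python
import ipaddress

# Constructed zone data (assumption): documentation-range addresses only.
# The amazonses.com TXT value is a stand-in, not Amazon's real SPF record.
ZONE = {
    "txt": {"amazonses.com": "v=spf1 ip4:198.51.100.0/24 -all",
            "box.fwla.com": "v=spf1 a -all"},
    "a": {"box.fwla.com": ["203.0.113.10"]},
}
BOX_ONLY = "v=spf1 a:box.fwla.com -all"  # constructed "before" record
COMBINED = "v=spf1 include:amazonses.com include:box.fwla.com -all"  # from the post
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(ip, domain, record=None, depth=0):
    """Evaluate an SPF record for a sending IP against the constructed zone."""
    if depth > 10:  # recursion guard against include loops
        return "permerror"
    record = record or ZONE["txt"].get(domain)
    if not record or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in RESULT else "+"
        name, _, arg = term.lstrip("+-~?").partition(":")
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = ip in ZONE["a"].get(arg or domain, [])
        elif name == "include":
            inner = check_spf(ip, arg, depth=depth + 1)
            if inner in ("none", "permerror"):
                # An include target without a valid SPF record is a permerror
                return "permerror"
            matched = inner == "pass"  # inner fail/softfail/neutral: no match
        else:
            return "permerror"  # mechanism outside this example's subset
        if matched:
            return RESULT[qualifier]
    return "neutral"

def compare(ip):
    """Return (result under BOX_ONLY, result under COMBINED) for a sender IP."""
    return (check_spf(ip, "fwla.com", BOX_ONLY),
            check_spf(ip, "fwla.com", COMBINED))
```

The `permerror` branch is the case to watch when adding an `include:`: every included name must itself publish an SPF record, otherwise evaluation of the whole policy errors out instead of passing or failing.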