Email using business email address with amazon ses?

So if I use cloudflare, and my xf site (which sends mail via php) is hosted on AWS, and I use zoho for POP email, do I have this correct?:
cloudflare DNS:
-- for SPF: make sure record includes IPs for both AWS (domain) and zoho
-- for DKIM: per zoho, "You have to inform your Website hosting team to configure DKIM for your domain and don't configure DKIM for the return path of emails." .... so does this mean I need to get the DKIM for AWS? I don't know what is mean by "don't configure for the return path"

 

Thanks - but if I don't use ses and instead send from the server (xf setting / php), do i use the ec2 domain? I already include the IP.

 

Thank you! Your DKIM instructions (here) don't make any mentions of selectors, and I think that's my remaining problem. I can send no problem via SSH command line and XF-based emails sends fine, but the difference between the two are in the headers:
from ssh: includes "dkim=pass;"
from xf: does not include "dkim=pass;"
and when I try to test dkim specifically via mxtoolbox, I get the following:

 

It's very odd; everything passes checks, EXCEPT when I send a message from the xenforo platform (to gmail for example)... The note sends fine, but when I copy/paste the email header into the mxtoolbox header analyzer, I get the following result:



Indeed, I do not see a dkim=pass line item in the header... (nothing about dkim in the header, in fact). But everything else checks out. Specifically:

yes, the DKIM entry there appears to be correct.

Looks good, and when I send a test email via command line per your instructions, I do get the dkim=pass item, and everything checks out fine. It also works if I send via POP email, which aligns with my zoho account, and again, dkim=pass is in the header. The mxtoolbox results for mxtoolbox, dkim (per your instructions above; see result screen grab below), and spf seems to work everywhere (thanks to this post).



Here are the relevant entries; apologies for crude obfuscation but trying to give as much context as possible. Anything you see amiss here?

 

...it does have this, though... ? it's followed by my host.domain.com and some short string.

DKIM-Filter: OpenDKIM Filter v2.11.0

 

still can't determine why dkim=pass won't show up (except when sending from command line). When running from command line, I also get notice that "spf=none (zohomail.com: x.x.x.x is neither permitted nor denied by domain of host.domain.com)" ....

When sending from xenforo, or from POP mail spf=pass but there is no line for dkim. It's not dkim=fail, there's just no dkim.

 

When I turn off proxy for the host.domain.com A record (and I leave the domain.com A record itself on proxy/orange cloud), I get site monitor errors (i.e., I get alerts that says the site is down), even though domain.com itself seems to be fine.

On nginx, does my domain.com.conf file need to make any reference to host.domain.com? (It does not currently; it only has configurations for domain.com). Here is an excerpt - any issues here?

Code:

 server{
  listen 443 ssl http2;
  server_name domain.com;

ssl_certificate    /usr/local/nginx/conf/ssl/cloudflare/domain.com/domain.com.pem;
ssl_certificate_key   /usr/local/nginx/conf/ssl/cloudflare/domain.com/domain.com.key;
ssl_client_certificate /usr/local/nginx/conf/ssl/cloudflare/domain.com/origin.crt;
ssl_verify_client on;
http2_max_field_size 16k;
http2_max_header_size 32k;

  # enable ocsp stapling
#  resolver 8.8.8.8 8.8.4.4 valid=10m;
#  resolver_timeout 10s;
#  ssl_stapling on;
#  ssl_stapling_verify on;
  ssl_trusted_certificate /usr/local/nginx/conf/ssl/cloudflare/cloudflare.crt;

 

uptime monitors

 

Uptime Robot in Slack. It is actually monitoring www.domain.com (my site is set up to redirect to domain.com).