AWS Messaging – Simple Email Service


Simple Email Service

  • enables you to benefit from the years of experience and sophisticated email infrastructure. has built to serve its own large-scale customer base.

Sending Email with Amazon SES

  • When you send an email, you are sending it through some type of outbound email server.
  • That email server might be provided by your Internet service provider (ISP), your company’s IT department, or you might have set it up yourself.
  • The email server accepts your email content, formats it to comply with email standards, and then sends the email out over the Internet.
  • The email may pass through other servers until it eventually reaches a receiver
  • The receiver then delivers the email to the recipient.
  • The following diagram illustrates the basic email-sending process.


  • The following diagram shows where Amazon SES fits into the email sending process.


Amazon SES and Deliverability

  • You want your recipients to read your emails, find them valuable, and not label them as spam.
  • In other words, you want to maximize email deliverability—the percentage of your emails that arrive in your recipients’ inboxes.
  • To maximize email deliverability, you need to understand email delivery issues, proactively take steps to prevent them, stay informed of the status of the emails that you send, and then improve your email-sending program, if necessary, to further increase the likelihood of successful deliveries.

Sending Email with Amazon SES

  • The following sections review the concepts behind these steps and how Amazon SES helps you through the process.


  • Amazon SES Email-Sending Process

○The following figure is a high-level overview of the sending process.


  • If the sender’s request to Amazon SES succeeds, then Amazon SES sends the email and one of the following outcomes occurs:

○Successful delivery and the recipient does not object to the email


○Hard bounce


○Soft bounce




○Auto response


Email Format and Amazon SES

  • An email consists of a header, a body, and an envelope.
  • There is one header per email message.
  • When you read an email in an email client, the email client typically displays the values of the following header fields:

○To—The email addresses of the message’s recipients.

○CC—The email addresses of the message’s carbon copy recipients.

○From—The email address from which the email is sent.

○Subject—A summary of the message topic.

○Date—The time and date the email is sent.

  • The email body contains the text of the message. The body can be sent in HTML, plain text, or both HTML and plain text formats.

Setting up Email with Amazon SES

  • To set up email with Amazon SES, you need to perform the following tasks:

○Before you can access Amazon SES or other AWS services, you need to set up an AWS account.

○Before you send email through Amazon SES, you need to verify that you own the “From” address.

○If your account is still in the Amazon SES sandbox, you also need to verify your “To” addresses.

Using a Custom MAIL FROM Domain with Amazon SES

  • When an email is sent, it has two addresses that indicate its source:

○A “From” address provided by the email header.

○A MAIL FROM address that the sending mail server specifies to the receiving mail server to indicate the source of the message.

  • By default, messages that you send through Amazon SES use as the MAIL FROM domain.
  • Sender Policy Framework (SPF) authentication successfully validates these messages because the default MAIL FROM domain matches the sending mail server, Amazon SES.
  • You might want to set the MAIL FROM domain to a domain that you own to enable your emails to authenticate with Domain-based Message Authentication.

Using a Custom MAIL FROM Domain with Amazon SES

  • There are two ways to achieve DMARC validation:

○Using SPF

○Using DKIM

  • Setting up SPF Records for Amazon SES

○When you use Amazon SES, your decision about whether to publish an SPF record depends on whether you only require your email to pass an SPF check by the receiving mail server, or if you want your email to comply with the additional requirements needed to pass DMARC authentication based on SPF.

  • Moving Out of the Amazon SES Sandbox

○To help protect our customers from fraud and abuse and to help you establish your trustworthiness to ISPs and email recipients, we do not immediately grant unlimited Amazon SES usage to new users.

○New users are initially placed in the Amazon SES sandbox.

○In the sandbox, you have full access to all Amazon SES email-sending methods and features so that you can test and evaluate the service.

Authenticating Your Email in Amazon SES

  • Amazon SES uses the Simple Mail Transfer Protocol (SMTP) to send email.
  • Because SMTP does not provide any authentication by itself, spammers can send email messages that claim to originate from someone else, while hiding their true origin.
  • Most ISPs that forward email traffic take measures to evaluate whether email is legitimate.
  • One such measure that ISPs take is to determine whether an email is authenticated.

Authentication requires senders to verify that they are the owner of the account that they are sending from.

Complying with DMARC Using Amazon SES

  • DMARC is an email authentication protocol that uses Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) to detect email spoofing.
  • An email can comply with DMARC through SPF or through DKIM.
  • For maximum deliverability, it is a best practice to set up your email-sending to comply with both methods.

Managing Your Amazon SES Sending Limits

  • Amazon SES account has a set of sending limits to regulate the number of email messages that you can send and the rate at which you can send them.
  • Sending limits benefit all Amazon SES customers because they help to maintain the trusted relationship between Amazon SES and ISPs.
  • Sending limits help you to gradually ramp up your sending activity and decrease the likelihood that ISPs will block your emails because of sudden, unexpected spikes in your email sending volume or rate.

Sending Authorization

  • Amazon SES enables you to authorize other users to send emails from your identities on your behalf.
  • This feature, called sending authorization.
  • It lets you to maintain control over your identities so that you can change or revoke the permissions at any time.
  • If you want to authorize someone to send emails on your behalf, then you are an identity owner.
  • If you have been authorized to send emails on behalf of someone else, then you are a delegate sender.

Identity Owner Tasks

  • Verifying an Identity for Amazon SES Sending Authorization
  • Setting Up Identity Owner Notifications for Amazon SES Sending Authorization
  • Getting Information from the Delegate Sender for Amazon SES Sending Authorization
  • Creating a Policy for Amazon SES Sending Authorization
  • Providing the Delegate Sender with the Identity Information for Amazon SES Sending Authorization
  • Managing Your Policies for Amazon SES Sending Authorization

Delegate Sender Tasks

  • Providing Information to the Identity Owner for Amazon SES Sending Authorization
  • Using Delegate Sender Notifications for Amazon SES Sending Authorization
  • Sending Emails for the Identity Owner for Amazon SES Sending Authorization

Using Dedicated IP Addresses with SES

  • SES sends your email from IP addresses (IPs) that you share with other Amazon SES customers.
  • When you choose whether to use dedicated IPs, shared IPs, or a mix, consider the following trade-offs.


○Email Volume

○Sending Pattern

○Reputation Isolation

○Knowledge of the IP Addresses

○Engaging Amazon SES

  • How to Warm up Dedicated IPs

○When determining whether to accept or reject an email, ISPs consider the reputation of the IP that sent it.

○One of the factors that contributes to the reputation of an IP is whether the IP has a considerable history of sending high-quality emails.

○You should therefore gradually increase your sending through a new dedicated IP before you use it to its full capacity.

○This process is called warming up the IP.

Testing Amazon SES Email Sending

  • Amazon SES provides a mailbox simulator that you can use to test how your application handles various email sending scenarios without affecting your sending quota or your bounce and complaint metrics.
  • Each email address represents a specific scenario.

The mailbox simulator provides typical bounce, complaint, and OOTO responses. In the bounce scenario, multiple bounces from the same sending request are gathered into a single response.

Amazon SES and Security Protocols

  • The security protocol that you use to connect to Amazon SES depends on whether you are using the Amazon SES API or the Amazon SES SMTP interface.
  • If you are using the Amazon SES API, then all communications are encrypted by TLS through the Amazon SES HTTPS endpoint.
  • f you are accessing Amazon SES through the SMTP interface, you are required to encrypt your connection using Transport Layer Security (TLS).
  • Amazon SES supports two mechanisms for establishing a TLS-encrypted connection: STARTTLS and TLS Wrapper.
  • The method of sending messages over a TLS-protected connection is called opportunistic TLS.

Receiving Email with Amazon SES

  • Amazon SES is a mail server that can both send and receive mail on behalf of your domain.
  • When you use Amazon SES to receive your mail, Amazon SES handles underlying mail-receiving operations, such as:

○communicating with other mail servers

○scanning for spam and viruses

○rejecting mail from untrusted sources

○accepting mail for recipients in your domain

  • Amazon SES Email-Receiving Concepts

○Recipient-Based Control

■The primary way to control your incoming mail is to specify how mail is handled based on its recipient.

■You set up receipt rules to specify how to handle the mail when a condition is satisfied, which consists of a condition and an ordered list of actions.

■ The actions available are S3, SNS, lambda, bounce, stop, add header, work mail action.

■Receipt rules are grouped together into receipt rule sets.

■The following figure shows how receipt rules, receipt rule sets, and actions relate to each other.


○IP Address-Based Control

■You can control your mail flow on a broader level by setting up IP address filters.

■Your IP address filters can include block lists and allow lists.

■These filters are useful for blocking spam.

○Email-Receiving Process

■Amazon SES first looks at the IP address of the sender.

■Examines your active receipt rule set.

■Amazon SES rejects the mail if there aren’t any matches. Otherwise, accepts the mail.

■After accepting the mail, SES evaluates your active receipt rule set.

Controlling Access to Amazon SES

  • You can use IAM with Amazon SES to specify which Amazon SES API actions an IAM user, group, or role can perform.
  • You can also control which email addresses the user can use for the “From”, recipient, and “Return-Path” addresses of emails.
  • To use IAM, you define an IAM policy, which is a document that explicitly defines permissions, and attach the policy to a user.
  • There are three reasons you might use IAM with Amazon SES:

○To restrict the email-sending action.

○To restrict the “From”, recipient, and “Return-Path” addresses of the emails that the user sends.

○To control general aspects of API usage.

Logging Amazon SES API Calls By Using AWS CloudTrail

  • Amazon SES is integrated with CloudTrail, a service that

○Captures API calls made by or on behalf of Amazon SES in your AWS account.

○Delivers the log files to an Amazon S3 bucket that you specify.

  • When CloudTrail logging is enabled in your AWS account, API calls made to a subset of Amazon SES actions are tracked in log files.
  • Amazon SES records are written together with other AWS service records in a log file.
  • CloudTrail determines when to create and write to a new file based on a time period and file size.

Regions and Amazon SES

  • When you use Amazon SES, you connect to a URL that provides an endpoint for the Amazon SES API or SMTP interface.
  • Amazon SES has endpoints in multiple AWS regions.
  • To reduce network latency, it’s a good idea to choose an endpoint closest to your application.
  • Email sending end points
Region Name API (HTTPS) endpoints SMTP endpoint
US East (N. Virginia)
US West (Oregon)
EU (Ireland)
  • Email receiving end points
Region Name API (HTTPS) endpoints
US East (N. Virginia)
US West (Oregon)
EU (Ireland)
  • Before you send email using Amazon SES, you must verify that you own your email address or domain with Amazon SES.
  • Verification status for each region is separate.
  • You must perform the Easy DKIM setup procedure for each region in which you want to use Easy DKIM.
  • Although each region has a separate suppression list, if you remove an address from the suppression list of one region, the address is removed from the suppression list of all regions.
  • You can use the same set of SMTP credentials in all regions.
  • You can use the same custom MAIL FROM domain for verified identities in different AWS regions.
  • The delegate sender must send the emails from the AWS region in which the identity owner’s identity is verified.
  • When you receive email with Amazon SES, all of the resources that you use must be in the same region as the Amazon SES endpoint.

Metrics That Define Your Success

  • Bounce Rate

○A bounce occurs when an email cannot be delivered to the intended recipient.

○There are two types of bounces: hard bounces and soft bounces.

  • Complaints

○A complaint occurs when an email recipient clicks the “Mark as Spam” button in their web-based email client.

○If you accumulate a large number of these complaints, the ISP assumes that you are sending spam.

○This has a negative impact on your deliverability rate and sender reputation.

○ Some ISPs will notify you when a complaint is reported; is called a feedback loop.

  • Message Quality

○Email receivers use content filters to detect certain attributes in your messages to identify whether your message is legitimate.

○These content filters automatically review the content of your messages to identify common traits of unwanted to malicious messages.

○Amazon SES uses content filtering technologies to help detect and block messages that contain malware before they are sent.

Amazon Pinpoint

  • Amazon Pinpoint is an AWS service that you can use to improve user engagement.
  • Use Amazon Pinpoint to create campaigns that reach audience segments with tailored messages.
  • It supports multiple messaging channels.
  • With Amazon Pinpoint, you can do the following:

○Define audience segments

○Engage your audience with messaging campaigns

○Analyze user behavior

Amazon Pinpoint Segments

  • A user segment represents a subset of your audience based on shared characteristics, such as how recently the users have used your application or which device platform they use.
  • A segment designates who receives the messages delivered by a campaign.
  • You can add segments to Amazon Pinpoint in either of the following ways:

○Building segments by choosing selection criteria that is based on data that your application reports to Amazon Pinpoint.

○Importing segments that you defined outside of Amazon Pinpoint.

Amazon Pinpoint Campaigns

  • A campaign is a messaging initiative that engages a specific audience segment.
  • It sends tailored messages according to a schedule that you define.
  • Your campaign can send a message to all users in a segment, or you can allocate a holdout, which is a percentage of users who receive no messages.
  • The segment can be one that you created on the Segments page or one that you define while you create the campaign.
  • You can set the campaign’s schedule to send the message once or at a recurring frequency.

Direct Messages with Amazon Pinpoint

  • With Amazon Pinpoint, you can send a direct message, which is a one time message that you send to a limited audience without creating a campaign.
  • Sending a direct message is useful if, before creating a campaign, you want to test how your message appears to recipients.
  • You can send the message to up to 15 recipients.
  • Amazon Pinpoint delivers a message immediately, and you cannot schedule the delivery.
  • To engage a user segment, and to schedule the message delivery, create a campaign instead of sending a direct message.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s