One of the best transactional Email Service Providers (ESPs) is Amazon’s Simple Email Service (SES). It can actually be used to send many different kinds of email but its reputation controls and high deliverability make it particularly suited for transactional email.
Amazon’s tools are powerful and robust but also rather difficult to set up. This guide will walk you through the process so you can set it up properly and securely.
We can also help you set up SES under our AWS account, or under your AWS account if you grant us the proper access permissions. Reach out if you’d like our assistance.
Create an AWS account
To use SES, you first have to sign up for an Amazon Web Services (AWS) account. AWS includes all the services (essentially tools and APIs) that can be used to power advanced business solutions. It’s a kind of infrastructure for the web. SES is one of those services.
AWS has two different kinds of users: root users and IAM users. Root users are account owners and have full access to everything in the account, including all the capabilities provided by SES. IAM users are restricted users created for specific purposes.
If you already have an AWS account, log in as a root user and skip to the next step.
If you don’t, go to aws.amazon.com and click Create an AWS Account. Follow the instructions to create the account but keep these guidelines in mind:
- Use a strong password that you’ve never used on any other site and save it in a password manager or other secure location. This account has access to billing, and hacked AWS accounts can run up extremely high bills.
- You’ll have to provide accurate information in the signup and connect a credit card. Amazon will verify your identity but won’t actually charge you until you go over the free limits.
- You probably don’t need a support plan with Amazon at this stage. You can always sign up for one later, if you want to.
- We strongly recommend you set up Multi-Factor Authentication (MFA). After you sign in to your account, click the account name at the top-right of the header to open the dropdown menu and select My Security Credentials. Then expand the Multi-factor authentication (MFA) section, click Activate MFA, and follow the instructions. You’ll probably want to use the Virtual MFA device.
Go to the IAM console
- Log in to the AWS Console.
- Click the search box in the header and search for IAM.
- In the Services section of the results, click IAM.
IAM stands for Identity and Access Management. It's the control panel that lets you set up users and permissions.
Create the user group
- In the IAM Console, go to Access management > User groups.
- Click Create group.
- Name the group EmailSenders (or something similar).
- Add the permissions AmazonSESFullAccess and AmazonSNSFullAccess.
- Click Create group.
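
The two managed policies above give the sending key every SES and SNS action in the account. As an added example (not part of the original guide and not AWS tooling), the Python below contrasts that grant with a send-only policy and flags what is broader than sending. The account ID, region, identity, configuration set name and From address are placeholders, and it assumes the website only calls the two send actions; a plugin that also reads identities or quotas would need those read actions added.

```python
import json

# Constructed stand-in for the effect of AmazonSESFullAccess plus
# AmazonSNSFullAccess on the group (simplified to the two wildcards).
FULL_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ses:*"], "Resource": "*"},
        {"Effect": "Allow", "Action": ["sns:*"], "Resource": "*"},
    ],
}

# Send-only alternative. Placeholders (assumptions): account 111122223333,
# region us-east-1, identity example.com, configuration set example-com,
# From address no-reply@example.com.
SEND_ONLY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ses:SendEmail", "ses:SendRawEmail"],
        "Resource": [
            "arn:aws:ses:us-east-1:111122223333:identity/example.com",
            "arn:aws:ses:us-east-1:111122223333:configuration-set/example-com",
        ],
        "Condition": {"StringEquals": {"ses:FromAddress": "no-reply@example.com"}},
    }],
}

def _as_list(value):
    # IAM allows a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]

def overbroad_findings(policy):
    """Return (statement index, reason) for Allow statements broader than sending."""
    findings = []
    for i, stmt in enumerate(_as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if "*" in action:
                findings.append((i, f"wildcard action {action}"))
        if "*" in _as_list(stmt.get("Resource", [])) and "Condition" not in stmt:
            findings.append((i, "all resources, no condition"))
    return findings

if __name__ == "__main__":
    print(overbroad_findings(FULL_ACCESS))
    print(json.dumps(SEND_ONLY, indent=2))  # paste into the IAM policy editor
```
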
Create the user
- In the IAM Console, go to Access management > Users.
- Click Add user.
- Set the User name to a name that will make it easy to identify later. Some examples include <website-name>-email-sender or <email-address>-email-sender. If you already have a naming scheme for users, comply with that scheme. This user name is only used for internal purposes so it can be pretty much anything that makes sense to you.
- Under Access type, enable only Programmatic access. Do not enable console access.
- Add the user to the EmailSenders group you created earlier.
- You can probably skip the tags.
- On the Review page, click Create user.
- In the Secret access key column, click Show.
- Copy the Access key ID and the Secret access key to your password manager (or other secure location). Make sure to copy them immediately because the Secret access key cannot be displayed again later. If you miss it, you’ll have to delete the user and recreate it.
- After you’ve stored the credentials securely, click Close.
Go to the SES console
- Click the search box in the header and search for SES.
- In the Services section of the results, click Amazon Simple Email Service.
Create a Configuration Set
A configuration set isn’t strictly necessary but we strongly recommend using one because it provides some useful capabilities later on, including better monitoring and reputation management. It’s easier to set it up now even if you won’t end up using those additional capabilities. If you prefer not to, you can just skip ahead to the next step.
- In the SES Console, go to Email Sending > Configuration Sets.
- Click Create Configuration Set.
- Set the Configuration Set Name to a name based on the domain or usage. For example, if your website is hosted at www.example.com, the configuration set name could be example-com or main-website-transactional-email or something similar.
- Click Create Configuration Set.
- Click Close on the Configuration Set Created popup.
You can edit the configuration set to add a destination for events or a dedicated IP, if you wish, but that’s beyond the scope of this guide.
Decide whether to verify a domain or an email address
To send email with SES, you first have to prove to Amazon that you own the sending domain or email address, or have legitimate access to it.
You have two options:
- Verify a domain to send email from any email address on the domain. This is useful when your website or app is expected to send emails on behalf of multiple email addresses. There doesn’t necessarily have to be a mailbox associated with any of the email addresses, such as in the case of no-reply emails.
- Verify an email address to send email from only that particular email address. This is useful for finer control and helps prevent abuse or accidental misuse.
Note that you can verify both a domain and an email address on the same domain. If you do verify both, the email address and its settings will take precedence over the domain settings for any email sent from that email address. You can verify as many individual email addresses as you wish.
Verify a domain
This step is only relevant if you’ve decided to verify your domain.
- In the SES Console, go to Identity Management > Domains.
- Click Verify a New Domain.
- Enter your domain in the Domain field.
- Enable the Generate DKIM Settings checkbox.
- Click Verify This Domain.
- The Verify a New Domain popup will display a number of tables with DNS records.
- Add the Domain Verification Record to your domain. This is typically a TXT record on the _amazonses subdomain of your domain.
- Add the DKIM Record Set records to your domain. There are usually two CNAME records whose names are long randomly named subdomains under the _domainkey subdomain. Add both DNS records to your domain.
- If you wish to also accept incoming email with SES, you can add the Email Receiving Record. This is an advanced option not covered in this guide. If your domain already has email set up, you should probably skip this option and ask us or an expert to help. Adding the record displayed in this table will likely break your email, so avoid it if you don’t know what it does.
- Click Close.
- The domain will be added to the list of domains and will show pending verification for both the Verification Status and DKIM Status columns. As long as the Verification Status is pending, the Enabled for Sending column will show No and you won’t be able to use the domain.
- Expand the domain in the table by clicking the little triangle to its left. Look for MAIL FROM Domain and note the subdomain under amazonses.com. That subdomain is the region, which we’ll need later. Note it down.
- Click the refresh button (two arrows going around in a circle) at the top right above the table to have AWS check the status of the domain. Verification can take a few minutes or a few days so you might have to wait patiently for the verification to complete. If the status doesn’t change immediately, wait a while before checking again.
- If all goes well, eventually the domain will be verified successfully. Refreshing the list (or the page) should show verified under both the Verification Status and DKIM Status columns, and Yes under Enabled for Sending.
Verify an email address
This step is only relevant if you’ve decided to verify an email address.
- In the SES Console, go to Identity Management > Email Addresses.
- Click Verify a New Email Address.
- Enter the email address you want to verify in the Email Address field. This should be the email address that you want your website visitors to see when they receive email from your website. Typically, this will be something like email@example.com or firstname.lastname@example.org. Note that the email address should be a real address that has a mailbox because you’ll have to verify it.
- Click Verify This Email Address.
- The email address will be added to the list with a Verification Status of pending verification.
- Expand the email address in the table by clicking the little triangle to its left. Look for MAIL FROM Domain and note the subdomain under amazonses.com. That subdomain is the region, which we’ll need later. Note it down.
- AWS will send a verification email message to your mailbox titled Amazon Web Services – Email Address Verification Request. Open the message and click the link to verify your email address. If all goes well, you should see a page telling you that the verification was successful.
- Go back to the tab with the AWS Console and refresh the list (or the page). The Verification Status should be verified.
Configure your website
At this stage, you’ve already finished configuring SES on AWS. Now we have to apply the settings to the website.
One option is to send us the details we need and we’ll configure the website. You can send us the information using one of our secure channels. These are the details we need:
- The Access key ID of the IAM user
- The Secret access key of the IAM user
- The email address from which the website will send email (should be identical to the verified email address if you chose that option)
- The name of the sender
- The region of the verified domain or email address that you noted earlier
Another option is to add the Access key ID and Secret access key to the website on your own. The instructions will vary depending on the plugin or setup of your website. The steps below assume you’re using the popular Fluent SMTP plugin. If you’re using another plugin, you can ask us for help or extrapolate.
- Log in to your website’s dashboard as a user with administrator permissions.
- Install the free Fluent SMTP plugin if it’s not already installed.
- Go to Settings > Fluent SMTP.
- Choose the SES connection provider.
- In the Sender Settings section, enter the desired From Email and From Name that will be used to send all the email from the website. If you only verified an email address, the From Email must be the same email address that you verified. If you verified a domain, any email address under that domain should work.
- In the section with the access keys, choose where to store them. We usually store the access keys in the config file because it’s more secure, but you need access to the file system to do that. If you don’t have that access, select Store Access Keys in DB and then enter the Access key ID in the Access Key field and the Secret access key in the Secret Key field.
- The Region has to match the region you noted down earlier for the domain or email address.
- Click Save Connection Settings.
Test email delivery
It’s important to test that the email delivery works before users start visiting your website.
If you’re using Fluent SMTP to send email from your website, you can use its Email Test page to send a test email to yourself.
If you’re using a different email plugin or another mechanism to send email, you’ll have to find another option. Most email plugins provide some way to test it.