AWS SES

Prerequisites

Before setting up the AWS SES integration, ensure you have:

Set up an IAM user

An IAM user has permanent long-term credentials and is used to directly interact with AWS services like SES and SNS.

  1. Sign in to the AWS Management Console and open the IAM console
  2. In the navigation pane, choose Users, then click Create user
  3. Enter a name for the user (e.g., dashx-ses-user) and click Next
  4. Choose Attach policies directly
  5. Search for and attach the following policies:
    • AmazonSESFullAccess - Grants full access to Amazon SES
    • AmazonSNSFullAccess - Grants full access to Amazon SNS
  6. Click Next
  7. Review the user details and click Create user
  8. After the user is created, click on the user name to go to their details page
  9. Go to the Security credentials tab
  10. Under Access keys, click Create access key
  11. Choose Command Line Interface (CLI) as the use case
  12. Click Next, then click Create access key
warning

Make sure to securely store your Access key ID and Secret access key. For security reasons, you won't be able to retrieve the Secret access key again after leaving this page.

Add domain to SES Identities

SES Sandbox Mode

New AWS accounts start in the SES sandbox, which restricts sending to verified email addresses only and has lower sending limits. While in sandbox mode, you can only send emails to identities (domains or email addresses) that you've verified in SES. To send to any recipient, you'll need to request production access after completing the setup.

  1. Open the Amazon SES console
  2. In the navigation pane, select Verified identities
  3. Click Create identity
  4. Choose Domain as the identity type
  5. Enter your domain name (e.g., yourdomainname.com)
  6. Under DKIM signing key length, choose 2048-bit (recommended) or 1024-bit
  7. Optionally, check Enable Easy DKIM to automatically configure DKIM signing
  8. Click Create identity

Verify the domain

After creating the domain identity, SES will provide DNS records that need to be added to your domain's DNS settings.

  1. In the Verified identities page, click on your domain name
  2. You'll see several DNS records that need to be added:
    • TXT record for domain verification: This record verifies that you own the domain
    • CNAME records for DKIM: These records enable DKIM signing for your emails
  3. Add these records to your domain's DNS settings:
    • The exact process varies depending on your DNS provider (Route 53, Cloudflare, GoDaddy, etc.)
    • Copy the Name and Value from the SES console
    • Add them as the corresponding record type (TXT or CNAME) in your DNS provider
  4. After adding the records, return to the SES console
  5. Click Verify next to your domain
  6. Verification may take a few minutes to several hours depending on DNS propagation. The status will change from Pending verification to Verified once AWS detects the records
tip

DNS propagation can take up to 48 hours, but typically completes within a few hours. You can check your DNS records using tools like dig or online DNS checkers to verify they're properly configured.

Set up SPF

Sender Policy Framework (SPF) helps prevent email spoofing by specifying which mail servers are authorized to send emails on behalf of your domain.

Root domain SPF record

  1. Check if you already have an SPF record:

    • If you're using Google Workspace: v=spf1 include:_spf.google.com ~all
    • If you're using Microsoft 365: v=spf1 include:spf.protection.outlook.com ~all
  2. Add or update the SPF record in your domain's DNS settings:

    • Name/Host: @ or yourdomainname.com
    • Type: TXT
    • Value:
      • If you have an existing SPF record, update it to include Amazon SES:
        v=spf1 include:_spf.google.com include:amazonses.com ~all
      • If you don't have an existing SPF record:
        v=spf1 include:amazonses.com ~all
warning

You can only have ONE SPF record per domain. If you already have an SPF record, you must modify it to include include:amazonses.com rather than creating a duplicate.
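
The single-record rule above can be checked before touching DNS. The following is an added example, not DashX or AWS code: it takes the TXT strings currently published at a name, refuses to proceed when more than one SPF policy is present, and otherwise returns the one record to publish with include:amazonses.com placed before the all mechanism. The function names and the sample records are constructed for illustration.

```python
# Added example, not DashX or AWS code. Function names are hypothetical.
SES_INCLUDE = "include:amazonses.com"
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def _bare(term):
    """Drop the qualifier (+ - ~ ?) and lower-case the term for comparison."""
    return term.lstrip("+-~?").lower()


def spf_records(txt_records):
    """Keep only the TXT strings that are SPF policies (they start with v=spf1)."""
    cleaned = [r.strip().strip('"') for r in txt_records]
    return [r for r in cleaned if r.lower() == "v=spf1" or r.lower().startswith("v=spf1 ")]


def dns_lookup_terms(record):
    """Count this record's own lookup-costing terms. Receivers stop with a
    permerror above 10, and lookups inside included records count as well."""
    names = [_bare(t).split(":")[0].split("/")[0].split("=")[0] for t in record.split()[1:]]
    return sum(1 for n in names if n in LOOKUP_TERMS)


def merge_ses_include(txt_records):
    """Return the single SPF record to publish so that Amazon SES is authorized."""
    found = spf_records(txt_records)
    if len(found) > 1:
        # Two v=spf1 records at one name make SPF evaluation fail with a permerror.
        raise ValueError("multiple v=spf1 records found; merge them into one first")
    if not found:
        return "v=spf1 " + SES_INCLUDE + " ~all"
    terms = found[0].split()
    if any(_bare(t) == SES_INCLUDE for t in terms):
        return " ".join(terms)  # already authorized, publish unchanged
    # Mechanisms are evaluated left to right and "all" always matches,
    # so the include has to sit before it to have any effect.
    for i, term in enumerate(terms):
        if _bare(term) == "all":
            return " ".join(terms[:i] + [SES_INCLUDE] + terms[i:])
    return " ".join(terms + [SES_INCLUDE])


if __name__ == "__main__":
    # Constructed TXT set for a domain that already uses Google Workspace.
    existing = ['"google-site-verification=constructed-value"',
                '"v=spf1 include:_spf.google.com ~all"']
    merged = merge_ses_include(existing)
    print(merged, "| lookup terms:", dns_lookup_terms(merged))
```
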

Setting up a custom MAIL FROM domain improves deliverability and SPF alignment, especially if your root domain already uses another mail provider.

  1. In the SES console, navigate to your verified domain under Verified identities and click on your domain
  2. Under MAIL FROM domain, click Edit and enable Use a custom MAIL FROM domain
  3. Enter a subdomain (e.g., ses.yourdomainname.com) and, for the MX failure behavior, choose Use default MAIL FROM domain
  4. Click Save changes
  5. Add the DNS records provided by SES:
    • MX Record for the subdomain:
      • Name/Host: ses or ses.yourdomainname.com
      • Type: MX
      • Priority: 10
      • Value: feedback-smtp.[region].amazonses.com (replace [region] with your SES region)
    • SPF Record (TXT) for the subdomain:
      • Name/Host: ses or ses.yourdomainname.com
      • Type: TXT
      • Value: v=spf1 include:amazonses.com ~all

Set up DKIM

DomainKeys Identified Mail (DKIM) adds a digital signature to your emails, allowing recipients to verify that emails were sent and authorized by the owner of the domain.

  1. In the SES console, navigate to your verified domain under Verified identities
  2. Under the DKIM section, you should see the DKIM records that were generated when you created the domain identity
  3. If DKIM records are not visible, click Generate DKIM settings
  4. Copy the CNAME records provided (typically 3 records)
  5. Add these CNAME records to your domain's DNS settings:
    • Each record will have a name like [selector]._domainkey.yourdomainname.com
    • The value will be a CNAME pointing to an AWS DKIM endpoint
  6. After adding the records, SES will automatically detect them and enable DKIM signing
info

DKIM signing status will show as Success in the SES console once all three CNAME records are properly configured and detected by AWS. This typically takes a few minutes to a few hours after adding the DNS records.

Set up DMARC

Domain-based Message Authentication, Reporting, and Conformance (DMARC) builds on SPF and DKIM to provide instructions on how to handle emails that fail SPF or DKIM checks.

  1. In your domain's DNS settings, add a TXT record with the following:
    • Name/Host: _dmarc.yourdomainname.com
    • Type: TXT
    • Value: v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomainname.com
  2. Replace dmarc-reports@yourdomainname.com with an email address where you want to receive DMARC aggregate reports
  3. The p=none policy means "no action" - this is recommended for initial setup to monitor without affecting email delivery
  4. As you gain confidence, you can change the policy to:
    • p=quarantine - Move failing emails to spam/junk folder
    • p=reject - Reject emails that fail DMARC checks
tip

Start with p=none to monitor your email authentication without impacting delivery. Review DMARC reports regularly and gradually tighten the policy as you verify that your legitimate emails are passing SPF and DKIM checks.
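
How a receiver reaches the DMARC verdict, and why the custom MAIL FROM domain described earlier matters for SPF alignment, is easier to see worked through. The following is an added example, not DashX or AWS code: it models the DMARC decision for one message, using the page's placeholder domains. The function names are hypothetical, and the organizational domain is approximated as the last two labels, whereas real receivers use the Public Suffix List.

```python
# Added example, not DashX or AWS code. Models the DMARC decision for one message.

def org_domain(domain):
    """Simplified organizational domain: the last two labels.
    Assumption for this sketch; real evaluators use the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode="r"):
    """Relaxed ('r') compares organizational domains; strict ('s') needs an exact match."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_result(from_domain, mail_from_domain, spf_pass, dkim_domain, dkim_pass,
                 policy="none", aspf="r", adkim="r"):
    """Return (verdict, disposition) for one message.

    DMARC passes when SPF passes AND the MAIL FROM domain aligns with the
    From: domain, or when DKIM passes AND the signing domain (d=) aligns.
    The published policy (p=) only applies when both paths fail."""
    spf_ok = spf_pass and aligned(mail_from_domain, from_domain, aspf)
    dkim_ok = (dkim_pass and dkim_domain is not None
               and aligned(dkim_domain, from_domain, adkim))
    if spf_ok or dkim_ok:
        return ("pass", "deliver")
    return ("fail", {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}[policy])


def scenarios(policy):
    """Constructed cases for mail with From: someone@yourdomainname.com."""
    frm = "yourdomainname.com"
    return {
        # Default MAIL FROM is a subdomain of amazonses.com: SPF passes but does
        # not align, so the aligned DKIM signature is what makes DMARC pass.
        "default MAIL FROM, DKIM for own domain":
            dmarc_result(frm, "us-east-1.amazonses.com", True, frm, True, policy),
        # No aligned DKIM signature and default MAIL FROM: nothing aligns.
        "default MAIL FROM, no aligned DKIM":
            dmarc_result(frm, "us-east-1.amazonses.com", True, "amazonses.com", True, policy),
        # Custom MAIL FROM subdomain: SPF alone aligns under relaxed mode.
        "custom MAIL FROM, DKIM failing":
            dmarc_result(frm, "ses.yourdomainname.com", True, None, False, policy),
    }


if __name__ == "__main__":
    for p in ("none", "reject"):
        for name, outcome in scenarios(p).items():
            print(f"p={p:<7} {name:<42} {outcome}")
```

The record shown in this section sets neither aspf nor adkim, so both default to relaxed alignment, which is why a MAIL FROM subdomain such as ses.yourdomainname.com aligns with yourdomainname.com.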

Set up BIMI

Brand Indicators for Message Identification (BIMI) allows you to display your brand logo in supported email clients, enhancing brand recognition and trust.

  1. Prepare your logo:
    • Create an SVG version of your brand logo
    • The logo must meet BIMI specifications:
      • SVG format
      • Square aspect ratio (1:1)
      • Maximum file size: 32KB
      • Must be publicly accessible via HTTPS
  2. Host the logo:
    • Upload the SVG file to a publicly accessible HTTPS URL (e.g., https://yourdomainname.com/logo.svg)
    • Ensure the server has a valid SSL certificate
  3. Add BIMI record to DNS:
    • In your domain's DNS settings, add a TXT record with the following:
      • Name/Host: default._bimi.yourdomainname.com
      • Type: TXT
      • Value: v=BIMI1; l=https://yourdomainname.com/logo.svg
    • Replace the URL with the actual location of your hosted logo
note

BIMI is currently supported by a limited number of email clients (including Gmail for verified senders). Even if not all clients support it, setting up BIMI doesn't negatively impact email delivery and prepares you for broader adoption.

Set up receiving email (Optional)

If you want to receive emails through SES, follow these additional steps:

Set up MX Records

You have two options for setting up MX records, depending on your current email setup:

Option 1: Root domain (if not using another mail provider)

If your root domain (yourdomainname.com) doesn't already have MX records pointing to another mail provider (like Google Workspace, Microsoft 365, etc.), you can set up SES to receive emails directly for your root domain.

  1. Determine your SES region's inbound endpoint:
    • The format is inbound-smtp.[region].amazonses.com
    • Common regions:
      • US East (N. Virginia): inbound-smtp.us-east-1.amazonses.com
      • US West (Oregon): inbound-smtp.us-west-2.amazonses.com
      • EU (Ireland): inbound-smtp.eu-west-1.amazonses.com
      • For other regions, refer to the AWS SES documentation
  2. In your domain's DNS settings, add an MX record:
    • Name/Host: @ or yourdomainname.com
    • Type: MX
    • Priority: 10
    • Value: inbound-smtp.[region].amazonses.com (replace [region] with your actual region)

Option 2: Subdomain (if already using a mail provider)

If you're already using a mail provider (e.g., Google Workspace, Microsoft 365) for your root domain, your root domain will have MX records pointing to that provider. In this case, you should use a subdomain like inbound.yourdomainname.com for SES email receiving.

  1. First, verify the subdomain in SES:
    • In the SES console, go to Verified identities > Create identity
    • Choose Domain and enter inbound.yourdomainname.com
    • Follow the verification process as described in the Verify the domain section
  2. Determine your SES region's inbound endpoint (same as Option 1)
  3. In your domain's DNS settings, add an MX record:
    • Name/Host: inbound or inbound.yourdomainname.com
    • Type: MX
    • Priority: 10
    • Value: inbound-smtp.[region].amazonses.com (replace [region] with your actual region)
  4. When configuring receipt rules later, use @inbound.yourdomainname.com as the recipient condition
info

The MX record directs incoming emails to Amazon SES for processing. Make sure you use the correct endpoint for your SES region. If you're using a subdomain, ensure it's verified in SES before setting up the MX record.

Create an S3 bucket for inbound email logs

An S3 bucket is required to store inbound emails. Without this bucket, larger emails may not be processed correctly as the full headers are not sent by SNS.

  1. Open the S3 console
  2. Click Create bucket
  3. Enter a unique bucket name (e.g., dashx-inbound-emails)
  4. Choose the same AWS region where your SES is configured
  5. Configure other settings as needed:
    • Object Ownership: Choose according to your needs
    • Block Public Access: Keep default settings (block all public access)
    • Bucket Versioning: Optional, but recommended for email archival
    • Default encryption: Recommended to enable server-side encryption
  6. Click Create bucket
warning

This S3 bucket is required for receiving emails. Without it, larger emails may not be processed correctly because SNS has message size limits and doesn't send full email headers for larger messages. The S3 bucket stores the complete email, which DashX can then retrieve.

Attach an inline policy to the IAM user

The IAM user needs permissions to access the S3 bucket where inbound emails are stored.

  1. Open the IAM console
  2. In the navigation pane, choose Users
  3. Click on the dashx-ses-user you created earlier
  4. Go to the Permissions tab
  5. Click Add permissions > Create inline policy
  6. Click the JSON tab
  7. Paste the following policy:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "AllowListBucket",
          "Effect": "Allow",
          "Action": [
            "s3:ListBucket"
          ],
          "Resource": [
            "arn:aws:s3:::YOUR-BUCKET-NAME"
          ]
        },
        {
          "Sid": "AllowObjectActions",
          "Effect": "Allow",
          "Action": [
            "s3:GetObject",
            "s3:PutObject",
            "s3:DeleteObject"
          ],
          "Resource": [
            "arn:aws:s3:::YOUR-BUCKET-NAME/*"
          ]
        }
      ]
    }
    • Replace YOUR-BUCKET-NAME with your actual S3 bucket name (e.g., dashx-inbound-emails)
  8. Click Next
  9. Enter a policy name (e.g., DashXInboundEmailS3Access)
  10. Click Create policy

Configure Receipt Ruleset

SES uses receipt rulesets to process incoming emails. Only one ruleset can be active at a time.

  1. Open the Amazon SES console
  2. In the navigation pane, select Email receiving > Rule sets
  3. Check if there's already an active ruleset:
    • If an active ruleset exists, DashX will not automatically create a new one
    • You'll need to either use the existing ruleset or manually deactivate it and create a new one
    • If no active ruleset exists, DashX will attempt to create one automatically
  4. If you need to create a new ruleset manually:
    • Click Create rule set
    • Enter a name (e.g., dashx-receipt-rules)
    • Click Create rule set
    • After creating, click Set as active to activate it
warning

Only one receipt ruleset can be active at a time. If DashX finds an active ruleset, it won't create a new one, and you'll need to complete the remaining steps manually. Make sure to coordinate with your team if multiple people are configuring SES.

Add a receipt rule

Receipt rules define how SES processes incoming emails.

  1. In the SES console, navigate to Email receiving > Rule sets
  2. Click on the active ruleset (or the one you want to use)
  3. Click Create rule
  4. Configure recipients (optional):
    • If you want to accept all emails for your domain, you can leave this empty.
    • To accept emails for specific addresses, enter them (e.g., support@yourdomainname.com, info@yourdomainname.com)
    • Click Next
  5. Configure actions:
    • Click Add action > S3
    • Select the S3 bucket you created earlier (e.g., dashx-inbound-emails)
    • Optionally, specify an object key prefix to organize emails (e.g., emails/)
    • Click Add action > SNS
    • If you haven't created an SNS topic yet, you can create one here or use an existing topic
    • For a new topic, click Create SNS topic and enter a name (e.g., dashx-email-notifications)
    • Click Next
  6. Review and create:
    • Enter a rule name (e.g., dashx-inbound-rule)
    • Review the configuration
    • Click Create rule
tip

If you're accepting all emails for your domain, you typically don't need to specify conditions. The rule will match all incoming emails that reach SES for your domain.

Set up SNS topic subscription

The SNS topic will notify DashX when new emails are received.

  1. Open the Amazon SNS console
  2. In the navigation pane, select Topics
  3. Click on the topic you created earlier (e.g., dashx-email-notifications)
  4. Click Create subscription
  5. Configure the subscription:
    • Protocol: Select HTTPS
    • Endpoint: Enter your DashX webhook URL
      • To get the webhook URL: Log in to your DashX workspace, navigate to the Integrations section, find your AWS SES integration, and copy the webhook URL
    • Click Create subscription
  6. Confirm the subscription:
    • SNS will send a subscription confirmation request to your webhook endpoint
    • DashX should automatically confirm the subscription
    • The subscription status will change from Pending confirmation to Confirmed once confirmed
    • If it remains pending, you may need to manually confirm it or check that DashX is properly handling the confirmation request
info

The SNS topic subscription is essential for DashX to receive notifications when emails arrive. Without this, DashX won't know when new emails are stored in the S3 bucket.

Next steps

After completing the setup:

  1. Verify your email authentication setup: Use free online tools to verify that your SPF, DKIM, and DMARC records are properly configured:

    These tools will help you verify that all DNS records are correctly configured and that your emails will pass authentication checks.

  2. Test email sending: Test sending emails through the DashX console:

    • Log in to your DashX workspace
    • Navigate to the Broadcasts section
    • Create a new Broadcast
    • Select your verified domain as the sender
    • Send a test email to a verified email address (remember, in sandbox mode you can only send to verified identities)
    • Verify that the email is delivered and that SPF, DKIM, and DMARC authentication passes
info

While in SES sandbox mode, you can only send emails to identities (domains or email addresses) that you've verified in SES. To test with unverified recipients, you'll need to request production access first.

  3. Test email receiving (if configured): Send a test email to an address under your domain (or subdomain if using Option 2) and verify:

    • The email is stored in the S3 bucket
    • DashX receives the SNS notification
    • The email is processed correctly in DashX
  4. Monitor email metrics: Monitor your email performance through the DashX console:

    • Navigate to the Broadcasts section in your DashX workspace
    • View sending statistics, delivery rates, and engagement metrics
    • Monitor bounce and complaint rates to maintain a good sender reputation
    • Use these metrics to optimize your email campaigns
  5. Request production access: Once you've verified your domain and email authentication is working correctly, request production access to:

    • Send emails to any recipient (not just verified identities)
    • Increase your sending limits
    • Remove sandbox restrictions
tip

Request production access as soon as your domain is verified and email authentication is working. The approval process typically takes 24-48 hours, and you'll need to provide information about your use case and email sending practices.