Cloudten techblog: Using AWS SES as an SMTP Relay

One of the services that many customers overlook in their initial cloud migration assessment is that of their SMTP gateway. It is common for web applications to require access to an email relay. Some possible reasons for this may include

  • Customer registrations
  • Password reset notices
  • Sales broadcasts
  • Newsletters and regular updates

Typically, in a traditional infrastructure, the SMTP gateway has existed as part of the corporate email infrastructure or as an accessible service provided by a third party vendor. Many people, when venturing into the cloud may choose to leave their internal email platform on premise. Whilst it is possible to connect back into these existing services from AWS via some form of VPN or internet gateway, another alternative is to use the SES service as an SMTP relay.


The following steps outline how to do this:

1)   Create some SMTP credentials. This is basically accomplished by setting up an IAM user that has a predefined policy to access SES. To set this up:

  • Inside your AWS Console click on the SES service, then SMTP Settings , then “Create My SMTP Credentials” .
  • Update the name of the new IAM user to something meaningful to you and then click Create.
  • Download the subsequent credentials to a secure location.
  • NOTE: When setting up the SMTP details in your application you need to use the access key ID as the username and the secret access key as the password.

2)   Amazon then needs to verify that you do indeed own the domain that you are requesting to send email from. It does this through the use of something called DKIM records. We’ll talk more about what these are later but to set them up just complete the following:

  • Inside the AWS SES console, click on Domains under Verified Senders.
  • Click on Verify a New Domain.
  • Enter in the base level domain name you want to send from and ensure that the “Generate DKIM Settings” box is ticked.
  • The next screen will show the DKIM records. These consist of a single TXT record and several CNAME records. Choose to download these records in case you have a problem later. Store them in a safe place.
  • If the domain you are requesting is already owned by you and defined in your AWS’ Route53 then you will be presented with an option to automatically import the DKIM settings into your record set.
  • If the domain you are requesting sits outside of Route53 then you will need to manually add the records into your zone file.
  • NOTE: At this stage whilst you have used DKIM records to initiate the verification process, DKIM signing is not enabled on your SES service until you enable it under SES>Domains > “your domain”>DKIM>
  • Your domain status will now be in Pending Verification until AWS can perform a successful lookup on the domain with the DKIM records.

3)   Before your account can be productionised ( allowed to send out email unrestricted ), you must first verify the email addresses what you wish to send from. This is one of the most misunderstood steps in the process as many people assume that these are test target addresses. Ironically, this is actually the case until your account is productionised as you can only send email to addresses you have verified , but the main point of these addresses is that can send via SES. So if you intention is to send from something like, you must first ensure that the mailbox exists and is accessible as you will need to click on a link within an email that is sent to the address.

4)   Once you have successfully tested an email from one of the verified addresses, you can request production access by clicking on the appropriate big blue button. Typically production access will be granted within 24 hours assuming there are no reasons for it not to be granted.


Amazon has actually taken on a fair bit of risk by offering SES as a service. In order to provide the service levels and delivery guarantees that they do they must have to have designated ( and paid for ) a rather large block of IP addresses to be recognised as valid internet mail gateways. Due to the fact that AWS is such an easy to use and readily available platform, many businesses with questionable email practices have tried to use SES to send SPAM and other unsolicited mail. This results in IP addresses being blacklisted by a number of the major mail services ( gmail, goDaddy, yahoo etc ). Consequently, AWS needs to consistently rotate the IP addresses in its relay pool and also be seen to be proactively monitoring the quality of the emails being generated from within its managed domains. This is quite an expensive exercise and we imagine that the SES service as a whole runs at a significant loss so it will be interesting to see what happens in the future with this service.


Domain Keys Identified Mail is a system for validating sender addresses and email domains that has been adopted by such giants as gmail, yahoo and AOL amongst others. Without going into too much detail ( more information can be found here ), DKIM records involve creating a set of signed keys. A part of the key is input into the DNS zone record of your domain and used to set a DKIM-Signature header in outbound email requests. Receiving domains can, if they choose to, use information in the header to perform a DNS lookup of the sending domain and use the public key in the signature to verify its authenticity.

Cloudten Industries © is an Australian cloud practice and a recognised consulting partner of AWS. We specialise in the design, delivery and support of cloud based solutions. Don’t hesitate to contact us if you have any queries about this post or any cloud related topic.

Cloudten Industries © is an Australian cloud practice and a recognised consulting partner of AWS. We specialise in the design, delivery and support of cloud based solutions. Don’t hesitate to contact us if you have any queries about this post or any cloud related topic.