AWS SES Identity "pending verification" for DKIM config - amazon-web-services

Brand new to AWS & Simple Email Service (SES) and have an app that needs to generate some email using SES. All I'm trying to do is set things up so that my app's service user (called, say, myapp-dev) has Access & Secret Keys that have permission to use SES APIs for generating emails. Furthermore I need these SES-generated emails to be sent from either no-reply@myapp.example.com which is not a valid email address, as well as hello@myapp.example.com which is a valid email address. This is because some SES emails will be alerts/notifications that end users should not respond to, and other emails will be emails that they may very well want/need to reply to.
I've already created a myapp-dev user that has AmazonSESFullAccess permissions.
Not knowing any better, I then went to the SES dashboard and clicked Manage Identities and started creating a new "SES Identity". I'm not sure if I need to do this or not (given my needs) or whether my myapp-dev user is ready to use the SES APIs as-is. Adding this new SES identity, it asked me to enter my domain and gave me the option to generate DKIM configurations for that domain. I read up quickly on DKIM and it sounds like it's a way to authenticate that emails did in fact come from my domain, so it sounds like it's something I'd like to leverage. So I generated DKIM configs and now SES says that my new identity has a status of "pending verification".
Main concern is bolded above: with AmazonSESFullAccess permission, is my myapp-dev user ready to rock n' roll? Or will SES APIs fail/refuse to send emails until my SES identity (for my domain) is "verified"?
What do I actually need to do to change the SES identity from "pending" to "verified"? I did see a note that I needed to modify TXT and CNAME DNS records to configure DKIM with my domain, is that it? Or do I need to do something else?
Thanks in advance for any and all clarification!

Found an alternate answer in this thread:
https://forums.aws.amazon.com/thread.jspa?threadID=125362
Here's what might have happened: Some domain name providers will automatically add example.com on to the end of the name/host field. So if you enter _xx.example.com, they'll "silently" change it to _xx.example.com.example.com
This is currently the case with namecheap, as I've painfully learned.....
It turned out this was my issue. Make sure to double check!
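The doubled-suffix mistake described in this answer can be checked before waiting on verification. The following is an added example, not code from the thread or from AWS: it compares the record names SES expects with what a zone-appending DNS panel would publish. The tokens and typed host fields are constructed sample data, and the function names are hypothetical.

```python
# Constructed sample data: zone, SES-style record names, and what was typed
# into the DNS panel's host/name field (tokens are made up).
ZONE = "example.com"
EXPECTED = [
    "_amazonses.example.com",         # domain verification TXT record
    "tokena._domainkey.example.com",  # DKIM CNAME records
    "tokenb._domainkey.example.com",
]
TYPED = ["_amazonses.example.com", "tokena._domainkey"]


def published_fqdn(host_field, zone, provider_appends_zone=True):
    """FQDN the panel actually publishes for a typed host field."""
    host = host_field.strip().rstrip(".").lower()
    zone = zone.strip().rstrip(".").lower()
    if host in ("", "@"):
        return zone
    return f"{host}.{zone}" if provider_appends_zone else host


def host_field_for(record_name, zone):
    """What to type so that a zone-appending panel publishes record_name."""
    name = record_name.rstrip(".").lower()
    zone = zone.rstrip(".").lower()
    if name == zone:
        return "@"
    if not name.endswith("." + zone):
        raise ValueError(f"{record_name} is not inside zone {zone}")
    return name[: -len(zone) - 1]


def audit(expected_names, typed_host_fields, zone):
    """Return (record name, status, host field to use) for each expected record."""
    zone = zone.rstrip(".").lower()
    published = {published_fqdn(h, zone): h for h in typed_host_fields}
    findings = []
    for name in expected_names:
        name = name.rstrip(".").lower()
        if name in published:
            findings.append((name, "ok", published[name]))
        elif f"{name}.{zone}" in published:
            # The full name was typed and the panel appended the zone again.
            findings.append((name, "zone appended twice", host_field_for(name, zone)))
        else:
            findings.append((name, "missing", host_field_for(name, zone)))
    return findings


if __name__ == "__main__":
    for row in audit(EXPECTED, TYPED, ZONE):
        print(row)
```

An identity stays "pending verification" until every expected name resolves, so a single doubled or missing record is enough to block it.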

You need to wait for DNS verification; it can take a while.
You also need to take the Sandbox into account and open a ticket to move out from it.
https://docs.aws.amazon.com/ses/latest/DeveloperGuide/request-production-access.html
To help protect our customers from fraud and abuse and to help you establish your trustworthiness to ISPs and email recipients, we do not immediately grant unlimited Amazon SES usage to new users. New users are initially placed in the Amazon SES sandbox. In the sandbox, you have full access to all Amazon SES email-sending methods and features so that you can test and evaluate the service; however, the following restrictions are in effect:
You can only send mail to the Amazon SES mailbox simulator and to verified email addresses and domains.
You can only send mail from verified email addresses and domains.
You can send a maximum of 200 messages per 24-hour period.
Amazon SES can accept a maximum of one message from your account per second.

Related

How to prevent someone from using my domain in Amazon SES -- they are sending emails from my domain with a different email address

So I received an email from AWS that someone is using my domain for spamming.
I checked the details of the email that was sent and I detected that if my domain is myapp,
and I am usually sending emails from email address office@myapp.com. I noticed that the hacker is using the mail 073office@myapp.com which is very similar to my business email.
This address 073office@myapp.com is not verified in my SES verified emails, but he is still using my ARN somehow.
How can I prevent it? Is there a way to configure SES only from one email?
Are you able to see in the SES logs if the emails are being sent from your SES? If yes, try creating new SES credentials and disable the existing ones, to avoid them using the current ones. If not, they are probably using external SMTP and spamming using your domain and this is something that you can't do much to avoid.
So apparently one of our access keys was leaked and was included in the frontend's cache. I generated a new Access Key and disabled the old one. I also improved security configurations for the server.
I also configured SNS for bounces and complaint management and reconfigured my SES to use Hard Fail and improved DKIM, SPF and MAIL TO.
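On the question "Is there a way to configure SES only from one email?": IAM supports the `ses:FromAddress` condition key, so the sending user's policy can allow only approved From addresses instead of granting broad SES access. The sketch below is an added example, not part of the thread; the region and account ID in the ARN are placeholders, and `would_allow` is a simplified local model of how the condition matches, not the real IAM evaluator.

```python
import json

# Placeholder identity ARN (region and account ID are not from the page).
IDENTITY_ARN = "arn:aws:ses:us-east-1:111122223333:identity/myapp.com"


def sender_policy(identity_arn, allowed_from):
    """IAM policy allowing sends only from the listed From addresses."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "SendOnlyFromApprovedAddresses",
            "Effect": "Allow",
            "Action": ["ses:SendEmail", "ses:SendRawEmail"],
            "Resource": identity_arn,
            "Condition": {
                "StringEquals": {"ses:FromAddress": sorted(allowed_from)}
            },
        }],
    }


def would_allow(policy, action, resource, from_address):
    """Simplified model: exact action/resource match plus StringEquals on From."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if action not in stmt["Action"] or resource != stmt["Resource"]:
            continue
        allowed = stmt["Condition"]["StringEquals"]["ses:FromAddress"]
        if from_address in allowed:  # StringEquals is an exact, case-sensitive match
            return True
    return False  # anything not explicitly allowed is denied


POLICY = sender_policy(IDENTITY_ARN, ["office@myapp.com"])

if __name__ == "__main__":
    print(json.dumps(POLICY, indent=2))
    for addr in ("office@myapp.com", "073office@myapp.com"):
        print(addr, would_allow(POLICY, "ses:SendEmail", IDENTITY_ARN, addr))
```

With a policy like this in place of a full-access grant, a leaked key can still send as office@myapp.com until it is rotated, but not from lookalike addresses on the same verified domain.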

How to verify email address in AWS SES

I have bought a domain, then I have created a domain identity in SES and verified it successfully, now comes the email part. I have created an email address in identity management that is user@example.com (assume that example.com is my domain), documentation states that I need to go to the email inbox and click on the email but what inbox do they mean? How can I access the inbox of this address that I've just created? If I have to use my own email here then what's the point of adding a domain if I can use Gmail SMTP straight away? Can someone please clarify this?
Here is the clear answer:
At first, you need to purchase and verify your domain in SES (you've done this already, it's good to go for the next step).
You need to write a support ticket to move your SES account out from sandbox mode as it's in sandbox mode by default (you need to provide all the info AWS requires in detail).
moving out from sandbox mode
This might take 1 day around, finally you can get production SES status and check in your statistics section from SES console.
Next, you need to go to the AWS WorkMail service console and create your email accounts to be used for sender or receiver in your platform by your purchased domain (i.e., if your domain is abc.com, info@abc.com or support@abc.com).
When I say creating email accounts, it says you need to create email address, username and password for each email account.
Finally, If you need to check out the inbox for above created accounts, WorkMail provides a cool web client for it.
Here is the WorkMail web client documentation from AWS
It says this:
The web client URL looks like this: https://alias.awsapps.com/mail. Replace alias with the alias you received from your site administrator.
Here, alias is configured by you when you create your organization in WorkMail console.
The reason why SES requires to verify domain is something like ID verification of email sender, and verification of 3rd party email addresses gives us a flexibility to work with any other email addresses not registered in SES, also allow development and test before registration of domain in sandbox mode.
Cheers
The email address you want to verify must have existing mail service, before you can validate the address in SES.
From AWS docs, about receiving email
https://docs.aws.amazon.com/ses/latest/DeveloperGuide/receiving-email.html
When you receive email, Amazon SES processes it according to instructions you provide. For example, Amazon SES can deliver incoming mail to an Amazon S3 bucket, publish it to an Amazon SNS topic, or send it to Amazon WorkMail.
If you need an inbox service, use Amazon WorkMail.
Creating an IAM user doesn't create an inbox. And SES has no inbox capability at all. The point of validation is to allow sending on behalf of the service. In certain use cases, you can process inbound email via Lambda, store attachments on S3 etc. but there is no POP3/IMAP inbox-like service included in SES.
Creating an IAM user is not required to validate your email. That is only for authentication purposes for accessing AWS account services.
AWS SES can receive emails and mostly this is used for automated email processing.
If you have verified in identity that you own the domain (by adding a TXT record in your domain DNS table) then by default you have verified all emails that fall in that domain.
You don't have to follow the steps to verify individual emails by clicking the link received on the emails.
https://docs.aws.amazon.com/ses/latest/DeveloperGuide/verify-domains.html
From your example: since the domain example.com is verified, you don't have to again verify emails (user@example.com) that fall under the same domain.
Individual email verification is for scenarios where you can't verify the domain by placing DNS records. Here you will not be able to receive emails, but if you still want to send emails from an address then you can verify it by clicking the link you receive in your inbox. This can be done with Gmail or other mail providers.

Use Amazon SES to build a marketing email system

Currently I'm working on building an email marketing system using Amazon SES. I have some problems which I have googled about for a while now but I couldn't find any clue so I decided to ask you guys here.
The first thing is I use only one Amazon account to send email, but it is limited up to 10,000 verified sending addresses or domains per region, so if I want to verify more than that I need to use different regions or Amazon accounts?
Next, is there any way can I add some custom arguments when I request to verify an email address? Because I need to check which account in my system owns that address so that no other account can use that verified address to send emails.
Any answer would be appreciated. And by the way, I'm sorry for my bad English.
Email address verification is only required while Amazon SES is in sandbox mode. This is done to prevent people creating an AWS account and using it to send spam.
From Moving out of the Amazon SES sandbox - Amazon Simple Email Service:
When your account is in the sandbox, we apply the following restrictions to your account:
You can only send mail to verified email addresses and domains, or to the Amazon SES mailbox simulator.
You can only send mail from verified email addresses and domains (also applies to Production mode)
You can send a maximum of 200 messages per 24-hour period.
You can send a maximum of 1 message per second.
You would typically only "send" from one email address, or perhaps a few to make it easier to handle replies. There should be no need for 100s or 1000s of verified 'sending' email addresses.
Once you request to move into Production mode and it is accepted, you can send to any recipients (whereas in Sandbox mode, each recipient needs to be verified).

Use Amazon SES and Google GSuite for the same domain

I have a domain that I manage using Amazon Route 53. It contains TXT/MX records of Amazon Simple Email Service, that I use to process incoming email to a certain email address via AWS Lambda. I also need to register the domain to Google Admin, i.e. GSuite so that I may manage my business emails via Google console. How do I achieve this? I tried setting up Google Admin, entered the MX records of Google Mail, but it resulted in failure of AWS SES services.
It isn't possible to split email for a single domain across multiple services like this. When a sender on the Internet resolves your domain's mail exchanger (MX), the answer must contain a set of one or more hostnames for systems that will all behave identically for any given recipient email address.¹
The easy solution is to create a subdomain for your SES mail, for example contact.example.com, and simply use that domain for your SES messages.
If you really need to have all the addresses have exactly the same domain, set up a subdomain for SES as described above, but then configure GSuite to forward messages for the specific addresses that you want to go to SES, such as info@example.com, over to info@contact.example.com.
GSuite will then accept messages for those addresses, rewrite the recipient address, and hand them over to SES.
As a G Suite administrator, you can configure numerous email routing and delivery options to suit your organization. For example, you can route mail to Gmail and an external server. Or, you might need to route incoming mail for non-Gmail users. You can also set up routing policies that vary by organization
https://support.google.com/a/answer/6297084
¹behave identically from the sender's perspective. How they may handle the message internally is implementation specific, but for any given email address, all of the listed mail exchangers must accept or reject it, because an authoritative response of "No Such User" from any one of these systems will not trigger the sending system to try any of the others.

How can I send mail without verifying the recipients in Amazon SES

I have been trying to send mail with Amazon SES and it worked very well for all the verified recipients. But I have a requirement to send mails to unverified recipients now. How to do this? Thanks
Your SES account is in Sandbox Mode. You need to open a request with AWS to take your SES account out of Sandbox Mode. This is documented here.
By default, AWS never provides you full access and needs certain verification(s) to ensure security & remove possibilities of Fraudulent activities or Spam.
These steps will resolve all the issue(s) regarding current scenario in your AWS SES Setup.
1) Verify “your-domain.com” Domain using the TXT record mentioned in Verification Tab - SES Console. By doing this you can use any ID in From Address to send emails.
2) Raise a Case on Amazon Support for Production Access. SES > Production Access. By doing this you can have the full access of TO addresses and can send emails to anyone.
Kindly let me know if you still face any issue.