I have a domain that I manage using Amazon Route 53. It contains TXT/MX records of Amazon Simple Email Service, that I use to process incoming email to a certain email address via AWS Lambda. I also need to register the domain to Google Admin, i.e. GSuite so that I may manage my business emails via Google console. How do I achieve this? I tried setting up Google Admin, entered the MX records of Google Mail, but it resulted in failure of AWS SES services.
It isn't possible to split email for a single domain across multiple services like this. When a sender on the Internet resolves your domain's mail exchanger (MX), the answer must contain a set of one or more hostnames for systems that will all behave identically for any given recipient email address.¹
The easy solution is to create a subdomain for your SES mail, for example contact.example.com, and simply use that domain for your SES messages.
If you really need to have all the addresses have exactly the same domain, set up a subdomain for SES as described above, but then configure GSuite to forward messages for the specific addresses that you want to go to SES, such as info#example.com, over to info#contact.example.com.
GSuite will then accept messages for those addresses, rewrite the recipient address, and hand them over to SES.
As a G Suite administrator, you can configure numerous email routing and delivery options to suit your organization. For example, you can route mail to Gmail and an external server. Or, you might need to route incoming mail for non-Gmail users. You can also set up routing policies that vary by organization
https://support.google.com/a/answer/6297084
¹behave identically from the sender's perspective. How they may handle the message internally is implementation specific, but for any given email address, all of the listed mail exchangers must accept or reject it, because an authoritative response of "No Such User" from any one of these systems will not trigger the sending system to try any of the others.
Related
We are a growing agency and we like to use SES to improve deliverability for emails that get generated by client websites.
The agency has an AWS account which uses SES and we would now like to add in another website. However, despite the fact you can verify multiple domains, it looks like SES can only be used with a single website.
In SES home, under the 'your account details' section it has the web address and no way of adding another.
Do i need to create a new AWS account for every client we want to use SES with?
I have bought a domain,then I have created domain identity in SES and verified it successfully, now comes the email part. I have created email address in identity management that is user#example.com (assume that example.com is my domain), documentation states that I need to go to the email inbox and click on the email but what inbox they mean? How can I access this inbox of this address that I've just created? If I have to use my own email here then what's the point of adding a domain If I can use gmail smtp straight away? Can someone please clarify this?
Here is the clear answer:
At first, you need to purchase and verify your domain in SES(you've done this already, it's good to go for next step)
You need to write a support ticket to move your SES account out from sandbox mode as it's in sandbox mode by default(You need to provide all info AWS requires in detail)
moving out from sandbox mode
This might take 1 day around, finally you can get production SES status and check in your statistics section from SES console.
Next, you need to go AWS WorkMail service console and create your email accounts to be used for sender or receiver in your platform by your purchased domain(i.e, if your domain is abc.com, info#abc.com or support#abc.com).
When I say creating email accounts, it says you need to create email address, username and password for each email account.
Finally, If you need to check out the inbox for above created accounts, WorkMail provides a cool web client for it.
Here is the WorkMail web client documentation from AWS
It says this:
The web client URL looks like this: https://alias.awsapps.com/mail. Replace alias with the alias you received from your site administrator.
Here, alias is configured by you when you create your organization in WorkMail console.
The reason why SES requires to verify domain is something like ID verification of email sender, and verification of 3rd party email addresses gives us a flexibility to work with any other email addresses not registered in SES, also allow development and test before registration of domain in sandbox mode.
Cheers
The email address you want to verify must have existing mail service, before you can validate the address in SES.
From AWS docs, about receiving email
https://docs.aws.amazon.com/ses/latest/DeveloperGuide/receiving-email.html
When you receive email, Amazon SES processes it according to instructions you provide. For example, Amazon SES can deliver incoming mail to an Amazon S3 bucket, publish it to an Amazon SNS topic, or send it to Amazon WorkMail.
If you need an inbox service, use Amazon WorkMail.
Creating a IAM user doesn't create an inbox. And SES has no inbox capability at all. The point of validation is to allow sending in behalf of the service. In certain use cases, you can process inbound email via Lambda, store attachments on S3 etc. but there is no POP3/IMAP inbox-like service included in the SES.
Creating an IAM user is not required to validate your email. That is only for authentication purposes for accessing AWS account services.
AWS SES can receive emails and mostly this is used for automated email processing.
If you have verified in identity that you own the domain(by adding txt record in your domain DNS table) then by default you have verified all emails that fall in that domain.
You don't have to follow the steps to verify individual emails by clicking the link received on the emails.
https://docs.aws.amazon.com/ses/latest/DeveloperGuide/verify-domains.html
From your example: since the domain examaple.com is verified, you don't have to again verify emails(user#example.com) that fall under same domain.
Individual email verification is for scenarios where you cant verify domain by placing dns records. Here you will not be able to receive emails, but if you still want to send emails from an address then you can verify it by clicking the link you receive on your inbox. This can be done with gmail or other mail providers.
I'm wondering if anyone has done the below before, the documentation is not apparent since this is sort of combining two configurations on AWS...
I use SES for receiving mail more than sending it. It's a pretty good service to use as a catch-all for domains without multiple users, which works fine for... say, small non-profits in which one person answers all of the incoming email from a few public addresses. I have all incoming mail dumped into an S3 bucket and the SES active rule set triggers a Lambda function to parse the recipient of the incoming mail and forward it to predefined gmail addresses.
However, I have one account that wishes to send out fundraising mails to newsletter subs, and of course they'll want to buy their own IP from AWS for this purpose, to include DMARC and PTR records for minimizing their losses to spam filters.
SES has the capability to do this, by setting a 'custom domain' for your outgoing SES email. The catch is, by going through the motions to set this up I notice that SES designates the incoming MX you must use to feedback-smtp.(region).amazonses.com rather than the inbound-smtp.(region).amazon.ses.com that normal receiving at SES requires.
Can these two configurations (receiving as well as custom domain for outgoing) co-exist? Or does feedback-smtp.(region).amazonses.com get handled differently somehow?
Anyone done this before?
You don't need to worry about the Feedback MX address.
In SES, you can't have Custom mail from for naked domain (e.g: example.com)
You need to use something like mail.example.com and publish the MX record as feedback-smtp.(region).amazonses.com, this won't affect your incoming emails.
To comply with DMARC using that, you need to make sure that aspf is set to relaxed.
https://docs.aws.amazon.com/ses/latest/DeveloperGuide/dmarc.html
I used a service for mailing my users and that service uses amazon SES to send emails.
When I signed up and did setup a sender agent, that service just required two things:
company name which I typed "cmpny".
agent name which I selected from a predefined list, I chose "joe" .
thus the result was a sender email address joe#cmpny.email-service.com(displayed just bellow the form) and after submit the form I tested the mailing feature and it did work immediately.
I know (by aws docs) that an entity (either domain or email address) needs to be verified before get work therefore that requirement demands a manual operation.
How did this service (in an automatically way) ...
verify cmpny.email-service.com domain in SES ?
verify joe#cmpny.email-service.com address in SES?
thanks in advance.
By using SES, you just need to verify the root domain, in this case email-service.com. Then email-service.com can create any quantity of subdomains they want using Route53 like cmpny.email-service.com and send emails using the created subdomain without any additional check.
Check the AWS docs page about this subject at verify-domains, or the excerpt that explains it below:
If you verify a domain with Amazon SES, you can send from any subdomain of that domain without specifically verifying the subdomain. For example, if you verify example.com, you do not need to verify a.example.com or a.b.example.com. As specified in RFC 1034, each DNS label can have up to 63 characters and the whole domain name must not exceed a total length of 255 characters.
Brand new to AWS & Simple Email Service (SES) and have an app that needs to generate some email using SES. All I'm trying to do is set things up so that my app's service user (called, say, myapp-dev) has Access & Secret Keys that have permission to use SES APIs for generating emails. Furthermore I need these SES-generated emails to be sent from either no-reply#myapp.example.com which is not a valid email address, as well as hello#myapp.example.com which is a valid email address. This is because some SES emails will be alerts/notifications that end users should not respond to, and other emails will be emails that they may very well want/need to reply to.
I've already created a myapp-dev user that has AmazonSESFullAccess permissions.
Not knowing any better, I then went to the SES dashboard and clicked Manage Identities and started creating a new "SES Identity". I'm not sure if I need to do this or not (given my needs) or whether my myapp-dev user is ready to use the SES APIs as-is. Adding this new SES identity, it asked me to enter my domain and gave me the option to generate DKIM configurations for that domain. I read up quickly on DKIM and it sounds like its a way to authenticate that emails did in fact come from my domain, so it sounds like its something I'd like leverage. So I generated DKIM configs and now SES says that my new identity has a status of "pending verification".
Main concern is bolded above: with AmazonSESFullAccess permission, is my myapp-dev user ready to rock n' roll? Or will SES APIs fail/refuse to send emails until my SES identity (for my domain) is "verified"?
What do I actually need to do to change the SES identity from "pending" to "verified"? I did see a note that I needed to modify TXT and CNAME DNS records to configure DKIM with my domain, is that it? Or do I need to do something else?
Thank in advance for any and all clarification!
Found an alternate answer in this thread:
https://forums.aws.amazon.com/thread.jspa?threadID=125362
Here's what might have happened: Some domain name providers will automatically add example.com on to the end of the name/host field. So if you enter _xx.example.com, they'll "silently" change it to _xx.example.com.example.com
This is currently the case with namecheap, as I've painfully learned.....
It turned out this was my issue. Make sure to double check!
You need to wait for dns verification, can take a while.
You also need to take the Sandbox into account and open a ticket to move out from it.
https://docs.aws.amazon.com/ses/latest/DeveloperGuide/request-production-access.html
To help protect our customers from fraud and abuse and to help you
establish your trustworthiness to ISPs and email recipients, we do not
immediately grant unlimited Amazon SES usage to new users. New users
are initially placed in the Amazon SES sandbox. In the sandbox, you
have full access to all Amazon SES email-sending methods and features
so that you can test and evaluate the service; however, the following
restrictions are in effect:
You can only send mail to the Amazon SES mailbox simulator and to
verified email addresses and domains.
You can only send mail from verified email addresses and domains.
You can send a maximum of 200 messages per 24-hour period.
Amazon SES can accept a maximum of one message from your account per
second.