How can I see a report of my AWS Bounced emails? - amazon-web-services

I have an application that automatically sends thousands of emails per hour using Amazon Web Service's Simple Email System (SES).
How/where can I view a report of email bounces?
EDIT:
Below #Neil shows how I can setup SNS to email me about bounced emails. But is there any way I can see a report of Bounced emails in the past? Going forward is there a way I can see a bounce report/table instead of getting an email notification every time an email bounces?

It has been long time wanted but there's no built-in feature for now.
I suggest you push on this thread so Amazon gives more info about the roadmap to integrate this feature

You can configure AWS to email you via SNS. See here

You can configure SES to send bounces (and complaints, and even deliveries) to an SNS endpoint.
From SNS, you can configure different subscribers: email, http(s), or a couple other options. The interesting option is Lambda. Create a Lambda end point, and then write a simple function that inserts the information you want to track into DynamoDB.
This might cost you a few cents/month, but you have control over what you're recording and how to access it.

Related

How do I see a history of all SES emails sent with their contents? Mysterious emails were sent

My organization's AWS account got an alert that we sent over 10,000 emails last week, many of which were marked as spam.
The catch is: No emails were supposed to be sent, we don't know who did it, and thus we're suspecting that it was a malicious actor.
How can we see a history of all emails sent and log all future SES emails? Specifically, can we see the contents of those emails? Is there a way we can determine who/which user sent those emails?
I'd like to emphasize that I need to see all emails sent by SES, regardless of region or any other parameters.
Any other tips or tricks?
This tutorial seems like overkill:
https://aws.amazon.com/premiumsupport/knowledge-center/ses-email-sending-history/
How can we see a history of all emails sent and log all future SES emails?
yes using CloudWatch Metrics you can easily find all the metrics associated with ses, for future try using a notification system using cloudwatch and sns when something happens
Docs https://docs.aws.amazon.com/ses/latest/dg/monitor-sending-activity-console.html
Is there a way we can determine who/which user sent those emails?
Yes use cloud trail events
can we see the contents of those emails?
I am afraid No, you can't, you might need to build custom solution like creating an event, and then processing contents with lambda.

Should AWS SES bounce emails be notified by one or more methods

AWS Simple Email Service (SES): Bounce Email Notification/Feedback
I have both the following methods set up in the AWS Console to receive information about bounce emails:
1) Email Feedback forwarding - to send any bounce email details back to the sender. This is the domain or email that is managed in the AWS console and is verified. Hence the From/Source is a valid user email with a mailbox
2) SNS Notification for bounce emails - This is used to trigger a lambda function and the intention here is to get a notification on the emails that bounced and was sent from an address of a verified domain that doesn't have a mailbox e.g noreply#domain. This is automated from the software.
The lambda function forwards this notification to the reply emails that are part of the Header in the notification.
The reply emails may also contain personal email addresses that are not necessarily managed in the AWS console. Therefore the lambda is basically forwarding the notification back to all the reply emails of the user.
My issue here is that the above works but sometimes I get notifications using both methods.
Should AWS only choose one of the above two when dealing with bounces? Can someone please shed some light on this?
Thank you
Try creating a Deliverability dashboard, it now provides excel sheet to download and track your bounce emails.
https://docs.aws.amazon.com/ses/latest/DeveloperGuide/bouncecomplaintdashboard.html
The AWS documentation is not super clear with respect to simultaneously using multiple methods for bounce email notification. However, the following under 'Disabling Email Feedback Forwarding' does indicate that using more than one method for bounce notification will result in multiple notifications.
https://docs.aws.amazon.com/ses/latest/DeveloperGuide/notifications-via-email.html
In my case (using the above two methods for bounce email notification), When I use the SES via SMTP interface from an Asp.Net app, I get two bounce email notifications, one via SNS and the other via the Email Feedback Forwarding method. In Addition when I use an email client like MSOutlook, then I only get one bounce notification which is expected
because it's not using SES.
My solution:
Option 1:
Use both methods for SES.
The Email Feedback Forwarding method will be responsible for delivering the notification to a verified email eg user#mycompany.com with a mailbox.
The lambda triggered by the SNS method will have a filter that will only process notifications where the source is norepy#mycompany.com.
Hence this will prevent duplicates and will also allow me to forward bounce email notifications to other reply-to emails (set by the web app in the header) that are not verified in my AWS.
Option 2:
Disable Email Feedback Forwarding Method and process all notifications via lambda triggered by SNS Method.

Amazon SES - notifications for email verification

We use Amazon's SES service, and have set up Topics and Subscriptions under SNS (Simple Notification Service) so that we get notification emails when an email is bounced or successfully delivered. That's all working fine.
We sometimes send emails via SES on behalf of one of our partners, and before we can do that we need to verify their email address. The process is that the system asks SES to send out a verification email to the person saying "Example.com wants to send emails on your behalf, is that ok?", with a link for them to click. If they click it, then that email is marked as Verified within SES, and we can use it as a from address.
What I can't work out is how to automate the process of knowing whether they've clicked the link yet. I can log in to the AWS dashboard, and go and look at the list of verified email addresses, but i'd like to make it an automated process.
What would be ideal is if it worked the same way as bounces & deliveries: that i set up a "Verification" topic, and subscribe to it so we get an email like we do with bounces and deliveries. Then, the scheduled job that deals with incoming email notifications can say "Aha, this is a verification email for foobar#example.com: I'll mark their account as 'ses-verified'".
Does anyone know if it's possible to set this up? All the docs on the SES site just talk about bounces, deliveries and complaints.
thanks, Max
You can use the GetIdentityVerification api call in the SES part of the awssdk:
https://docs.aws.amazon.com/ses/latest/APIReference/API_GetIdentityVerificationAttributes.html
You could do this in a serverless way by having a lambda function do the check, and expose the lambda as an API endpoint to your application (among other ways).
Alternatively you could just try to send a single test email to a test/internal email address and check if it gives you an error - if its not verified, it will return an error immediately when you try to do the send.
EDIT:
If you want to use the CLI instead:
aws ses get-identity-verification-attributes --identities "mailbox#thedomain.com"

Identify original email from Complaint SES notification

Is there a way to identify the originating email from a complaint notification in Amazon's SES? For example if we have 3 different mailing groups all sending different emails, and the recipient doesn't like 1 of them and reports it as spam, is there anything in the SES notification that would help us identify which email, and therefore which mailing group, we need to act on?
Yes, there is! From the docs:
Monitor your bounces and complaints and remove any bounced or
complained recipient addresses from your mailing list. You can be
notified of bounces and complaints in one of two ways: by email or by
Amazon Simple Notification Service (Amazon SNS) notifications. For
more information, see Monitoring Using Amazon SES Notifications.
Basically you can receive an email of a SNS notification (email, SMS, queue, etc.) to handle this. I would suggest SNS as it's way more flexible and the cost shouldn't be a problem (considering you don't have loads of complaints, of course!). Take a look:
Monitoring Using Amazon SES Notifications
EDIT: to identify the specific message the complaint is about, you'll need to store the unique ID created by SES when you send the message. From this AWS blog post:
Amazon SES assigns a unique message ID to each email that you
successfully submit to send. When Amazon SES receives a bounce or
complaint message from an ISP, we forward the feedback message to you.
I have used complaints treatment but never paid attention to this message ID. Anyway, looks like the path to follow.
Yes, you can do that
For each of the email that you send out via the SES, it gives back a messageID which is unique for every message that goes out (In your case it will be unique for each of the 3 mails that you send to the same recipient).
You need to persist that somewhere when you send emails.
Now when a complain occurs SES gives back the original messageId that this particular email was sent with.
And this way you can look up your local persistance and find out which of the 3 emails did the user complained for

AWS SES - Logging SendEmail & SendRawEmail calls (SMTP)

We've changed our email service from Mandrill to Amazon SES. We are using it with SMTP.
In Mandrill we had access to some details such as:
raw content of the emails
delivery dates
is the email viewed by the recipient
are the links in the email clicked
But in SES Management Console > Sending Statistics page it shows only the numbers without any details for deliveries, bounces, complaints & rejects.
And I've looked into CloudTrail, CloudWatch & S3 combination with no luck. Also I'm not sure if this is still valid but this page says
All Amazon SES APIs except for the email-sending APIs (SendEmail and SendRawEmail) are supported.
So I can't seem to log these data with CloudTrail.
Can I log them via another method (maybe a third party tool?). How do other people log these? Or do they? Maybe it's not possible with SMTP but possible with only API?
Example scenario
We're using multiple IAM access keys (with multiple users) for SES. Let's say there is 50% increase in complaints. Doesn't AWS offer any tool to find the culprit access key?
I had found this thread when trying to get easy access to who Amazon SES sent emails to, at what time, etc. I found the tutorials at Amazon pretty helpful:
https://docs.aws.amazon.com/ses/latest/DeveloperGuide/event-publishing-tutorials.html
I actually tried all four of them. I couldn't figure out how to get the CloudWatch path to actually show who the email went to, but the other ones worked. I eventually settled on the Amazon Redshift path:
https://docs.aws.amazon.com/ses/latest/DeveloperGuide/event-publishing-redshift.html
It works well for me and provides an SQL query view into the "log" data. They do have a new Query tool, so you don't have to use JDBC/ODBC if you don't want to.
Hoping this will help someone else looking...
For raw content logging, you would have to proxy the SMTP requests through some service that logs everything and then sends it to SES, or just log everything in your code before making the call to SES.
For delivery rates you would have to setup SNS listeners to process SES bounce notifications.
For email viewed and links clicked you would have to build your own analytics service to add tracking to the emails you send, or find some third-party service that does that for you.
There is a reason SES is so much cheaper than other email services like Mandrill, it is because you don't get all the features that the other services provide. Honestly if you want things like click tracking analytics I would suggest you rethink moving away from Mandrill, or look at other email services like SendGrid. SES is more of a raw email sending service that doesn't provide any of those higher-level features you are looking for.