AWS SES for bulk mail : Require email verification? - amazon-web-services

We're thinking of moving to Amazon's SES for sending bulk mail. It appears that we have a unique API call for each email we want to send. So if there are 20k emails to send, we make 20k API calls. My question is, do we need to verify these email addresses before we send to them? We have an existing database of users and I'd rather the transition to SES be transparent to them.
I noticed that SES has an API method for verifying emails. If we aren't required to verify, why would someone use this method?

http://docs.amazonwebservices.com/ses/latest/APIReference/index.html?API_SendRawEmail.html says:
Important:
If you have not yet requested production access to Amazon SES, then you will only be able to send email to and from verified email addresses.
So, that method you asked about is used for building a list of addresses that can be e-mailed to, if you haven't requested production access yet. Since you seem to already have done that, it's not useful to you.

Note - once you have production access, you will still need to verify email addresses you are sending FROM, but not to.

Related

Simplest way to receive email to a lambda - AWS Simple Email

I am new to SES and thought it would be a quick setup but it's looking a bit more involved than expected. I also have to go through a client so I want to make sure I understand my options before I make any requests.
So I have a client who has set up an email mailbox in Outlook, dev@clientdomain.com. I want to have emails sent to this go into a lambda for processing, so I was looking at SES. Do I need to go through the same setup as if I was going to be sending emails? That is, do I need to verify a domain identity or can I get away with verifying just an email? Do I need to ask the client to publish an MX record on their domain?
Tbh I was hoping I could just some email address in AWS that is linked to a lambda, and then have the client email forward to this. Is there nothing straightforward like this in AWS? I am able to send emails with the client email following this, but how can I receive an email and parse it with a lambda the easiest way?

How to prevent someone from using my domain in Amazon SES -- they are sending emails from my domain with a different email address

So I received an email from AWS that someone is using my domain for spamming.
I checked the details of the email that was sent and I detected that if my domain is myapp,
and I am usually sending emails from email address office@myapp.com. I noticed that the hacker is using the mail 073office@myapp.com which is very similar to my business email.
This address 073office@myapp.com is not verified in my SES verified emails, but he is still using my ARN somehow.
How can I prevent it? Is there a way to configure SES only from one email?
Are you able to see in SES logs if the emails are being sent from your SES? If yes, try creating new SES credentials and disable the existing ones, to avoid them using the current ones. If not, they are probably using external SMTP and spamming using your domain and this is something that you can't do much to avoid.
So apparently one of our access keys was leaked and was included in the frontend's cache. I generated a new Access Key and disabled the old one, I also improved security configurations for the server.
I also configured SNS for bounces and complaint management and reconfigured my SES to use Hard Fail and improved DKIM, SPF and MAIL TO.
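One way to answer the "only from one email" question in this thread, as an added example that is not part of the original posts: an IAM policy that allows SES sending only when the From address is an approved one, using the SES condition key `ses:FromAddress`. The helper names and the local `would_allow` check are assumptions made for illustration; the check models only this one statement shape and is not IAM's evaluator.

```python
import json

# Address taken from the question above; any further entries would be assumptions.
ALLOWED_FROM = ["office@myapp.com"]
SEND_ACTIONS = ["ses:SendEmail", "ses:SendRawEmail"]


def sender_locked_policy(allowed_from):
    """IAM policy that allows SES sending only when From is an approved address."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "SendOnlyFromApprovedAddress",
            "Effect": "Allow",
            "Action": SEND_ACTIONS,
            "Resource": "*",
            # ses:FromAddress is the SES condition key for the message's From address.
            "Condition": {"StringEquals": {"ses:FromAddress": list(allowed_from)}},
        }],
    }


def would_allow(policy, action, from_address):
    """Simplified local model of this one statement shape, not IAM's evaluator.

    StringEquals is an exact, case-sensitive match, and anything not
    explicitly allowed is denied.
    """
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or action not in stmt["Action"]:
            continue
        if from_address in stmt["Condition"]["StringEquals"]["ses:FromAddress"]:
            return True
    return False


if __name__ == "__main__":
    policy = sender_locked_policy(ALLOWED_FROM)
    print(json.dumps(policy, indent=2))
    # The lookalike sender from the question is rejected by the condition.
    for sender in ("office@myapp.com", "073office@myapp.com"):
        print(sender, would_allow(policy, "ses:SendRawEmail", sender))
```

The policy only limits sending if the user or role holding the access key has no broader SES permission attached alongside it.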

Use Amazon SES to build a marketing email system

Currently I'm working on building an email marketing system using Amazon SES. I have some problems which I have googled about for a while now but I couldn't find any clue so I decided to ask you guys here.
The first thing is I use only one Amazon account to send email, but it is limited up to 10,000 verified sending addresses or domains per region, so if I want to verify more than that I need to use different regions or Amazon accounts?
Next, is there any way I can add some custom arguments when I request to verify an email address? Because I need to check which account in my system owns that address so that no other account can use that verified address to send emails.
Any answer would be appreciated. And by the way, I'm sorry for my bad English.
Email address verification is only required while Amazon SES is in sandbox mode. This is done to prevent people creating an AWS account and using it to send spam.
From Moving out of the Amazon SES sandbox - Amazon Simple Email Service:
When your account is in the sandbox, we apply the following restrictions to your account:
You can only send mail to verified email addresses and domains, or to the Amazon SES mailbox simulator.
You can only send mail from verified email addresses and domains (also applies to Production mode)
You can send a maximum of 200 messages per 24-hour period.
You can send a maximum of 1 message per second.
You would typically only "send" from one email address, or perhaps a few to make it easier to handle replies. There should be no need for 100s or 1000s of verified 'sending' email addresses.
Once you request to move into Production mode and it is accepted, you can send to any recipients (whereas in Sandbox mode, each recipient needs to be verified).

Custom domain + receiving at SES

I'm wondering if anyone has done the below before, the documentation is not apparent since this is sort of combining two configurations on AWS...
I use SES for receiving mail more than sending it. It's a pretty good service to use as a catch-all for domains without multiple users, which works fine for... say, small non-profits in which one person answers all of the incoming email from a few public addresses. I have all incoming mail dumped into an S3 bucket and the SES active rule set triggers a Lambda function to parse the recipient of the incoming mail and forward it to predefined gmail addresses.
However, I have one account that wishes to send out fundraising mails to newsletter subs, and of course they'll want to buy their own IP from AWS for this purpose, to include DMARC and PTR records for minimizing their losses to spam filters.
SES has the capability to do this, by setting a 'custom domain' for your outgoing SES email. The catch is, by going through the motions to set this up I notice that SES designates the incoming MX you must use to feedback-smtp.(region).amazonses.com rather than the inbound-smtp.(region).amazon.ses.com that normal receiving at SES requires.
Can these two configurations (receiving as well as custom domain for outgoing) co-exist? Or does feedback-smtp.(region).amazonses.com get handled differently somehow?
Anyone done this before?
You don't need to worry about the Feedback MX address.
In SES, you can't have a custom MAIL FROM for a naked domain (e.g. example.com).
You need to use something like mail.example.com and publish the MX record as feedback-smtp.(region).amazonses.com, this won't affect your incoming emails.
To comply with DMARC using that, you need to make sure that aspf is set to relaxed.
https://docs.aws.amazon.com/ses/latest/DeveloperGuide/dmarc.html
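The `aspf` point in the answer above, worked through as an added example that is not part of the original thread: DMARC's SPF alignment compares the envelope MAIL FROM domain with the header From domain, exactly under `aspf=s` and by organizational domain under `aspf=r` (the default). The addresses and DMARC records are constructed, and `org_domain` assumes a single-label public suffix such as `.com`; a real check consults the Public Suffix List.

```python
def parse_dmarc(record):
    """Split a DMARC TXT record into a tag -> value dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain):
    """Organizational domain, ASSUMING a one-label public suffix (.com, .org)."""
    labels = domain.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def domain_of(address):
    """Domain part of an email address, lower-cased."""
    return address.rsplit("@", 1)[-1].rstrip(".").lower()


def spf_aligned(header_from, mail_from, dmarc_record):
    """True if the MAIL FROM domain aligns with the header From domain."""
    mode = parse_dmarc(dmarc_record).get("aspf", "r").lower()  # relaxed by default
    from_dom, envelope_dom = domain_of(header_from), domain_of(mail_from)
    if mode == "s":
        return from_dom == envelope_dom          # strict: exact match only
    return org_domain(from_dom) == org_domain(envelope_dom)  # relaxed


if __name__ == "__main__":
    # Constructed sample values.
    header_from = "news@example.com"
    custom_mail_from = "bounce@mail.example.com"        # custom MAIL FROM subdomain
    default_mail_from = "bounce@us-east-1.amazonses.com"  # no custom MAIL FROM set
    for record in ("v=DMARC1; p=reject; aspf=r", "v=DMARC1; p=reject; aspf=s"):
        print(record,
              spf_aligned(header_from, custom_mail_from, record),
              spf_aligned(header_from, default_mail_from, record))
```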

AWS SES Identity "pending verification" for DKIM config

Brand new to AWS & Simple Email Service (SES) and have an app that needs to generate some email using SES. All I'm trying to do is set things up so that my app's service user (called, say, myapp-dev) has Access & Secret Keys that have permission to use SES APIs for generating emails. Furthermore I need these SES-generated emails to be sent from either no-reply@myapp.example.com which is not a valid email address, as well as hello@myapp.example.com which is a valid email address. This is because some SES emails will be alerts/notifications that end users should not respond to, and other emails will be emails that they may very well want/need to reply to.
I've already created a myapp-dev user that has AmazonSESFullAccess permissions.
Not knowing any better, I then went to the SES dashboard and clicked Manage Identities and started creating a new "SES Identity". I'm not sure if I need to do this or not (given my needs) or whether my myapp-dev user is ready to use the SES APIs as-is. Adding this new SES identity, it asked me to enter my domain and gave me the option to generate DKIM configurations for that domain. I read up quickly on DKIM and it sounds like it's a way to authenticate that emails did in fact come from my domain, so it sounds like it's something I'd like to leverage. So I generated DKIM configs and now SES says that my new identity has a status of "pending verification".
Main concern is bolded above: with AmazonSESFullAccess permission, is my myapp-dev user ready to rock n' roll? Or will SES APIs fail/refuse to send emails until my SES identity (for my domain) is "verified"?
What do I actually need to do to change the SES identity from "pending" to "verified"? I did see a note that I needed to modify TXT and CNAME DNS records to configure DKIM with my domain, is that it? Or do I need to do something else?
Thanks in advance for any and all clarification!
Found an alternate answer in this thread:
https://forums.aws.amazon.com/thread.jspa?threadID=125362
Here's what might have happened: Some domain name providers will automatically add example.com on to the end of the name/host field. So if you enter _xx.example.com, they'll "silently" change it to _xx.example.com.example.com
This is currently the case with namecheap, as I've painfully learned.....
It turned out this was my issue. Make sure to double check!
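The silent-append mistake described in the answer above, as an added example that is not part of the original thread: it computes what to type in the name/host field of a provider that appends the zone itself, shows what gets published when the full name is typed instead, and flags doubled names in a list of published records. The function names are hypothetical and the record names are constructed around the page's `_xx.example.com` placeholder.

```python
def relative_host(fqdn, zone):
    """Host-field value for a provider that appends the zone itself."""
    fqdn, zone = fqdn.rstrip(".").lower(), zone.rstrip(".").lower()
    if fqdn == zone:
        return "@"
    if not fqdn.endswith("." + zone):
        raise ValueError(f"{fqdn} is not inside zone {zone}")
    return fqdn[: -(len(zone) + 1)]


def published_name(host_field, zone):
    """Name a zone-appending provider publishes for a given host-field entry."""
    zone = zone.rstrip(".").lower()
    host = host_field.rstrip(".").lower()
    return zone if host in ("", "@") else f"{host}.{zone}"


def find_doubled(published, zone):
    """Published names that carry the zone twice (the silent-append mistake)."""
    zone = zone.rstrip(".").lower()
    doubled = f".{zone}.{zone}"
    return [n for n in published if n.rstrip(".").lower().endswith(doubled)]


if __name__ == "__main__":
    zone = "example.com"
    wanted = "_xx.example.com"  # record name as shown by SES (page's placeholder)

    # Typing the full name into the host field doubles the zone.
    print(published_name(wanted, zone))
    # Typing only the relative part publishes the intended name.
    print(published_name(relative_host(wanted, zone), zone))

    # Constructed list of names as they might appear in a zone export.
    zone_export = ["_xx.example.com.example.com", "www.example.com"]
    print(find_doubled(zone_export, zone))
```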
You need to wait for DNS verification; it can take a while.
You also need to take the Sandbox into account and open a ticket to move out from it.
https://docs.aws.amazon.com/ses/latest/DeveloperGuide/request-production-access.html
To help protect our customers from fraud and abuse and to help you
establish your trustworthiness to ISPs and email recipients, we do not
immediately grant unlimited Amazon SES usage to new users. New users
are initially placed in the Amazon SES sandbox. In the sandbox, you
have full access to all Amazon SES email-sending methods and features
so that you can test and evaluate the service; however, the following
restrictions are in effect:
You can only send mail to the Amazon SES mailbox simulator and to
verified email addresses and domains.
You can only send mail from verified email addresses and domains.
You can send a maximum of 200 messages per 24-hour period.
Amazon SES can accept a maximum of one message from your account per
second.