SQL Server AlwaysOn Availability Groups: Installation and configuration, Part 2
Posted by Administrator | 27/01/2025 | Tips
In this tutorial, I’ll walk you through setting up Amazon SES for your domain. We’ll generate an SMTP credential and send a test email.
An AWS account and a domain (I will use the domain alfredocastro.com.br).
Access the AWS console and look for the “Amazon Simple Email Service” service.
In the side menu on the left, click on “Verified identities”.
Click on “Create identity”.
At this stage, you can choose between creating an identity of the “Domain” or “Email address” type.
An identity of type “Domain” means that, once Amazon SES is configured, you can send emails from any address under the configured domain. For example, you will be able to send emails as mkt@alfredocastro.com.br or marketing@alfredocastro.com.br and so on.
With the “Email address” type identity, you will configure Amazon SES to send emails only from one specific email address.
For this tutorial, we will use the “Domain” type. In the “Domain” field, enter your domain, leave the other settings at their defaults and click on “Create identity”.
That’s it, you have successfully completed creating the identity for your domain.
On the next screen that opens, you will be prompted to confirm that you are the owner of this domain.
You will need to create some CNAME records in your DNS to set up DKIM and thus confirm ownership of the domain.
In the “Authentication” tab, go to the “Publish DNS records” field. It displays 3 CNAME type DNS records to be created in your DNS.
Access your domain’s DNS record manager.
Create the CNAME type records as shown in the previous step.
To check the propagation of the created record, visit the website: WhatsMyDNS
After propagation, you will receive an email (at the address configured for your AWS root account) confirming that the DKIM configuration was successful.
Access Amazon SES and open the identity we just created. You will be able to see the status as “Verified” and the DKIM status as “Successful”.
Access the AWS console and open the “Amazon Simple Email Service” service.
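When the DKIM status stays pending, the usual cause is a record that was published under the wrong name or with the wrong target. The following added example (not part of the original tutorial) compares a zone-file style export from your DNS manager with the three records shown under “Publish DNS records”. The tokens and zone text are constructed sample values in the `token._domainkey.domain` / `token.dkim.amazonses.com` shape, and the function names are hypothetical.

```python
# Added example: tokens and zone text below are constructed, not real SES DKIM tokens.

def norm(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.strip().rstrip(".").lower()

def parse_cnames(zone_text):
    """Map owner name -> target for each CNAME line of a zone-file style export."""
    found = {}
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()      # drop ';' comments
        types = [f.upper() for f in fields]
        if "CNAME" in types[1:-1]:                  # needs an owner before and a target after
            i = types.index("CNAME", 1)
            found[norm(fields[0])] = norm(fields[i + 1])
    return found

def check_dkim(domain, console_records, zone_text):
    """Return {record name: status} for the records the SES console asked for."""
    found = parse_cnames(zone_text)
    report = {}
    for name, value in console_records:
        name, value = norm(name), norm(value)
        if name in found:
            report[name] = "ok" if found[name] == value else "wrong-target"
        elif f"{name}.{norm(domain)}" in found:
            # The DNS manager appended the zone name to an already fully-qualified name.
            report[name] = "domain-doubled"
        else:
            report[name] = "missing"
    return report

DOMAIN = "alfredocastro.com.br"
# Constructed stand-ins for the three name/value pairs shown in the console.
CONSOLE = [(f"{t}._domainkey.{DOMAIN}", f"{t}.dkim.amazonses.com")
           for t in ("tokenaaa", "tokenbbb", "tokenccc")]
# Constructed export: one correct record, one with the domain doubled, one absent.
ZONE = """\
tokenaaa._domainkey.alfredocastro.com.br. 300 IN CNAME tokenaaa.dkim.amazonses.com.
tokenbbb._domainkey.alfredocastro.com.br.alfredocastro.com.br. 300 IN CNAME tokenbbb.dkim.amazonses.com.
"""

if __name__ == "__main__":
    for record, status in check_dkim(DOMAIN, CONSOLE, ZONE).items():
        print(f"{status:15} {record}")
```

A “domain-doubled” result means the record name should be entered in the DNS manager without the domain suffix.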
In the side menu on the left, click on “Account dashboard”.
Note the yellow message: the identity we just created is in “Sandbox” mode. Click on the “View Get set up page” button.
Our account is in the “Sandbox” and has some usage restrictions: we can only send 200 emails per 24 hours, and we can only send emails to our own verified identity.
To remove this restriction, we need to open a ticket with AWS. Click on the “Request production access” button.
We need to fill out this form explaining for what purpose we will use Amazon SES. AWS will analyze the request and, if it approves, it will release our identity for “Production” mode.
In “Mail type”, select which type of email you will send, “Marketing” or “Transactional”. For this tutorial I will use “Transactional”.
In “Website URL” enter the URL of your company or product website so that AWS can analyze what type of content will be sent.
In “Use case description”, describe the type of email that will be sent and what measures you will take to ensure that the emails sent are not considered by users as Spam. AWS asks you to answer 3 questions:
1) How will you build or acquire your mailing list?
2) How will you handle bounces and complaints?
3) How can recipients unsubscribe from your mailing list, and how will you respond to those requests?
I used the following text for my request. Basically, I explained that I would use Amazon SES to send transactional emails from a new system that I am creating, and I gave examples of the type of email: “I forgot my password” and emails with new posts. I also explained that, so that my emails are not marked as unwanted or sent to Spam, I will create a link that lets users remove their email from the sending list, or they can access the system and turn off the emails:
How will you build or acquire your mailing list?
It's a new system, I will use AWS SES to send emails to new registered users, to send "I forgot my password" emails and to send notifications of new posts made on the website.
How will you handle bounces and complaints?
Each user will can cancelate the notification of system. Or via a link that will be sent along with the email.
How can recipients unsubscribe from your mailing list, and how will you respond to those requests?
Each user will can cancelate the notification of system through of a option 'help' inside the system. Or via a link that will be sent along with the email.
As it is a new system, I believe that daily emails will be sent around 100 emails.
Check the box “I agree to the AWS Service Terms and Acceptable Use Policy (AUP)” and click “Submit request”.
You will receive a message that the request was submitted successfully and AWS will review it within 24 hours. The status will change to “Under review”.
Refresh the page and you will see a message with the ticket ID opened for AWS. You can click on the link and go to the ticket to send more information to AWS. If AWS finds any inconsistencies, they will send you a message via the ticket.
After AWS analysis, you will receive an email (root account email) notifying you that Amazon SES has been released for “Production” mode.
Access the service again and click on “Account dashboard”. Now we can see that our quota for sending emails has been changed to 50,000 emails per 24 hours and our status is “Healthy”.
This number of emails was defined by AWS; you can request an adjustment according to usage.
AWS provides a dashboard where we can see our daily usage.
Now that we have our Amazon SES configured and enabled to send emails, we must generate an SMTP credential.
Access the AWS console and open the “Amazon Simple Email Service” service.
In the side menu on the left, click on “SMTP settings”.
Click the “Create SMTP credentials” button.
By default, AWS will create the “User name” as “ses-smtp-user.YYYYMMDD-HHMMSS”; you can change it if you want. Below it, the screen shows which permission the user will have.
Basically, AWS creates an IAM user with an Allow policy for ses:SendRawEmail, generates an access key and runs a script to generate an SMTP credential.
I changed my username to “ses-smtp-alfredo” and clicked “Create user”.
Copy the data displayed on the screen and save it in a safe place: the “SMTP username” and “SMTP password” are our authentication credentials in Amazon SES for sending emails. Click on “Return to SES console”.
Returning to the “SMTP settings” tab, we will find the essential information for configuring our application, including the “SMTP endpoint”, “TLS” and “Port” settings.
In this step I will demonstrate how to generate an SMTP credential from a programmatic credential. To do this, it is necessary to run a script that transforms the Secret Key into an SMTP credential.
NOTE: The SMTP credential is generated per region and only works for Amazon SES in that region. You can use the same Secret Key to generate SMTP credentials for other regions.
Access the AWS console and open the “IAM” service.
In the side menu on the left, click on “Users”.
Click on “Create user”.
In “User name”, define a name for your user and click “Next”.
We will set the permissions later, just click “Next”.
Click on “Create user”.
Click on the user we just created.
Click on “Add permissions” and then click on “Create inline policy”.
Change the “Policy editor” to “JSON”.
Paste the following JSON into the “Policy editor” and click “Next”.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ses:SendRawEmail",
      "Resource": "*"
    }
  ]
}
Define a name for the Policy and click “Create policy”.
Click on the “Security credentials” tab.
In “Access keys”, click on “Create access key”.
Choose the “Use case” as “Other” and click “Next”.
Click on “Create access key”.
Save the generated “Access key” and “Secret access key” in a safe place, then click “Done”.
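The inline policy above allows ses:SendRawEmail on every resource, so a leaked key can send as any identity verified in the account. The following added example (not part of the original tutorial, and not AWS code) flags that pattern and builds a variant limited to the tutorial's domain with the `ses:FromAddress` condition key. The account ID is a placeholder, the function names are hypothetical, and it assumes no configuration set is used when sending.

```python
# Added example. ACCOUNT_ID is a placeholder; REGION and DOMAIN are the tutorial's values.
ACCOUNT_ID = "111122223333"
REGION = "us-east-1"
DOMAIN = "alfredocastro.com.br"

PAGE_POLICY = {  # the inline policy pasted in the tutorial
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "ses:SendRawEmail", "Resource": "*"}],
}

def as_list(value):
    """IAM allows a single string/object where a list is expected; normalise to a list."""
    return [value] if isinstance(value, (str, dict)) else list(value)

def scoped_policy(account_id, region, domain):
    """Same action, limited to one verified identity and its own From addresses."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "ses:SendRawEmail",
            "Resource": f"arn:aws:ses:{region}:{account_id}:identity/{domain}",
            "Condition": {"StringLike": {"ses:FromAddress": f"*@{domain}"}},
        }],
    }

def findings(policy):
    """Return (statement index, issue) pairs for Allow statements that grant SES sending."""
    issues = []
    for i, stmt in enumerate(as_list(policy.get("Statement", []))):
        actions = [a.lower() for a in as_list(stmt.get("Action", []))]
        sends = any(a in ("*", "ses:*") or a.startswith("ses:send") for a in actions)
        if stmt.get("Effect") != "Allow" or not sends:
            continue
        resources = as_list(stmt.get("Resource", []))
        if any(r == "*" or r.endswith("identity/*") for r in resources):
            issues.append((i, "wildcard-resource"))
        keys = {k.lower() for block in stmt.get("Condition", {}).values() for k in block}
        if "ses:fromaddress" not in keys:
            issues.append((i, "no-from-address-condition"))
    return issues

if __name__ == "__main__":
    import json
    print(findings(PAGE_POLICY))
    print(json.dumps(scoped_policy(ACCOUNT_ID, REGION, DOMAIN), indent=2))
```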
Now, we need to convert our “Secret access key” into an SMTP credential.
I used a Linux machine running Ubuntu 22.04. First, I installed python3 and then created the file with the python script. When running the script, provide the “Secret access key” and then indicate the region for which you want to generate the SMTP credential. In this tutorial, we are using the us-east-1 region.
apt-get update
apt-get install python3 -y
vim /tmp/ses.py
Script:
#!/usr/bin/env python3
import hmac
import hashlib
import base64
import argparse

SMTP_REGIONS = [
    "us-east-2",  # US East (Ohio)
    "us-east-1",  # US East (N. Virginia)
    "us-west-2",  # US West (Oregon)
    "ap-south-1",  # Asia Pacific (Mumbai)
    "ap-northeast-2",  # Asia Pacific (Seoul)
    "ap-southeast-1",  # Asia Pacific (Singapore)
    "ap-southeast-2",  # Asia Pacific (Sydney)
    "ap-northeast-1",  # Asia Pacific (Tokyo)
    "ca-central-1",  # Canada (Central)
    "eu-central-1",  # Europe (Frankfurt)
    "eu-west-1",  # Europe (Ireland)
    "eu-west-2",  # Europe (London)
    "eu-south-1",  # Europe (Milan)
    "eu-north-1",  # Europe (Stockholm)
    "sa-east-1",  # South America (Sao Paulo)
    "us-gov-west-1",  # AWS GovCloud (US)
]

# These values are required to calculate the signature. Do not change them.
DATE = "11111111"
SERVICE = "ses"
MESSAGE = "SendRawEmail"
TERMINAL = "aws4_request"
VERSION = 0x04


def sign(key, msg):
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def calculate_key(secret_access_key, region):
    if region not in SMTP_REGIONS:
        raise ValueError(f"The {region} Region doesn't have an SMTP endpoint.")

    signature = sign(("AWS4" + secret_access_key).encode("utf-8"), DATE)
    signature = sign(signature, region)
    signature = sign(signature, SERVICE)
    signature = sign(signature, TERMINAL)
    signature = sign(signature, MESSAGE)
    signature_and_version = bytes([VERSION]) + signature
    smtp_password = base64.b64encode(signature_and_version)
    return smtp_password.decode("utf-8")


def main():
    parser = argparse.ArgumentParser(
        description="Convert a Secret Access Key to an SMTP password."
    )
    parser.add_argument("secret", help="The Secret Access Key to convert.")
    parser.add_argument(
        "region",
        help="The AWS Region where the SMTP password will be used.",
        choices=SMTP_REGIONS,
    )
    args = parser.parse_args()
    print(calculate_key(args.secret, args.region))


if __name__ == "__main__":
    main()
Running the script:
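NOTE: The output of the script will be your SMTP credential. Because the “Secret access key” is passed as a command-line argument, it ends up in your shell history and is visible in the process list while the script runs.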
python3 /tmp/ses.py AedgghOlpaoKFYZ+5w/aoAo/BEBb/1z9RQ2V4N9W us-east-1
Now let’s perform an email sending test using the AWS Console itself.
Access the AWS console and open the “Amazon Simple Email Service” service.
In the side menu on the left, click on “Verified identities”.
Click on your domain.
Click the “Send test email” button.
Under “Email format”, select “Formatted”.
In “From-address”, enter the name of the email address that will send the message.
Under “Scenario”, select “Custom”.
In “Custom recipient”, enter the recipient’s email, who will receive our test email.
In “Subject”, enter a subject for the email.
In “Body”, type a test message.
Click “Send test email”.
Here’s the information extracted from the test email we just sent:
Our email has been sent successfully!
Now we will perform an email sending test with a bash script, using our SMTP credentials generated in step 05.
I used the same Linux machine running Ubuntu 22.04. First I installed sendemail, and then I created the bash script file and gave it execution permission. Before running the script, change the variables according to your environment.
apt-get update
apt-get install sendemail -y
vim /tmp/email.sh
Script:
#!/bin/bash
# SMTP endpoint
SMTP_HOST="email-smtp.us-east-1.amazonaws.com"
# STARTTLS port
SMTP_PORT="587"
# Access key
SMTP_USER="AKIAR3YIWCET3TYHQR6T"
# SMTP credential
SMTP_PASS="BHqSfD7stBQJf55FGQ9RoSeNK5h2E0LvOaQFl0DmZs2Z"
# Sender
EMAIL_FROM="contato2@alfredocastro.com.br"
# Recipient
EMAIL_TO="alfredotavio@gmail.com"
# Subject
SUBJECT="Teste de Envio 2"
# Message (variables are quoted so values containing spaces stay single arguments)
echo "E-mail de teste 2" | \
sendemail -o tls=yes -f "${EMAIL_FROM}" -u "${SUBJECT}" -t "${EMAIL_TO}" -s "${SMTP_HOST}:${SMTP_PORT}" -xu "${SMTP_USER}" -xp "${SMTP_PASS}"
Running the script:
chmod +x /tmp/email.sh
/tmp/email.sh
Here’s the information extracted from the test email we just sent using our bash script:
I hope I’ve helped! If you have any questions, don’t hesitate to contact me.