Amazon Simple Email Service (SES) is Amazon's email service. This guide shows how to configure AWS Simple Email Service (SES) for SMTP so that your production website running on EC2 can send email, for example from a “contact me” form. I assume you are using Amazon Route 53 for DNS; Route 53 automates part of the setup. If you use a third-party DNS provider the steps are the same, but you will have to create certain DNS records manually.
All AWS accounts start with SES in sandbox mode. You can still use all the features of SES, but with the following restrictions:
- You can only send mail to verified email addresses and domains, or to the Amazon SES mailbox simulator.
- You can only send mail from verified email addresses and domains.
- You can send a maximum of 200 messages per 24-hour period.
- You can send a maximum of 1 message per second.
If your website only sends a small volume of simple email, sandbox mode will be fine as long as the default limits above are acceptable. If not, you will have to open a support case with AWS to request production access (removal from the sandbox). This is not complicated, but you will have to explain to AWS how you will handle bounces and complaints. Further information on SES and on requesting production access can be found here.
When your account is out of the sandbox, you can send email to any recipient, regardless of whether the recipient’s address or domain is verified. However, you still have to verify all identities that you use as “From”, “Source”, “Sender”, or “Return-Path” addresses.
Which SMTP Port?
By default AWS restricts outbound traffic on port 25 (SMTP) from EC2 instances and Lambda functions. You can ask AWS to lift this restriction, but the better practice is to use port 587, the mail submission port, on which the session is upgraded to TLS with STARTTLS (SES also offers port 465 for TLS-wrapped connections).
First check that the SES SMTP endpoint is reachable from your EC2 instance on port 587. This is a plain TCP check; the TLS upgrade is tested in the next step:
telnet <Amazon SMTP FQDN> 587
Replace <Amazon SMTP FQDN> with the relevant Amazon SES endpoint. For a list of endpoints, see here. If the connection is successful, then the telnet command returns an output similar to the following:
Trying 220.127.116.11...
Connected to email-smtp.eu-west-2.amazonaws.com.
Escape character is '^]'.
220 email-smtp.amazonaws.com ESMTP SimpleEmailService-d-GLVKJ6XQM GorLM8WA5nbkJjjc7Zcc
If the above works, next check that the STARTTLS upgrade succeeds using:
openssl s_client -crlf -starttls smtp -connect <Amazon SMTP FQDN>:587
Replace <Amazon SMTP FQDN> with the relevant Amazon SES endpoint. In the output, the certificate section should report Verify return code: 0 (ok), and the session should end with the server's 250 reply to the EHLO that openssl sends after the TLS upgrade.
If the two above commands work then your SMTP connectivity is good.
In the SES console, select the region you want to use for SES. SES is regional: the SMTP endpoint, the verified identities and the sandbox status all belong to that region.
First we need to verify the domain we will be sending email from. Select “Domains” from the main SES console menu and click the “Verify a New Domain” button. You will see the dialog shown below. Enter your domain name, tick “Generate DKIM Settings”, then click “Verify This Domain”:
To prove you control the domain, AWS needs a TXT record (for domain verification) and CNAME records (for DKIM) added to your DNS zone. If you are using Amazon's Route 53 DNS service, SES can create these records for you automatically:
Click “Use Route 53” and it will automatically generate the associated TXT and CNAME records for you. You do not need to create the MX record if you are only sending outbound email.
You will then see the following dialog asking you to confirm you are happy to update your domains DNS records. Read carefully before proceeding:
Click “Create Record Sets” and SES will automatically create the required DNS records in your Route 53 hosted zone for the domain.
You will then see the following prompt on the main SES page:
It should only take a moment for the changes to propagate and for the domain to be verified. Click the refresh button and you should see the following:
You should receive two confirmation emails at your registered AWS account email address similar to the following, the first relating to the domain verification and the second to the DKIM verification:
The domain and DKIM are now set up and verified. We now need to run through a similar process, but this time to verify the email addresses we will be using.
Although the above email states we can now send from any address at our domain, we are still in sandbox mode, so every recipient must also be a verified identity. We therefore still need to verify an email address to send our test mail to.
Select “Email Addresses” from the main SES console menu. Click on “Verify a New Email address”. You will see the following dialog:
Enter the email address you want to be verified and click “Verify This Email Address”.
SES will then confirm it has sent a verification email to the email address you specified:
You should receive an email like this with a verification link:
Click on the verification link and you should get the following prompt:
If we go back to the SES console, we will see our original request is showing pending verification:
Refresh the console and we will now see the following:
We have successfully configured our domain and our sending email address for Amazon SES.
To view your SMTP settings, select “SMTP settings” from the SES console. You should see something like this:
This shows the AWS SMTP server name, port details, etc. that you should use to send email.
SES SMTP Credentials
To send email through the SES SMTP interface you need SMTP credentials, which consist of an IAM user plus an IAM policy allowing the ses:SendRawEmail action. The SMTP username is the user's access key ID, and the SMTP password is derived from the secret access key (it is not the secret access key itself):
You can create this manually, but SES will do this for us. Click on “Create My SMTP Credentials” and you will see the following:
Click on the “Show More Information” dropdown and it will expand to show you the IAM inline policy it will create (as shown above). Click the “Create” button to create the IAM user.
If the user is created successfully, you will see the following:
Your SMTP credentials have been created. Click the “Show User SMTP Security Credentials” dropdown to view them. This is the only time you will get to view your SES SMTP credentials. If you lose them you will have to delete the IAM user associated with the SES credentials and create a new IAM user.
Select “Download Credentials”. This will download a .csv formatted file with your user credentials. Keep them safe: do not commit the file to source control or place it in your web root. Store the values in a secrets store (for example AWS Secrets Manager or Systems Manager Parameter Store) or in a configuration file readable only by the web server, and delete the downloaded .csv once they are stored.
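The console does the credential work for you, but it helps to see what it is doing. The following is an added example, not code from the original guide or from AWS: it derives an SES SMTP password from an IAM secret access key using the AWS-documented derivation, and builds the send-only IAM policy such a user needs. The secret key in the usage block is the dummy value from the AWS documentation, the domain example.com is an assumption, and the ses:FromAddress condition is an optional tightening that this example adds and the console does not.

```python
# Added example, not part of the original guide: derive an SES SMTP password
# from an IAM secret access key (what "Create My SMTP Credentials" does for you)
# and build the send-only IAM policy such a user needs. The secret key used in
# the __main__ block is the AWS documentation's dummy value, not a real credential.
import base64
import hashlib
import hmac
import json
from typing import Optional

# Fixed inputs of the AWS-documented derivation. The SMTP interface only ever
# maps to the SendRawEmail action, and the leading version byte (0x04) marks
# the current, region-scoped scheme.
_DATE = "11111111"
_SERVICE = "ses"
_TERMINAL = "aws4_request"
_MESSAGE = "SendRawEmail"
_VERSION = 0x04


def _sign(key: bytes, msg: str) -> bytes:
    """One HMAC-SHA256 step of the signing-key chain."""
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def smtp_password(secret_access_key: str, region: str) -> str:
    """Return the SES SMTP password for an IAM secret key in a given region.

    The region is mixed into the derivation, so the same IAM user needs a
    different SMTP password for email-smtp.eu-west-2.amazonaws.com than for
    email-smtp.us-east-1.amazonaws.com; using the wrong one fails at AUTH.
    """
    signature = _sign(("AWS4" + secret_access_key).encode("utf-8"), _DATE)
    for part in (region, _SERVICE, _TERMINAL, _MESSAGE):
        signature = _sign(signature, part)
    # Version byte followed by the 32-byte signature, base64 encoded: 44 characters.
    return base64.b64encode(bytes([_VERSION]) + signature).decode("ascii")


def send_only_policy(from_domain: Optional[str] = None) -> dict:
    """Inline IAM policy equivalent to the one the console generates.

    The console's policy allows ses:SendRawEmail on Resource "*". Passing
    from_domain adds a condition on the ses:FromAddress key so that a leaked
    credential can only send as addresses at your own domain (an optional
    tightening this example adds; the console does not).
    """
    statement = {
        "Effect": "Allow",
        "Action": "ses:SendRawEmail",
        "Resource": "*",
    }
    if from_domain:
        statement["Condition"] = {"StringLike": {"ses:FromAddress": f"*@{from_domain}"}}
    return {"Version": "2012-10-17", "Statement": [statement]}


if __name__ == "__main__":
    # Dummy secret from the AWS docs; the real one comes from the downloaded .csv.
    dummy_secret = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
    print("SMTP password (eu-west-2):", smtp_password(dummy_secret, "eu-west-2"))
    print(json.dumps(send_only_policy("example.com"), indent=2))
```

Because the region is part of the derivation, an SMTP password generated in one region will be rejected with an authentication error by the SMTP endpoint of another; if you lose the downloaded .csv but still hold the secret access key, you can regenerate the password with this function instead of deleting the user.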
EC2 Security Group and Network ACL rules
Your website's EC2 instance and VPC need to be configured to allow outbound SMTP traffic. Ensure that your EC2 security group and network ACL rules are configured as follows:
- Configure Security Group outbound rules for TLS on Port 587
- Configure Network ACL outbound rules 587
- Configure Network ACL inbound rules to allow return traffic on the ephemeral ports 1024-65535 (network ACLs are stateless, so the replies from SES must be explicitly allowed back in; security groups are stateful and do not need this)
- EC2 instance must have internet connectivity
AWS Tip – Unless you specify otherwise, any VPC you create will have the following defaults:
- Security Group outbound rules – AWS default is all outbound traffic is allowed
- Network ACL outbound rules – AWS default is all outbound traffic allowed
- Network ACL inbound rules – AWS default is all inbound traffic allowed
Therefore, unless you have changed your VPC default settings and specifically locked down your outbound and/or inbound rules you should not need to change any of your Security Group or Network ACL rules.
Send a test email from SES
To see if the email service is working correctly we can send a test email from the Amazon SES console to confirm that our SES configuration is correct. From the SES console select either “Domains” or “Email Addresses”. Click “Send a Test Email”. You will see the following dialog:
The From: and To: addresses must both be previously verified, i.e. the email addresses you use here must exist and be shown as verified within the “Email Addresses” section of the AWS console (in sandbox mode). Complete the form, click “Send Test Email” and you should receive the email.
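The console test proves SES itself is configured; the next thing to prove is the path from the EC2 instance using the SMTP settings and credentials created above. The following is an added example, not code from the original guide: it submits a message on port 587, refuses to authenticate until the session has been upgraded with STARTTLS, verifies the server certificate, and reads the SMTP credentials from environment variables rather than from the downloaded .csv. The region, the addresses and the environment variable names SES_SMTP_USERNAME and SES_SMTP_PASSWORD are assumptions for the example.

```python
# Added example, not part of the original guide: send through the SES SMTP
# interface from the EC2 instance with STARTTLS enforced and the server
# certificate verified, taking the SMTP credentials from environment
# variables instead of hard-coding the downloaded .csv. The region, addresses
# and variable names are assumptions for the example.
import os
import smtplib
import ssl
from email.message import EmailMessage


def ses_smtp_endpoint(region: str) -> str:
    """Host name shown under 'SMTP settings' for the region SES was set up in."""
    return f"email-smtp.{region}.amazonaws.com"


def build_message(sender: str, recipient: str, subject: str, body: str) -> EmailMessage:
    """Plain-text message; in the sandbox both addresses must be verified identities."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def send_via_ses(msg: EmailMessage, region: str, username: str, password: str,
                 port: int = 587) -> dict:
    """Submit msg on port 587, upgrading to TLS before credentials are sent.

    Returns smtplib's dict of refused recipients (empty on success). It raises
    smtplib.SMTPNotSupportedError if the server does not advertise STARTTLS,
    ssl.SSLCertVerificationError if the certificate does not match the host,
    and smtplib.SMTPAuthenticationError for bad credentials, which includes
    an SMTP password derived for a different region than the endpoint.
    """
    context = ssl.create_default_context()  # verifies the chain and the host name
    with smtplib.SMTP(ses_smtp_endpoint(region), port, timeout=30) as smtp:
        smtp.ehlo()
        smtp.starttls(context=context)  # never send AUTH over the plaintext connection
        smtp.ehlo()
        smtp.login(username, password)
        return smtp.send_message(msg)


if __name__ == "__main__":
    # SES_SMTP_USERNAME / SES_SMTP_PASSWORD are the two values from the .csv;
    # they are assumed to be provided by the environment here.
    message = build_message(
        sender="contact@example.com",
        recipient="me@example.com",
        subject="SES SMTP test from EC2",
        body="If you can read this, SMTP submission through SES works.",
    )
    try:
        refused = send_via_ses(
            message,
            region=os.environ.get("AWS_REGION", "eu-west-2"),
            username=os.environ["SES_SMTP_USERNAME"],
            password=os.environ["SES_SMTP_PASSWORD"],
        )
        print("sent" if not refused else f"refused: {refused}")
    except smtplib.SMTPException as exc:
        # In the sandbox an unverified From or To address is rejected by SES
        # with a 554 "Email address is not verified" response.
        print(f"SES rejected the message: {exc}")
```

Run it on the EC2 instance after exporting the two credential variables. If it fails with a certificate error, the host name or a proxy is wrong rather than the credentials; if it fails at login, check that the SMTP password was generated in the same region as the endpoint you are connecting to.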
All that is left to do now is to install a WordPress plugin that handles sending SMTP email from your WordPress site. I recommend Easy WP SMTP. It seems well supported and is quick to set up and test. It also supports reCAPTCHA. Configure it with the server name from “SMTP settings”, port 587 with TLS (STARTTLS), and the SMTP username and password from the credentials file.