Setup Amazon SES for your website (updated)

This is an updated version of my original post that can be found here. It reflects changes in the Amazon SES console and is current as of May 2022.

Amazon Simple Email Service (SES) – How to setup SMTP for your website

Introduction

This is an updated version of a guide to configure Amazon Simple Email Service (SES) to reflect changes in the SES console. This guide was written in May 2022.

This guide shows how to configure the AWS Simple Email Service (SES) for SMTP to allow email service from your EC2 production website, for example via a “contact me” form. I assume you are using Amazon Route 53 for DNS services. Using Route 53 automates certain parts of the setup. If you are using a third-party DNS service the steps are still the same but you will have to manually create certain DNS entries.

SES sandbox

All AWS accounts are initially set up with the SES service in sandbox mode. You can still use all the features of AWS SES but there are the following restrictions:

  • You can only send mail to verified email addresses and domains, or to the Amazon SES mailbox simulator.
  • You can only send mail from verified email addresses and domains.
  • You can send a maximum of 200 messages per 24-hour period.
  • You can send a maximum of 1 message per second.

If you are using your website for simple emails then the sandbox mode will be fine as long as you are happy with the default limits specified above. If not you will have to open a support case with AWS and request to be removed from the sandbox to gain production access. This is not complicated, but you will have to demonstrate to AWS how you will handle email bounces etc. Further information on SES and how to request to move out of the sandbox can be found here.

When your account is out of the sandbox, you can send email to any recipient, regardless of whether the recipient’s address or domain is verified. However, you still have to verify all identities that you use as “From”, “Source”, “Sender”, or “Return-Path” addresses.

Which SMTP Port?

By default, AWS blocks access to port 25 (SMTP) for EC2 instances and Lambda functions. You can ask AWS to remove this restriction, but better practice is to use port 587, the TLS port for SMTP email.

You can test connectivity to the SMTP endpoint on port 587 using:

telnet <Amazon SMTP FQDN> 587

A list of Amazon SES regions and endpoints can be found in “Amazon Simple Email Service endpoints and quotas” in the AWS General Reference. If the connection is successful, the telnet command returns output similar to the following:

Trying 18.132.221.228...
Connected to email-smtp.eu-west-2.amazonaws.com.
Escape character is '^]'.
220 email-smtp.amazonaws.com ESMTP SimpleEmailService-d-GLVKJ6XQM GorLM8WA5nbkJjjc7Zcc

If the above works, next check the TLS connection by using the following command:

openssl s_client -crlf -starttls smtp -connect <Amazon SMTP FQDN>:587

At the very end of the output, you should see:

250 Ok

If the two above commands work then your SMTP connectivity is good.

Pre Requisites

This guide assumes your domain is hosted in AWS Route 53. You will need to have your domain and your DNS public hosted zone configured.

SES Configuration

Switch to the region in which you want to set up Amazon SES and open the SES console page.

Firstly, we need to approve the domain that we will be sending email from. Select Create Identity from the console home page, or select Amazon SES > Configuration: Verified Identities > Create Identity. You will see the screen as below:

Amazon SES – Verified Identities

Select “Create Identity”. You will see the screen below:

Amazon SES – Create Identity

Select “Domain” and enter your domain name. Leave “Assign a default configuration set” and “Use a custom MAIL FROM domain” unchecked. SES will configure DKIM for you and automatically publish the DKIM settings to your domain in Route 53. Add any tags you require and click “Create Identity”:

Amazon SES – Identity Details

Unlike previous versions of SES, domain verification now only uses DKIM (DomainKeys Identified Mail). TXT entries are not used anymore. You should see a result similar to this:

Amazon SES – DKIM

DKIM configuration will show as “Pending” and at the top of the SES console you should see:

As our domain is hosted in Route 53 the required CNAME records for DKIM will be added automatically to our Route 53 hosted zone. Detection of the new CNAME records can take up to 72 hours, but usually only takes a few minutes.

If you open the Route53 Console and view the hosted zone for the selected domain you should see that the CNAME entries shown on the SES page have been added to our hosted zone:

Amazon SES – CNAME Records

If we wait a short while and refresh our page (or select Verified identities from the SES console menu) you should see the page has updated and now shows the identity and DKIM configuration has been successful:

Amazon SES – DKIM successful

AWS will also send an email to your AWS admin email address confirming that DKIM has been successfully setup:

Amazon SES – DKIM email confirmation

The domain and DKIM are now setup and verified. We now need to run through a similar process, but this time to verify the email addresses we will be using.

Although the above email states we can now send DKIM-signed emails from any address associated with our domain, as we are in sandbox mode we still have to create a verified email address.

Select Create Identity from the console home page, or select Amazon SES > Configuration: Verified Identities > Create Identity. You will see the screen as below:

Amazon SES – Verified Identities

Select “Create Identity”. You will see the screen below:

Amazon SES – Create Identity

Select “Email Address”, enter the email address you want to be verified and click “Create Identity”.

You should also receive an email to verify that you have requested to authorise your email address for use with Amazon SES:

Amazon SES – Email Address Verification Request

Click on the link to verify your email address. If it is successful, you will receive the following acknowledgement:

Amazon SES – Email Address Verification Successful

You should now see the following in the verified identities section of SES:

Amazon SES – Verified Identities

We have successfully configured both our domain and our email address for Amazon SES.

Test Email

To test the service we can send a test email from the Amazon SES console to confirm that our SES configuration is working correctly. Select your verified email address and click “Send a Test Email”. You will see the following dialog:

Amazon SES – Test Email

The From: and To: addresses have to be addresses that have been previously verified, i.e. the email addresses you use here must exist and be shown as verified within the “Email Addresses” section of the AWS console (in sandbox mode), otherwise you will receive an error.

Complete the form, click “Send Test Email” and if all is well you should receive the email.

SMTP Settings

To view your SMTP settings, select “Account dashboard” from the SES console. You should see something like this:

Amazon SES – SMTP Settings

This shows the AWS SMTP server name, port details etc you should use to send email.

SES SMTP Credentials

To send email using SES SMTP you must create a set of IAM user credentials, which consist of an IAM user and an IAM policy that allows the ses:SendRawEmail action.

You can create this manually, but SES will do this for us. Click on “Create SMTP Credentials” (as shown above) and you will see the following:

Amazon SES – IAM User for SMTP Authentication

Click on the “Show More Information” dropdown and it will expand to show you the IAM inline policy it will create (as shown above). Enter a suitable IAM User Name and click the “Create” button to create the IAM user.
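The inline policy can be tightened so the SMTP user may only send as your verified address. The following is an added example, not code from the original post or from AWS: it builds such a policy with the ses:FromAddress condition key and audits policy documents for grants wider than an SMTP sender needs. The sender address and both sample documents are constructed, and the unconditioned sample is assumed to match the shape of the policy shown in the console.

```python
import json

# Placeholder address; substitute the identity you verified in SES.
VERIFIED_SENDER = "contact@example.com"

def scoped_smtp_policy(sender):
    """Allow ses:SendRawEmail only when the From address is `sender`."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "ses:SendRawEmail",
            "Resource": "*",
            "Condition": {"StringEquals": {"ses:FromAddress": sender}},
        }],
    }

def _as_list(value):
    # IAM accepts a single value or a list for Statement and Action.
    return value if isinstance(value, list) else [value]

def audit_policy(policy):
    """Return findings for Allow statements broader than an SMTP sender needs."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action.lower() != "ses:sendrawemail":
                findings.append(f"statement {i}: unexpected action {action!r}")
        if "Condition" not in stmt:
            findings.append(f"statement {i}: no Condition restricts the sender")
    return findings

# Constructed samples: an unconditioned grant and an over-broad variant.
UNCONDITIONED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ses:SendRawEmail", "Resource": "*"}]}
OVERBROAD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ses:*", "Resource": "*"}]}

if __name__ == "__main__":
    for name, doc in [("unconditioned", UNCONDITIONED), ("overbroad", OVERBROAD),
                      ("scoped", scoped_smtp_policy(VERIFIED_SENDER))]:
        print(name, audit_policy(doc) or "ok")
    print(json.dumps(scoped_smtp_policy(VERIFIED_SENDER), indent=2))
```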

If the user is created successfully, you will see the following:

Amazon SES – SMTP User Created Successfully

Your SMTP credentials have been created. Click the “Show User SMTP Security Credentials” dropdown to view your credentials. This is the only time you will get to view your SES SMTP credentials. If you lose them, you will have to delete the IAM user associated with the SES credentials and create a new IAM user.

Amazon SES – SMTP Security Credentials

Copy the username/password or select “Download Credentials” to download a .csv formatted file with your user credentials. Keep these safe!
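To confirm the new credentials work from the EC2 instance before configuring the website, the script below repeats the port 587 and STARTTLS checks from earlier and then logs in and sends one message. It is an added example, not part of the original post: the environment variable names (SES_SMTP_HOST, SES_SMTP_USER, SES_SMTP_PASS, SES_FROM, SES_TO) are assumptions, chosen so the credentials never appear in the code.

```python
import os
import smtplib
import ssl
from email.message import EmailMessage

def tls_context():
    """Certificate and hostname verification on, TLS 1.2 as the floor."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def load_credentials(env=os.environ):
    """Read the SMTP username/password from the environment, never from code."""
    try:
        return env["SES_SMTP_USER"], env["SES_SMTP_PASS"]
    except KeyError as missing:
        raise RuntimeError(f"missing environment variable {missing}") from None

def build_message(sender, recipient, subject, body):
    msg = EmailMessage()
    msg["From"] = sender      # must be a verified identity
    msg["To"] = recipient     # must also be verified while in the sandbox
    msg["Subject"] = subject
    msg.set_content(body)
    return msg

def send_via_ses(host, msg, port=587, timeout=10):
    user, password = load_credentials()
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:  # reads the 220 banner
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            # Never fall back to sending the password in clear text.
            raise RuntimeError("server did not offer STARTTLS; refusing to log in")
        smtp.starttls(context=tls_context())
        smtp.ehlo()               # re-issue EHLO inside the TLS session
        smtp.login(user, password)
        return smtp.send_message(msg)  # dict of refused recipients, {} if none

if __name__ == "__main__":
    message = build_message(os.environ["SES_FROM"], os.environ["SES_TO"],
                            "SES SMTP test", "Sent over STARTTLS on port 587.")
    refused = send_via_ses(os.environ["SES_SMTP_HOST"], message)
    print(refused or "accepted")
```

A certificate or hostname mismatch raises ssl.SSLCertVerificationError at the starttls() call, before the credentials are sent.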

EC2 Security Group and Network ACL rules

Your website EC2 instance and your VPC need to be configured to allow SMTP traffic. Ensure that your EC2 security group and Network ACL rules are configured as follows:

  • Configure Security Group outbound rules for TLS on port 587
  • Configure Network ACL outbound rules for port 587
  • Configure Network ACL inbound rules for ports 1024-65535
  • EC2 instance must have internet connectivity

AWS Tip

Unless you specify otherwise any VPC you create will be with the following defaults:

  • Security Group outbound rules – AWS default is all outbound traffic is allowed
  • Network ACL outbound rules – AWS default is all outbound traffic allowed
  • Network ACL inbound rules – AWS default is all inbound traffic allowed

Therefore, unless you have changed your VPC default settings and specifically locked down your outbound and/or inbound rules you should not need to change any of your Security Group or Network ACL rules.

For more information on default security group rules look here. For more information on default Network ACL rules look here.

WordPress Configuration

All that is left to do now is to install a WordPress plugin that will handle the sending of SMTP email from your WordPress site and enter your SMTP credentials and email address.

I recommend Easy WP SMTP. It seems well supported and is quick to setup and test. It also supports ReCaptcha.

I offer assistance in configuring Amazon SES if you require it. You can contact me at enquiries@awsmadesimple.co.uk
