Setting up a Secure Email Engine using Amazon SES

Cloud computing, also known as on-the-line computing, is a kind of Internet-based computing that provides shared processing resources and data to computers and other devices on demand. It is a model for enabling ubiquitous, on-demand access to a shared pool of configurable computing resources (e.g., networks, storage, applications, servers, and services), which can be rapidly provisioned and released with minimal management effort. Cloud computing and storage solutions provide enterprises and users with various capabilities to store and process their data in third-party data centers. It relies on sharing of resources to achieve coherence and economy of scale, similar to a utility (like the electricity grid) over a network.

Amazon Web Services (AWS), a subsidiary of, offers a suite of cloud computing services that make up an on-demand cloud computing platform. The scope of this blog is confined to one of the efficient and effective services that are part of AWS: Amazon SES.

Amazon SES is a pay-per-use email distribution engine that provides AWS users with an easy, authentic, cost-effective, reliable and consistent infrastructure for sending and receiving bulk email correspondence using your domain and email addresses. 


Why does Vmoksha opt for Amazon SES?

Amazon SES works with Elastic Compute Cloud (also known as “EC2”), Lambda, Elastic Beanstalk and various other services. It is available in different regions such as US-East, US-West, and EU-Ireland, which allows consumers close to these regions to deploy their applications there to ensure high availability and low latency.

Unlike other SMTP players in the market, Amazon SES provides competitive pricing and deliverability.

Listed below are certain benefits of using Amazon SES:

  1. Trusted by Internet Service Providers (ISP) as an authentic source
  2. Cost-Effective & Competitive Pay-per-use pricing
  3. Reliability and Scalability
  4. Bulk Messaging Engine
  5. Automation using Amazon Lambda functions
  6. Ensured deliverability, with active monitoring to make sure that illegal or questionable content is not being distributed
  7. No Infrastructure challenges
  8. Provides mailbox simulator application as a testing environment
  9. Real-time notifications via Amazon SNS.

How does Vmoksha make use of Amazon SES?

The Amazon SES service, along with the Amazon Lambda service, is configured to send emails automatically. Mail sent via SES is verified by the ISP and the mail service provider, such as Google, and finally delivered to the employee(s). To ensure smooth delivery of the mail, Vmoksha applies certain workarounds, which are described in the following sections.

The following diagram explains the scenario

Amazon SES

Setting up Amazon Simple Email Service (SES):

First, set up an Amazon Web Services (AWS) account to use this service.

After signing up for the AWS account, log in to the management console and look for SES under the services section, or log in with the URL,


Steps to verify Email Addresses and Domain:

   I.  Steps to Configure Amazon SES

Go to the SES home page, navigate to the Identity Management menu and choose whether to verify your email domain or a list of addresses.

For example;

Email addresses –, and so on…

Domain –

The verification is managed using the Amazon SES console or Amazon SES API.

Note: Email address and domain verification status for each AWS region is separate.

Email address verification is an easy step: it is completed by opening the verification URL sent by SES. Domain verification requires the following steps:

    1. Go to Domains under Identity Management and select Verify a New Domain.
    2. Enter the domain name, select Generate DKIM Settings and click Verify This Domain.
    3. A list of DNS record details is displayed; these need to be added to the DNS zone file of your domain (e.g., through GoDaddy DNS management).
    4. Download the CSV file of DNS records. It contains the details of the Text (TXT), Canonical Name (CNAME), and Mail Exchange (MX) records that need to be added or amended in the DNS records.
    5. Domain verification can be done by just adding a text (TXT) record to your DNS zone file, but it is highly recommended to perform DKIM verification as well.
    6. A TXT record looks similar to this:         TXT     pmBGN/7MjnfhTKUZ06Enqq1PeGUaOkw8lGhcfwefcHU=
    7. Once the TXT record has propagated for the domain, the domain verification status changes to verified.
    8. To ensure that the mail is from a trusted source, DKIM verification is required. DKIM verification can be done by adding CNAME records in the DNS control panel.
    9. Once the DNS changes are reflected, the domain is fully verified.

Email Authentication via SPF or DKIM:

Amazon SES uses the Simple Mail Transfer Protocol (SMTP) to send email. Since SMTP does not provide authentication by itself, spammers can send messages pretending to be from the actual sender or domain. Most ISPs evaluate email traffic to check whether the emails are legitimate.


Authentication Mechanisms:

There are two authentication mechanisms used by ISPs commonly:

  1. Email Authentication with SPF (Sender Policy Framework)
  2. Email Authentication with DKIM (DomainKeys Identified Mail)


Email Authentication with SPF:

Setting up SPF Records and Generating SMTP credentials:

A Sender Policy Framework (SPF) record indicates to ISPs that you have authorized Amazon SES to send mail for your domain. An SPF record looks similar to this:       SPF           “v=spf1 -all”


SMTP credentials can be generated from the SES management console under the Email Sending section. It prompts you to create an IAM user and provides the SMTP username and password upon creation of that IAM user. An alternative is to create a separate IAM user with access to the SES service and use its access key and secret key as SMTP credentials.


If an SPF record already exists, you can append “” to the existing record. Also, to work with Google Apps, you need to add “ ~all”.

If no SPF record exists in the DNS zone file, a text (TXT) record can be added with the value “v=spf1 -all”.
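The append-or-create rule above, as an added example that is not part of the original post: it computes the single SPF value to publish, refuses to add a second SPF record, and checks the 10-lookup limit of RFC 7208. The `include:amazonses.com` term is an assumption taken from AWS's documentation because the page's own value is missing, and the sample zone data is constructed.

```python
# Added example: compute the SPF TXT value that authorizes Amazon SES.
# SES_INCLUDE is an assumption (the page's own value did not survive).
SES_INCLUDE = "include:amazonses.com"
# Mechanisms that cost one DNS lookup each; receivers stop at 10 (RFC 7208).
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}


def _clean(txt):
    return txt.strip().strip('"')


def _is_spf(txt):
    parts = _clean(txt).split()
    return bool(parts) and parts[0].lower() == "v=spf1"


def lookup_count(record):
    """Count the terms in an SPF record that trigger DNS lookups."""
    count = 0
    for term in record.split()[1:]:
        bare = term.lstrip("+-~?").lower()
        name = bare.split(":")[0].split("/")[0]
        if name in LOOKUP_MECHANISMS or bare.startswith("redirect="):
            count += 1
    return count


def merge_ses(txt_records, default_all="-all"):
    """Return the single SPF value to publish for the domain."""
    spf = [_clean(t) for t in txt_records if _is_spf(t)]
    if len(spf) > 1:
        # Two SPF records yield permerror at receivers: merge, never add.
        raise ValueError("multiple SPF records published")
    if not spf:
        return f"v=spf1 {SES_INCLUDE} {default_all}"
    terms = spf[0].split()
    if SES_INCLUDE in (t.lstrip("+").lower() for t in terms):
        return spf[0]  # already authorized, nothing to change
    # Terms placed after "all" are never evaluated, so insert before it.
    pos = next((i for i, t in enumerate(terms)
                if t.lstrip("+-~?").lower() == "all"), len(terms))
    merged = " ".join(terms[:pos] + [SES_INCLUDE] + terms[pos:])
    if lookup_count(merged) > 10:
        raise ValueError("merged record exceeds 10 DNS lookups")
    return merged


# Constructed sample zone data: one SPF record and an unrelated TXT record.
SAMPLE_TXT = ['"v=spf1 include:_spf.google.com ~all"', "site-verification=abc123"]
print(merge_ses(SAMPLE_TXT))
```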


Email Authentication with DKIM:

DKIM (DomainKeys Identified Mail) is a standard that allows senders to sign their email messages and ISPs to use those signatures to verify that the messages are legitimate and have not been modified by a third party in transit. DKIM setup can be done by adding the CNAME records provided by Amazon SES to the DNS zone file.

Here are the samples of CNAME records for DKIM Verification,  CNAME CNAME  CNAME


Finally, now it’s time to leave all SMTP servers and move on to AWS Simple Email Service (SES). This way Amazon Web Services reduces the effort of DevOps and takes IT Revolution to the next level.


About Abdullah Kajamohideen

Abdullah is a young, passionate person, researching and implementing new technologies in IT infrastructure management. He enjoys working on multiple cross-platform technologies, video gaming, reading books, Photoshop designing, Macromedia animation, surfing, and shopping.
