Organizations typically do not use their production email infrastructure to send non-user emails to the internet. For example, a company may send a weekly or monthly newsletter to partners, send automatic replies for orders, blast marketing messages, etc.
Instead of building a separate SMTP server and bearing the hardware, maintenance, and possible future upgrade costs, an excellent alternative is using a cloud-hosted solution like Amazon SES.
Amazon Simple Email Service, or SES, is Amazon’s SMTP email service aimed mainly at two types of usage scenarios: Transactional and Promotional. But don’t get hung up on those two labels because, at its very core, Amazon SES works like any other SMTP relay service.
If you’re interested in learning about Amazon SES as SMTP relay, you’ve come to the right place. We’ll cover how to set up the AWS SMTP relay service in this tutorial, and by the end, you should be able to send outbound messages through it.
Requirements
- You must have an existing AWS account. A free tier account is sufficient for this tutorial.
- Depending on how you want to prove the sender’s identity:
  - Whole Domain: You must have access to your DNS host to establish the domain ownership.
  - Single Sender Address: An active email account in your domain to prove the mailbox exists. You cannot use known public email address domains like gmail.com, yahoo.com, etc.
Create a Sender Identity for Amazon SES SMTP Relay
Before sending emails using the AWS SES SMTP relay, you must create and verify the sender’s identity. You can verify a whole domain or a single email address as the sender’s identity.
Note. By default, every SES account starts in the sandbox, with restrictions and limitations. One limitation is that you can only send and receive emails using your verified sender identity (sender and recipient are the same domain or email address).
Refer to Moving out of the Amazon SES sandbox to learn how to move your SES account to production.
If you verify a whole domain, you can send emails using any email address from that domain through Amazon SES. For example, if you configure the domain org870b.ga as the sender identity domain, you can send messages from user1@org870b.ga, someonelse@org870b.ga, and so on.
In contrast, verifying a single email address would mean you can only send messages using that specific email address. Whichever sender identity you configure is entirely your decision.
Option 1: Verify a Domain
Note. This option involves adding new DNS records for your domain, which means that you must have access to your public DNS management. This example will verify the domain identity of org870b.ga.
Log in to your AWS SES account at https://console.aws.amazon.com/ses.
Click Verified identities → Create identity.
Next, select Domain as the identity type and enter the domain you wish to verify.
Scroll to the bottom and click Create Identity. At this point, the domain identity is already created, but the verification status is still pending.
Creating the domain identity automatically generates DKIM keys in the form of CNAME records.
To complete the domain verification, you must add these CNAME entries to your DNS. The process varies depending on your DNS host. In this example, we are using Cloudflare as the DNS host to manage this domain’s entries.
Note. DNS records could take several minutes to several hours to replicate.
You only need to wait for Amazon SES to detect your created CNAME entries. In my case, it took around five minutes for Amazon SES to see the DNS records.
Once it happens, the domain identity status changes to Verified.
The DKIM configuration status changes to Successful.
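While waiting for the status to change, you can check from your own machine whether the DKIM CNAME records are already visible on public DNS. The script below is an added example, not part of the original tutorial; the record names and values are placeholders for the pairs your SES console shows, and the two resolver addresses are an assumption about what your network can reach.

```powershell
# Added example: check that the SES DKIM CNAME records are visible on public DNS.
# PLACEHOLDERS: replace each Name/Value pair with the ones the SES console shows.
$records = @(
    @{ Name = 'TOKEN1._domainkey.org870b.ga'; Value = 'VALUE1-FROM-SES-CONSOLE' }
    @{ Name = 'TOKEN2._domainkey.org870b.ga'; Value = 'VALUE2-FROM-SES-CONSOLE' }
    @{ Name = 'TOKEN3._domainkey.org870b.ga'; Value = 'VALUE3-FROM-SES-CONSOLE' }
)
# Two independent public resolvers (assumption: both are reachable from your network).
$resolvers = '1.1.1.1', '8.8.8.8'

function Test-DkimCname {
    param([string]$Name, [string]$Expected, [string]$Server)
    $status = 'NotFound'; $target = $null
    try {
        # A name without a CNAME can still return an SOA record, so keep CNAME answers only.
        $answer = Resolve-DnsName -Name $Name -Type CNAME -Server $Server -DnsOnly -ErrorAction Stop |
            Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
        if ($answer) {
            $target = $answer.NameHost.TrimEnd('.')
            $status = if ($target -eq $Expected.TrimEnd('.')) { 'Match' } else { 'Mismatch' }
        }
    } catch {
        $status = 'NotFound'   # NXDOMAIN or resolver error: not published or not propagated yet
    }
    [pscustomobject]@{ Name = $Name; Resolver = $Server; Status = $status; Target = $target }
}

# Query every record on every resolver so a stale cache on one of them stands out.
$results = foreach ($r in $records) {
    foreach ($s in $resolvers) { Test-DkimCname -Name $r.Name -Expected $r.Value -Server $s }
}
$results | Format-Table -AutoSize

if ($results.Status -contains 'Mismatch' -or $results.Status -contains 'NotFound') {
    Write-Warning 'At least one DKIM CNAME is missing or wrong; verification stays pending until all resolve.'
}
```

A Mismatch on every resolver points to a typo in the DNS entry, while NotFound on only one resolver usually means the record is still propagating.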
Option 2: Verify an Email Address
This example will verify the sender email identity of aten.stig@org870b.ga.
Log in to your AWS SES account at https://console.aws.amazon.com/ses.
Click Verified identities → Create identity.
Next, select Email address as the identity type and enter the specific email address you wish to verify.
After creating the sender identity, Amazon SES sends a verification email to the email address.
To complete the verification process, open the mailbox, look for the email from Amazon Services, and click the link in the email.
The link opens in the web browser and confirms that you can now use this email address to send emails via AWS SES SMTP relay.
Back in the Amazon SES console, the identity status is now Verified.
Send a Test Email from Amazon SES
You’ve now verified your sender’s identity. Whether you verified a domain or a specific email address, our next step is to send a test email and confirm that it is working.
Back on the Amazon SES console, click Verified identities and click the identity you want to test. In this example, we’ll choose the domain identity.
On the next page, click the Send test email button.
On the next page:
- Enter the From-address without the domain part.
- Select Custom under Scenario so you can enter a custom recipient address. Note that you can only send to a verified identity.
- Enter the recipient’s email address.
- Enter the Subject and Body.
- Click Send test email.
If successful, you should see a banner like the one below.
Verify that the recipient received the test email.
Send an Email using the Amazon SES SMTP Relay
So you’ve successfully created, verified, and tested your Amazon SES sender’s identity (domain or email address). But we’re not done yet. We still need to use the Amazon SES SMTP Relay endpoint to send a message.
Find the Amazon SES SMTP Relay Settings
The SMTP endpoint listens on ports 25, 587, and 2587 for STARTTLS. To find the SMTP relay settings, click SMTP Settings.
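Before any credential goes over the wire, it is worth confirming that the endpoint really advertises STARTTLS on the port you plan to use and that its certificate validates. The function below is an added example, not part of the original tutorial; the function name and the EHLO hostname are made up for illustration, and the default host is the us-east-2 endpoint used later in this tutorial.

```powershell
# Added example: pre-flight STARTTLS check against the SES SMTP endpoint (no login attempted).
function Test-SmtpStartTls {
    param(
        [string]$SmtpHost = 'email-smtp.us-east-2.amazonaws.com',  # endpoint used in this tutorial
        [int]$Port = 587
    )
    $client = [System.Net.Sockets.TcpClient]::new()
    try {
        $client.Connect($SmtpHost, $Port)
        $stream = $client.GetStream()
        $stream.ReadTimeout = 10000
        $reader = [System.IO.StreamReader]::new($stream, [System.Text.Encoding]::ASCII)
        $writer = [System.IO.StreamWriter]::new($stream, [System.Text.Encoding]::ASCII)
        $writer.NewLine = "`r`n"; $writer.AutoFlush = $true

        # Read one complete SMTP reply: "250-..." lines continue, "250 ..." ends it.
        $readReply = {
            $lines = @()
            do { $line = $reader.ReadLine(); $lines += $line }
            while ($line -and $line.Length -ge 4 -and $line[3] -eq '-')
            ,$lines
        }

        $null = & $readReply                          # 220 greeting
        $writer.WriteLine('EHLO preflight.invalid')   # constructed hostname for the test
        $ehlo = & $readReply
        $offered = [bool]($ehlo -match '^250[- ]STARTTLS')
        $result = [ordered]@{ Host = $SmtpHost; Port = $Port; StartTlsOffered = $offered }

        if ($offered) {
            $writer.WriteLine('STARTTLS')
            $go = & $readReply
            if ($go[-1] -notmatch '^220') { throw "STARTTLS refused: $($go[-1])" }
            # Default validation: throws on an untrusted chain or a hostname mismatch.
            $ssl = [System.Net.Security.SslStream]::new($stream, $false)
            $ssl.AuthenticateAsClient($SmtpHost)
            $result.TlsProtocol = $ssl.SslProtocol
            $result.CertSubject = $ssl.RemoteCertificate.Subject
            $result.CertExpires = $ssl.RemoteCertificate.GetExpirationDateString()
        }
        [pscustomobject]$result
    } finally {
        $client.Dispose()
    }
}

Test-SmtpStartTls
```

If `StartTlsOffered` is false or the TLS handshake throws, do not send the SMTP username and password to that host and port.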
Create the SMTP Credential
Knowing the SMTP interface details would be useless if you don’t have the proper authentication credentials to connect to it. So let’s create an SMTP credential to get the username and password we’ll use to authenticate.
On the same page, click Create SMTP credentials.
Type the username you want for the account, and click Create. In this example, let’s use ses-smtp-user as the IAM username.
Once the credential is created, copy the SMTP username and password. You can also download the credential.
Send the Email using PowerShell
Having the SMTP endpoint, username, and password allows you to configure your applications to use the Amazon SES SMTP relay. But in this example, we’ll use the SMTP details to send an email using PowerShell; here’s how.
Open a PowerShell window on your computer and run the below command to store the SMTP credentials to the $credential variable.
$credential = Get-Credential
Next, modify the below code to use your values.
- Replace the SmtpServer value with your Amazon SES SMTP relay endpoint.
- Replace the From value with your sender’s identity.
- Replace the To value with your recipient’s email address.
# Send Email
Send-MailMessage -Credential $credential `
    -UseSSL `
    -SmtpServer 'email-smtp.us-east-2.amazonaws.com' `
    -Port 587 `
    -From 'someone@org870b.ga' `
    -To 'aten.stig@org870b.ga' `
    -Subject 'Amazon SES SMTP Relay Test' `
    -Body 'Amazon SES SMTP Relay Test'
Once you’ve modified the code, run it in PowerShell to send the test email. An empty return means the SMTP relay operation was successful.
Check the recipient’s mailbox and confirm that the email was received.
And that confirms that your AWS SES SMTP relay configuration is working.
Conclusion
Amazon SES is an excellent email service that’s relatively easy to implement. You can do many more configurations that this tutorial did not cover, but you can explore them on your own.
When you decide that Amazon SES SMTP relay fits your organization’s requirements, don’t forget to move your SES instance out of the sandbox before using it in production. Good luck!