
Brand new to AWS & Simple Email Service (SES) and have an app that needs to generate some email using SES. All I'm trying to do is set things up so that my app's service user (called, say, myapp-dev) has Access & Secret Keys that have permission to use SES APIs for generating emails. Furthermore I need these SES-generated emails to be sent from either no-reply@myapp.example.com which is not a valid email address, as well as hello@myapp.example.com which is a valid email address. This is because some SES emails will be alerts/notifications that end users should not respond to, and other emails will be emails that they may very well want/need to reply to.

I've already created a myapp-dev user that has AmazonSESFullAccess permissions.

Not knowing any better, I then went to the SES dashboard and clicked Manage Identities and started creating a new "SES Identity". I'm not sure if I need to do this or not (given my needs) or whether my myapp-dev user is ready to use the SES APIs as-is. Adding this new SES identity, it asked me to enter my domain and gave me the option to generate DKIM configurations for that domain. I read up quickly on DKIM and it sounds like it's a way to authenticate that emails did in fact come from my domain, so it sounds like it's something I'd like to leverage. So I generated DKIM configs and now SES says that my new identity has a status of "pending verification".

  • Main concern is bolded above: with AmazonSESFullAccess permission, is my myapp-dev user ready to rock n' roll? Or will SES APIs fail/refuse to send emails until my SES identity (for my domain) is "verified"?
  • What do I actually need to do to change the SES identity from "pending" to "verified"? I did see a note that I needed to modify TXT and CNAME DNS records to configure DKIM with my domain, is that it? Or do I need to do something else?

Thanks in advance for any and all clarification!

smeeb

2 Answers


You need to wait for DNS verification; it can take a while.

You also need to take the Sandbox into account and open a ticket to move out from it. https://docs.aws.amazon.com/ses/latest/DeveloperGuide/request-production-access.html

To help protect our customers from fraud and abuse and to help you establish your trustworthiness to ISPs and email recipients, we do not immediately grant unlimited Amazon SES usage to new users. New users are initially placed in the Amazon SES sandbox. In the sandbox, you have full access to all Amazon SES email-sending methods and features so that you can test and evaluate the service; however, the following restrictions are in effect:

You can only send mail to the Amazon SES mailbox simulator and to verified email addresses and domains.

You can only send mail from verified email addresses and domains.

You can send a maximum of 200 messages per 24-hour period.

Amazon SES can accept a maximum of one message from your account per second.

jhernandez
  • Thanks @jhernandez (+1) appreciate the answer (immensely!). A few followup questions for you, if you don't mind: **(1)** Can you confirm that I actually need to go through this verification process, and maybe explain why I need to do this? Is it so that I can get moved out of the sandbox? **(2)** What do I actually need to do in order to get it verified, and how does this relate to adding TXT/CNAME records to my DNS? **(3)** How long does verification usually take? Does AWS have any SLA on this?! Are we talking a few days, weeks, months?! – smeeb Jan 16 '18 at 18:38
  • And **(4)** "*Amazon SES can accept a maximum of one message from your account per second.*" Does this mean they throttle you down to 1 per second, or that they will actually drop your emails if you send them faster than once per second?! – smeeb Jan 16 '18 at 18:38
  • 1. Yes, you have to verify your domain because this will validate that you are actually the owner of the domain, and the DNS records allow mail servers such as Gmail to trust the origin and not mark it as spam/phishing. 2. When you go to the SES console, in the verify domain section you will have a TXT record like _amazonses.yourdomain.com; this verifies you own the domain. The DKIM record set, which is 3 entries, allows the trusted email stuff for servers. 3. Verification takes probably an hour – jhernandez Jan 16 '18 at 20:10
  • 4. You can ask for increasing the number as whatever you want, it does not matter, but you have to ask in order to get out of sandboxing; it usually takes 24 hours tops (not sure) – jhernandez Jan 16 '18 at 20:11
  • Thanks so much @jhernandez (+1 both answers!), so just to confirm: I just need to add the TXT and two DKIM CNAME records to my DNS and within about 24-hours AWS will auto-verify them? – smeeb Jan 16 '18 at 20:18
  • @smeeb Correct, this is for verifying the domain, and, well, all the DKIM CNAMEs (I think there are 3); as for the sandbox, submit a ticket as the docs say. – jhernandez Jan 16 '18 at 20:31
  • Side note - if using GoDaddy be sure to append all TXT host entries with a period - or else GoDaddy will add the domain name to the end of the entry, as cited here (along with other things): https://docs.aws.amazon.com/ses/latest/DeveloperGuide/domain-verification-problems.html – DropHit Aug 11 '18 at 00:41

Found an alternate answer in this thread:

https://forums.aws.amazon.com/thread.jspa?threadID=125362

Here's what might have happened: Some domain name providers will automatically add example.com on to the end of the name/host field. So if you enter _xx.example.com, they'll "silently" change it to _xx.example.com.example.com

This is currently the case with namecheap, as I've painfully learned.....

It turned out this was my issue. Make sure to double check!

Seph Reed
  • If you are hosting with Digital Ocean same thing! DO appends the domain so be careful – Henry Nov 17 '20 at 13:00
  • This is a very common issue with DNS providers. I double check using the CNAME Lookup tool here to verify myself: https://mxtoolbox.com/CnameLookup.aspx – Tony Schmidt Nov 05 '21 at 17:03
  • I have to upvote this as "Dyn" is also very subtle in adding your domain name to the end of a string that already includes it. In this case you need to trim the copied value after pasting. – mckenzm Nov 29 '21 at 23:53
  • Specifically on GoDaddy, the CNAME record only shows the domain name once. So you do not see this: `CNAME _xx.example.com.example.com`. Rather you see this, which I thought was ok based on the instructions above: `CNAME _xx.example.com`. But for the verification to work you need to see this (no domain at all): `CNAME _xx`. I managed to come across this when I changed the TTL. If you change the TTL it prompts you with two options: to not add the domain name or to add the domain name. You have to select the first option. – Vikas Mujumdar May 05 '23 at 02:36
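
A check for the doubled-domain mistake described in the answers and comments above, as an added example that is not part of the original thread: it models a provider that appends the zone to any host field without a trailing dot, then compares the names that end up published against the record names SES asks for. The DKIM token labels, the sample host entries and all function names are constructed for illustration.

```python
from __future__ import annotations


def published_name(host_field: str, zone: str) -> str:
    """FQDN that results when the provider appends the zone to relative names."""
    host = host_field.strip().lower()
    zone = zone.strip(".").lower()
    if host.endswith("."):           # trailing dot: already absolute, nothing appended
        return host.rstrip(".")
    if host in ("", "@"):            # apex shorthand used by many control panels
        return zone
    return f"{host}.{zone}"


def audit(zone: str, expected: list[str], entered: list[str]) -> dict[str, str]:
    """Map each record name SES expects to 'ok', 'doubled' or 'missing'."""
    zone = zone.strip(".").lower()
    published = {published_name(h, zone) for h in entered}
    result = {}
    for name in expected:
        name = name.rstrip(".").lower()
        if name in published:
            result[name] = "ok"
        elif f"{name}.{zone}" in published:   # e.g. _xx.example.com.example.com
            result[name] = "doubled"
        else:
            result[name] = "missing"
    return result


def host_field_for(name: str, zone: str) -> str:
    """Host field to type into a panel that appends the zone itself."""
    name, zone = name.rstrip(".").lower(), zone.strip(".").lower()
    if name.endswith("." + zone):
        return name[: -len(zone) - 1]         # relative label, zone stripped
    return name + "."                         # outside the zone: force absolute


# Constructed sample data: record names as SES would list them, and the host
# fields as someone typed them into the DNS provider's form.
ZONE = "example.com"
EXPECTED = ["_amazonses.example.com",
            "tokenaaa._domainkey.example.com",
            "tokenbbb._domainkey.example.com"]
ENTERED = ["_amazonses.example.com",            # full name pasted, gets doubled
           "tokenaaa._domainkey",               # relative label
           "tokenbbb._domainkey.example.com."]  # absolute, trailing dot

if __name__ == "__main__":
    for name, status in audit(ZONE, EXPECTED, ENTERED).items():
        print(f"{status:8} {name}  (enter: {host_field_for(name, ZONE)})")
```

Whether a given provider appends the zone varies, so confirm the published name with a public lookup after saving the record.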