SES Configuration
Amazon SES (Simple Email Service) is a scalable, cloud-based email service designed to send transactional, marketing, and bulk emails securely and cost-effectively.
To configure AWS Simple Email Service (SES) as an SMTP Relay for WorkSpaces Manager, follow these steps:
DNS Domain to be used as sender: Identify the domain that will be used to send emails.
Create DNS Records: In your DNS provider’s console, create the necessary DNS records as requested by SES (such as DKIM, SPF, etc.).
Create SMTP Credentials: Generate SMTP credentials through SES to authenticate the sending of emails.
Test Emails: Send test emails to verify that SES is correctly configured as your SMTP relay.
Configure WorkSpaces Manager (WSM): Input the SMTP details (SES credentials, endpoint, and port) in the WorkSpaces Manager configuration to enable email functionality.
First, navigate to Amazon SES and click on “Get Started”.
As the identity type, select 'Domain' and enter your correct DNS domain name. By default, DKIM (DomainKeys Identified Mail) will be enabled, ensuring that messages are authenticated and not altered during transit.
After submitting the domain, the identity status will show as “Verification pending”, and Amazon SES will display the required DNS records (such as CNAME, TXT, or MX) that need to be created in your domain’s DNS settings for verification and DKIM setup.
Ensure that these records are added to your DNS provider, as this is necessary for domain verification and to authenticate emails sent via SES. Once the DNS changes propagate, the domain status will update to "Verified."
The CNAME records provided by Amazon SES for DKIM verification will be unique for each domain and verification request. These records are specific to your domain and are used to authenticate your emails by ensuring they are signed with the correct cryptographic keys.
Once Amazon SES generates the CNAME records, you need to add them to your domain’s DNS settings at your DNS provider. These records will look something like this:
CNAME Record 1: xxxxxxxx._domainkey.yourdomain.com -> xxxxxxxxxxxxxx.amazonses.com
CNAME Record 2: xxxxxxxx._domainkey.yourdomain.com -> xxxxxxxxxxxxxx.amazonses.com
CNAME Record 3: xxxxxxxx._domainkey.yourdomain.com -> xxxxxxxxxxxxxx.amazonses.com
The values will be different for each request. After these records are added, DNS propagation can take some time, and once completed, the domain status in SES will change to "Verified".
After the DNS records are created, wait for about 10-15 minutes for them to be published and fully replicated across the internet.
Once replication is complete, AWS will automatically check the status of the DNS records. If everything is correct, SES will mark the domain as “verified”, and the domain will be able to send emails through SES. Additionally, DKIM will be successfully registered, ensuring that emails sent from your domain are properly authenticated.
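If the status stays at “Verification pending”, comparing the records SES requested with what DNS actually serves usually shows why. The following is an added example, not part of the original guide or of any AWS tooling: the tokens, `example.com` and the function names are constructed placeholders, and the live lookup assumes the `dig` CLI is installed.

```python
import subprocess

def norm(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.strip().lower().rstrip(".")

def dig_cname(name):
    """Live lookup with the dig CLI; returns the CNAME target or None."""
    out = subprocess.run(["dig", "+short", "CNAME", name],
                         capture_output=True, text=True, timeout=10).stdout
    answers = out.split()
    return norm(answers[0]) if answers else None

def check_dkim_records(domain, expected, resolve=dig_cname):
    """Compare the CNAMEs SES asked for with what DNS actually answers.

    expected: {record name: target} as copied from the SES console.
    resolve:  callable(name) -> target or None, injectable for offline use.
    """
    domain, report = norm(domain), {}
    for name, target in expected.items():
        name, target = norm(name), norm(target)
        answer = resolve(name)
        if answer is not None and norm(answer) == target:
            report[name] = "ok"
        elif answer is not None:
            report[name] = f"wrong target: {norm(answer)}"
        elif resolve(f"{name}.{domain}") is not None:
            # Some DNS consoles append the zone name to whatever is typed.
            report[name] = f"zone suffix doubled: {name}.{domain}"
        else:
            report[name] = "missing (not created, or not propagated yet)"
    return report

# Constructed sample with placeholder tokens, not real SES values.
EXPECTED = {
    "token1._domainkey.example.com": "token1.dkim.amazonses.com.",
    "token2._domainkey.example.com": "token2.dkim.amazonses.com",
    "token3._domainkey.example.com": "token3.dkim.amazonses.com",
}
PUBLISHED = {  # stands in for what the DNS provider currently serves
    "token1._domainkey.example.com": "token1.dkim.amazonses.com",
    "token2._domainkey.example.com.example.com": "token2.dkim.amazonses.com",
}

if __name__ == "__main__":
    for record, status in check_dkim_records("example.com", EXPECTED, PUBLISHED.get).items():
        print(record, "->", status)
```

Calling `check_dkim_records(domain, expected)` without the third argument performs real lookups through `dig`.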
Next, generate SMTP credentials in AWS IAM to consume the SES service from your application.
Navigate to the SES dashboard and click on the button labeled “Create SMTP Credentials”.
When generating the credentials, you will also see important information like:
SMTP Endpoint: This is the endpoint to which you will connect for sending emails (e.g., email-smtp.<region>.amazonaws.com).
TLS Ports: SES supports multiple ports, but it's recommended to use 587 for secure communication with TLS.
Once the SMTP credentials are created, be sure to store them securely. These credentials will be required for configuring your email relay service in WorkSpaces Manager, allowing the application to send emails through AWS SES. Store them in a secure location, such as AWS Secrets Manager or another secure credential storage system, to prevent unauthorized access.
For the SMTP credentials, we are creating an IAM User in the AWS account with SES Sending permissions. It is crucial to save these credentials in a secure location, as they will only be displayed once during creation. You can choose to download them in a CSV file at this point for safekeeping.
Ensure that the credentials are stored securely, such as in AWS Secrets Manager or another credential management system, as they will be needed to configure email services in your application. If lost, the credentials cannot be retrieved, and you will need to generate new ones.
You can verify that the email flow is working by clicking on the “Send test email” option in the SES dashboard. This allows you to send a test email using the newly created SMTP credentials to ensure everything is correctly configured and that emails can be sent from your domain.
Fill out the necessary fields, such as the recipient's email address, subject, and body, and send the test email. If successful, you'll receive the test message, confirming that the SES setup and email flow are working properly.
When sending a test email through the SES dashboard, there are several options you can explore to customize the test:
Recipient Email: Specify the email address where you want to send the test email.
Subject: Enter a subject line to test how it appears in the recipient's inbox.
Body: You can choose to send plain text or HTML content to see how the email is rendered.
From Email Address: Verify the sender domain and email format.
Headers: Test additional email headers like custom or reply-to fields.
Feel free to investigate each of these options to better understand how the emails will appear to recipients and to confirm that everything is functioning as expected.
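To exercise the same path WorkSpaces Manager will use (SES SMTP endpoint, port 587, TLS, SMTP credentials), a short script can send the test message directly. This is an added example, not part of the original guide: the environment variable names and function names are hypothetical, and the endpoint check follows the `email-smtp.<region>.amazonaws.com` format given on this page.

```python
import os
import re
import smtplib
import ssl
from email.message import EmailMessage

SES_HOST = re.compile(r"^email-smtp\.[a-z0-9-]+\.amazonaws\.com$")

def check_settings(host, port, encryption):
    """List deviations from this guide's settings before any connection is made."""
    problems = []
    if not SES_HOST.match(host):
        problems.append("endpoint is not email-smtp.<region>.amazonaws.com")
    if port != 587:
        problems.append("port is not the recommended 587")
    if encryption.upper() != "TLS":
        problems.append("encryption is not set to TLS")
    return problems

def build_test_message(sender, recipient):
    msg = EmailMessage()
    msg["From"], msg["To"] = sender, recipient
    msg["Subject"] = "SES SMTP relay test"
    msg.set_content("Sent through the SES SMTP endpoint with STARTTLS.")
    return msg

def send_test(host, port, user, password, msg):
    """Send msg, refusing to log in unless the session was upgraded to TLS."""
    ctx = ssl.create_default_context()  # verifies certificate chain and host name
    with smtplib.SMTP(host, port, timeout=20) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            raise RuntimeError("STARTTLS not offered; credentials not sent")
        smtp.starttls(context=ctx)
        smtp.ehlo()  # re-identify over the encrypted channel
        smtp.login(user, password)
        return smtp.send_message(msg)  # empty dict: every recipient accepted

if __name__ == "__main__":
    # Hypothetical variable names; the secret stays out of the script itself.
    host = os.environ["SES_SMTP_HOST"]
    port = int(os.environ.get("SES_SMTP_PORT", "587"))
    for problem in check_settings(host, port, "TLS"):
        print("warning:", problem)
    msg = build_test_message(os.environ["SES_FROM"], os.environ["SES_TO"])
    refused = send_test(host, port, os.environ["SES_SMTP_USER"],
                        os.environ["SES_SMTP_PASS"], msg)
    print("refused recipients:", refused or "none")
```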
It is important to note that when a new SES Identity is created, it is initially placed in "Sandbox" mode. This means that the domain can only send emails to and from verified email addresses within the same registered domain.
To remove these restrictions and send emails to any recipient, you will need to request production access from AWS. Once granted, your SES account will no longer be limited to the sandbox and can send emails to a broader audience.
If you need to send emails to different DNS domains, you must contact AWS Support and request to convert the domain from “Sandbox” to “Production” mode, as outlined in the AWS documentation: Requesting Production Access for Amazon SES.
Once you have obtained production access, you can use the SMTP credentials generated earlier to configure WorkSpaces Manager. Populate the following fields in the WorkSpaces Manager configuration:
SMTP Endpoint: The endpoint provided by SES (e.g., email-smtp.<region>.amazonaws.com).
Username and Password: Use the SMTP credentials created in IAM.
Port: Typically 587 for TLS.
Encryption: Set to TLS to secure email communication.
This will enable WorkSpaces Manager to send emails through SES with the newly configured SMTP relay.