# AWS SES Setup Guide: Domain Verification, SMTP Configuration, DKIM, SPF & DMARC

Email delivery is a critical component of modern applications. Whether you're sending OTPs, transactional notifications, account alerts, invoices, or marketing campaigns, reliable email delivery is essential.

In this guide, we'll walk through the complete setup of Amazon Simple Email Service (AWS SES), including domain verification, DKIM, SPF, DMARC, SMTP credentials, and production access.

---

What is AWS SES?

Amazon Simple Email Service (AWS SES) is a cloud-based email service that enables businesses and developers to send and receive emails securely and at scale.

Key Benefits

• Cost-effective email delivery
• High deliverability
• SMTP and API support
• Easy integration with applications
• Reputation monitoring
• Scalable infrastructure
• Security through SPF, DKIM, and DMARC

---

Step 1: Before You Start

Before configuring AWS SES, complete the following prerequisites.

Login to AWS Console

Sign in to your AWS account and select the correct region.

Select AWS Region

For users in India, use:

Asia Pacific (Mumbai) – ap-south-1

Important:
SMTP credentials are region-specific.
For SMTP and SMS credential generation, it is recommended to use the Mumbai (ap-south-1) region.

Create Identity Using Your Domain

Example:

alerts.yourcompany.com

AWS SES uses this domain identity for email authentication and reputation management.

---

Step 2: Create Domain Identity

1. Open AWS Console
2. Search for SES
3. Open Amazon Simple Email Service
4. Navigate to Verified Identities
5. Click Create Identity
6. Select Identity Type → Domain
7. Enter your domain

Example:

alerts.yourcompany.com

1. Enable Easy DKIM
2. Click Create Identity

AWS SES will generate:

• TXT record for domain verification
• Three DKIM CNAME records

---

Step 3: Configure DNS Records

Add the records generated by SES to your DNS provider.

TXT Record (Domain Verification)

Type: TXT
Value: amazonses-verification-token

DKIM Records

Type: CNAME
Count: 3

AWS provides these automatically.

SPF Record

Type: TXT

Value:
v=spf1 include:amazonses.com -all

SPF authorizes Amazon SES to send emails on behalf of your domain.

---

Step 4: Route 53 Configuration (Optional)

If your domain is hosted in Route 53:

1. Open Route 53
2. Select Hosted Zone
3. Add TXT verification record
4. Add DKIM CNAME records
5. Save changes

DNS propagation generally completes within:

5–15 minutes

---

Step 5: Configure Custom MAIL FROM Domain

Using a custom MAIL FROM domain improves deliverability and branding.

Example:

mail.alerts.yourcompany.com

Navigate to:

SES → Verified Identities → Domain → MAIL FROM Domain

Select:

Use Custom MAIL FROM Domain

Add MX Record

Type: MX

Value:
10 feedback-smtp.ap-south-1.amazonses.com

Add SPF Record

Type: TXT

Value:
v=spf1 include:amazonses.com -all

---

Step 6: Create Configuration Set (Optional but Recommended for monitoring)

Configuration Sets help monitor:

• Deliverability
• Bounce rates
• Complaint rates
• Reputation metrics

Steps:

1. Open SES
2. Navigate to Configuration Sets
3. Click Create Configuration Set
4. Enter a name

Example:

alerts-config

1. Enable Reputation Metrics
2. Attach SNS or CloudWatch event destinations

---

Step 7: Request Production Access

New AWS SES accounts start in Sandbox Mode.

Sandbox restrictions:

• Can only send to verified email addresses
• Limited sending quotas

To move to production:

1. Open SES Dashboard
2. Select Request Production Access
3. Fill in:

Use Case: Transactional Emails
Email Type: Transactional
Website: https://yourcompany.com

Approval typically takes:

2–24 hours

---

Step 8: Create SMTP Credentials

Navigate to:

SES → SMTP Settings

Click:

Create SMTP Credentials

AWS creates an IAM user and generates:

• SMTP Username
• SMTP Password

SMTP Endpoint (Mumbai Region)

Host:
email-smtp.ap-south-1.amazonaws.com

Port:
587

Encryption:
TLS

Important

Always use the SMTP endpoint that matches the region where credentials were generated.

---

Step 9: Test Email Delivery

You can test email delivery using:

Option 1

SMTP integration from your application.

Option 2

AWS SES test email functionality.

Option 3

Python Boto3 SDK.

After receiving the email:

Open Gmail → Show Original

Verify:

SPF: PASS
DKIM: PASS
DMARC: PASS

---

Step 10: Configure DMARC

DMARC adds an additional layer of protection against email spoofing.

Create:

Type: TXT

Host:
_dmarc.alerts.yourcompany.com

Value:
v=DMARC1; p=none; rua=mailto:admin@yourcompany.com;

After monitoring reports, you can move from:

p=none

to

p=quarantine

and eventually

p=reject

for stronger protection.

---

Email Deliverability Best Practices

Warm Up New Domains

Start with:

10–20 emails per day

and gradually increase volume.

Maintain Low Bounce Rates

Recommended:

Bounce Rate < 5%

Maintain Low Complaint Rates

Recommended:

Complaint Rate < 0.1%

Send Multipart Emails

Always send:

• HTML version
• Plain text version

Monitor Reputation Dashboard

Review:

• Delivery rates
• Bounce rates
• Complaint rates
• Reputation status

regularly.

---

High-Level Email Flow

Application
      ↓
AWS SES
      ↓
Domain Verification
      ↓
SPF + DKIM + DMARC
      ↓
Recipient Inbox
      ↓
High Deliverability

---

Conclusion

AWS SES provides a reliable, scalable, and cost-effective solution for sending transactional and notification emails. By properly configuring Domain Verification, DKIM, SPF, DMARC, Custom MAIL FROM, and SMTP credentials, you can significantly improve email deliverability and protect your domain reputation.

If you're building SaaS platforms, ERP systems, notification services, fintech applications, or customer communication platforms, AWS SES is one of the most efficient email delivery services available today.