Simplifying Email Receiving and Routing with Amazon SES

Overview

Amazon Simple Email Service (Amazon SES) is a cost-effective, flexible, and scalable cloud-based email service that enables businesses to send and receive email using their domain. While sending email is a common use case, many organizations also need to receive and process incoming email for various applications like support tickets, email-based automation, or routing messages.

This blog will guide you through the essentials of setting up email receiving in Amazon SES, focusing on domain and email identity verification, DomainKeys Identified Mail (DKIM) setup, Custom MAIL FROM Domain configuration, and updating the required Mail Exchanger (MX) and TXT DNS (Domain Name System) records provided by Amazon SES for that specific identity.

Introduction

Amazon SES (Simple Email Service) offers more than email sending, it also supports email receiving, enabling users to build automated workflows using AWS services like AWS Lambda, Amazon S3, and Amazon SNS. You must create and verify your domain identity and configure MX records to receive emails. These steps allow Amazon SES to accept and process incoming messages for your domain. This makes Amazon SES a powerful tool for building scalable, event-driven email applications in the cloud.

DomainKeys Identified Mail (DKIM) is an email authentication standard that ensures the domain owner genuinely authorizes an email claiming to originate from a specific domain.

MX (Mail Exchange) Records are DNS entries that direct email traffic for a domain to the correct mail server. When someone sends an email to your domain, MX records determine which server should receive and handle that email. Configuring MX records properly ensures emails are routed to Amazon SES for processing.

TXT Records are DNS entries that allow domain owners to store text-based information in their DNS. They are commonly used for email authentication mechanisms like SPF, DKIM, and DMARC. In the case of Amazon SES, TXT records are used to prove domain ownership and publish the DKIM public key to verify signed emails.

To start receiving emails using Amazon SES, three main steps are involved:

• Verifying your domain and creating an email identity to be used as the sender (From address)
• Enabling DKIM and configuring a custom MAIL FROM domain for the identity
• Updating the domain’s MX and TXT DNS records to route and authenticate email properly

Step-by-Step Configuration

1. Domain Verification for Receiving Emails

You must prove domain ownership before Amazon SES can process incoming mail for your domain. This verification is separate from the verification required to send an email.

Steps:

• Open the Amazon SES Console.
• Navigate to Email Receiving → Domains.
• Click “Verify a New Domain”.
• AWS will generate the MX and TXT DNS records. Copy this.
• Add the MX and TXT records to your domain’s DNS using your DNS provider (Amazon Route 53, GoDaddy, Cloudflare, etc.).
• Wait for AWS to validate the domain.

Once the record is detected, the domain is marked as verified, and Amazon SES is ready to accept mail, provided other steps are completed.

Tip: DNS changes can take a few minutes to a few hours to propagate globally. You can use tools like dig or online DNS checkers to verify propagation status.

2. Creating a Sender Identity and Enabling DKIM

Once the domain is verified, the next step (especially for email sending) is to create an identity, typically an email address like noreply@yourdomain.com, that will be used as the “From” address.

• Navigate to Amazon SES → Verified Identities.
• Choose “Create Identity” → Email address, and enter an email like info@yourdomain.com.
• If the email address domain matches the already-verified domain, Amazon SES will automatically verify DKIM (DomainKeys Identified Mail) for that identity.
• DKIM helps ensure the email is not tampered with in transit and improves email deliverability by authenticating the source.

3. Setting Up a Custom MAIL FROM Domain

To further improve email reputation and ensure bounce handling and SPF alignment, it’s recommended that a custom MAIL FROM domain be configured.

Steps to configure:

1. Go to Amazon SES → Verified Identities and click the identity you created.
2. Scroll to the “MAIL FROM Domain” section and click Edit.
3. Check “Use a custom MAIL FROM domain”.
4. Enter a subdomain (e.g., mail.yourdomain.com) that will be used as the MAIL FROM address.
5. Under Behavior on MX failure, choose “Use default MAIL FROM domain” to provide fallback safety.
6. Click Save.

Amazon SES will now generate two DNS records that need to be published at your domain’s DNS level:

• An MX record pointing to Amazon SES’s inbound mail endpoint.
• A TXT record used for SPF verification (v=spf1 include:amazonses.com -all).

These records ensure that mail sent using your domain complies with sender authentication frameworks like SPF and that bounce messages are properly routed.

Note: These DNS records must be added correctly to your domain’s DNS settings. Failure to do so may result in email delivery issues, SPF failures, or the inability to track bounces.

Conclusion

Setting up email receiving in Amazon SES involves more than just domain verification, it requires configuring a complete sender identity with DKIM, setting up a custom MAIL FROM domain, and publishing the necessary DNS records (MX and TXT) to ensure proper email routing and authentication. These steps help improve email deliverability, align with SPF and DKIM standards, and enable advanced workflows through integration with other AWS services like AWS Lambda, Amazon S3, and Amazon SNS. With Amazon SES, organizations can build reliable, scalable, and fully managed inbound email pipelines within a secure and compliant AWS environment.

Drop a query if you have any questions regarding Amazon SES and we will get back to you quickly.

About CloudThat