AWS Simple Email Service – SES


  • SES is a fully managed, cloud-based email service that provides an easy, cost-effective way to send and receive email using your own email addresses and domains.
  • can be used to send both transactional and marketing emails securely, and globally at scale.
  • processes over a trillion emails each year for customers worldwide across various industries.
  • acts as an outbound email server and eliminates the need to support your own software or applications to do the heavy lifting of email transport.
  • acts as an inbound email server to receive emails that can help develop software solutions such as email autoresponders, email unsubscribe systems, and applications that generate customer support tickets from incoming emails.
  • existing email server can also be configured to send outgoing emails through SES with no change in any settings in the email clients.
  • Maximum message size including attachments is 40 MB per message (after base64 encoding) when using the SESv2 API or SMTP.
  • integrated with CloudWatch, CloudTrail, Amazon EventBridge, and Amazon SNS for monitoring and notifications.
  • available in 24 AWS Regions, including AWS GovCloud (US) Regions.

SES Key Features

  • Compatible with SMTP
  • Applications can send email using the SES API (v2 recommended), AWS SDKs in many supported languages (Java, .NET, PHP, Python, Ruby, Go, JavaScript), or the AWS CLI.
  • Optimized for the highest levels of uptime and availability, and scales with demand.
  • Provides sandbox environment for testing.
  • provides Reputation dashboard, performance insights, anti-spam feedback.
  • provides statistics on email deliveries, bounces, feedback loop results, emails opened, clicks, etc.
  • supports DomainKeys Identified Mail (DKIM), Sender Policy Framework (SPF), and Domain-based Message Authentication, Reporting and Conformance (DMARC).
  • supports flexible deployment: shared, dedicated, and managed dedicated IPs (M-DIPs).
  • supports attachments with many popular content formats, including documents, images, audio, and video, and scans every attachment for viruses and malware.
  • integrates with KMS to provide the ability to encrypt the mail that it writes to the S3 bucket.
  • uses client-side encryption to encrypt the mail before it sends the email to S3.
  • supports inline email templates directly within API requests, eliminating the need to manage template resources separately.
  • supports HTTPS custom tracking domains for open and click tracking.
  • supports configurable maximum delivery time for time-sensitive messages.
  • enables customers to connect an SES SMTP endpoint to a VPC through a VPC endpoint powered by AWS PrivateLink.

SES v2 API

  • AWS recommends using the SESv2 API for all new implementations.
  • While SESv1 API continues to be supported, all new features and capabilities are only available through the SESv2 API.
  • SESv2 API supports email size of up to 40 MB for both inbound and outbound emails by default.
  • Migrating to SESv2 API provides access to features like Virtual Deliverability Manager, Mail Manager, Tenants, and Global Endpoints.

Virtual Deliverability Manager (VDM)

  • VDM is an SES feature that helps enhance email deliverability by providing insights into sending and delivery data.
  • provides three core components:
    • Deliverability Insights – view at-a-glance reports on sending and delivery data (bounce rates, opens, clicks) broken down by ISP, sender identity, and configuration set.
    • Recommendations – notifies senders of deliverability issues and provides actionable recommendations (e.g., DKIM, DMARC configuration issues, BIMI gap detection).
    • Automatic Implementation – option to allow SES to automatically implement email deliverability improvements like optimizing delivery patterns.
  • includes automated complaint rate insights as an early warning system to protect sender reputation.
  • tracks every email’s journey, uncovering opportunities to improve delivery and engagement rates.

Mail Manager

  • Mail Manager (launched May 2024) provides comprehensive tools to simplify managing large volumes of email communications.
  • acts as a centralized email gateway for routing, filtering, archiving, and compliance across inbound, outbound, and internal email.
  • Key capabilities include:
    • Ingress Endpoints – dedicated email ingress points with IP filtering, TLS, and mutual TLS (mTLS) authentication support.
    • Rules Engine – powerful rule-based email processing with conditions and actions for routing, archiving, and security enforcement.
    • Traffic Policies – enforce sophisticated email traffic filtering policies.
    • SMTP Relay – relay emails to Google Workspace, Microsoft 365, or other email destinations.
    • Email Archiving – flexible archiving features to meet compliance and record-keeping requirements.
    • Full Lifecycle Logging – end-to-end logging to CloudWatch, S3, and Firehose.
  • integrates with Amazon Q Business for email indexing and queries.
  • supports email journaling and echo spoofing prevention.
  • available in 17+ AWS Regions including AWS GovCloud (US).
  • supports Lambda function invocation and Bounce actions directly in rules (added April 2026).

Global Endpoints

  • Global Endpoints (launched December 2024) provides multi-region resilience for email sending.
  • allows customers to add a secondary Region, dividing workloads equally in a load-balanced state.
  • if either Region suffers an outage, traffic automatically shifts to the healthy Region with no customer intervention.
  • both Regions develop warmed-up IPs in parallel, ensuring both are ready to support 100% of workload at any time.
  • synchronizes critical parameters between chosen Regions automatically.
  • compatible with Virtual Deliverability Manager (VDM) and Dedicated IPs (DIPs/M-DIPs).

Tenant Management

  • SES Tenant Management (launched August 2025) enables isolation and reputation management at the individual tenant level.
  • allows creation of up to 10,000 isolated tenants within a single AWS account (increasable to 300,000 on request).
  • each tenant can have its own email identities, configuration sets, templates, and independent reputation metrics.
  • addresses the challenge where one tenant’s poor email practices could previously pause an entire SES account.
  • includes automated pause mechanism to limit damage from problematic senders.
  • enables organizations to manage multiple email streams independently while maintaining centralized oversight.

Dedicated IPs

  • SES supports three types of IP deployment:
    • Shared IPs – default, cost-effective option; reputation determined by all emails sent from the shared pool.
    • Dedicated IPs (Standard) – customer leases dedicated IPs for sole sending reputation control; requires manual warm-up.
    • Dedicated IPs (Managed / M-DIPs) – AWS automates provisioning, warming up, and scaling of dedicated IPs; pool automatically scales based on usage and ISP policies.
  • Managed Dedicated IPs eliminate manual support cases and handle IP warmup per ISP individually.

Email Authentication & Bulk Sender Requirements

  • Gmail and Yahoo implemented new requirements for bulk senders (5,000+ messages/day) effective February 2024, with Microsoft following in May 2025.
  • Requirements include:
    • Domain Authentication – SPF, DKIM passing; DMARC record with at least p=none.
    • One-Click Unsubscribe – RFC 8058 List-Unsubscribe and List-Unsubscribe-Post headers required for bulk/marketing mail.
    • Low Complaint Rates – spam complaint rates must stay under 0.3% threshold.
  • SES supports one-click unsubscribe through the subscription management feature and List-Unsubscribe headers.
  • SES supports BIMI (Brand Indicators for Message Identification) with VDM gap detection.
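
A pre-send check for the requirements listed above, as an added example (not code from SES or from this page). It validates the RFC 8058 headers, the DMARC TXT record and the complaint-rate counters; it does not verify that SPF or DKIM actually pass, and the addresses, token and function names are constructed for illustration.

```python
import re
from email.message import EmailMessage

COMPLAINT_RATE_LIMIT = 0.003  # the 0.3% threshold from the list above
DMARC_POLICIES = {"none", "quarantine", "reject"}

def parse_dmarc(txt):
    """Return the tag dict of a DMARC TXT record, or None if it is not one."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v") == "DMARC1" else None

def check_one_click(msg):
    """RFC 8058: an HTTPS URI in List-Unsubscribe plus the fixed Post header."""
    problems = []
    uris = re.findall(r"<([^>]+)>", msg.get("List-Unsubscribe", ""))
    if not any(u.lower().startswith("https://") for u in uris):
        problems.append("List-Unsubscribe has no HTTPS URI")
    if msg.get("List-Unsubscribe-Post", "").strip() != "List-Unsubscribe=One-Click":
        problems.append("List-Unsubscribe-Post is missing or wrong")
    return problems

def bulk_sender_report(msg, dmarc_txt, sent, complaints):
    """Collect every requirement the message, record and counters fail."""
    problems = check_one_click(msg)
    tags = parse_dmarc(dmarc_txt)
    if tags is None or tags.get("p", "").lower() not in DMARC_POLICIES:
        problems.append("no DMARC record with at least p=none")
    if sent and complaints / sent >= COMPLAINT_RATE_LIMIT:
        problems.append(f"complaint rate {complaints / sent:.2%} is not under 0.3%")
    return problems

def build_sample(one_click=True):
    """Constructed marketing message; addresses and token are placeholders."""
    msg = EmailMessage()
    msg["From"] = "news@example.com"
    msg["To"] = "user@example.net"
    msg["Subject"] = "Monthly update"
    msg["List-Unsubscribe"] = "<https://example.com/unsub?t=TOKEN>, <mailto:unsub@example.com>"
    if one_click:
        msg["List-Unsubscribe-Post"] = "List-Unsubscribe=One-Click"
    msg.set_content("Hello")
    return msg

if __name__ == "__main__":
    print(bulk_sender_report(build_sample(), "v=DMARC1; p=none", 1000, 2))
    print(bulk_sender_report(build_sample(False), "v=spf1 -all", 1000, 5))
```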

Event Publishing & Monitoring

  • SES can publish email sending events to multiple destinations:
    • Amazon CloudWatch
    • Amazon Data Firehose
    • Amazon SNS
    • Amazon EventBridge (added June 2024) – enables routing events to any EventBridge-supported service.
  • Supported event types include: Send, Delivery, Bounce, Complaint, Open, Click, Rendering Failure, Delivery Delay, Subscription.
  • VDM Advisor recommendations are also published to EventBridge.
  • supports custom values in feedback headers for better tracking transparency.
  • TLS version auto-tagging for outgoing messages provides visibility into connection security.

Sending Limits

  • Production SES has a set of sending limits which include:
    • Sending Quota – max number of emails in a 24-hour period.
    • Maximum Send Rate – max number of emails per second.
  • SES automatically adjusts the limits upward as long as emails are of high quality and are sent in a controlled manner, because a sudden spike in the volume of email sent might be considered spam.
  • Limits can also be raised by submitting a Quota increase request.

Email Receiving

  • SES provides complete control over which emails are accepted and what to do with them.
  • Accept or reject mail based on email address, IP address, or domain of the sender.
  • After accepting email, actions include:
    • Store in an Amazon S3 bucket
    • Execute custom code using AWS Lambda
    • Publish notifications to Amazon SNS
    • Route through Mail Manager rules for advanced processing
  • Mail Manager extends receiving capabilities with SMTP relay to Google Workspace, Microsoft 365, or Amazon Connect.

SES Best Practices

  • Send high-quality and real production content that the recipients want.
  • Only send to those who have signed up for the mail.
  • Implement one-click unsubscribe (RFC 8058) for bulk/marketing emails to comply with Gmail/Yahoo/Microsoft requirements.
  • Unsubscribe recipients who have not interacted with the business recently.
  • Keep bounce and complaint rates low: use SNS or EventBridge to monitor bounces and complaints, remove addresses that bounce or complain, and treat them as an opt-out.
  • Implement SPF, DKIM, and DMARC authentication for all sending domains.
  • Monitor the sending activity using VDM dashboards and reputation metrics.
  • Keep spam complaint rates below 0.3%.
  • Use Global Endpoints for multi-region resilience for critical email workloads.
  • Use Tenant Management to isolate reputation for multi-tenant email platforms.
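
One way to treat bounces and complaints as an opt-out, as the list above recommends (an added example, not code from SES or from this page). It assumes SES feedback arrives as SNS records in a Lambda-style event; the function names and sample addresses are constructed, and suppressing only permanent bounces is a choice made for this example.

```python
import json

def recipients_to_suppress(sns_message):
    """Addresses to opt out, from one SES bounce/complaint JSON document."""
    body = json.loads(sns_message)
    # SNS feedback notifications use "notificationType"; configuration-set
    # event publishing uses "eventType" for the same objects.
    kind = body.get("notificationType") or body.get("eventType")
    if kind == "Bounce":
        bounce = body.get("bounce", {})
        # Choice made for this example: only permanent (hard) bounces are
        # suppressed; transient ones such as a full mailbox may recover.
        if bounce.get("bounceType") != "Permanent":
            return set()
        recipients = bounce.get("bouncedRecipients", [])
    elif kind == "Complaint":
        recipients = body.get("complaint", {}).get("complainedRecipients", [])
    else:
        return set()  # Delivery, Send, Open and similar need no opt-out
    # Lower-casing is a normalisation choice so duplicates collapse.
    return {r["emailAddress"].strip().lower() for r in recipients}

def handle_sns_event(event, suppression):
    """Lambda-style entry point: fold a batch of SNS records into the set."""
    for record in event.get("Records", []):
        try:
            suppression |= recipients_to_suppress(record["Sns"]["Message"])
        except (KeyError, TypeError, ValueError, AttributeError):
            continue  # malformed record: skip it, keep processing the batch
    return suppression

def sample_event():
    """Constructed batch: hard bounce, soft bounce, complaint, delivery, junk."""
    docs = [
        {"notificationType": "Bounce", "bounce": {"bounceType": "Permanent",
            "bouncedRecipients": [{"emailAddress": "Gone@Example.com"}]}},
        {"notificationType": "Bounce", "bounce": {"bounceType": "Transient",
            "bouncedRecipients": [{"emailAddress": "full@example.com"}]}},
        {"eventType": "Complaint", "complaint": {
            "complainedRecipients": [{"emailAddress": "angry@example.org"}]}},
        {"notificationType": "Delivery", "delivery": {}},
    ]
    records = [{"Sns": {"Message": json.dumps(d)}} for d in docs]
    records.append({"Sns": {"Message": "not json"}})
    return {"Records": records}

if __name__ == "__main__":
    print(sorted(handle_sns_event(sample_event(), set())))
```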

Amazon Pinpoint Migration Note

  • Amazon Pinpoint will reach end of support on October 30, 2026 (no new customers accepted since May 20, 2025).
  • For email capabilities, customers should migrate to Amazon SES with:
    • SES for transactional and bulk email sending
    • SES Tenant Management for multi-tenant isolation
    • SES Mail Manager for routing and compliance
    • AWS End User Messaging for SMS/push notification channels

AWS Certification Exam Practice Questions

  • Questions are collected from the Internet and the answers are marked as per my knowledge and understanding (which might differ from yours).
  • AWS services are updated every day and both the answers and questions might be outdated soon, so research accordingly.
  • AWS exam questions are not updated to keep pace with AWS updates, so even if the underlying feature has changed, the question might not be updated.
  • Open to further feedback, discussion and correction.
  1. What does Amazon SES stand for?
    1. Simple Elastic Server
    2. Simple Email Service
    3. Software Email Solution
    4. Software Enabled Server
  2. Your startup wants to implement an order fulfillment process for selling a personalized gadget that needs an average of 3-4 days to produce, with some orders taking up to 6 months. You expect 10 orders per day on your first day, 1000 orders per day after 6 months and 10,000 orders after 12 months. Orders coming in are checked for consistency, then dispatched to your manufacturing plant for production, quality control, packaging, shipment and payment processing. If the product does not meet the quality standards at any stage of the process, employees may force the process to repeat a step. Customers are notified via email about order status and any critical issues with their orders, such as payment failure. Your case architecture includes AWS Elastic Beanstalk for your website with an RDS MySQL instance for customer data and orders. How can you implement the order fulfillment process while making sure that the emails are delivered reliably? [PROFESSIONAL]
    1. Add a business process management application to your Elastic Beanstalk app servers and re-use the RDS database for tracking order status. Use one of the Elastic Beanstalk instances to send emails to customers.
    2. Use SWF with an Auto Scaling group of activity workers and a decider instance in another Auto Scaling group with min/max=1. Use the decider instance to send emails to customers.
    3. Use SWF with an Auto Scaling group of activity workers and a decider instance in another Auto Scaling group with min/max=1. Use SES to send emails to customers.
    4. Use an SQS queue to manage all process tasks. Use an Auto Scaling group of EC2 instances that poll the tasks and execute them. Use SES to send emails to customers.
  3. A company sends millions of marketing emails daily using Amazon SES. They need to ensure emails continue to be delivered even if one AWS Region experiences an outage. What SES feature should they use?
    1. Virtual Deliverability Manager with automatic recommendations
    2. Dedicated IPs (Managed) with automatic warmup
    3. Global Endpoints with a primary and secondary Region configuration
    4. Mail Manager with SMTP relay to multiple regions
  4. A SaaS company uses Amazon SES to send emails on behalf of hundreds of customers. They want to ensure that one customer’s poor email practices do not affect the sending reputation of other customers. What is the MOST appropriate solution?
    1. Create separate AWS accounts for each customer
    2. Use separate configuration sets for each customer
    3. Use dedicated IPs for each customer
    4. Use SES Tenant Management to create isolated tenants with independent reputation metrics
  5. A company needs to process incoming emails, archive them for compliance, apply security filtering, and route them to different internal systems based on recipient addresses. Which Amazon SES feature provides this capability?
    1. SES receipt rules with S3 actions
    2. Virtual Deliverability Manager
    3. SES Mail Manager with ingress endpoints, traffic policies, and rules engine
    4. SES event publishing with EventBridge
  6. A company sending bulk marketing emails through Amazon SES notices that their inbox placement rate has dropped. They want SES to automatically optimize email delivery patterns without manual intervention. Which feature should they enable?
    1. Dedicated IPs (Managed)
    2. Mail Manager traffic policies
    3. Virtual Deliverability Manager with automatic implementation enabled
    4. Global Endpoints with load balancing
  7. Which of the following are requirements that Gmail and Yahoo enforce for bulk email senders since February 2024? (Select THREE)
    1. SPF and DKIM authentication with a DMARC record
    2. Use of dedicated IP addresses
    3. One-click unsubscribe support (RFC 8058)
    4. Use of the SESv2 API
    5. Spam complaint rate below 0.3%
    6. Mandatory use of VPC endpoints
