This is the second part of the series about the Simple Email Service (SES) from Amazon. In this part we will discuss:
SMTP settings and how to send emails from the SMTP Interface
Email authentication and a use case of using DKIM
Amazon SES mailbox simulator
As mentioned in the first part, you can send emails through Amazon SES using multiple ways. We saw how to use the SES console to do this but this method is not very fast and you cannot send emails to multiple recipients at once.
VMware Training – Resources (Intense)
To do so, you can use the SMTP Interface to configure an email client to send emails from or develop your own application that will send the emails.
To send emails through the SMTP Interface you will need this information:
SMTP usernames and passwords
SMTP port number
We will see later how this information is gathered or generated.
SES uses SMTP to send emails. Because SMTP doesn’t provide any authentication by itself, others can send emails pretending that the emails came from owners of the email addresses. There are two mechanisms that can be used to authenticate emails: Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM).
SPF provides a way to track the system from where the email was sent. To be SPF-compliant, the sender must publish one or more DNS entries to establish its identity. These records specify which IP addresses can send the emails. Then whenever an email is received, the sender’s IP address is compared with the DNS records.
DKIM allows the sender to sign the emails so that the recipient can verify if any third party altered the email. The email contains a DKIM signature header that encodes all or part of the email. The receiver decodes the signature by using the public key that is found in the sender’s DNS record.
We will see later how Amazon SES uses DKIM to authenticate emails.
SES provides a mailbox simulator that can allow the user to test how the application handles various scenarios without affecting the sending quota of 200 emails per day or the complaint metrics. The mailbox simulator is actually a set of test email addresses. Each email address simulates a specific scenario.
You can simulate the following:
Success – the recipient accepts the email.
Bounce – the recipient rejects the email with an SMTP 550 5.1.1 response code (unknown user).
Out of office – the recipient accepts the email but cannot reply immediately.
Complaint – the recipient accepts the email but doesn’t want to receive your email and marks it as spam.
Address on Suppression List – the sender’s email address is on the suppression list.
So let’s start by looking at how you can use the SMTP Interface to send emails and how you can configure an email client to perform the same.
First, let’s see what information we have available. From the SES console, select “SMTP Setting”. As you can see, we have information about the server name and the ports. To obtain the credentials, you need to click on “Create My SMTP Credentials”:
This will redirect you to the IAM Management Console where you can choose the IAM user name. There is a predefined username that you can use if you want:
If you expand the information section, you will see the IAM policy that is assigned to the username:
After the user is created, you will have access to the security credentials, which are different from regular credentials. We will need these security credentials later when we set up the email client:
The user for SMTP is now visible in the list of usernames in the IAM console:
Now, it’s time to setup the email client. In this case, we will use Microsoft Outlook. We will use the same email address from the vtep.net domain that we used in the first part of the series (firstname.lastname@example.org). You will also need the SMTP server and you can get this information from the “SMTP Settings” menu in the SES console. Click on “More Settings” to configure additional details about the email account:
In “Internet E-mail Settings” select the “Outgoing Server” and fill in the SMTP username and SMTP password that were provided as security credentials when the user for SMTP was created:
From the same window, select “Advanced” and fill in the details as shown below:
Click on OK, then uncheck “Test Account Settings by clicking the Next button” and click on “Next” to finish the process.
Once this is done, you can start sending emails from any email address from this domain to any already verified email address.
Let’s send an email from Microsoft Outlook to a verified email address:
On the verified email address, I can see that the email was received from the account that we configured in Microsoft Outlook:
Now, let’s move on and see how DKIM can be used with Amazon SES. You can either enable DKIM when you first verify an email address or a domain, or you can enable DKIM later on.
Because we already verified the domain, we are in the latter situation. So here is how it’s done. From the SES console, select the “Domains” menu, then select the verified domain and click on “View Details”:
You will have multiple sections containing different configuration options that you can use with the domains. We are interested in the DKIM section, so expand it. Click on “Generate DKIM Settings”:
Similar to domain verification, you will be asked to insert a few CNAME records in the DNS zone:
I inserted the new records in the zone that is kept in Amazon Route 53 next to the TXT record needed to verify the domain:
And very soon I received confirmation that the DKIM setup was successful:
Going back to the DKIM section of the domain details, you can see that DKIM verification status is verified, but it is disabled. Click on the link to enable it:
And now it’s done:
Sending the same email from the email client to the verified email address, I can see the DKIM header in the email. You will need to view the details of the email but how to do so varies depending on what your email client is or what public email service you use:
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; s=ug7nbtf4gccmlpwj322ax3p6ow6yfsug; d=amazonses.com; t=1439543068; h=From:To:Subject:Date:Message-ID:MIME-Version:Content-Type:Feedback-ID; bh=WkIY8H1HWC4fQCQ7ItOVN6am7TmY89ofu8lsNRXS6Y0=; b=Ri4ivBv2vPs3Wde8tW9TecA8eWWztjcOEm2pFGptqCLeK+pjaQdIti2ILmeQGYsU jVSy0g6XQ9Ygf4Gbw23RnSO+pdPCE5xn09IxMs4nezrZU1U7wZ07cVtCKzjnfSeDCyj xzzPtp84Se+OSEG7ahefdB58nusZ9TJ18zHLXXVY=
And we have now reached the end of the article and of the series.
Throughout the two parts of this series we saw what Amazon Simple Email Service is, its basic concepts, how we can verify an email address and a domain. We also saw how to use the SMTP Interface to send emails, discussed a little bit about authentication methods and how to implement DKIM.