# Set Up Amazon SES

> Use Amazon SES when you want AWS-native sending with full control over your sending identity, regional configuration, and bounce tracking through SNS notifications.

- Human page: https://mailrith.com/docs/setup-amazon-ses
- Markdown page: https://mailrith.com/docs/setup-amazon-ses.md
- Category: Campaigns & Delivery
- Reading time: 12 min read
- Last updated: 2026-07-13
- Related keywords: Set Up Amazon SES, Set Up Amazon SES documentation, Campaigns & Delivery, Campaigns & Delivery documentation, Mailrith documentation, Mailrith help, Before You Start, Mailrith Fields, AWS Setup, SNS Webhooks, Email Delivery Connections, Broadcasts, Sequences

## AI Agent Notes
- Use this article as step-by-step Mailrith product guidance, not as legal, financial, or deliverability advice unless the article says so.
- Preserve exact Mailrith UI labels from the steps when explaining a workflow.
- Prefer Mailrith's product term Subscribers when referring to people on an email list.

## What this guide covers
Connect Amazon SES to Mailrith with an IAM access key, a verified sender identity, and SNS webhook subscriptions for bounce and complaint tracking.

## Sections
- Before You Start
- Mailrith Fields
- AWS Setup
- SNS Webhooks

## Visual Reference
![Mailrith email delivery connections page showing connected services with action controls.](https://mailrith.com/docs/screenshots/email-delivery-connections.png)

The Email Delivery Connections page lists every connected service. From here you can add a connection, send a test email, view delivery-event links, and assign connections to workspaces.

## Before You Start

Amazon SES is the AWS email delivery service. Use Amazon SES with Mailrith when AWS already manages your domain, your team needs AWS-level control, or your sending setup must scale with strict identity and region settings.

Prepare these items in AWS before you create the Mailrith connection:

- **A verified sender identity:** in Amazon SES, verify your domain or the exact email address that you want to use as the From email. Domain verification is usually better because one verified domain can cover multiple sender addresses on your domain.
- **The correct AWS region:** SES identities are region-specific. If you verified your domain in `us-east-1`, enter that same region in Mailrith.
- **Production access:** new SES accounts may start in sandbox mode, which limits sending. Request production access in AWS before you send email to real subscribers.
- **An access key for sending:** create an IAM user or role that can send email through SES. Mailrith needs the Access Key ID and Secret Access Key from that IAM access key.
- **Permission to configure SNS:** to track bounces and complaints automatically, you need AWS permission to create or select SNS topics and subscribe those topics to Mailrith webhook URLs.

Avoid using a broad administrator key. A dedicated SES sending key is easier to rotate later and reduces risk if the credential is exposed.

## Mailrith Fields

In Mailrith, click [Email Delivery Connections](https://mailrith.com/docs/email-delivery-connections.md) in the left sidebar, click **Create Connection**, choose **Amazon SES** in **Select Email Delivery Service**, and fill in these fields in **Connect Email Delivery Service**:

- **Connection name:** an internal label, such as "Main SES Sender" or "Acme SES - us-east-1".
- **Region:** the AWS region where the SES identity is verified.
- **Access Key ID:** the public identifier for the IAM access key.
- **Secret Access Key:** the matching secret value. Mailrith stores this value securely and uses it only to send through SES.
- **From name:** the sender name that subscribers see in their inbox.
- **From email:** the sender email address. The verified identity in the selected region must allow this address.
- **Workspaces:** the workspaces that can use this SES connection.

## AWS Setup

1. Sign in to the AWS account that owns your domain or sender email address that Mailrith will use.
2. Use the region selector in the top-right corner of the AWS console to choose the region you want to send from, such as `us-east-1`. Keep this region visible because you will enter the same region in Mailrith.
3. Search for **Amazon SES** in the AWS console search bar and open the Amazon SES service.
4. Open **Verified identities**. If your domain or sender email address is already listed as verified in this region, open the identity and confirm that it covers the exact From email you plan to use in Mailrith.
5. If the identity is not verified yet, click **Create identity**, choose either **Domain** or **Email address**, enter your domain or sender email address, and continue.
6. For a domain identity, copy the DNS records that AWS provides and add them in your DNS provider. These records usually include DKIM records and may include other verification records. Wait until AWS shows the identity as verified before you test Mailrith.
7. For an email-address identity, open the verification email from AWS and click the confirmation link. This verifies only that exact address, not every address on your domain.
8. Check whether your SES account is still in sandbox mode. If AWS shows sandbox limits, request production access before you use this connection for real subscribers. Sandbox mode can block sending to people who are not verified test recipients.
9. Open the AWS console search bar again, search for **IAM**, and open **Identity and Access Management**.
10. Open **Users**, click **Create user**, and enter a clear name such as **mailrith-ses-sender**. Do not give this user AWS Console access if Mailrith will use the access key only for sending.
11. On the permissions step, choose **Attach policies directly**. Give this user only the SES sending permissions that Mailrith needs. If your AWS team manages custom policies, use a narrow policy that allows `ses:SendEmail` and `ses:SendRawEmail` for the verified identity. SNS permissions are needed only by the person who creates and connects the SNS topics in AWS, not by the access key stored in Mailrith for sending.
12. Review the user settings, click **Create user**, then open the newly created user.
13. Open the user's **Security credentials** tab and click **Create access key**.
14. When AWS asks for the access-key use case, choose **Other** or the closest non-console option, add a description such as **Mailrith email sending**, and create the key.
15. Copy both values immediately: **Access Key ID** and **Secret Access Key**. AWS will not show the secret value again after you leave this screen.
16. Return to [Email Delivery Connections](https://mailrith.com/docs/email-delivery-connections.md) in Mailrith, click **Create Connection**, choose **Amazon SES**, and enter the region, Access Key ID, Secret Access Key, From name, From email, and workspace assignments.
17. Click **Save**, then use **Send Test Email** from the connection row before you use the connection in a broadcast, sequence, or automation.

SES errors often come from a region mismatch. If the test send fails, confirm that the verified identity is in the same region as the Mailrith connection, the IAM permissions allow the From email, and SES production access is enabled for the sender you are testing.

## SNS Webhooks

Amazon SES sends bounce and complaint events through Amazon SNS. Mailrith provides separate webhook URLs for these event types so subscriber statuses can update automatically.

Use two SNS topics: one for bounces and one for complaints. Separate topics keep each SES event type connected to the correct Mailrith webhook.

### Copy The Mailrith Webhook URLs

1. In Mailrith, click **Email Delivery Connections**, find the SES connection row, and click **Webhooks**.
2. Copy the **Bounce Handling Webhook** URL.
3. Copy the **Spam Handling Webhook** URL. For Amazon SES, this URL handles complaint events.

### Create The Bounce Topic

1. In AWS, use the region selector in the top-right corner to choose the same region used by the Mailrith SES connection.
2. Search for **SNS** and open **Simple Notification Service**.
3. In the left sidebar, click **Topics**.
4. Click **Create topic**.
5. For **Type**, choose **Standard**. Do not choose FIFO for SES notifications.
6. For **Name**, enter a clear name such as **mailrith-ses-bounces**.
7. Leave the other settings unchanged unless your AWS team requires a specific setting.
8. Click **Create topic**.

### Subscribe The Bounce Topic

1. Open the new bounce topic.
2. Click **Create subscription**.
3. For **Protocol**, choose **HTTPS**.
4. For **Endpoint**, paste the Mailrith **Bounce Handling Webhook** URL.
5. Leave **Raw message delivery** turned off.
6. Leave the filter policy empty unless your AWS team has a specific reason to filter messages.
7. Click **Create subscription**.

### Create The Complaint Topic

1. Return to **Topics**.
2. Click **Create topic**.
3. For **Type**, choose **Standard**.
4. For **Name**, enter a clear name such as **mailrith-ses-complaints**.
5. Click **Create topic**.
6. Open the new complaint topic and click **Create subscription**.
7. For **Protocol**, choose **HTTPS**.
8. For **Endpoint**, paste the Mailrith **Spam Handling Webhook** URL.
9. Leave **Raw message delivery** turned off, then click **Create subscription**.

### Connect The Topics In Amazon SES

1. In AWS, open **Amazon SES** in the same region used by the Mailrith connection.
2. In the left sidebar, open **Configuration**, then click **Identities**.
3. Open the verified domain or email address used as the Mailrith From identity.
4. Open the **Notifications** tab.
5. In **Feedback notifications**, click **Edit**.
6. For **Bounce feedback**, choose the bounce SNS topic.
7. For **Complaint feedback**, choose the complaint SNS topic.
8. Leave **Delivery feedback** empty unless you have a separate reporting system that needs delivery events.
9. Click **Save changes**.

### Confirm The Subscriptions

1. Return to **Simple Notification Service**.
2. Click **Subscriptions**.
3. Find the bounce and complaint subscriptions by their endpoint URLs. They may show **PendingConfirmation** for a short time.
4. Wait until each subscription shows a subscription ID instead of **PendingConfirmation**. Mailrith automatically handles the SNS confirmation request when AWS reaches the webhook URL.
5. Send a controlled test before you rely on the connection for real subscribers. Use the AWS SES mailbox simulator addresses for bounce and complaint tests, or ask your AWS administrator for the safest test process for your account.

You usually do not need to edit the SNS topic access policy by hand. AWS normally adds the required SES publish permission when you connect the topic to the SES identity. Check the topic policy only if SES shows a publish permission error, the topic is in another AWS account, the topic uses a locked-down custom policy, or the topic uses KMS encryption.

Do not skip complaint tracking. Complaint events mean a subscriber marked a message as spam, and Mailrith stops sending to that address to protect your sender reputation.

## Related Guides
- [Email Delivery Connections](https://mailrith.com/docs/email-delivery-connections.md): You connect your own email delivery service. Mailrith then manages subscribers, campaigns, follow-up, and reports while that service sends the emails.
- [Broadcasts](https://mailrith.com/docs/broadcasts.md): Use broadcasts for newsletters, product launches, announcements, and any message you send once to selected subscribers. Compose, target, test, and send or schedule the campaign in one workflow.
- [Sequences](https://mailrith.com/docs/sequences.md): Sequences send a series of emails over time as subscribers move through the steps. Use sequences for onboarding, nurture campaigns, and educational content that should be sent over days or weeks.
