# Set Up Amazon SES

> Use Amazon SES when you want AWS-native sending with full control over your sending identity, regional configuration, and bounce tracking through SNS notifications.

- Human page: https://mailrith.com/docs/setup-amazon-ses
- Category: Campaigns & Delivery
- Reading time: 12 min read

## What this guide covers
Connect Amazon SES to Mailrith using an IAM access key, verified sender identity, and SNS webhook subscriptions for bounce and complaint tracking.

## Sections
- Before You Start
- Mailrith Fields
- AWS Setup
- SNS Webhooks

## Visual Reference
![Mailrith email delivery connections page showing connected providers with action controls.](https://mailrith.com/docs/screenshots/email-delivery-connections.png)

The Email Delivery Connections page lists every connected provider. From here you can add a new connection, send a test email, view webhook endpoints, and assign connections to workspaces.

## Before You Start

Amazon SES is AWS's email sending service. Use it with Mailrith when your domain is already managed in AWS, your team wants AWS-level control, or you need a provider that can scale with strict identity and region settings.

Prepare these items in AWS before creating the Mailrith connection:

- **A verified sender identity:** verify the domain or exact email address you want to use as the From email. Domain verification is usually better because it covers multiple sender addresses on the same domain.
- **The correct AWS region:** SES identities are region-specific. If you verified your domain in `us-east-1`, use that same region in Mailrith.
- **Production access:** new SES accounts may be in sandbox mode, which limits sending. Request production access in AWS before sending to real subscribers.
- **An access key for sending:** create an IAM user or role with permission to send email through SES. Mailrith needs the Access Key ID and Secret Access Key.
- **Permission to configure SNS:** if you want automatic bounce and complaint tracking, you need access to create or select SNS topics and subscribe them to Mailrith webhook URLs.

Do not use a broad administrator key if you can avoid it. A dedicated SES sending key is easier to rotate later and limits the risk if the credential is ever exposed.

## Mailrith Fields

In Mailrith, click [Email Delivery Connections](https://mailrith.com/docs/email-delivery-connections.md) in the left sidebar, click **Create Connection**, choose **Amazon SES** in **Select Email Delivery Service**, and fill these fields in **Connect Email Delivery Service**:

- **Connection name:** an internal label, such as "Main SES Sender" or "Acme SES - us-east-1".
- **Region:** the AWS region where your SES identity is verified.
- **Access Key ID:** the public identifier for the IAM access key.
- **Secret Access Key:** the matching secret value. Mailrith stores it securely and only needs it to send through SES.
- **From name:** the sender name subscribers see in their inbox.
- **From email:** the sender email address. It must be allowed by the verified identity in the selected region.
- **Workspaces:** the workspaces that are allowed to use this SES connection.

## AWS Setup

1. Sign in to the AWS account that owns the domain or sender email you want Mailrith to use.
2. Use the region selector in the top-right corner of the AWS console to choose the region where you want to send, such as `us-east-1`. Keep this region visible because you will enter the same region in Mailrith.
3. Search for **Amazon SES** in the AWS console search bar and open the Amazon SES service.
4. Open **Verified identities**. If your domain or sender email is already listed as verified in this region, open it and confirm it covers the exact From email you plan to use in Mailrith.
5. If the identity is not verified yet, click **Create identity**, choose either **Domain** or **Email address**, enter the domain or sender email, and continue.
6. For a domain identity, copy the DNS records AWS gives you and add them in your DNS provider. These records usually include DKIM records and may include additional verification records. Wait until AWS shows the identity as verified before testing Mailrith.
7. For an email-address identity, open the verification email from AWS and click the confirmation link. This only verifies that exact address, not every address on the domain.
8. Check whether your SES account is still in sandbox mode. If AWS shows sandbox limits, request production access before using this connection for real subscribers. Sandbox mode can block sending to people who are not verified test recipients.
9. Open the AWS console search bar again, search for **IAM**, and open **Identity and Access Management**.
10. Open **Users**, click **Create user**, and enter a clear name such as **mailrith-ses-sender**. You do not need to give this user AWS Console access if Mailrith will only use the access key for sending.
11. On the permissions step, choose **Attach policies directly**. Give this user only the SES sending permission Mailrith needs. If your AWS team manages custom policies, use a narrow policy that allows `ses:SendEmail` and `ses:SendRawEmail` for the verified identity. SNS permissions are needed only by the person who creates and connects the SNS topics in AWS, not by the access key stored in Mailrith for sending.
12. Review the user, click **Create user**, then open the newly created user.
13. Open the user's **Security credentials** tab and click **Create access key**.
14. When AWS asks for the access-key use case, choose **Other** or the closest non-console option, add a description such as **Mailrith email sending**, and create the key.
15. Copy both values immediately: **Access Key ID** and **Secret Access Key**. AWS will not show the secret value again after you leave this screen.
16. Return to [Email Delivery Connections](https://mailrith.com/docs/email-delivery-connections.md) in Mailrith, click **Create Connection**, choose **Amazon SES**, and enter the region, Access Key ID, Secret Access Key, From name, From email, and workspace assignments.
17. Click **Save**, then use **Send Test Email** from the connection row before using the connection in a broadcast, sequence, or automation.

SES errors often come from region mismatch. If everything looks correct but the test send fails, confirm that the verified identity, the IAM permissions, the Mailrith connection region, and the SES production-access status all match the sender you are testing.

## SNS Webhooks

Amazon SES sends bounce and complaint events through Amazon SNS. Mailrith gives you separate webhook URLs for these event types so subscriber statuses can update automatically.

Use two SNS topics: one for bounces and one for complaints. This keeps each SES event connected to the matching Mailrith webhook.

### Copy The Mailrith Webhook URLs

1. In Mailrith, click **Email Delivery Connections**, find the SES connection row, and click **Webhooks**.
2. Copy the **Bounce Handling Webhook** URL.
3. Copy the **Spam Handling Webhook** URL. This is the complaint webhook for Amazon SES.

### Create The Bounce Topic

1. In AWS, use the region selector in the top-right corner to choose the same region used by the Mailrith SES connection.
2. Search for **SNS** and open **Simple Notification Service**.
3. In the left sidebar, click **Topics**.
4. Click **Create topic**.
5. For **Type**, choose **Standard**. Do not choose FIFO for SES notifications.
6. For **Name**, enter a clear name such as **mailrith-ses-bounces**.
7. Leave the other settings unchanged unless your AWS team requires a specific setting.
8. Click **Create topic**.

### Subscribe The Bounce Topic

1. Open the new bounce topic.
2. Click **Create subscription**.
3. For **Protocol**, choose **HTTPS**.
4. For **Endpoint**, paste the Mailrith **Bounce Handling Webhook** URL.
5. Leave **Raw message delivery** turned off.
6. Leave the filter policy empty unless your AWS team has a specific reason to filter messages.
7. Click **Create subscription**.

### Create The Complaint Topic

1. Return to **Topics**.
2. Click **Create topic**.
3. For **Type**, choose **Standard**.
4. For **Name**, enter a clear name such as **mailrith-ses-complaints**.
5. Click **Create topic**.
6. Open the new complaint topic and click **Create subscription**.
7. For **Protocol**, choose **HTTPS**.
8. For **Endpoint**, paste the Mailrith **Spam Handling Webhook** URL.
9. Leave **Raw message delivery** turned off, then click **Create subscription**.

### Connect The Topics In Amazon SES

1. In AWS, open **Amazon SES** in the same region used by the Mailrith connection.
2. In the left sidebar, open **Configuration**, then click **Identities**.
3. Open the verified domain or email address used as the Mailrith From identity.
4. Open the **Notifications** tab.
5. In **Feedback notifications**, click **Edit**.
6. For **Bounce feedback**, choose the bounce SNS topic.
7. For **Complaint feedback**, choose the complaint SNS topic.
8. Leave **Delivery feedback** empty unless you have a separate reporting system that needs delivery events.
9. Click **Save changes**.

### Confirm The Subscriptions

1. Return to **Simple Notification Service**.
2. Click **Subscriptions**.
3. Check the bounce and complaint subscriptions. They may show **PendingConfirmation** for a short time.
4. Wait until each subscription shows a subscription ID instead of **PendingConfirmation**. Mailrith automatically handles the SNS confirmation request when AWS reaches the webhook URL.
5. Send a controlled test before relying on the connection for real subscribers. Use the AWS SES mailbox simulator addresses for bounce and complaint tests, or ask your AWS administrator for the safest test process for your account.

You usually do not need to edit the SNS topic access policy by hand. AWS normally sets the required SES publish permission when the topic is connected to the SES identity. Check the topic policy only if SES shows a publish permission error, the topic is in another AWS account, the topic uses a locked-down custom policy, or the topic uses KMS encryption.

Do not skip complaint tracking. Complaint events mean a subscriber marked a message as spam, and Mailrith stops sending to that address to protect your sender reputation.

## Related Guides
- [Email Delivery Connections](https://mailrith.com/docs/email-delivery-connections.md): Mailrith is provider-agnostic — you connect your own email delivery service and Mailrith handles campaign logic, subscriber targeting, and engagement tracking on top of it.
- [Broadcasts](https://mailrith.com/docs/broadcasts.md): Broadcasts are for newsletters, product launches, announcements, and any message that goes out once to selected subscribers — compose, target, test, and send or schedule from a single workflow.
- [Sequences](https://mailrith.com/docs/sequences.md): Sequences send a series of emails over time as subscribers progress through the steps — ideal for onboarding, nurture campaigns, and educational content that should unfold over days or weeks.