SES

Cost-effective email sending for transactional and bulk marketing emails

Amazon Simple Email Service (SES) is a cloud-based email sending service designed for both transactional emails (order confirmations, password resets) and bulk marketing campaigns. It offers one of the lowest costs per email in the industry, starting at $0.10 per thousand emails. SES is a critical service for any application that sends email at scale and needs deliverability, reputation management, and compliance features.

Sending Methods and Integration Options

SES supports multiple integration methods to fit different use cases and tech stacks.

Method	When to Use	Notes
SES API (SDK)	Applications sending transactional email	Most flexible - full control over headers, attachments
SMTP interface	Existing apps configured for SMTP	Uses SES SMTP credentials, port 587 or 465
SES console	Testing and one-off sends	Not for production automation
SES v2 API	New integrations	Preferred API - has features not in v1

bash

# Send email via AWS CLI (SES v2)
aws sesv2 send-email \
  --from-email-address "noreply@yourdomain.com" \
  --destination '{"ToAddresses":["user@example.com"]}' \
  --content '{
    "Simple": {
      "Subject": {"Data": "Your order has shipped", "Charset": "UTF-8"},
      "Body": {
        "Text": {"Data": "Your order #12345 has shipped.", "Charset": "UTF-8"},
        "Html": {"Data": "<h1>Your order has shipped</h1>", "Charset": "UTF-8"}
      }
    }
  }'

Identities, Verification, and DKIM/DMARC

Before sending email, you must verify your sending identity - either an email address or an entire domain. Domain verification is strongly preferred for production because it verifies all addresses at that domain and enables DKIM signing.

Identity Type	Verification Method	Production Use
Email address	Click verification link sent to address	Only for testing
Domain	Add DNS TXT record provided by SES	Required for production
DKIM	Add CNAME records (Easy DKIM) or bring your own key	Required for deliverability
DMARC	Add TXT record to _dmarc.yourdomain.com	Strongly recommended for inbox placement

bash

# Verify a domain identity
aws sesv2 create-email-identity \
  --email-identity yourdomain.com \
  --dkim-signing-attributes '{"NextSigningKeyLength":"RSA_2048_BIT"}'

# SES returns DNS records to add - check status
aws sesv2 get-email-identity \
  --email-identity yourdomain.com \
  --query 'DkimAttributes.Status'

💡

Enable DKIM signing for every domain you send from. Emails without DKIM fail DMARC checks and are much more likely to land in spam. SES Easy DKIM handles key rotation automatically.

Sandbox Mode vs Production Access

All new SES accounts start in sandbox mode, which severely limits sending. You must request production access before you can send to unverified addresses.

Limit	Sandbox	Production (default)
Recipients	Only verified email addresses	Any email address
Sending limit (daily)	200 emails/day	50,000 emails/day (increasable)
Sending rate	1 message/second	14 messages/second (increasable)
Request increase	N/A	Via Service Quotas console

⚠️

A common mistake is deploying to production while still in sandbox mode. Your emails to real users will bounce because their addresses are not verified in your SES account. Always request production access before launch.

Reputation Management, Bounces, and Complaints

Email deliverability depends heavily on your sender reputation. AWS monitors your bounce rate and complaint rate. If they exceed thresholds, SES pauses your sending automatically.

Metric	Healthy	Warning Zone	Dangerous (SES may pause)	What causes it
Bounce rate	< 2%	2-5%	> 5%	Invalid email addresses, typos
Complaint rate	< 0.1%	0.1-0.5%	> 0.5%	Users marking email as spam

You must process bounce and complaint notifications and remove those addresses from your sending list. SES delivers these via SNS topics.

bash

# Configure notification destinations for a verified identity
aws sesv2 put-email-identity-feedback-attributes \
  --email-identity yourdomain.com \
  --email-forwarding-enabled false

# Set SNS topic for bounce and complaint notifications
aws ses set-identity-notification-topic \
  --identity yourdomain.com \
  --notification-type Bounce \
  --sns-topic arn:aws:sns:us-east-1:123:ses-bounces

aws ses set-identity-notification-topic \
  --identity yourdomain.com \
  --notification-type Complaint \
  --sns-topic arn:aws:sns:us-east-1:123:ses-complaints

💡

Implement a suppression list in your application. When SES delivers a bounce or complaint notification via SNS, your Lambda consumer should add that address to a database table. All future sends should check this list before calling SES. SES also has a built-in account-level suppression list.

SES Pricing Model

Scenario	Price	Notes
Email sent from EC2 or Lambda	$0.10 per 1,000 emails	No base fee
Email sent outside AWS	$0.10 per 1,000 + $0.12 per GB attachments	Same rate, plus data transfer
Incoming email	$0.10 per 1,000 emails	First 1,000 free
Dedicated IP leasing	$24.95 per IP per month	For high volume / reputation isolation
Virtual deliverability manager	$0.0075 per email analyzed	Dashboard for deliverability insights

💡

At $0.10 per thousand, SES is dramatically cheaper than services like SendGrid ($14.95/month for 50k emails) or Mailgun. For high-volume senders, the savings compound quickly. The main reason to use a third-party ESP over SES is its easier-to-use template management and analytics, not cost.

🎯

Interview Focus Points

1What is the difference between SES sandbox mode and production mode, and what do you need to do before going to production?
2How would you handle bounces and complaints in an SES-based email system?
3What is DKIM and why is it important for email deliverability with SES?
4How would you architect a system to send 1 million transactional emails per day using SES?
5What is a dedicated IP in SES and when would you pay for one?
6How does SES compare to SendGrid or Mailgun, and when would you choose each?
7What metrics should you monitor to maintain good SES sender reputation?