Ace Cloud Interviews
AWS End User Computing

WorkMail

Managed business email and calendar service compatible with Outlook and mobile apps

Amazon WorkMail is a managed business email and calendar service that provides Microsoft Exchange-compatible email, contacts, and calendar functionality without managing Exchange servers. It supports native Outlook connectivity (via MAPI/EWS), ActiveSync for mobile devices, and the WorkMail web application - and integrates with other AWS services for spam filtering, encryption, and email flow customization through Lambda hooks.

How WorkMail Works: Organization, Users, and Mail Flow

WorkMail is organized around the concept of an Organization, which maps to an email domain. Each organization has an associated AWS directory (Managed AD, Simple AD, or an existing directory) and mailboxes for users and groups.

| Concept | Description |
|---|---|
| Organization | Top-level container. Maps to your email domain (e.g. company.com). Created per AWS region. |
| User Mailbox | Email + calendar + contacts for a single user. Counts toward billing. |
| Group | Distribution list. Emails to the group are forwarded to all members. No storage. |
| Resource | Room or equipment mailboxes (conference rooms, projectors) with booking rules. |
| Alias | Additional email addresses for a user or group that resolve to the same mailbox. |
| Domain | Verified domain with DNS records (MX, SPF, DKIM, DMARC) pointing to WorkMail. |

Inbound mail flows: external sender -> WorkMail MX endpoint -> (optional Lambda inbound hook) -> recipient mailbox. Outbound mail flows: user sends -> (optional Lambda outbound hook) -> WorkMail SMTP -> (optional SES for sending) -> internet.

💡

WorkMail uses AWS SES under the hood for sending email. When you verify a domain in WorkMail, the DNS records (SPF, DKIM) are provided by SES and reference SES infrastructure. This means your sending reputation is tied to the us-east-1 SES service.

Domain Setup and Required DNS Records

Setting up a domain in WorkMail requires adding several DNS records to route mail correctly and improve deliverability. Missing or incorrect records are the most common reason for deliverability issues.

| DNS Record | Type | Purpose | Example Value |
|---|---|---|---|
| MX | MX | Route inbound mail to WorkMail | inbound-smtp.us-east-1.amazonaws.com priority 10 |
| SPF | TXT | Authorize WorkMail to send on your behalf | "v=spf1 include:amazonses.com ~all" |
| DKIM | CNAME x3 | Cryptographically sign outbound mail | WorkMail provides 3 CNAME records to add |
| DMARC | TXT | Policy for handling SPF/DKIM failures | "v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com" |
| AutoDiscover | CNAME | Outlook auto-configuration | autodiscover.mail.us-east-1.awsapps.com |

⚠️

If you do not add DMARC, mail you send to other providers may be quarantined even if SPF and DKIM pass, because many receivers now require a DMARC policy. Always publish DMARC with at least p=none (monitoring mode) before moving to quarantine or reject.

```bash
# Create a WorkMail organization backed by an existing directory
aws workmail create-organization \
  --alias mycompany \
  --directory-id d-9067abc123

# Register a domain with an organization
aws workmail register-mail-domain \
  --organization-id m-abc12345678 \
  --domain-name mycompany.com

# Get the DNS records needed for the domain (MX, SPF, DKIM, DMARC, AutoDiscover)
aws workmail get-mail-domain \
  --organization-id m-abc12345678 \
  --domain-name mycompany.com
```
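The DNS table above lists what each record must contain, but the usual failure is a record that exists and is subtly wrong (an SPF without the SES include, a "+all", a DMARC with no policy). The following Python script is an added example, not code from the page or from AWS: it parses SPF and DMARC record strings as you would copy them out of DNS and reports the deliverability findings a reviewer would raise. The domain names and records are constructed samples; the check is a string validator, it performs no DNS lookups.

```python
"""Validate the SPF and DMARC TXT records a WorkMail domain needs.

Added example (not the page's or AWS's code). Checks record strings
against the requirements above: SPF must include amazonses.com and end
in a restrictive 'all', DMARC must declare a policy of at least p=none.
"""
import re

# Constructed sample records; the domains are placeholders.
SAMPLE_RECORDS = {
    "example.com": {
        "spf": "v=spf1 include:amazonses.com ~all",
        "dmarc": "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com",
    },
    "weak.example": {
        "spf": "v=spf1 +all",
        "dmarc": None,
    },
}

SES_INCLUDE = "amazonses.com"  # the include WorkMail/SES sending requires


def parse_spf(record):
    """Return (mechanisms, all_qualifier) from an SPF TXT record.

    all_qualifier is '+', '-', '~' or '?' (None if no 'all' mechanism).
    Raises ValueError if the record is not SPF version 1.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF v1 record")
    mechanisms, all_qualifier = [], None
    for term in terms[1:]:
        m = re.fullmatch(r"([+\-~?]?)(all)", term, re.IGNORECASE)
        if m:
            all_qualifier = m.group(1) or "+"  # bare 'all' means '+all'
            continue
        mechanisms.append(term.lower())
    return mechanisms, all_qualifier


def parse_dmarc(record):
    """Return a dict of DMARC tags, e.g. {'v': 'DMARC1', 'p': 'none'}."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    if "p" not in tags:
        raise ValueError("DMARC record has no p= policy")
    return tags


def check_domain(spf, dmarc):
    """Return a list of findings; an empty list means the records look right."""
    findings = []
    if spf is None:
        findings.append("SPF: missing TXT record")
    else:
        mechanisms, qualifier = parse_spf(spf)
        if f"include:{SES_INCLUDE}" not in mechanisms:
            findings.append(f"SPF: does not include {SES_INCLUDE}; WorkMail/SES mail will fail SPF")
        if qualifier == "+":
            findings.append("SPF: '+all' authorizes every sender; use ~all or -all")
        elif qualifier is None:
            findings.append("SPF: no 'all' mechanism, so unlisted senders get a neutral result")
    if dmarc is None:
        findings.append("DMARC: missing; receivers may quarantine mail even when SPF/DKIM pass")
    else:
        tags = parse_dmarc(dmarc)
        if tags["p"].lower() not in ("none", "quarantine", "reject"):
            findings.append(f"DMARC: unknown policy {tags['p']!r}")
        if "rua" not in tags:
            findings.append("DMARC: no rua= address, so you receive no aggregate reports")
    return findings


if __name__ == "__main__":
    for domain, recs in SAMPLE_RECORDS.items():
        print(domain, check_domain(recs["spf"], recs["dmarc"]) or ["ok"])
```

Feed it the TXT values from `aws workmail get-mail-domain` or from `dig TXT` output; the DKIM CNAMEs and the MX record are not covered here because they are host-name records whose only check is that they resolve to the values WorkMail hands you.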

Client Connectivity: Outlook, Mobile, and Web

WorkMail supports multiple connection protocols that map to different client types.

| Protocol | Client | Port | Notes |
|---|---|---|---|
| MAPI/HTTP (EWS) | Outlook for Windows and macOS | 443 | Recommended for desktop. Supports full Exchange features. |
| ActiveSync | iOS Mail, Android Gmail, Outlook Mobile | 443 | Mobile device synchronization of email, calendar, contacts. |
| IMAP | Any IMAP client (Thunderbird, Apple Mail) | 993 | Email only - no calendar or contacts sync. |
| SMTP | Any SMTP client for sending | 465 (SSL) | Requires WorkMail user credentials for authentication. |
| WorkMail Web App | Browser (Chrome, Firefox, Edge) | 443 | Full-featured web client at workmail.amazonaws.com. |

Outlook auto-discovery uses the AutoDiscover CNAME record to automatically configure server settings. When a user adds their WorkMail email address to Outlook, Outlook queries the AutoDiscover endpoint and receives the MAPI/HTTP connection settings without manual configuration.

💡

WorkMail does not support Outlook for Windows via legacy MAPI (RPC over HTTP). It uses the modern MAPI over HTTP protocol. Outlook 2013 SP1 or later is required. Very old Outlook versions (2010 and earlier) only work via IMAP.

Email Flow Rules and Lambda Integration

Email flow rules let you intercept and process email at the organization level using Lambda functions. This enables custom spam filtering, compliance archiving, content inspection, and routing logic without modifying the mail server.

| Rule Type | Trigger Point | Lambda Actions Available |
|---|---|---|
| Inbound rule | Before message is delivered to mailbox | PASS, DROP, BOUNCE, DEFAULT (WorkMail default handling) |
| Outbound rule | Before message is sent externally | PASS, DROP, DEFAULT |

```python
# Lambda function handler for WorkMail inbound processing
import boto3


def handler(event, context):
    # event contains: messageId, invocationId, flowDirection, truncated
    message_id = event['messageId']

    # Retrieve the raw email message (RFC 822 bytes) through the
    # WorkMailMessageFlow API; messageContent is a streaming body
    workmail = boto3.client('workmailmessageflow')
    response = workmail.get_raw_message_content(
        messageId=message_id
    )
    raw_message = response['messageContent'].read()

    # Inspect content - example: drop messages containing a specific phrase
    # (a bytes search over the whole raw message, headers and body included)
    if b'URGENT WIRE TRANSFER' in raw_message:
        return {'actions': [{'action': {'type': 'DROP'}, 'allRecipients': True}]}

    # DEFAULT hands the message back to WorkMail's normal handling; each
    # action must say which recipients it applies to (here: all of them)
    return {'actions': [{'action': {'type': 'DEFAULT'}, 'allRecipients': True}]}
```
💡

Lambda-based email flow rules are powerful for compliance use cases. A common pattern is routing a copy of all outbound emails to an S3 bucket for archiving while still passing the original message through. Use workmailmessageflow.put_raw_message_content() to modify messages before delivery.
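The archiving pattern described in the note above, written out as an added example (not the page's or AWS's code): the Lambda fetches the raw message through the WorkMailMessageFlow API, writes it to an S3 archive bucket under a date-partitioned key with a few headers and a content hash as object metadata, then returns DEFAULT so WorkMail delivers the original unchanged. The AWS calls are injected as callables so the core logic runs offline; the bucket name, the sample message and the `demo()` stubs are constructed placeholders.

```python
"""WorkMail outbound flow rule that archives a copy of every message to S3.

Added example (not the page's or AWS's code). process() holds the logic;
handler() is the Lambda entry point that wires it to real boto3 clients.
"""
import hashlib
from datetime import datetime, timezone
from email.parser import BytesParser

ARCHIVE_BUCKET = "example-workmail-archive"  # placeholder bucket name

# Constructed sample message used by demo()
SAMPLE_RAW = (
    b"From: alice@example.com\r\n"
    b"To: bob@example.net\r\n"
    b"Subject: Q3 numbers\r\n"
    b"Message-ID: <constructed-0001@example.com>\r\n"
    b"\r\n"
    b"Body of a constructed test message.\r\n"
)


def archive_key(message_id, sent_at):
    """Deterministic, date-partitioned S3 key: YYYY/MM/DD/<messageId>.eml."""
    return f"{sent_at:%Y/%m/%d}/{message_id}.eml"


def summarize(raw_message):
    """Header fields and a content hash to store as S3 object metadata."""
    msg = BytesParser().parsebytes(raw_message, headersonly=True)
    return {
        "from": msg.get("From", ""),
        "to": msg.get("To", ""),
        "subject": msg.get("Subject", ""),
        "sha256": hashlib.sha256(raw_message).hexdigest(),
    }


def process(event, fetch_raw, put_object, now=None):
    """Archive the message, then let WorkMail continue normal delivery.

    fetch_raw(message_id) -> bytes
    put_object(bucket, key, body, metadata) -> None
    Returns the synchronous-rule response WorkMail expects.
    """
    message_id = event["messageId"]
    raw = fetch_raw(message_id)
    key = archive_key(message_id, now or datetime.now(timezone.utc))
    put_object(ARCHIVE_BUCKET, key, raw, summarize(raw))
    # DEFAULT passes the unchanged message on; allRecipients is required
    return {"actions": [{"action": {"type": "DEFAULT"}, "allRecipients": True}]}


def handler(event, context):
    """Lambda entry point using the real AWS clients (assumed deployment)."""
    import boto3  # imported here so the module loads without boto3 installed
    flow = boto3.client("workmailmessageflow")
    s3 = boto3.client("s3")

    def fetch_raw(message_id):
        return flow.get_raw_message_content(messageId=message_id)["messageContent"].read()

    def put_object(bucket, key, body, metadata):
        s3.put_object(Bucket=bucket, Key=key, Body=body, Metadata=metadata)

    return process(event, fetch_raw, put_object)


def demo():
    """Run process() against the constructed message with in-memory stubs."""
    store = {}

    def put_object(bucket, key, body, metadata):
        store[(bucket, key)] = (body, metadata)

    event = {"messageId": "constructed-message-id", "flowDirection": "OUTBOUND"}
    result = process(event, lambda mid: SAMPLE_RAW, put_object,
                     now=datetime(2024, 1, 15, tzinfo=timezone.utc))
    return result, store


if __name__ == "__main__":
    print(demo())
```

Because the Lambda returns DEFAULT rather than modifying the message, the archive copy is byte-identical to what WorkMail sends, and the sha256 stored in the metadata lets an auditor verify that later. The Lambda role needs only `s3:PutObject` on the archive bucket plus the WorkMailMessageFlow read permission; keep the bucket write-only for the function and enable object lock or versioning if retention must be tamper-evident.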

Security: Encryption, Access Control, and Mobile Policies

WorkMail encrypts all mailbox data at rest using KMS and in transit using TLS. Additional security features control mobile device access and email client behavior.

| Security Feature | Description | Configuration |
|---|---|---|
| KMS Encryption | All mailbox data encrypted at rest with customer-managed or AWS-managed KMS key | Set at organization creation - cannot change later |
| Mobile Device Policies | Enforce PIN, remote wipe, encryption on ActiveSync devices | Configurable per user or organization-wide |
| Email Impersonation Roles | Allow applications to send on behalf of users without their password | Grant impersonation role to IAM user/role for the mailbox |
| S3-based archiving | Journaling via email flow rules to S3 for compliance | Requires Lambda email flow rule + S3 destination |
| Access Control Rules | Block or allow specific protocols (IMAP, ActiveSync) per user or IP range | Organization-level access control rules |

```bash
# Create an access control rule to block IMAP for all users
aws workmail put-access-control-rule \
  --organization-id m-abc12345678 \
  --name BlockIMAPAll \
  --effect DENY \
  --description "Block IMAP access org-wide" \
  --ip-ranges "0.0.0.0/0" \
  --actions IMAP

# Restrict ActiveSync to the corporate IP range. An ALLOW rule on its own does
# not block other sources, so the restriction is expressed as a DENY for every
# address outside the range (--not-ip-ranges)
aws workmail put-access-control-rule \
  --organization-id m-abc12345678 \
  --name AllowActiveSyncCorporate \
  --effect DENY \
  --description "ActiveSync from corporate network only" \
  --not-ip-ranges "203.0.113.0/24" \
  --actions ActiveSync
```
⚠️

If you disable IMAP or ActiveSync org-wide via access control rules, existing users who rely on those protocols will immediately lose access. Test on a pilot group before rolling out access control changes broadly.

Pricing Model and Migration Considerations

WorkMail pricing is per-user per-month with a flat rate that includes storage. There are no data transfer charges for email sent within AWS services.

| Component | Price |
|---|---|
| User mailbox | $4/user/month - includes 50 GB mailbox storage |
| Additional storage | $0.023/GB/month beyond 50 GB per user |
| Test messages (SES) | Included - WorkMail uses SES for sending at no additional charge |
| Lambda invocations for email rules | Standard Lambda pricing per invocation and GB-second |

Migrating to WorkMail from Exchange or Office 365 typically involves exporting mailboxes as PST files and importing them via the WorkMail Migration Tool, or using a third-party migration tool that supports IMAP migration. For large migrations, AWS recommends using the WorkMail Migration API which supports delta syncs.

💡

WorkMail can coexist with an existing Exchange environment during migration using mail flow rules that route email for migrated users to WorkMail while keeping non-migrated users on Exchange. This allows a phased migration without disrupting email flow.

| Comparison | WorkMail | Microsoft 365 Exchange Online | Self-hosted Exchange |
|---|---|---|---|
| Cost | $4/user/month | $6-12/user/month (Business Basic-Standard) | License + hardware + admin labor |
| Storage | 50 GB/user | 50-100 GB/user | Limited by storage hardware |
| Compliance | Via Lambda + S3 archiving | Built-in litigation hold, eDiscovery | Requires add-on products |
| AWS Integration | Native (SES, Lambda, KMS, CloudTrail) | Via connectors/APIs | Manual integration |
| Outlook Support | MAPI/HTTP, EWS | Full native support | Full native support |

🎯

Interview Focus Points

1. What DNS records are required to set up WorkMail for a domain, and what does each one do for deliverability?
2. How would you use Lambda email flow rules to implement compliance archiving for all outbound email?
3. A company is migrating from Office 365 to WorkMail. How would you execute a phased migration without disrupting mail flow?
4. How does WorkMail handle email encryption at rest, and can you bring your own KMS key?
5. An organization wants to restrict email access to corporate devices only. What WorkMail features would you use?
6. Explain how Outlook auto-discovery works with WorkMail and what can go wrong during configuration.
7. How does WorkMail compare in cost and features to Microsoft 365 for a 200-person company standardized on AWS?
8. What are impersonation roles in WorkMail and when would a cloud engineer configure them?
9. How would you set up a shared calendar resource (conference room) in WorkMail with booking rules?