Amazon Web Services (AWS)

Simple Email Service (SES)

Reference: Setting up Email with Amazon SES

Verify a domain

  1. Go to SES’ Domains:

    1. Click Verify a New Domain
    2. Enter the domain in Domain:
    3. Check the Generate DKIM Settings box
    4. Click Verify This Domain
  2. Go to GoDaddy’s DNS Management:

    1. Add the TXT and CNAME records. Add the MX record if none exists.


      SES’ DKIM Record Set is a scrollable table with three records.


      Omit from hostnames. GoDaddy appends it automatically.

    2. Add or update the SPF record

  3. Wait for the domain’s verification status to become “verified” on SES’ Domains


    AWS will notify you by email. Last time, it took a few minutes.

Reference: Verifying a Domain

Verify an email address

  1. Check that the domain’s verification status is “verified” on SES’ Domains
  2. If an MX record didn’t exist, go to SES’ Rule Sets:
    1. Click Create a New Rule Set
    2. Click the rule set’s name
    3. Click Create Rule
    4. Click Next Step
    5. Select “S3” from the Add action dropdown
    6. Select “Create S3 bucket” from the S3 bucket dropdown
    7. Enter a bucket name in Bucket Name
    8. Click Create Bucket
    9. Click Next Step
    10. Enter a rule name in Rule Name
    11. Click Next Step
    12. Click Create Rule
    13. Go to SES’ Rule Sets
    14. Check the rule set’s box
    15. Click Set as Active Rule Set
  3. Go to SES’ Email Addresses:
    1. Click Verify a New Email Address
    2. Enter the email address in Email Address:
    3. Click Verify This Email Address
  4. If an MX record didn’t exist, go to S3 (otherwise, check your email):
    1. Click the bucket name
    2. Click the long alpha-numeric string (if there is none, double-check the earlier steps)
    3. Click Download
    4. Copy the URL in the downloaded file
    5. Open the URL in a web browser
  5. Check that the email address’s verification status is “verified” on SES’ Email Addresses
  6. If an MX record didn’t exist, cleanup:
    1. Delete the bucket
    2. Disable and delete the rule set
    3. Remove the MX record

Reference: Verifying an Email Address

Create SMTP credentials


You only need to do this once per AWS region.

  1. Go to SES’ SMTP Settings:
    1. Click Create My SMTP Credentials
    2. Enter a user name in IAM User Name:
    3. Click Create
    4. Click Download Credentials
    5. Click Close

Reference: Getting Your SMTP Credentials

Move out of sandbox


You only need to do this once per AWS account.

Reference: Moving Out of the Amazon SES Sandbox

Set up MAIL FROM domain


This optional step improves email deliverability.

Reference: Setting up a custom MAIL FROM domain

Disable account-level suppression list


This optional step can negatively affect sender reputation.

Reference: Disabling the account-level suppression list

Set up notifications

  1. Go to SNS’ Topics:
    1. Click Create topic
    2. Set Type to Standard
    3. Enter a hyphenated address in Name (data-open-contracting-org, for example)
    4. Click Create topic
  2. Click Create subscription:
    1. Select “Email” from the Protocol dropdown
    2. Enter an email address in Endpoint
    3. Click Create subscription
  3. Click the email address on SES’ Email Addresses:
    1. Expand Notifications
    2. Click Edit configuration
    3. Select the created topic from the Bounces: dropdown
    4. Check the Include original headers box
    5. Select the created topic from the Complaints: dropdown
    6. Check the Include original headers box
    7. Click Save Config

Reference: Configuring Amazon SNS notifications for Amazon SES

Check DMARC compliance

Check DMARC compliance, sending the email using SES.


SES adds two DKIM signatures (“The extra DKIM signature, which contains, is automatically added by Amazon SES. You can ignore it”). This signature’s domain is not aligned, but according to RFC 7489 <>, “a single email can contain multiple DKIM signatures, and it is considered to be a DMARC “pass” if any DKIM signature is aligned and verifies.”

Debug delivery issues

Bounces and complaints are sent to the subscribed address. The relevant properties of the notification message are:

Reference: DNS Blackhole List (DNSBL) FAQs

Aurora Serverless

Note: “You can’t give an Aurora Serverless DB cluster a public IP address.”; instead, you need to use an EC2 instance as a bastion host.

Create a VPC

  1. Set IPv4 CIDR block to
  2. Click Create

Reference: Create a DB instance in the VPC

Create subnets

  1. Set VPC to the created VPC
  2. Set Availability Zone to any zone
  3. Set IPv4 CIDR block to
  4. Click Create


  1. Set VPC to the created VPC
  2. Set Availability Zone to another zone
  3. Set IPv4 CIDR block to
  4. Click Create

Create security group

  1. Set Security group name to “postgresql-anywhere”
  2. Set Description to “Allows PostgreSQL connections from anywhere”
  3. Click Add rule under Inbound rules
  4. Set Type to “PostgreSQL”
  5. Set Source to “Anywhere”
  6. Click Create security group

Create database

  1. Choose a database creation method: (no changes)
  2. Engine options
    1. Engine type: Amazon Aurora
    2. Edition: Amazon Aurora with PostgreSQL compatibility
    3. Version: Aurora PostgreSQL (compatible with PostgreSQL 10.7)
  3. Database features: Serverless
  4. Settings: (no changes)
  5. Capacity settings
    1. Minimum Aurora capacity unit: 2
    2. Maximum Aurora capacity unit: 2
    3. Expand Additional scaling configuration
    4. Check Pause compute capacity after consecutive minutes of inactivity
    5. Set to 1 hours 0 minutes 0 seconds
  6. Connectivity
    1. Virtual private cloud (VPC): Select the created VPC
    2. Expand Additional connectivity configuration
    3. VPC security group:
      1. Select the created group
      2. Remove the default group
    4. Check Data API
  7. Additional configuration
    1. Initial database name: common
    2. Backup retention period: 1 day
  8. Click Create database