Amazon SES Addon

Amazon SES is a powerful and cheap email delivery service that can be used to send a massive number of emails from the Amazon cloud.

For high volume mailing (more than 10,000) it is highly recommended.

Amazon provides a second service, Amazon SNS, to receive notifications about failed deliveries.

Amazon SDK requires at least PHP version 5.6 with curl, Zlib, and SSL but PHP 7+ is strongly recommended.

Create an Amazon AWS account

Amazon AWS is not the Amazon marketplace, so you need to create a specific account with them.

Go to create an Amazon AWS account.

New Amazon SES accounts are put in sandbox mode to prevent fraud. After the verification of your sending email address (see below) remember to unlock your account following the guide on this page.

Generating the Amazon API keys

The API keys are a pair of codes used to access the Amazon AWS services. You need to get them and set them on Amazon SES addon for Newsletter. Here is how to generate them.

Note: this method is deprecated by Amazon AWS but still works. For security reasons, you should create the API keys using an IAM user as explained below. It seems a long procedure but is rather simple.

First, enter the Amazon AWS console page located at

https://console.aws.amazon.com/iam/home#/security_credentials$access_key

It is not easy to find this link in the Amazon AWS console since it is considered a deprecated procedure.

The global access keys page in amazon AWS

Press the button “Create New Access Key” and the keys are immediately created and shown with a popup like the one below. You need to copy those keys suddenly, they won’t be shown again.

Only 2 global access key pairs can be generated, if the button is shadowed, you need to use an already present key or delete one (of course is it is used by someone, the access will be revoked).

Now copy the two code in you Amazon SES addon for Newsletter configuration panel and then you can proceed with the setup. In that panel be sure to select the correct Amazon AWS region, as well.

The Amazon keys copied on Amazon SES Addon settings panel.

Verify your sending address

Before sending your emails with Amazon, the SES service requires validation of the email address you want to use as sender address. Your sender address is configured in the main Newsletter configuration.

The extension does everything automatically, just press the “check” button: a check is made with SES service and eventually a verification button is displayed.

If needed, start the verification: an email is delivered by Amazon at the sender address (so a real mailbox must be associated with it) with a link to confirm. Just follow the instructions message.

To check if the address has been correctly verified you can use the “check status” button or enter the SES console in the right Amazon region to see if your sender address is listed as verified.

How to run a test

If everything is configured correctly, you can run a test. A message is sent to all your test subscribers using the Amazon SES service (even if the addon is not enabled).

When the test is positive you can enable the extension so Newsletter will use it to send every email.

Get the API keys using an IAM user

IAM users are “virtual” Amazon AWS users limited to act with your account services and with specific access privileges.

The first step is to create an IAM user and give it the ability to use Amazon SES (and/or other Amazon AWS services). There are some steps to complete: don’t worry, they sound long, but actually, they’re rather easy.

To create a new IAM user, go to the IAM console.

*The IAM console of Amazon AWS where a new user can be create. In the picture an example where a user already exists.*

Press the “Add user” button and fill in the first two user settings: the username and the access type. In our case, we need to enable Programmatic access (it means the user will be used to access the services from software and not by a human being). Then press the “Next: permissions” button on the bottom of the page.

Username and access type for the new IAM user

Then we need to give permissions to this user to access the Amazon SES service (and not only). In the permissions panel, we decide to attach permissions directly (without creating groups). This is the third option (Attach existing policies directly).

The page will show you a list of policies (Amazon AWS has hundreds of policies for all its services).

A list of the polices available on Amazon AWS with a search box to find the ones we needed

We need to search the policies required by Amazon SES. The first policy we need is the one required to send emails. So input “AmazonSES” (without spaces) in the search box and you’ll get a shortlist of policies. Enable the AmazonSESFullAccess.

Enabling the Amazon SES full access policy to our new IAM user

Then we need to grant access to the Amazon SNS service: it is required to get the bounces (notification about problematic email address we’re sending to). In the search box, input “AmazonSNS” and a shortlist of policies appears. Select the AmazonSNSFullAccess policy.

Enabling the Amazon SNS service to our IAM user to manage the bounces

Next, we can move to the Tags page, but there is nothing for us there, so we can move on to the next page, the Review.

The Review page just shows our user configuration. It should look like the one below and now it’s time to press that “Create user” button!

The review panel where to check the IAM user data and finally create it

Once the user is finally created, the screen below is shown. In that screen, the user-linked access keys are shown and can be copied or downloaded.

This is the only opportunity to get them, so copy them or download them. We use them to configure the Amazon SES addon for Newsletter later.

Of course if you lose them, you can generate a new pair.

The last screen shows the user and its keys. Copy them, there are no other chances to get those ones.

The pair of keys (Access key and Secret access key) you got can be set on Amazon SES addon for Newsletter configuration panel. Be sure, on that panel, to select the correct Amazon AWS zone as well.

Then you can proceed with the addon configuration verifying the sender address (if not already added directly in the Amazon SES console). If you prefer you can verify the whole domain by adding it to the Amazon SES console (but it requires modification to your DNS).

How to handle bounces

Amazon handles bounce notifications in a rather complex way. This add-on simplifies the configuration reducing it to a button: “Activate the bounce tracking”.

Once tracking is active, Amazon starts to notify the bounced addresses directly to this addon which in turn marks the notified address as bounced so it won’t be contacted anymore. You can the bounced addresses in your database checking their status.

The notification is asynchronous. It could take few seconds as well as days. In fact, a formally correct address is invalid when the delivery of a message to that address fails. Amazon can try to deliver the message for few hours before determining the address is not valid. Or it needs to receive a DSN from the remote system to understand there is not an available mailbox or the mailbox is blocked (typically for exceeded quota).

Amazon usually sends back also a DSN (Delivery Status Notification) email message to the sender address. This could be quite annoying, so you can disable this Amazon feature directly in the Amazon SES console. See the screenshot below.

Hard and soft bounces, complaints

Amazon distinguishes between hard bounces (non recoverable delivery errors) and soft bounces (possibly recoverable errors, like full mailbox). If you prefer to mark as bounced even the addresses with recoverable errors, you can activate the processing of soft bounces.
Complaints are processed as soft bounces.

Have you ever considered going premium?

With a premium plan, you'll get whole collection of 30+ professional addons, along with a full year of updates and priority support. No automatic renewals, frequent releases and a solid 30 days refund policy.

Go Premium Now!