Amazon SES is a powerful and cheap email delivery service which can be used to send a massive number of emails from the Amazon cloud. Amazon provides a second service, Amazon SNS, to receive notifications about failed deliveries.
Create an Amazon AWS account
Amazon AWS is not the Amazon marketplace, so you need to create a specific account with them.
Generating the Amazon API keys
The API keys is a pair of codes used to access the Amazon AWS services. You need to get them and set them on Amazon SES addon for Newsletter. Here is how to generate them.
Note: this method is deprecated by Amazon AWS but still works. For security reasons, you should create the API keys using a IAM user as explained below. It seems a long procedure, but is rather simple.
First, enter the Amazon AWS console page located at
It is not easy to find this link in the Amazon AWS console since it is considered a deprecated procedure.
Press the button “Create New Access Key” and the keys are immediately created and shown with a popup like the one below. You need to copy those keys suddenly, they won’t be shown again.
Only 2 global access key pairs can be generated, if the button is shadowed, you need to use and already present key or delete one (of course is it is used by someone, the access will be revoked).
Now copy the two code in you Amazon SES addon for Newsletter configuration panel and then you can proceed with the setup. In that panel be sure to select the correct Amazon AWS region, as well.
Verify your sending address
Before sending your emails with Amazon, the SES service requires a validation of the email address you want to use as sender address. Your sender address is configured in the main Newsletter configuration.
The extension does everything automatically, just press the “check” button: a check is made with SES service and eventually a verification button is displayed.
If needed, start the verification: an email is delivered by Amazon at the sender address (so a real mailbox must be associated with it) with a link to confirm. Just follow the instructions message.
To check if the address has been correctly verified you can use the “check status” button or enter the SES console in the right Amazon region to see if your sender address is listed as verified.
How to run a test
If everything is configured correctly, you can run a test. A message is sent to all your test subscribers using the Amazon SES service (even if the addon is not enabled).
When the test is positive you can enable the extension so Newsletter will use it to send every email.
Get the API keys creating a IAM user
Amazon AWS is all but easy, so we need to complete some steps to get the API key to use Amazon SES in the way Amazon requires.
The correct way to proceed is to create a IAM user to which we give the ability to use Amazon SES (and/or other Amazon AWS services). There are some steps to complete: don’t worry, they sounds long, but actually they’re rather easy.
To create a new IAM user, go to the IAM console.
Press the “Add user” button and fill in the first two user settings: the username and the access type. In our case we need to enable the Programmatic access (it means the user will be used to access the services from software and not by a human being). Then press the “Next: permissions” button on the bottom of the page.
The we need to give permissions to this user to access the Amazon SES service (and not only). In the permissions panel we decide to attach permissions directly (without creating groups). This is the third option (Attach existing polices directly).
The page will show you a list of policies (Amazon AWS has hundreds of policies for all its services).
We need to search the policies required by Amazon SES. The first policy we need is the one required to send emails. So input “AmazonSES” (without spaces) in the search box and you’ll get a short list of policies. Enable the AmazonSESFullAccess.
The we need to grant the access to the Amazon SNS service: it is required to get the bounces (notification about problematic email address we’re sending to). In the search box, input “AmazonSNS” and a short list of policies appears. Select the AmazonSNSFullAccess policy.
Next we can move to the Tags page, but there is nothing for us there, so we can move on the next page, the Review.
The Review page just shows our user configuration. It should look like the one below and now it’s time to press that “Create user” button!
Once the user is finally create, the screen below is shown. In that screen the user-linked access key are shown and can be copied or downloaded.
This is the only opportunity to get them, so copy them or download them. We use them to configure the Amazon SES addon for Newsletter later.
Of course if you lose them, you can generate a new pair.
The pair of key (Access key and Secret access key) you got can be set on Amazon SES addon for Newsletter configuration panel. Be sure, on that panel, to select the correct Amazon AWS zone as well.
Then you can proceed with the addon configuration verifying the sender address (if not already added directly in the Amazon SES console). If you prefer you can verify the whole domain adding it in the Amazon SES console (but it requires modification to your DNS).
How to handle bounces
Amazon handles bounce notification in a rather complex way. This addon simplifies the configuration reducing it to a button: “Activate the bounce tracking”.
Once tracking is active, Amazon starts to notify the bounced addresses directly to this addon which in turn marks the notified address as bounced so it won’t be contacted anymore. You can the bounced addresses in your database checking their status.
The notification is asynchronous. It could take few seconds as well as days. Infact a formally correct address is invalid when the delivery of a message to that address fails. Amazon can try to deliver the message for few hours before determining the address is not valid. Or it needs to receive a DSN from the remote system to understand there is not an available mailbox or the mailbox is blocked (typically for exeeded quota).
Amazon usually sends back also an DSN (Delivery Status Notification) email message to the sender address. This could be quite annoying, so you can disable this Amazon feature directly in the Amazon SES console. See the screenshot below.
Hard and soft bounces
Amazon distinguishes between hard bounces (non recoverable delivery errors) and soft bounces (possibly recoverable errors, like full mailbox). If you prefer to mark as bounced even the addresses with recoverable errors, you can activate the processing of soft bounces.