DEV Community

Cover image for AWS Advanced: Getting SES Production Access
Warren Parad for AWS Community Builders

Posted on • Edited on

AWS Advanced: Getting SES Production Access

We made this decision because we believe that your use case would impact the deliverability of our service and would affect your reputation as a sender. We also want to ensure that other Amazon SES users can continue to use the service without experiencing service interruptions.

SES Denied

What to do?

If you've seen the above message, you are probably about to ask a question that looks like one of these:

Wants help with SES

Or like this:

How to validate email addresses before sending out an email to them?

But you need to ask yourself, Why did I get denied?. The goal of AWS SES is to send anything other than spam. AWS wants needs to make sure that it isn't spam for their own benefit. And you've gotten denied because they believe you are going to create spam. Are you going to do it? I'm not asking if your intention is genuine, I'm not asking what you think, I'm asking what do your email recipients think?

AWS believes you are going to send spam by default, because many people actually do create spam. So much so that there are whole products dedicated to circumventing being detected.

Reasons why AWS will deny your request

Would other people out there on the internet approve your request? Does it sound legit? Think for a moment, if I showed my answer to 100 engineers, how many of them would say you are going to send spam. If even one engineer thinks that is spam, then you won't get approved. After reviewing 100s of these requests, often the first thing I think is I wouldn't approve this request either. You’re trying to send 10,000 emails per day to your 3,000 subscribers?

That’s just spam

A lot of things can make them deny your request outright:

  • Your website looks even little inauthentic. They will go to your website and domain, and then validate that you are a real company with real needs.
  • you AWS account not having a good reputation, such as being recently opened or just not a lot of usage present
  • you have an uncommon website domain or no company domain attached tot he account
  • you didn't mention what address all these emails would come from
  • you also didn't make any mention of what you’re going to do to properly authenticate and sign your emails, such as configuring DKIM, SPF, DMARC records
  • you didn't specify how are you going to let people unsubscribe

trying to fool AWS

AWS knows more about email spam than you do, so you can’t fool them. Those requests go to a team whose entire job is just to find out who is trying to fool Amazon and deny the requests.

Why is this so hard?

Unfortunately, this isn’t Amazon’s fault or yours, blame all the people trying to use cloud services for email spam that have led companies like AWS to become incredibly strict on who they allow to send emails to, all to protect their IP and service reputation. Internet email denylists exists and are quick to block IP addresses sending spam. AWS is protecting themselves from having their entire service blocked from sending emails.

Let me repeat that, if you send spam, you will actually cause AWS to be negatively impacted. So they will do everything in their $billions of power to verify if you are truthful in your request.

Re-evaluate your use case

If I'm being perfectly honest - I'm trying to do b2b cold outreach, and no one has prices as low as amazon SES.

This is exactly why someone will get denied, if this is you, go somewhere else, you will just not get approved by AWS. For Authress, we were approved the first time with no back and forth. It was clear we are real a business with real customers who want real transactional emails. Is that also you?

So how do you get approved?

The best rule of thumb is:

For SES you should assume you will never get approved for sending marketing emails.

End.Of.Story.

There are for sure companies that do get approved for this, but they have proof that they aren't going to abuse that power and they have taken the appropriate steps to protect AWS sender reputation.

Start by reading

Yes, reading. Do you want to get approved? If yes, then read the rest of this article and then also read the links within. If you haven't followed all the advice, then you are for sure going to get denied.

So, the first thing is to actually understand the requirements. They are clearly listed in the AWS documentation on moving out of the SES Sandbox.

Further: Always required

~1000 words.

Assume you will need to do real work and write about what that work is, it will take about 1000 words to convince AWS. Are you at 500 words? Write more words. At 900 words? Write more words. I know it is 1000 words because that the shortest amount you can write and completely justify your case. This isn't a Hey what's up, can I production access, k thanx bye. Write the words.

Sufficient AWS Account setup for sending

Don't bother trying to get approved until you have these all setup 100% correctly:

  1. SPF, DKIM and DMARC setup on a custom domain
  2. Bounce and complaints completely automatically tracked and denylisted.
  3. Using the AWS SDK to send email, and your send rate limits are checked before sending.
  4. Captcha setup to prevent spam for emails entered. All emails have to be verified before sending additional messages. (Interestingly at Authress we use a full client side solution for Proof-Of-Work to make this happen)
  5. Clear and explicit business use case on what exact content will be in the email, when it will be sent, and why the users care.
  6. Clear and explicit user expectations for why you have the users emails, where you got the email from, and how you know that the users want these emails.
  7. Clear and explicit dashboards and automation tools to clearly identify what the status of the emails you send.

Know who you are.

Next, you'll want to answer these questions to yourself. It's very important to have these answers, as they will drive the conversation with AWS. There is no "just submit the form and get approved", you need to full understand from a business standpoint what the business justification is:

  1. Are you an individual or a company?
  2. Are you using a custom domain to send emails?
  3. What types of emails are you trying to send?
  4. Exactly how many? And to how many users, exactly?
  5. Are you ready to actually give AWS all this information and a detailed reason why you need SES production access?

Setup the required monitoring

Read all about SES event publishing. Set it up, and the validate it works.

Read all about Why are the emails that I send with Amazon SES marked as spam? directly from AWS.

Validate your AWS account

If your AWS account is set up with a gmail, hotmail address, or outlook address, there's almost no chance you're going to get approved for SES production access.

If your AWS was just created, there's almost no chance you're going to get approved for SES production access.

If your AWS account is spending $0 / month, there's almost no chance you're going to get approved for SES production access.

If your message to support looks copied from somewhere else, there's almost no chance you're going to get approved for SES production access.

If you've tried to do this in another AWS account, and did not provide sufficient information initially, there's almost no chance you're going to get approved for SES production access, and your AWS is most likely going to get a forced closure.

One last thing

One of the best things you can do to improve your chances is move to having Dedicated IP addresses* for your SES sender pool. It should have no impact on your deliverability and SES is more likely to approve your request. While it technically should come with increased deliverability, it really depends on the usage of these ip addresses and is hard to say fundamentally what will work the best. But at least to succeed in production access, private dedicated IP addresses is a great addition.

Conclusion

You are going to get denied. It isn't likely your fault. Unless it is spam you intend on sending, then just give up now, you will never get a validated account.

One last thing...I've said Exactly, a lot of times in this article, that means exactly what you think it means. It isn't "do something sort of like this and you will be successful", it is "do exactly this". Failing to following this advice will ensure you will forever be prevented from sending emails from your account, and in some cases might result in an AWS Account closure.

Do not send spam.

Acknowledgements

This article would not have been possible without Megamush's significant investment in understanding the requirements, supporting the gratuitous number of engineers asking about how they can get their access approved in the AWS Discord Server, and feedback for me in helping to refine this article. Thank you!


Come join our Community and discuss this and other security related topics!


Join the community

Top comments (3)

Collapse
 
talonx profile image
Hrish B

Thanks for writing this. Small companies or ones that are just starting up face this often (writing from personal experience). They don't have much credibility and volume in terms of either cloud usage, spend, or online presence and it makes it harder to get approved.

Collapse
 
rdarrylr profile image
Darryl Ruggles

Some excellent advice here! Thanks for sharing this.

Collapse
 
jasondunn profile image
Jason Dunn [AWS]

Great article!