sendvia Features Pricing Setup guide All systems nominal
Documentation · ~10 minutes

Amazon SES setup guide

sendvia uses your own Amazon SES account to send emails. This gives you full control over your sending reputation, costs and limits. This guide walks you through creating an AWS account, setting up the necessary IAM permissions, and connecting it to sendvia.

Last updated: 20 April 2026

01Create an AWS account

If you don't have an AWS account, go to aws.amazon.com and click Create an AWS Account. You'll need a credit card and a phone number for verification.

New AWS accounts start in the SES sandbox, which limits sending to verified email addresses only. You'll request production access in step 06.

AWS Free Tier. SES is free for up to 3,000 messages/month when sent from an EC2 instance, or 62,000/month free if sending directly. After that, it's $0.10 per 1,000 emails.

02Choose a region

Amazon SES is available in several regions. Choose the one closest to your users or your servers. Common choices:

You'll enter this region when adding a domain in sendvia. Pick one and stick with it — your domain verification and access keys are region-specific.

Before you continue: make sure the AWS console is set to your chosen region. The region selector is in the top-right corner of the AWS console.

03Create an IAM user

It's best practice to create a dedicated IAM user for sendvia rather than using your root account credentials.

Why a dedicated IAM user? sendvia never uses your AWS root credentials. A scoped IAM user contains the blast radius if anything goes wrong — and you can revoke it in a click.

04Attach permissions

On the permissions screen, choose Attach policies directly. You need to attach two AWS-managed policies:

Click Next, review, then Create user.

Why SNS access? Without it, sendvia can't automatically update your email log statuses or add bounced and complained addresses to your blocklist. SES config sets are scoped to publish only bounce + complaint events, so SNS volume stays minimal.
Heads up: if your org uses SCPs (Service Control Policies), make sure the target account is allowed to use SES and SNS in your chosen region.

05Generate access keys

Once the user is created, go to IAM → Users → your user → Security credentials → Create access key.

Keep these private. Never commit them to source code or share them publicly. sendvia stores them in our database and only uses them to send email on your behalf.

06Request production access

New AWS accounts are placed in the SES sandbox. In sandbox mode you can only send to email addresses you've individually verified — not suitable for production. To request production access:

  1. In the AWS console, open Amazon SES → Account dashboard.
  2. Click Request production access.
  3. Pick Transactional or Marketing, set your expected volume, and describe your use case (password resets, verification codes, etc.).
  4. Explain how you handle bounces and complaints. sendvia's automatic blocklist covers this — you can reference it in your answer.
  5. Provide an unsubscribe mechanism for marketing mail (sendvia handles this automatically for newsletters).
Typical turnaround: 12–24 hours. AWS occasionally asks follow-up questions; answer them promptly to avoid a second review cycle.
You can add your domain while still in sandbox. Verification and DNS setup work the same way — you just won't be able to send to unverified addresses until production access is granted.

07Add your domain in sendvia

Once you have your Access Key ID, Secret Access Key and chosen region, you're ready to add a sending domain:

The DNS records you'll add are:

Propagation is usually under 5 minutes on modern DNS providers (Cloudflare, Route 53). sendvia watches live and flips the domain to Verified the moment it's green. Grab your API key from Account settings once the domain is verified.

08Send a test email

curl -X POST https://api.sendvia.io/v1/email \
  -H "Authorization: Bearer sv_live_•••" \
  -H "Content-Type: application/json" \
  -d '{
    "from":    "[email protected]",
    "to":      "[email protected]",
    "subject": "Hello from SES",
    "html":    "<h1>It works.</h1>"
  }'
Expected: a 200 OK with a message_id, and the email landing in under 3 seconds. If the dashboard shows it as delivered, you're done.

Don't want to write code yet? Use the built-in API tester to fire the same request from your browser.

09Maximise deliverability (DMARC & BIMI)

DKIM, SPF and a basic DMARC record get you sending, but tightening your DMARC policy and adding BIMI significantly improves inbox placement and brand visibility.

DMARC enforcement

The initial DMARC record uses p=none, which monitors authentication failures without taking action. Once you've confirmed legitimate mail is passing (review the aggregate reports sent to your rua address), upgrade your policy in stages:

Update your _dmarc TXT record by changing p=none to p=quarantine (and later p=reject). This protects your domain from spoofing and tells mailbox providers you take authentication seriously — directly improving deliverability.

BIMI — Brand Indicators for Message Identification

BIMI displays your brand logo next to your emails in supporting inboxes — Apple Mail, Yahoo Mail and Gmail. It builds trust with recipients and increases open rates.

Requirements:

Add this TXT record to your DNS:

# DNS TXT record
Type:  TXT
Name:  default._bimi.yourdomain.com
Value: v=BIMI1; l=https://yourdomain.com/logo.svg; a=;
TTL:   300

Replace yourdomain.com with your actual domain and the l= URL with the full path to your SVG logo.

SVG Tiny PS is a restricted subset of SVG — no scripts, external references or linked images are allowed. Most logo SVGs need conversion. Use the official BIMI Generator to create a compliant file from your existing logo.

Gmail & VMC. Gmail requires a Verified Mark Certificate (VMC) in addition to the BIMI record. A VMC is a digital certificate that verifies your logo ownership, issued by certificate authorities like DigiCert or Entrust. The certificate URL goes in the a= field of your BIMI record. Other mail clients (Apple Mail, Yahoo) display BIMI logos without a VMC.

sendvia automatically checks your BIMI record and shows its status on your Domains page alongside DKIM, SPF and DMARC.

10Troubleshooting

MAIL FROM domain not verified

Your sender address must match a verified domain. Check the Domains page shows Verified; if not, confirm the DKIM CNAMEs resolve: dig CNAME abc123._domainkey.mail.yourco.com.

Message rejected: Account is in sandbox

Production access hasn't been granted yet. See step 06.

Throttling errors (454, 554)

New SES accounts start with a 1 email/sec rate. It increases automatically with volume — or you can request a quota bump in the SES dashboard.

SNS subscription shows "confirmed" but events never arrive

Rare, but it happens. The fix is to delete the domain in sendvia (we'll clean up the SES identity, SNS topic and config set) and re-add it. A fresh subscription starts working immediately.

Stuck? Email [email protected] with your AWS account ID and the step you're on. We usually reply in under an hour during business hours.