Amazon SES setup guide

sendvia uses your own Amazon SES account to send emails. This gives you full control over your sending reputation, costs and limits. This guide walks you through creating an AWS account, setting up the necessary IAM permissions, and connecting it to sendvia.

01Create an AWS account

If you don't have an AWS account, go to aws.amazon.com and click Create an AWS Account. You'll need a credit card and a phone number for verification.

New AWS accounts start in the SES sandbox, which limits sending to verified email addresses only. You'll request production access in step 06.

02Choose a region

Amazon SES is available in several regions. Choose the one closest to your users or your servers. Common choices:

• us-east-1 — US East (N. Virginia) — most commonly used, highest limits.
• eu-west-1 — Europe (Ireland) — good for EU-based businesses.
• ap-southeast-2 — Asia Pacific (Sydney).

You'll enter this region when adding a domain in sendvia. Pick one and stick with it — your domain verification and access keys are region-specific.

03Create an IAM user

It's best practice to create a dedicated IAM user for sendvia rather than using your root account credentials.

• In the AWS console, open IAM → Users → Create user.
• Set the user name to something like sendvia-sender.
• Leave "Provide user access to the AWS Management Console" unchecked — this is a programmatic user only.
• Click Next and proceed to permissions.

04Attach permissions

On the permissions screen, choose Attach policies directly. You need to attach two AWS-managed policies:

• AmazonSESFullAccess — grants permission to send email, manage identities, and create configuration sets.
• AmazonSNSFullAccess — required so sendvia can automatically create an SNS topic to receive delivery, bounce and complaint notifications from SES.

Click Next, review, then Create user.

05Generate access keys

Once the user is created, go to IAM → Users → your user → Security credentials → Create access key.

• Select Application running outside AWS as the use case.
• The Access Key ID starts with AKIA….
• Click through and download the CSV, or copy the Access Key ID and Secret Access Key now — you won't be able to see the secret again.

06Request production access

New AWS accounts are placed in the SES sandbox. In sandbox mode you can only send to email addresses you've individually verified — not suitable for production. To request production access:

1. In the AWS console, open Amazon SES → Account dashboard.
2. Click Request production access.
3. Pick Transactional or Marketing, set your expected volume, and describe your use case (password resets, verification codes, etc.).
4. Explain how you handle bounces and complaints. sendvia's automatic blocklist covers this — you can reference it in your answer.
5. Provide an unsubscribe mechanism for marketing mail (sendvia handles this automatically for newsletters).

07Add your domain in sendvia

Once you have your Access Key ID, Secret Access Key and chosen region, you're ready to add a sending domain:

• Go to Dashboard → Domains → Add domain.
• Enter your domain (e.g. mail.yourco.com), your AWS Access Key, Secret Key and region.
• sendvia will register the domain in SES on your behalf, create an SNS topic for events, and return DNS records to add.

The DNS records you'll add are:

• 3 × DKIM CNAMEs — under *._domainkey.
• 1 × SPF TXT — usually v=spf1 include:amazonses.com ~all on the mail.yourdomain.com subdomain (SES custom MAIL FROM).
• 1 × DMARC TXT — start with p=none while you warm up. You'll tighten this in step 09.

Propagation is usually under 5 minutes on modern DNS providers (Cloudflare, Route 53). sendvia watches live and flips the domain to Verified the moment it's green. Grab your API key from Account settings once the domain is verified.

08Send a test email

curl -X POST https://api.sendvia.io/v1/email \
  -H "Authorization: Bearer sv_live_•••" \
  -H "Content-Type: application/json" \
  -d '{
    "from":    "[email protected]",
    "to":      "[email protected]",
    "subject": "Hello from SES",
    "html":    "<h1>It works.</h1>"
  }'

Don't want to write code yet? Use the built-in API tester to fire the same request from your browser.

09Maximise deliverability (DMARC & BIMI)

DKIM, SPF and a basic DMARC record get you sending, but tightening your DMARC policy and adding BIMI significantly improves inbox placement and brand visibility.

DMARC enforcement

The initial DMARC record uses p=none, which monitors authentication failures without taking action. Once you've confirmed legitimate mail is passing (review the aggregate reports sent to your rua address), upgrade your policy in stages:

• p=quarantine — failing emails go to spam instead of the inbox.
• p=reject — failing emails are blocked entirely (strongest protection).

Update your _dmarc TXT record by changing p=none to p=quarantine (and later p=reject). This protects your domain from spoofing and tells mailbox providers you take authentication seriously — directly improving deliverability.

BIMI — Brand Indicators for Message Identification

BIMI displays your brand logo next to your emails in supporting inboxes — Apple Mail, Yahoo Mail and Gmail. It builds trust with recipients and increases open rates.

Requirements:

• DMARC with p=quarantine or p=reject — enforcement is mandatory.
• A square logo in SVG Tiny PS (Portable/Secure) format, under 32 KB.
• The SVG hosted at a public HTTPS URL on your domain.

Add this TXT record to your DNS:

# DNS TXT record
Type:  TXT
Name:  default._bimi.yourdomain.com
Value: v=BIMI1; l=https://yourdomain.com/logo.svg; a=;
TTL:   300

Replace yourdomain.com with your actual domain and the l= URL with the full path to your SVG logo.

Gmail & VMC. Gmail requires a Verified Mark Certificate (VMC) in addition to the BIMI record. A VMC is a digital certificate that verifies your logo ownership, issued by certificate authorities like DigiCert or Entrust. The certificate URL goes in the a= field of your BIMI record. Other mail clients (Apple Mail, Yahoo) display BIMI logos without a VMC.

10Troubleshooting

MAIL FROM domain not verified

Your sender address must match a verified domain. Check the Domains page shows Verified; if not, confirm the DKIM CNAMEs resolve: dig CNAME abc123._domainkey.mail.yourco.com.

Message rejected: Account is in sandbox

Production access hasn't been granted yet. See step 06.

Throttling errors (454, 554)

New SES accounts start with a 1 email/sec rate. It increases automatically with volume — or you can request a quota bump in the SES dashboard.

SNS subscription shows "confirmed" but events never arrive

Rare, but it happens. The fix is to delete the domain in sendvia (we'll clean up the SES identity, SNS topic and config set) and re-add it. A fresh subscription starts working immediately.