Documentation

Amazon SES setup guide

sendvia uses your own Amazon SES account to send emails. This gives you full control over your sending reputation, costs, and limits. This guide walks you through creating an AWS account, setting up the necessary IAM permissions, and connecting it to sendvia.

On this page
  1. Create an AWS account
  2. Choose a region
  3. Create an IAM user
  4. Attach permissions
  5. Generate access keys
  6. Request production access
  7. Add your domain in sendvia
  8. Maximize deliverability (DMARC & BIMI)
1

Create an AWS account

If you don't have an AWS account, go to aws.amazon.com and click Create an AWS Account. You'll need a credit card and a phone number for verification.

New AWS accounts start in the SES sandbox, which limits sending to verified email addresses only. You'll request production access in step 6.

AWS has a Free Tier for SES — 3,000 messages/month free if sent from an EC2 instance, or 62,000/month free if using SES directly. After that, it's $0.10 per 1,000 emails.
2

Choose a region

Amazon SES is available in several regions. Choose the one closest to your users or your servers. Common choices:

  • us-east-1 — US East (N. Virginia) — most commonly used, highest limits
  • eu-west-1 — Europe (Ireland) — good for EU-based businesses
  • ap-southeast-2 — Asia Pacific (Sydney)

You'll enter this region when adding a domain in sendvia. Pick one and stick with it — your domain verification and access keys are region-specific.

Make sure the AWS console is set to your chosen region before completing the steps below. The region selector is in the top-right corner of the AWS console.
3

Create an IAM user

It's best practice to create a dedicated IAM user for sendvia rather than using your root account credentials.

  • In the AWS console, go to IAM → Users → Create user
  • Set the user name to something like sendvia-sender
  • Leave "Provide user access to the AWS Management Console" unchecked — this is a programmatic user only
  • Click Next and proceed to permissions
4

Attach permissions

On the permissions screen, choose Attach policies directly. You need to attach two AWS managed policies:

  • Search for AmazonSESFullAccess and select it — grants permission to send email, manage identities, and create configuration sets.
  • Search for AmazonSNSFullAccess and select it — required so sendvia can automatically create an SNS topic to receive delivery, bounce, and complaint notifications from SES.

Click Next, review, then click Create user.

The SNS policy is needed for bounce and complaint processing. Without it, sendvia cannot automatically update your email log statuses or add bounced/complained addresses to your blocklist.
5

Generate access keys

Once the user is created, go to IAM → Users → your user → Security credentials → Create access key.

  • Select Application running outside AWS as the use case
  • Click through and download the CSV, or copy the Access key ID and Secret access key now — you won't be able to see the secret again
Keep these credentials private. Never commit them to source code or share them publicly. sendvia stores them encrypted and only uses them to send email on your behalf.
6

Request production access

New AWS accounts are placed in the SES sandbox. In sandbox mode you can only send to email addresses you have individually verified — not suitable for production use.

To request production access:

  • In the AWS console, go to Amazon SES → Account dashboard
  • Click Request production access
  • Fill in the form: describe your use case (transactional email — password resets, verification codes, etc.), your expected volume, and how you handle bounces and complaints
  • AWS typically approves requests within 24 hours
You can add your domain in sendvia while still in sandbox mode. Verification and DNS setup work the same way — you just won't be able to send to unverified addresses until production access is granted.
7

Add your domain in sendvia

Once you have your access key ID, secret access key, and chosen region, you're ready to add a sending domain in sendvia.

  • Go to Dashboard → Domains → Add domain
  • Enter your domain (e.g. yourdomain.com), your AWS access key, secret key, and region
  • sendvia will automatically register the domain in SES and return three DNS records to add
  • Add the DKIM CNAME records, SPF TXT record, and DMARC TXT record to your DNS provider
  • Click Check verification — sendvia will confirm everything is set up correctly

Once verified, you can start sending immediately using the API. Grab your API key from Account settings.

8

Maximize deliverability (DMARC & BIMI)

DKIM, SPF and a basic DMARC record get you sending, but tightening your DMARC policy and adding BIMI significantly improves inbox placement and brand visibility.

DMARC enforcement

The initial DMARC record uses p=none, which monitors authentication failures without taking action. Once you've confirmed legitimate mail is passing (review the aggregate reports sent to your rua address), upgrade your policy in stages:

  • p=quarantine — failing emails go to spam instead of the inbox
  • p=reject — failing emails are blocked entirely (strongest protection)

Update your _dmarc TXT record by changing p=none to p=quarantine (and later p=reject). This protects your domain from spoofing and tells mailbox providers you take authentication seriously — directly improving deliverability.

BIMI — Brand Indicators for Message Identification

BIMI displays your brand logo next to your emails in supporting inboxes — including Apple Mail, Yahoo Mail, and Gmail. It builds trust with recipients and increases open rates.

Requirements:

  • DMARC with p=quarantine or p=reject (enforcement is mandatory)
  • A square logo in SVG Tiny PS (Portable/Secure) format, under 32 KB
  • The SVG hosted at a public HTTPS URL on your domain

Add this TXT record to your DNS:

Type: TXT
Name: default._bimi.yourdomain.com
Value: v=BIMI1; l=https://yourdomain.com/logo.svg; a=;
TTL: 300

Replace yourdomain.com with your actual domain and the l= URL with the full path to your SVG logo.

SVG Tiny PS is a restricted subset of SVG — no scripts, external references, or linked images are allowed. Most logo SVGs need conversion. Use the official BIMI Generator to create a compliant file from your existing logo.

Gmail & VMC: Gmail requires a Verified Mark Certificate (VMC) in addition to the BIMI record. A VMC is a digital certificate that verifies your logo ownership, issued by certificate authorities like DigiCert or Entrust. The certificate URL goes in the a= field of your BIMI record. Other mail clients (Apple Mail, Yahoo) display BIMI logos without a VMC.

sendvia automatically checks your BIMI record and shows its status on your Domains page alongside DKIM, SPF and DMARC.

Questions? Contact support and we'll help you get set up.