Amazon SES Email Deliverability Consulting | FactualMinds

## What is AWS SES?

AWS Simple Email Service (SES) is a cloud-based email platform that enables businesses to send and receive emails at scale with industry-leading deliverability, security, and cost efficiency. Whether you need to send transactional emails (order confirmations, password resets, shipping notifications), marketing campaigns, or automated notifications, SES provides the infrastructure to handle millions of emails per day at a fraction of the cost of traditional email service providers.

SES is not just an SMTP relay. It is a full email platform with domain authentication, deliverability tools, sending analytics, content filtering, and email receiving capabilities — all integrated into the broader AWS ecosystem. At FactualMinds, we help organizations design, deploy, and optimize SES implementations that deliver consistently to the inbox. We have helped clients scale from thousands to [over 200 million emails per month](/case-study/aws-ses) while maintaining strong sender reputation and deliverability.

> **Looking to migrate from SendGrid, Mailgun, or SparkPost to SES?** See our dedicated [SES Migration & Email Delivery Services](/services/aws-ses-migration) for migration-specific planning, IP warming, and cutover strategies.

## Why Organizations Choose AWS SES

### Unmatched Cost Efficiency

SES pricing is straightforward: $0.10 per 1,000 emails sent, with no monthly minimums, no contracts, and no per-feature charges. At enterprise scale, the cost difference is substantial:

| Monthly Volume    | AWS SES | SendGrid Pro               | Mailgun Scale              |
| ----------------- | ------- | -------------------------- | -------------------------- |
| 100,000 emails    | $10     | $19.95                     | $35                        |
| 500,000 emails    | $50     | $99.95                     | $90                        |
| 1,000,000 emails  | $100    | $249+                      | $250+                      |
| 10,000,000 emails | $1,000  | Custom (typically $2,000+) | Custom (typically $1,500+) |

Dedicated IPs on SES cost $24.95/month each — compared to $80-$100/month on most providers.

### AWS Ecosystem Integration

SES integrates natively with other AWS services, enabling powerful email workflows:

- **Lambda** — Trigger functions on email events (bounce, complaint, delivery) for real-time processing
- **SNS** — Publish email events to topics for fan-out to multiple subscribers
- **SQS** — Queue email events for reliable, ordered processing
- **S3** — Store received emails and email templates
- **CloudWatch** — Monitor sending metrics, set alarms on bounce/complaint rates
- **Kinesis Data Firehose** — Stream email events to data lakes for analytics

### Proven Scale

SES handles a significant portion of Amazon's own email — order confirmations, shipping notifications, and marketing communications for hundreds of millions of customers. This battle-tested infrastructure means SES can scale to handle virtually any volume without you managing a single mail server.

## Email Authentication: The Foundation of Deliverability

Email authentication is the single most important factor in inbox placement. Without proper authentication, your emails are far more likely to be flagged as spam, regardless of content quality. We configure all three authentication protocols as part of every SES implementation.

### SPF (Sender Policy Framework)

SPF tells receiving mail servers which IP addresses are authorized to send email on behalf of your domain. We configure SPF records to include SES sending IPs and any other authorized sources (Google Workspace, Microsoft 365, marketing platforms).

### DKIM (DomainKeys Identified Mail)

DKIM adds a cryptographic signature to every email, allowing receivers to verify the email was not tampered with in transit and was genuinely sent from your domain. SES supports Easy DKIM with 2048-bit keys and automatic key rotation.

### DMARC (Domain-based Message Authentication, Reporting, and Conformance)

DMARC ties SPF and DKIM together and tells receiving servers what to do with emails that fail authentication — monitor, quarantine, or reject. We implement DMARC with a phased approach:

1. **Monitor mode** (`p=none`) — Collect reports without affecting delivery
2. **Quarantine mode** (`p=quarantine`) — Send failing emails to spam
3. **Reject mode** (`p=reject`) — Block unauthenticated emails entirely

We analyze DMARC reports to identify unauthorized senders using your domain (spoofing) and ensure all legitimate sources pass authentication before moving to enforcement.

Reaching DMARC enforcement (`p=quarantine` or `p=reject`) also unlocks **BIMI (Brand Indicators for Message Identification)** — a standard that displays your brand logo next to your sender name in Gmail, Yahoo Mail, and Apple Mail. BIMI requires a DMARC policy at enforcement level as a prerequisite, plus a Verified Mark Certificate (VMC) from an approved authority (Entrust or DigiCert, approximately $1,000–$1,500/year). For brands where inbox recognition and trust signals matter, BIMI is a compelling reason to accelerate DMARC enforcement.

## 2024 Google and Yahoo Bulk Sender Requirements

In February 2024, Google and Yahoo jointly enforced new requirements for anyone sending 5,000 or more emails per day to Gmail or Yahoo addresses. These are no longer recommendations — they are delivery requirements enforced at the inbox provider level, independent of your SES account standing.

### What Is Required

**1. Email Authentication (SPF + DKIM + DMARC)**

Bulk senders must have all three authentication records configured and passing with alignment. DMARC is now mandatory at minimum `p=none` — a missing DMARC record will cause Gmail to apply additional filtering to your messages.

**2. One-Click Unsubscribe (RFC 8058)**

All marketing and bulk email must include a `List-Unsubscribe-Post` header (RFC 8058). When a Gmail user clicks "Unsubscribe" in the Gmail UI, Gmail sends a machine-processable POST request to this header URL, and the sender must honor it within two business days. A standard unsubscribe link in the email body is not sufficient.

SES does not add this header automatically — it must be included in your email templates or sending code. We implement RFC 8058-compliant unsubscribe handling as part of every campaign architecture.

**3. Gmail Spam Rate Threshold**

Gmail Postmaster Tools now enforces spam rate limits at the inbox provider level:

| Spam Rate     | Gmail Response                               |
| ------------- | -------------------------------------------- |
| Below 0.08%   | Normal delivery                              |
| 0.08% – 0.10% | Warning threshold — inbox placement degrades |
| Above 0.10%   | Delivery throttling begins                   |
| Above 0.30%   | Messages blocked or rejected                 |

This is separate from the SES account suspension threshold (0.1% complaint rate via SES feedback loops). Your SES account can be in good standing while Gmail is actively downgrading your inbox placement. We monitor both.

### Why This Matters for Your SES Setup

These requirements affect all bulk senders — not just new ones. If you set up SES before February 2024 and have not audited your implementation since, you may be operating below the enforcement thresholds without realizing it. Common gaps we find:

- DMARC policy exists but is at `p=none` without a plan to reach enforcement
- Email templates lack `List-Unsubscribe-Post` headers
- Spam rate not monitored in Gmail Postmaster Tools (separate from SES complaint metrics)
- SPF and DKIM passing individually but not achieving DMARC alignment

[Contact us to audit your SES setup for 2024 compliance →](/contact-us)

## SES Architecture Best Practices

### Separate Transactional and Marketing Email

Transactional emails (password resets, order confirmations, receipts) have fundamentally different deliverability requirements than marketing emails (newsletters, promotions, re-engagement campaigns). A spam complaint on a marketing campaign should never impact your transactional email delivery.

We implement separation at multiple levels:

- **Separate configuration sets** — Different sending configurations, event destinations, and suppression lists
- **Separate dedicated IPs** — Transactional emails on their own IP pool isolated from marketing reputation
- **Separate subdomains** — `mail.yourdomain.com` for transactional, `marketing.yourdomain.com` for campaigns
- **Separate monitoring** — Independent bounce/complaint dashboards and alert thresholds

### Dedicated IP Management and Warming

When you add a new dedicated IP to SES, it has no sending history — mailbox providers like Gmail and Microsoft do not trust it yet. Sending high volumes immediately from a cold IP will result in throttling or blocking.

We implement a structured warm-up plan:

| Day   | Daily Volume   | Notes                                    |
| ----- | -------------- | ---------------------------------------- |
| 1-3   | 200-500        | Send only to your most engaged contacts  |
| 4-7   | 500-1,000      | Gradually include broader audience       |
| 8-14  | 1,000-5,000    | Monitor bounce rates closely             |
| 15-21 | 5,000-25,000   | Check inbox placement at major providers |
| 22-30 | 25,000-100,000 | Approach target volume                   |
| 30+   | Target volume  | Full sending with ongoing monitoring     |

We adjust this schedule based on bounce rates, complaint rates, and inbox placement testing at each stage.

### Bounce and Complaint Management

SES suspends accounts that exceed a 5% bounce rate or 0.1% complaint rate. Proactive management is essential:

- **Hard bounce suppression** — Automatically add hard-bounced addresses to the SES account-level suppression list
- **Complaint processing** — Process feedback loop (FBL) complaints via SNS and automatically unsubscribe complainants
- **Soft bounce retry logic** — Implement exponential backoff for temporary failures without over-retrying
- **List hygiene** — Verify email addresses before sending using validation services; remove inactive subscribers after defined periods

## Building Email Workflows with SES

### Transactional Email Pipeline

For applications that need reliable transactional email delivery:

```
Application → SQS Queue → Lambda (template rendering) → SES API → SNS (events) → CloudWatch (monitoring)
```

This architecture decouples email sending from your application logic, handles retries gracefully, and provides complete visibility into delivery status.

### Marketing Campaign Architecture

For bulk marketing campaigns:

```
Campaign Manager → S3 (recipient lists) → Step Functions (orchestration) → Lambda (batching + throttling) → SES API → Kinesis Firehose → S3 (event archive)
```

Step Functions orchestrate the campaign lifecycle: validate the recipient list, batch sends to respect SES rate limits, track progress, and generate post-campaign analytics.

### Inbound Email Processing

SES can receive emails and trigger automated workflows:

```
Incoming Email → SES Receipt Rules → S3 (store) + Lambda (process) + SNS (notify)
```

Use cases include automated support ticket creation, document intake (invoices, contracts), lead capture from email inquiries, and automated forwarding with transformation.

## Email Deliverability Checklist

Use this checklist to evaluate your current email infrastructure health:

- [ ] SPF record configured and passing validation
- [ ] DKIM enabled with 2048-bit keys
- [ ] DMARC policy in enforcement mode (quarantine or reject)
- [ ] Dedicated IPs properly warmed (if using dedicated IPs)
- [ ] Transactional and marketing email separated on different IPs/subdomains
- [ ] Bounce rate monitored and consistently below 2%
- [ ] Complaint rate monitored and consistently below 0.05%
- [ ] Suppression list automatically updated on hard bounces
- [ ] Feedback loop complaints processed and unsubscribed
- [ ] Email content tested against spam filters before sending
- [ ] Unsubscribe links present and functional in all marketing emails
- [ ] One-click unsubscribe (RFC 8058 List-Unsubscribe-Post header) implemented for bulk mail
- [ ] List hygiene process in place (remove inactive subscribers)
- [ ] CloudWatch alarms configured for delivery metrics
- [ ] DMARC reports analyzed regularly for unauthorized senders
- [ ] Gmail Postmaster Tools connected and spam rate monitored (separate from SES complaint metrics)
- [ ] AWS Virtual Deliverability Manager (VDM) enabled and inbox placement tested

If any items are unchecked, your deliverability is at risk. [Contact us for a free deliverability assessment →](/contact-us)

## SES Monitoring and Analytics

We implement comprehensive monitoring so you always know the health of your email infrastructure:

### Real-Time Dashboards

CloudWatch dashboards showing:

- Sends, deliveries, bounces, complaints, and rejections per hour/day
- Bounce rate and complaint rate trends with threshold indicators
- Delivery rate by mailbox provider (Gmail, Microsoft, Yahoo)
- Dedicated IP reputation scores

### AWS Virtual Deliverability Manager (VDM)

Amazon SES includes Virtual Deliverability Manager — a native deliverability intelligence tool that provides inbox placement testing, engagement analytics, and automated recommendations without requiring third-party tools.

**What VDM provides:**

- **Inbox placement testing** — Send to a seed list across 35+ mailbox providers (Gmail, Microsoft, Yahoo, Apple Mail, and more) to see where your emails land before sending to your real list
- **VDM Advisor** — Automated recommendations surfacing authentication issues, poor IP reputation, high bounce rates, and problematic sending patterns
- **Engagement analytics** — Open and click tracking at the configuration set level, segmented by mailbox provider
- **Deliverability dashboard** — Centralized view of sending reputation, inbox placement rates, and complaint trends over time

VDM costs $0.0009 per message processed (approximately $0.90 per 1,000 emails), in addition to standard SES sending costs. For most clients, the cost is negligible relative to the deliverability visibility it provides.

We enable and configure VDM as part of all new SES implementations and retrofits.

### Automated Alerting

CloudWatch alarms that trigger when:

- Bounce rate exceeds 3% (warning) or 5% (critical)
- Complaint rate exceeds 0.05% (warning) or 0.1% (critical)
- Sending quota utilization exceeds 80%
- Delivery failures spike above baseline

### Long-Term Analytics

Using Kinesis Data Firehose to stream SES events to S3, we enable long-term analytics:

- Campaign performance trends over time
- Engagement segmentation (opens, clicks by audience)
- Optimal send time analysis
- Revenue attribution for transactional emails

## SES and Compliance

### CAN-SPAM Act

All commercial emails must include a physical mailing address, a clear unsubscribe mechanism, and honest subject lines. We configure SES templates and sending logic to enforce compliance automatically.

### GDPR

For organizations sending to EU recipients, we implement consent management, data retention policies, and the ability to purge all email data for a specific individual on request. SES integrates with your consent management platform through Lambda and DynamoDB.

### HIPAA

SES is HIPAA-eligible when used within a BAA-covered AWS account. We configure SES for healthcare organizations with encryption in transit (TLS enforcement), audit logging, and access controls that meet HIPAA requirements. We also ensure [broader AWS security compliance](/services/aws-cloud-security) for healthcare environments.

## Getting Started

Whether you are implementing SES for the first time, optimizing an existing setup, or [migrating from another email provider](/services/aws-ses-migration), our team brings deep email infrastructure expertise and hands-on SES experience at scale.

[Contact us to discuss your email infrastructure needs →](/contact-us)

Application → SQS Queue → Lambda (template rendering) → SES API → SNS (events) → CloudWatch (monitoring)

Campaign Manager → S3 (recipient lists) → Step Functions (orchestration) → Lambda (batching + throttling) → SES API → Kinesis Firehose → S3 (event archive)

Incoming Email → SES Receipt Rules → S3 (store) + Lambda (process) + SNS (notify)