Amazon SES setup takes 30–60 minutes from a blank AWS account to a verified, production-ready email sending configuration. The process involves six distinct steps - skip any one of them and you'll either be stuck in sandbox mode or sending from an unauthenticated domain (AWS, Getting Started with Amazon SES, retrieved 2026-06-07).
This guide walks through each step in order with exact console navigation, the DNS records you need, and the common errors at each stage.
Key Takeaways
- Domain verification requires adding a TXT record and three CNAME records to your DNS - propagation takes minutes to 48 hours.
- All new accounts start in sandbox mode (200 emails/day, verified addresses only). You must request production access separately.
- DKIM signing is required for strong deliverability - SES generates the keys, you add the CNAME records.
- Setting up bounce/complaint handling via SNS is required before sending to real marketing lists.
For the Mailblast-specific version of these same steps (with the exact AWS console paths and screenshots), see Setting up and verifying your SES account in the help docs. For the bigger SES marketing picture, see our Amazon SES email marketing guide.
Before You Start: What You Need
An AWS account (free to create at aws.amazon.com)
Access to your domain's DNS settings (via Cloudflare, Route 53, GoDaddy, Namecheap, or your registrar)
An email address at your domain that can receive mail (for the verification check)
Roughly 30–60 minutes
Step 1: Access the Amazon SES Console
Sign in to the AWS Management Console and navigate to Amazon Simple Email Service. You can search "SES" in the services search bar.
Choose your AWS region carefully. SES is available in multiple regions (us-east-1, eu-west-1, ap-southeast-2, and others). Your sending quotas and reputation are tied to the specific region where you set up SES. For most teams sending globally, us-east-1 (N. Virginia) has the largest IP pool and longest track record.
Step 2: Create a Verified Identity (Your Sending Domain)
In the SES console, navigate to Configuration → Verified Identities → Create Identity.
Select Domain (not Email Address - domain verification is required for production marketing use). Enter your sending domain (e.g., yourdomain.com).
SES will ask whether to use Easy DKIM or BYODKIM (bring your own DKIM keys). Choose Easy DKIM - SES generates and manages the keys automatically.
You have two sub-options for DKIM key type: RSA-1024 or RSA-2048. Choose RSA-2048 - it's the stronger standard and what major mailbox providers expect in 2026.
Leave DKIM signing enabled (the default). Click Create Identity.
Step 3: Add DNS Records at Your Registrar
SES will display a set of DNS records you must add to your domain. These typically include:
1. Domain Verification Record (TXT):
Name: _amazonses.yourdomain.com
Type: TXT
Value: [unique string provided by SES]
2. DKIM Records (3× CNAME):
Name: [unique]._domainkey.yourdomain.com
Type: CNAME
Value: [unique].dkim.amazonses.com
(Repeat for all three CNAME records SES provides.)
Add all four records to your DNS provider's control panel. DNS propagation typically takes 5–30 minutes on Cloudflare or Route 53 and up to 48 hours on some traditional registrars.
Once SES detects the records, the identity status changes from "Pending" to "Verified." The DKIM status should also show "Successful."
Step 4: Configure DMARC (Recommended)
While DKIM and SPF protect your authentication, DMARC tells receiving mail servers what to do with unauthenticated messages claiming to come from your domain. It's not required by SES, but it's expected by Gmail and Yahoo in 2026 for bulk senders (AWS SES documentation, retrieved 2026-06-07).
Add a DMARC TXT record to your DNS:
Name: _dmarc.yourdomain.com
Type: TXT
Value: v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com
Start with p=none (monitoring mode) before moving to p=quarantine or p=reject after confirming all legitimate sending is authenticated.
Step 5: Set Up Bounce and Complaint Notifications
This step is mandatory before sending to any real marketing list. Without it, you have no automated way to suppress future sends to addresses that bounce or complain.
In the SES console, navigate to Configuration → Configuration Sets → Create Configuration Set.
Name the set (e.g., marketing-sends). Within the configuration set, add Event Destinations:
Create an Amazon SNS topic for bounces (e.g.,
ses-bounces)Create an Amazon SNS topic for complaints (e.g.,
ses-complaints)Add event destinations pointing
Bounceevents to the bounces topic andComplaintevents to the complaints topic
If you're using a marketing frontend that exposes a webhook (like BigMailer), you'll subscribe its URL to these SNS topics manually. Mailblast does this differently - it provisions and subscribes to its own SNS topics using the IAM key you give it, so there's nothing to wire up by hand. Either way, the frontend handles the suppression logic automatically. See our bounce handling deep-dive or the help-doc How does Mailblast handle bounces?.
Step 6: Request Production Access (Exit Sandbox)
All new SES accounts are in sandbox mode: 200 emails per 24 hours, 1 email per second, and delivery only to verified email addresses. Real marketing sending requires production access.
In the SES console, navigate to Account Dashboard → Request Production Access.
You'll be asked to provide:
Use case description (marketing email, transactional email, or both)
How you collect subscriber consent (describe your opt-in process)
How you handle bounces and complaints (reference the SNS setup you just did)
Expected monthly sending volume
AWS reviews requests and typically approves legitimate marketing use cases within 24 hours. Specific, detailed descriptions of your opt-in process improve approval speed. For an exact field-by-field walk-through of the form, see Moving out of the AWS SES Sandbox or our sandbox-to-production guide.
Step 7: Connect a Marketing Frontend and Send
With verification complete, production access granted, and bounce handling configured, you're ready to send campaigns. The final step is connecting a marketing frontend - SES needs something to provide the campaign UI, list management, and analytics that it doesn't include.
For Mailblast, that means generating an IAM access key with our recommended policy and pasting it into the Mailblast AWS Settings page. Run a test send to a verified address before sending to your list. For a side-by-side of the frontend options, see Email marketing tools for Amazon SES.
Common Setup Errors
"Identity not verified" after adding DNS records. Wait up to 48 hours for DNS propagation. Use a DNS propagation checker to verify the records are visible globally before re-checking in SES.
DKIM status shows "Failed." The CNAME records weren't added correctly. Check that you didn't include your domain name twice (e.g., _abc._domainkey.yourdomain.com.yourdomain.com is a common error on some DNS providers that auto-append the domain).
Production access request denied. This usually means the use case description was too vague. Resubmit with specific details about your opt-in process, your relationship with subscribers, and your list management practices.
Frequently Asked Questions
How long does Amazon SES domain verification take?
Domain verification typically completes within 5–30 minutes once DNS records are added on fast providers (Cloudflare, Route 53). On traditional registrars with long TTLs, it can take up to 48 hours. You can check propagation status at any time in the SES Verified Identities console.
Do I need to verify my email address to use Amazon SES?
For production marketing sends to external lists, domain verification is the right approach - it authenticates the entire sending domain rather than individual addresses. Email address verification is sufficient only for sandbox testing.
Can I set up Amazon SES without AWS technical knowledge?
Basic SES setup requires adding DNS records and navigating the AWS console - both are manageable for non-engineers with a step-by-step guide. The harder parts are bounce/complaint handling (which requires SNS configuration) and ongoing monitoring. A marketing frontend like Mailblast handles much of this complexity automatically.
What is the Amazon SES sandbox and how do I leave it?
The sandbox is SES's testing environment for new accounts: you can only send to verified email addresses at a limit of 200 emails per 24 hours. To exit, submit a production access request in the SES console with details about your sending use case and consent practices - see our sandbox-to-production guide.