Connecting AWS SES

SES Mailbox sends email through your own AWS account — you own the sending infrastructure, the IP reputation, and the cost. This page covers IAM setup, credential management, region selection, and getting out of sandbox mode.

IAM user and policy

Never use your AWS root account credentials. Create a dedicated IAM user with the minimum permissions SES Mailbox needs.

Step 1 — Create the IAM user

  1. Sign in to the AWS IAM console
  2. Click Users → Create user
  3. Username: sesmailbox
  4. Do not enable AWS Management Console access — this is a programmatic user only
  5. Click Next

Step 2 — Create and attach the policy

  1. On the permissions screen, select Attach policies directly
  2. Click Create policy (opens a new tab)
  3. Switch to the JSON tab and paste the policy below
  4. Name it SESMailboxPolicy, create it, then return to the user creation tab
  5. Refresh the policy list, select SESMailboxPolicy, click Next → Create user

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "SESMailboxSend",
      "Effect": "Allow",
      "Action": [
        "ses:SendEmail",
        "ses:SendRawEmail",
        "ses:GetSendQuota",
        "ses:GetSendStatistics"
      ],
      "Resource": "*"
    },
    {
      "Sid": "SESMailboxDomainVerify",
      "Effect": "Allow",
      "Action": [
        "ses:VerifyDomainIdentity",
        "ses:VerifyDomainDkim",
        "ses:ListIdentities",
        "ses:GetIdentityVerificationAttributes",
        "ses:GetIdentityDkimAttributes"
      ],
      "Resource": "*"
    }
  ]
}
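
The policy above allows the two send actions on every identity in the account. As an added example (not part of SES Mailbox or its documentation), the Python below rewrites that policy so `ses:SendEmail` and `ses:SendRawEmail` apply only to one verified domain identity and to From addresses at that domain. The function name, the region, the account ID 111122223333 and example.com are placeholders, and the remaining actions are left on `"Resource": "*"` as the page has them.

```python
import copy
import json

# Constructed copy of the policy above, so the script runs offline.
PAGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "SESMailboxSend", "Effect": "Allow", "Resource": "*",
         "Action": ["ses:SendEmail", "ses:SendRawEmail",
                    "ses:GetSendQuota", "ses:GetSendStatistics"]},
        {"Sid": "SESMailboxDomainVerify", "Effect": "Allow", "Resource": "*",
         "Action": ["ses:VerifyDomainIdentity", "ses:VerifyDomainDkim",
                    "ses:ListIdentities", "ses:GetIdentityDkimAttributes",
                    "ses:GetIdentityVerificationAttributes"]},
    ],
}

# Actions this example narrows; every other action keeps its original Resource.
SEND_ACTIONS = {"ses:SendEmail", "ses:SendRawEmail"}

def scope_send_actions(policy, region, account_id, domain):
    """Return a copy of `policy` whose send actions are limited to one
    verified domain identity and to From addresses at that domain."""
    arn = f"arn:aws:ses:{region}:{account_id}:identity/{domain}"
    statements = []
    for stmt in copy.deepcopy(policy)["Statement"]:
        actions = stmt["Action"]
        actions = [actions] if isinstance(actions, str) else actions
        send = [a for a in actions if a in SEND_ACTIONS]
        rest = [a for a in actions if a not in SEND_ACTIONS]
        if stmt["Effect"] != "Allow" or stmt.get("Resource") != "*" or not send:
            statements.append(stmt)  # nothing to narrow in this statement
            continue
        sid = stmt.get("Sid", "Stmt")
        statements.append({
            "Sid": f"{sid}Scoped", "Effect": "Allow", "Action": send,
            "Resource": arn,
            "Condition": {"StringLike": {"ses:FromAddress": f"*@{domain}"}},
        })
        if rest:  # non-send actions from the same statement stay on "*"
            statements.append({"Sid": f"{sid}Rest", "Effect": "Allow",
                               "Action": rest, "Resource": "*"})
    return {"Version": policy["Version"], "Statement": statements}

if __name__ == "__main__":
    # Placeholder region, account ID and domain (not values from the page).
    print(json.dumps(scope_send_actions(
        PAGE_POLICY, "eu-west-1", "111122223333", "example.com"), indent=2))
```

Whether SES Mailbox works with the narrower statement is not stated on this page, so run Test connection and a real send before replacing the policy above.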

Step 3 — Generate access keys

  1. Open the newly created user → Security credentials tab
  2. Click Create access key
  3. Use case: Third-party service
  4. Copy the Access key ID and Secret access key — the secret is only shown once

Store your secret key immediately. AWS does not show it again after you close the creation dialog. If you lose it, delete the key and create a new one.

Step 4 — Paste into SES Mailbox

In SES Mailbox: Settings → AWS Credentials. Enter the Access Key ID, Secret Access Key, and your AWS region. Click Test connection — we verify the credentials and display your current sending quota.

Choosing a region

AWS SES is available in multiple regions. Your verified domains and sending reputation are tied to the region you choose. Pick the one closest to your recipients for lowest latency — though for email, the latency difference is negligible.

| Region | Code | Best for |
| --- | --- | --- |
| US East (N. Virginia) | us-east-1 | Most US businesses — highest capacity |
| US West (Oregon) | us-west-2 | US West Coast businesses |
| Europe (Ireland) | eu-west-1 | European businesses (GDPR-friendly) |
| Europe (Frankfurt) | eu-central-1 | Germany / Central Europe |
| Asia Pacific (Singapore) | ap-southeast-1 | Southeast Asia |
| Asia Pacific (Sydney) | ap-southeast-2 | Australia / New Zealand |

Changing regions later: you can update the region in SES Mailbox settings at any time, but you will need to re-verify your domains in the new region and rebuild your sender reputation from scratch. Avoid region changes once you're live.

Getting out of sandbox mode

Every new AWS account starts in SES sandbox mode. In sandbox mode:

  • You can only send to verified email addresses
  • Maximum 200 emails per 24 hours
  • Maximum 1 email per second

To send real campaigns, you need production access.

How to request production access

  1. In the AWS SES console, go to Account Dashboard
  2. Click Request production access
  3. Fill in the form (see guidance below)
  4. Submit — AWS typically responds within 24 hours on business days

What to write in the form

The use case description is the most important field. Be specific:

We operate [describe your business] and use AWS SES to send [marketing newsletters / transactional emails] to subscribers who have explicitly opted in via a double-opt-in form on our website.

Our list currently has approximately [X] subscribers. We send [frequency]. We manage unsubscribes using SES Mailbox, which automatically processes list-unsubscribe headers and suppresses bounces and complaints. Expected monthly volume: [X] emails.

For detailed tips on getting approved quickly — including what to do if you're rejected — see our blog post: AWS SES production access: how to get approved in under 24 hours.

Sending quota and rate limits

After getting production access, your default limits are:

  • Daily sending quota: 50,000 emails per 24 hours
  • Maximum send rate: 14 emails per second

If you need higher limits, request an increase in the SES console → Account Dashboard → Request increase. AWS usually approves legitimate requests within 1–2 business days. Provide your current volume, expected growth, and confirmation that your bounce/complaint rates are under threshold.

Rotating credentials

It is good security practice to rotate your AWS access keys every 90 days. To rotate:

  1. In AWS IAM, create a second access key for the same user (you can have two active at once)
  2. Update SES Mailbox with the new credentials and test the connection
  3. Once confirmed working, delete the old key in IAM
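
An added example, not SES Mailbox code: given access key metadata shaped like the output of IAM ListAccessKeys, the function below reports which of the three rotation steps above is due. The key IDs, the returned action names and the `in_use_id` parameter (the key currently entered in SES Mailbox) are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(days=90)  # rotation interval recommended on this page


def next_rotation_step(keys, in_use_id, now):
    """Return (action, access_key_id) for the rotation procedure above.

    keys      -- ListAccessKeys-style dicts: AccessKeyId, Status, CreateDate
    in_use_id -- key ID currently entered in SES Mailbox (known to the operator)
    now       -- timezone-aware datetime used as the reference time
    """
    by_id = {k["AccessKeyId"]: k for k in keys}
    current = by_id.get(in_use_id)
    if current is None or current["Status"] != "Active":
        # The configured key was deleted or disabled: sending is broken.
        return ("fix_configured_key", in_use_id)
    others = [k for k in keys if k["AccessKeyId"] != in_use_id]
    if not others:
        if now - current["CreateDate"] >= MAX_AGE:
            return ("create_second_key", None)            # step 1
        return ("nothing_due", in_use_id)
    other = others[0]  # a user holds at most two keys, so one other key
    if other["Status"] == "Active" and other["CreateDate"] > current["CreateDate"]:
        # A newer key exists but SES Mailbox still uses the old one.
        return ("switch_ses_mailbox_to", other["AccessKeyId"])  # step 2
    # SES Mailbox already uses the newer key, or the other key is inactive.
    return ("delete_old_key", other["AccessKeyId"])             # step 3


if __name__ == "__main__":
    now = datetime(2025, 6, 1, tzinfo=timezone.utc)  # constructed date
    old = {"AccessKeyId": "AKIAOLDEXAMPLE", "Status": "Active",
           "CreateDate": now - timedelta(days=120)}
    new = {"AccessKeyId": "AKIANEWEXAMPLE", "Status": "Active",
           "CreateDate": now - timedelta(days=1)}
    print(next_rotation_step([old], "AKIAOLDEXAMPLE", now))
    print(next_rotation_step([old, new], "AKIAOLDEXAMPLE", now))
    print(next_rotation_step([old, new], "AKIANEWEXAMPLE", now))
```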