openec2 Article Description

Part 4

Configure an SES/S3 Bucket for forwarding email

Keep in mind that this lesson is about SES working with the S3 email bucket you created earlier. At this stage you will need to manually download an email from the bucket and add a .eml file extension to it in order to view it. After the steps below, we will look at scripting and additional steps for our receiving rule in order to forward the emails to your own email address.

We will create an SES email identity, admin@mydomain.com (use your own domain name).

We then create an SES receiving rule to capture that address rather than any address.

Once verified, we add required addresses to comply with Amazon AWS SES services.

Then we request Amazon to take your account out of sandbox mode.


Go to Amazon SES – in our case to Oregon.

We first create a rule to capture our admin@ email address before we add admin@ as an identity.

Go to Configuration > Email receiving and click on default-rule-set.

Then click on “Create rule”.

You can click the default-rule-set later at any time to modify or disable rules.

The diagram below shows how we make a rule to capture admin@ if it comes into Amazon SES from the outside world, and send it to our bucket.

When you finish creating the rule, you may be asked to add permissions, so just say yes.

We now add the admin@ email address to SES as an identity, and verify it using the verification email once it lands in the bucket.

You cannot do this unless the domain name is out of pending state, and verified. If for some reason you made a typo in the domain records, just fix them and wait a while until Amazon SES sends you a confirmation email. Expect two emails, one for DKIM keys, and one for MAIL FROM.

If things are terribly wrong, just delete the domain identity and start it again.

Assuming the domain is verified:

Go to Amazon SES – in our case to Oregon.
Go to Configuration > Identities > “Create identity” to create an identity.

Click on the email button rather than the domain button.

This is what you will see. However, do NOT add a new “Mail From domain” or any other records on the summary screen.

The SES identity page will show the address is pending.

After creating the email address identity, you will see it is pending, so we next go to the S3 bucket you created and manually download the email to your PC. The SES identity page shows your work to date. You can click on the identities to view status, but for emails, if you make a mistake, you can click on Resend (top of page) for it to try the S3 bucket again.

Go to the S3 console and open the bucket, e.g. mydomain.com.inbox. Under Objects you should see the email waiting for you to verify admin@mydomain.com. Click on it to open the next page. If it is not there, you need to go through the previous steps to find your typo or other mistake.

Click on the email, then click on download at the top. On your PC, add the extension .eml to the file. Open it and click on the link. Back on the SES identity page, you can refresh the page and see it is verified. This is particularly important when you are still in sandbox mode, or need to get an email received from an SSL provider.
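As an added example (not part of the original article), the Python below reads a message downloaded from the bucket and lists its links, separating those on an https amazonaws.com host from anything else, so the verification link can be checked before it is opened. The sample message, the function names and the assumption that SES verification links are served from an amazonaws.com hostname are assumptions of this example.

```python
# Added example: inspect a raw message saved from the S3 inbox bucket
# and check where its links point before opening any of them.
import re
from email import message_from_bytes, policy
from urllib.parse import urlsplit

# Constructed sample of an object downloaded from the bucket (not a real message).
SAMPLE_EML = (
    b"From: Amazon Web Services <no-reply-aws@amazon.com>\r\n"
    b"To: admin@mydomain.com\r\n"
    b"Subject: Email Address Verification Request\r\n"
    b"MIME-Version: 1.0\r\n"
    b"Content-Type: text/plain; charset=UTF-8\r\n"
    b"\r\n"
    b"Please confirm this address by opening the link below:\r\n"
    b"https://email-verification.us-west-2.amazonaws.com/?Context=EXAMPLE&Signature=EXAMPLE\r\n"
    b"Unrelated link: http://amazonaws.com.example.net/verify\r\n"
)

URL_RE = re.compile(r"https?://[^\s<>\"']+")

def trusted(url, suffix=".amazonaws.com"):
    """True only for https links whose hostname ends in the expected suffix."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    return parts.scheme == "https" and host.endswith(suffix)

def verification_links(raw):
    """Return (to_address, trusted_links, other_links) for one raw message."""
    msg = message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    urls = list(dict.fromkeys(URL_RE.findall(text)))  # de-duplicate, keep order
    good = [u for u in urls if trusted(u)]
    other = [u for u in urls if u not in good]
    return str(msg["To"] or ""), good, other

if __name__ == "__main__":
    # Replace SAMPLE_EML with open("downloaded-object.eml", "rb").read()
    # (hypothetical file name) to check a message from your own bucket.
    to, good, other = verification_links(SAMPLE_EML)
    print("Addressed to:", to)
    for u in good:
        print("amazonaws.com link:", u)
    for u in other:
        print("do not open without checking:", u)
```

The suffix match includes the leading dot, so a look-alike host such as amazonaws.com.example.net is reported in the second list rather than treated as an AWS link.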

You still cannot send emails to SES from your PC as we are in sandbox mode. You could verify your own email in the same way as above if you wish without adding another domain. Just add an email address. Once that is done, you could send an email to admin@mydomain.com (use your own domain) and see it lands in the bucket after a few seconds.

Next we will add Lambda functions from the email region (Oregon in our example) that use coding to forward an email or notification. These Lambda functions will be added to our default-rule-set rule that we previously created. Before we can do that we create an IAM role to authorise use of the Lambda function(s). We will add a number of addresses to the SES rule so that we capture them, e.g. postmaster@, abuse@, noreply@, contact@, dmarc@, webmaster@. You can add as many as you like. This will all fall into place, but it is more work to learn.