Amazon SES for Email Alerts
Introduction
So many self-hosted applications support email-based alerting or notifications. One option is to create a free email address somewhere such as Gmail or Outlook, but I own my own domain and I wanted something tied to it. I looked at a few mail services, but most of them seemed to be aimed at mass mailings like newsletters or something and use an API-based approach rather than the standard (or simple) SMTP approach. I decided to look into Amazon AWS Simple Email Service (SES). The Amazon SES service is used for sending emails. I am intending to use SES to send any "application" based emails, registrations, notifications, etc. This should be VERY low volume and fit within the free tier or < $1/mo. For context, I use Microsoft 365 as my email host.
Configuration
In SES, I set up 3 identities under Configuration > Identities:
- [email protected] - email address identity (for testing) (this may not be needed?)
- email.contoso.com - domain identity
- [email protected] - email address identity
I use Cloudflare to manage the DNS for all of my domains. In Cloudflare, I added the following DNS entries:
- Added email.contoso.com as a CNAME to contoso.com
- Added 3 DKIM CNAMEs as specified by SES
- Added include:amazonses.com to email TXT record in addition to MS365 entries
In MS 365, I added email.contoso.com as a domain and added aliases to shared mailboxes.
- Note: MX and TXT SPF entries were automatically set up during this add process
- I did not set up DKIM encryption in MS 365
This enables sending mail as <user>@email.contoso.com without changing settings related to contoso.com email. By having this in MS 365, you can create aliases for email.contoso.com.
SMTP Configuration
In SES, click "SMTP Settings" on the left and click the "Create SMTP Credentials" button. Create a user and make sure you save the username and password. Once created, click "Manage my Existing SMTP Credentials" and click on your created account. Under "Permission Policies", click "Add Permissions" and select "Create inline policy". Change to "JSON" and paste the following policy.
Policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ses:SendRawEmail",
            "Resource": [
                "arn:aws:ses:us-east-1:<some_number>:identity/[email protected]",
                "arn:aws:ses:us-east-1:<some_number>:identity/email.contoso.com"
            ]
        }
    ]
}
This allows the SMTP user to ONLY send mail using the email specified and/or the domain specified. Your SMTP settings are displayed in the SES console under "SMTP Settings".
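A quick way to confirm that an inline policy is scoped the way the paragraph above describes, as an added example that is not part of the original post: the script flags any Allow statement that goes beyond ses:SendRawEmail on approved identity ARNs. The function name, the placeholder account ID 111122223333 and the alerts@email.contoso.com address are constructed for illustration.

```python
import json

ALLOWED_ACTIONS = {"ses:sendrawemail"}  # IAM action names are case-insensitive


def _as_list(value):
    # IAM accepts either a single value or a list for Statement/Action/Resource
    return value if isinstance(value, list) else [value]


def audit_ses_smtp_policy(policy_json, allowed_identities):
    """Return findings for an SES SMTP user's policy; an empty list means tightly scoped."""
    findings = []
    for n, stmt in enumerate(_as_list(json.loads(policy_json).get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements can only narrow access
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"statement {n}: grants by exclusion (NotAction/NotResource)")
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action.lower() not in ALLOWED_ACTIONS:
                findings.append(f"statement {n}: unexpected action {action}")
        for arn in _as_list(stmt.get("Resource", [])):
            parts = arn.split(":", 5)  # arn:partition:service:region:account:resource
            if "*" in arn or "?" in arn:
                findings.append(f"statement {n}: wildcard resource {arn}")
            elif len(parts) != 6 or parts[2] != "ses" or not parts[5].startswith("identity/"):
                findings.append(f"statement {n}: not an SES identity ARN: {arn}")
            elif parts[5][len("identity/"):] not in allowed_identities:
                findings.append(f"statement {n}: unapproved identity {arn}")
    return findings


# Constructed samples: 111122223333 is a placeholder account ID.
SCOPED = """{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Action": "ses:SendRawEmail",
  "Resource": ["arn:aws:ses:us-east-1:111122223333:identity/alerts@email.contoso.com",
               "arn:aws:ses:us-east-1:111122223333:identity/email.contoso.com"]}]}"""
BROAD = """{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Action": "ses:SendRawEmail", "Resource": "*"}]}"""
APPROVED = {"alerts@email.contoso.com", "email.contoso.com"}

if __name__ == "__main__":
    for name, doc in (("scoped", SCOPED), ("broad", BROAD)):
        print(name, audit_ses_smtp_policy(doc, APPROVED) or "OK")
```

Run it against the JSON shown on the user's "Permission Policies" tab after any change, so a leaked SMTP credential stays limited to sending as the approved identities.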
Management
AWS SES Account Dashboard for US East 1: https://us-east-1.console.aws.amazon.com/ses/home?region=us-east-1#/account