Skip to content

Instantly share code, notes, and snippets.

@parweb

parweb/Amazon SES.md

Created February 6, 2025 23:07
Show Gist options
  • Save parweb/ebe20f315d3b10cd3da87419d8a160e6 to your computer and use it in GitHub Desktop.
Save parweb/ebe20f315d3b10cd3da87419d8a160e6 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
Amazon SES.md

AWS SES Configuration for Sending Emails with Node.js: A Step-by-Step Guide

This document provides a comprehensive guide to configuring Amazon Simple Email Service (SES) for sending emails from your Node.js applications. We will cover setting up IAM permissions, verifying email addresses and domains, and configuring the AWS SDK in your Node.js project.

Prerequisites:

  • An AWS Account: You need an active AWS account.
  • Node.js and npm (Node Package Manager) installed: Ensure you have Node.js and npm set up on your development machine.
  • AWS CLI (Optional but Recommended): The AWS Command Line Interface is helpful for programmatic IAM user creation and retrieving domain verification details. Install it from AWS CLI documentation.

Step 1: Create an IAM User with SES Permissions

For security, it's best practice to create a dedicated IAM user with specific permissions for SES, instead of using your root account credentials. You can achieve this programmatically using the AWS CLI or manually through the AWS Management Console.

Option 1a: Programmatic IAM User Creation using AWS CLI (Recommended for Automation)

  1. Install and Configure AWS CLI: If you haven't already, install and configure the AWS CLI with credentials that have sufficient IAM permissions (e.g., an administrator account for initial setup).

    • Install AWS CLI: Follow instructions from AWS CLI documentation.
    • Configure AWS CLI: Run aws configure and provide your AWS Access Key ID, Secret Access Key, default region, and output format.

  2. Create an IAM Policy for SES: Create a file named ses-policy.json with the following policy document:

    {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowSESAccess",
            "Effect": "Allow",
            "Action": [
                "ses:SendEmail",
                "ses:SendRawEmail",
                "ses:SendTemplatedEmail"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowSESIdentityManagement",
            "Effect": "Allow",
            "Action": [
                "ses:VerifyEmailIdentity",
                "ses:GetEmailIdentityVerificationAttributes",
                "ses:DeleteEmailIdentity",
                "ses:ListEmailIdentities",
                "ses:GetEmailIdentityPolicies",
                "ses:PutEmailIdentityPolicy"
            ],
            "Resource": "*"
        }
    ]
}

  3. Create the IAM Policy using AWS CLI: Run this command in your terminal, replacing ses-policy.json with the path to your file:

    aws iam create-policy --policy-name SESPolicyForEmailSending --policy-document file://ses-policy.json

    Note: Copy the Policy ARN from the output of this command.

  4. Create an IAM User using AWS CLI: Run this command to create a new IAM user (e.g., ses-mailer-user):

    aws iam create-user --user-name ses-mailer-user

    Note: Copy the User ARN from the output of this command.

  5. Attach the SES Policy to the IAM User: Run this command, replacing <POLICY_ARN> with the Policy ARN from step 3 and <USER_NAME> with the User Name from step 4:

    aws iam attach-user-policy --policy-arn <POLICY_ARN> --user-name <USER_NAME>
    • Example: aws iam attach-user-policy --policy-arn arn:aws:iam::123456789012:policy/SESPolicyForEmailSending --user-name ses-mailer-user

  6. Create Access Keys for the IAM User: Run this command to generate access keys:

    aws iam create-access-key --user-name <USER_NAME>

    Important: Securely store the SecretAccessKey and AccessKeyId from the output. This is the only time you will see the Secret Access Key. Do not lose it and do not commit it to your code repository.

Option 1b: Manual IAM User Creation in AWS Console

  1. Sign in to the AWS Management Console and navigate to the IAM service.
  2. Go to Users and click Add users.
  3. Enter a User name (e.g., ses-mailer-user).
  4. Select "Access key - Programmatic access" as the credential type and click Next: Permissions.
  5. Choose "Attach existing policies directly".
  6. Search for "SES" and select the AmazonSESFullAccess policy (or create a custom policy like in Option 1a for stricter permissions).
  7. Click Next: Tags (optional), then Next: Review.
  8. Click Create user.
  9. Download the .csv file containing the Access Key ID and Secret Access Key, or copy and store them securely.

Step 2: Configure AWS SDK with IAM User Credentials in Node.js

You need to configure the AWS SDK in your Node.js application to use the IAM user credentials you created.

Option 2a: Using Environment Variables (Recommended for Security)

This is the most secure and flexible approach. Set the following environment variables in your system or application's environment:

  • AWS_ACCESS_KEY_ID: Your IAM user's Access Key ID.
  • AWS_SECRET_ACCESS_KEY: Your IAM user's Secret Access Key.
  • AWS_REGION: The AWS region where you want to use SES (e.g., us-east-1).

The AWS SDK will automatically detect and use these environment variables. No code changes are needed for credential configuration in this case.

Option 2b: Hardcoding Credentials in Code (Not Recommended for Production)

Warning: Hardcoding credentials directly in your code is highly discouraged for production environments due to security risks. Use this method only for local testing and development.

You can configure the AWS SDK directly in your code using AWS.config.update():

const AWS = require('aws-sdk');

AWS.config.update({
  region: 'YOUR_AWS_REGION', // e.g., 'us-east-1'
  accessKeyId: 'YOUR_ACCESS_KEY_ID',
  secretAccessKey: 'YOUR_SECRET_ACCESS_KEY',
});

Replace 'YOUR_AWS_REGION', 'YOUR_ACCESS_KEY_ID', and 'YOUR_SECRET_ACCESS_KEY' with your actual values.

Step 3: Verify Email Address in SES

Before sending emails from or to specific email addresses, you need to verify them with SES.

Option 3a: Manual Email Verification via AWS Console

  1. Navigate to the SES service in the AWS Management Console.
  2. Go to Email Addresses under Configuration in the navigation pane.
  3. Click Verify a New Email Address.
  4. Enter the email address you want to verify (e.g., your sender email address).
  5. Click Verify New Email Address.
  6. AWS will send a verification email to the entered address.
  7. Open the verification email and click the verification link.
  8. In the SES console, the email address status should change to "verified".

Option 3b: Programmatic Email Verification using AWS SDK (Node.js)

You can use the sesv2.verifyEmailIdentity method in your Node.js application to request email verification programmatically:

const AWS = require('aws-sdk');
const sesv2 = new AWS.SESV2();

async function verifyEmailIdentity(emailAddress) {
  const params = {
    EmailIdentity: emailAddress,
  };

  try {
    const data = await sesv2.verifyEmailIdentity(params).promise();
    console.log(`Verification email sent to ${emailAddress}. Check your inbox.`);
    return data;
  } catch (err) {
    console.error("Error verifying email identity:", err);
    throw err;
  }
}

async function main() {
  // AWS.config.update({ region: 'YOUR_AWS_REGION' }); // If not using env vars, configure region here

  const emailToVerify = 'your-email@example.com'; // Replace with your email
  try {
    await verifyEmailIdentity(emailToVerify);
  } catch (error) {
    console.error("Verification failed:", error);
  }
}

main();

Run this script (after configuring AWS SDK). It will trigger a verification email to be sent. You still need to manually click the verification link in the email to complete the process.

Step 4: Request Production Access (If Needed)

New SES accounts are initially placed in a "sandbox" environment with limitations. To send emails to unverified addresses or exceed sandbox limits, you need to request production access.

Manual Request via AWS Console:

  1. Go to the SES service in the AWS Management Console.
  2. In the dashboard, find the "Sandbox Sending" section.
  3. Click "Request a Sending Limit Increase".
  4. Fill out the form with details about your use case, required sending limits, and compliance with AWS policies.
  5. Submit the request. AWS will review it, and upon approval, your account will be moved out of the sandbox. This review process may take some time.

Step 5: Domain Verification (Recommended for Production)

Verifying your domain is highly recommended for improved deliverability and sender reputation, especially for production use.

Option 5a: Domain Verification via AWS Console

  1. Go to the SES service in the AWS Management Console.
  2. Navigate to Domains under Configuration.
  3. Click Verify a New Domain.
  4. Enter your domain name (e.g., example.com).
  5. Choose "Easy DKIM (Recommended)" for simplified DKIM setup.
  6. Click Verify New Domain.
  7. AWS will provide DNS records (CNAME and/or TXT records). You need to add these records to your domain's DNS settings using your domain registrar's or DNS provider's control panel.
  8. Wait for DNS propagation. This can take some time (up to 24-48 hours).
  9. Check the verification status in the SES console. Domain status should become "verified" and DKIM status "success" after DNS records propagate.

Option 5b: Programmatic Domain Verification using AWS SDK (Node.js) and AWS CLI

  • Programmatically Request Domain Verification (SDK - Node.js):

    const AWS = require('aws-sdk');
const sesv2 = new AWS.SESV2();

async function verifyDomainIdentity(domainName) {
  const params = {
    EmailIdentity: domainName,
  };

  try {
    const data = await sesv2.verifyEmailIdentity(params).promise();
    console.log(`Verification requested for domain: ${domainName}`);
    console.log("DNS records to add (TXT record for verification):", data.VerificationToken); // You'll also need DKIM records.
    return data;
  } catch (err) {
    console.error("Error verifying domain identity:", err);
    throw err;
  }
}

async function main() {
  // AWS.config.update({ region: 'YOUR_AWS_REGION' }); // If not using env vars, configure region here

  const domainToVerify = 'yourdomain.com'; // Replace with your domain
  try {
    await verifyDomainIdentity(domainToVerify);
  } catch (error) {
    console.error("Domain verification request failed:", error);
  }
}

main();

  • Get DKIM DNS Records using AWS CLI: After requesting domain verification, retrieve DKIM records using the AWS CLI:

    aws sesv2 get-email-identity --email-identity yourdomain.com

    Replace yourdomain.com with your domain. Look for DkimDnsTokens in the output – these are the CNAME records for DKIM.

  • Manually Add DNS Records: You must manually add the provided DNS records (TXT for verification and CNAMEs for DKIM) to your domain's DNS settings through your domain registrar or DNS provider's interface.

Step 6: Sending HTML Email Programmatically (Node.js SDK)

Once you have completed the configuration steps above, you can use the Node.js code example provided in the previous responses to send HTML emails using SES. Ensure you have installed the aws-sdk package (npm install aws-sdk).

// ... (Code for sendHtmlEmail function and main function from previous response) ...

// Example Usage within main function:
async function main() {
  // ... (AWS configuration and email details from previous example) ...

  try {
    await sendHtmlEmail(senderEmail, recipientEmail, emailSubject, emailHtmlBody, emailTextBody);
    console.log("HTML Email sent!");
  } catch (error) {
    console.error("Failed to send HTML email:", error);
  }
}

main();

Security and Best Practices:

  • IAM Least Privilege: Use the custom IAM policy (Option 1a) to grant only necessary SES permissions. Avoid AmazonSESFullAccess in production.
  • Secure Credential Management: Utilize environment variables or AWS configuration files for IAM user credentials. Never hardcode credentials in your code.
  • Email and Domain Verification: Always verify sender email addresses or domains for better deliverability.
  • Production Access: Request production access if you need to send to unverified recipients or exceed sandbox limits.
  • Monitor Sending Limits and Reputation: Regularly check your SES sending limits and sender reputation metrics in the AWS console.
  • Handle Bounces and Complaints: Configure bounce and complaint notifications in SES to maintain a healthy sender reputation.

Conclusion:

By following these steps, you can successfully configure AWS SES for sending emails from your Node.js applications. Remember to prioritize security, domain verification, and best practices for email deliverability. Always refer to the official AWS SES documentation for the most up-to-date information and advanced configurations.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment