Transactional Email

~20 min · Infrastructure

Primary Source: AWS SES Developer Guide

Official guide to sending email via Amazon SES including sandbox mode and production access.

Email Authentication: SPF, DKIM, DMARC

SPF — Who Can Send

# DNS TXT record for yourapp.com:
"v=spf1 include:amazonses.com ~all"
# Says: only Amazon SES may send from @yourapp.com
# ~all = soft fail: mail from any other server is marked suspicious, not rejected outright

DKIM — Cryptographic Signature

DKIM signs every outgoing email. Receiving servers verify the signature with your public key published in DNS, which proves the email wasn't tampered with in transit. AWS SES generates the keys and provides CNAME records to add to DNS.

DMARC — Policy Enforcement

# DNS TXT record for _dmarc.yourapp.com:
"v=DMARC1; p=quarantine; rua=mailto:dmarc@yourapp.com"
# p=none       → monitor only (start here)
# p=quarantine → failed emails go to spam
# p=reject     → failed emails are rejected (goal)
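
Added example, not part of the original course material: a small Node.js linter that takes SPF and DMARC TXT record strings (as returned by your DNS lookup) and reports how strictly they are enforced. It goes slightly beyond the records above by also checking the SPF 10-lookup limit and the DMARC pct= tag; lintSpf and lintDmarc are hypothetical helper names.

```javascript
// Added example: lint SPF and DMARC TXT record strings (no DNS lookups are made).
// lintSpf and lintDmarc are hypothetical helper names, not an SES or AWS SDK API.

function lintSpf(txt) {
  const terms = txt.trim().split(/\s+/);
  if (terms.shift().toLowerCase() !== "v=spf1") return { all: null, findings: ["not an SPF record"] };
  const findings = [];
  // Terms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
  const lookupRe = /^[+\-~?]?(include:|a$|a[:\/]|mx$|mx[:\/]|ptr|exists:)|^redirect=/i;
  const lookups = terms.filter((t) => lookupRe.test(t)).length;
  if (lookups > 10) findings.push(`${lookups} DNS-lookup terms (limit is 10)`);
  const allTerm = terms.find((t) => /^[+\-~?]?all$/i.test(t));
  const all = allTerm ? allTerm.toLowerCase().replace(/^all$/, "+all") : null;
  const hasRedirect = terms.some((t) => /^redirect=/i.test(t));
  if (!all && !hasRedirect) findings.push("no 'all' term: unlisted senders get a neutral result");
  else if (all === "+all") findings.push("+all lets any server pass SPF");
  else if (all === "?all") findings.push("?all is neutral: unlisted senders are not flagged");
  else if (all === "~all") findings.push("~all is softfail: unlisted senders are flagged, not rejected");
  return { all, findings };
}

function lintDmarc(txt) {
  const parts = txt.split(";").map((p) => p.trim()).filter(Boolean);
  const tags = {};
  for (const p of parts) {
    const eq = p.indexOf("=");
    if (eq > 0) tags[p.slice(0, eq).trim().toLowerCase()] = p.slice(eq + 1).trim();
  }
  const findings = [];
  if (!/^v\s*=\s*DMARC1$/.test(parts[0] || "")) findings.push("v=DMARC1 must be the first tag");
  const policy = (tags.p || "").toLowerCase();
  if (!["none", "quarantine", "reject"].includes(policy)) findings.push("missing or invalid p= tag");
  else if (policy === "none") findings.push("p=none only monitors: failing mail is still delivered");
  else if (policy === "quarantine") findings.push("p=quarantine sends failures to spam: p=reject is the goal");
  if (!tags.rua) findings.push("no rua= address: aggregate reports go nowhere");
  const pct = tags.pct === undefined ? 100 : Number(tags.pct);
  if (pct < 100) findings.push(`pct=${pct}: policy covers only part of the failing mail`);
  return { policy: policy || null, findings };
}

// The two records shown on this page, plus a constructed weak pair for contrast.
console.log(lintSpf("v=spf1 include:amazonses.com ~all"));
console.log(lintDmarc("v=DMARC1; p=quarantine; rua=mailto:dmarc@yourapp.com"));
console.log(lintSpf("v=spf1 +all"), lintDmarc("v=DMARC1; p=none"));
```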

Sending with AWS SES (Node.js)

npm install @aws-sdk/client-ses

import { SESClient, SendEmailCommand } from "@aws-sdk/client-ses";
const ses = new SESClient({ region: "us-east-1" });

async function sendWelcomeEmail(to, name) {
  await ses.send(new SendEmailCommand({
    Source: "hello@yourapp.com",     // Must be verified in SES
    Destination: { ToAddresses: [to] },
    Message: {
      Subject: { Data: "Welcome to YourApp!" },
      Body: {
        Html: { Data: "<h1>Welcome!</h1>" },
        Text: { Data: "Welcome!" }
      }
    }
  }));
}

⚠️ SES Sandbox

New SES accounts can only send to verified email addresses. Request production access in the SES console before launch (approval takes 1-2 business days).

Email Service Comparison

| Service | Cost | Best for |
|---|---|---|
| AWS SES | $0.10/1,000 emails | High volume, already on AWS, cost-sensitive |
| Resend | Free 3k/month, then $20/mo | Developer-friendly, React Email templates |
| SendGrid | Free 100/day, then $19.95/mo | Marketing + transactional combo |
| Postmark | $15/mo for 10k | Best deliverability for transactional |

💡 Use separate sending domains for transactional and marketing emails. A spam complaint on your newsletter shouldn't tank the deliverability of password resets.

Check Your Understanding

1. A user never receives your password reset email. Most likely cause?
2. What is DMARC's role?
3. Budget-conscious startup, already on AWS. Which email service?