SES gotchas

AWS' documentation for setting up SES to receive emails at your custom domain (instead of, say, gmail.com) is pretty self-explanatory, but there are a few gotchas that tripped me up for a couple of hours.

With this post, I hope to save others a bit of headache.

Can't commingle MX and CNAME records

This is not really an AWS gotcha so much as a DNS RFC gotcha. The RFC does not allow webmasters to set up both MX and CNAME records at the root level.

In the case of this blog, I have a CNAME record telling my domain registrar's nameservers to send people looking for ramachandr.in to AWS CloudFront. This precludes me from setting up an MX record telling those same nameservers to send emails sent to my-emailaddr@ramachandr.in to AWS SES.

In my case, I am using my original domain name registrar's name server, not Route 53. YMMV if you are using Route 53.

Rejecting Emails

Once your domain has been verified by SES, by default, SES can deliver any-address@domain.com (so long as it meets the RFC for a properly formatted email address) to you.

The first thing you need to do to start receiving emails is to create a rule set routing those emails to either an S3 bucket, a Lambda function, or an SNS (Simple Notification Service) endpoint.

The simplest way to reject most email addresses is to only specify the email addresses that you do want to accept as the first rule.

Having set up my first rule with a subset of acceptable email addresses, my impression was that to reject emails sent to addresses other than the ones in my accepted addresses list, I'd have to create a second rule which would Bounce all other emails. This second rule would not specify any acceptable emails.

Here is the gotcha with this.

SES continues processing rules even after the incoming email matches a rule. So, in my case, not only would the incoming email be delivered to an S3 bucket by rule 1, but because that email address also matched the second rule, SES would send a bounce message back to the sender saying that their email was rejected.

Obviously, this is far from ideal.

The solution is to actually remove rule 2. Now, if SES determines that the incoming email does not match rule 1, it will automatically reject the email on your behalf.
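
The rule behaviour described above, as a small Python model of the two rule sets. This is an added example, not code from AWS or from my setup: the rule dictionaries borrow the `Name`, `Recipients` and `Actions` field names of the SES API's receipt rules, and the addresses, bucket name and `evaluate` helper are constructed for illustration.

```python
# Simplified model of SES receipt-rule evaluation as described in this post.
# All addresses and the bucket name below are constructed sample values.

def rule_matches(rule, recipient):
    """A rule with no Recipients matches every address; otherwise the
    recipient must equal a listed address or belong to a listed domain."""
    conditions = [c.lower() for c in rule.get("Recipients", [])]
    if not conditions:
        return True
    recipient = recipient.lower()
    domain = recipient.rsplit("@", 1)[-1]
    return recipient in conditions or domain in conditions


def evaluate(rule_set, recipient):
    """Return the action types applied to mail addressed to `recipient`.
    Matching one rule does not end evaluation; later rules still run."""
    applied = []
    for rule in rule_set:
        if rule_matches(rule, recipient):
            # Each action is a one-key dict such as {"S3Action": {...}}.
            applied.extend(next(iter(action)) for action in rule["Actions"])
    # No rule matched: the mail is rejected without any rule action running.
    return applied or ["Rejected"]


DELIVER = {
    "Name": "deliver-known-addresses",
    "Recipients": ["hello@example.com"],
    "Actions": [{"S3Action": {"BucketName": "example-inbound-mail"}}],
}
BOUNCE_ALL = {
    "Name": "bounce-everything-else",
    "Recipients": [],  # empty list: applies to every recipient
    "Actions": [{"BounceAction": {
        "SmtpReplyCode": "550",
        "Message": "Mailbox does not exist",
        "Sender": "bounces@example.com",
    }}],
}

BEFORE = [DELIVER, BOUNCE_ALL]  # the two-rule setup that caused the gotcha
AFTER = [DELIVER]               # the fix: rule 2 removed

if __name__ == "__main__":
    for label, rules in (("two rules", BEFORE), ("rule 1 only", AFTER)):
        for addr in ("hello@example.com", "random@example.com"):
            print(f"{label:12} {addr:20} -> {evaluate(rules, addr)}")
```

With the two-rule set, the accepted address gets both the S3 delivery and the bounce; with rule 1 alone, it is only delivered and every other address is rejected.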


You can email me at hello@sairamachandr.in
