The cheapest path at scale once you are out of the sandbox - roughly $0.10 per 1,000 emails plus $0.12/GB for attachments. Requires more setup than the other providers but the unit economics are unbeatable above ~50k sends/month.
Regional SMTP endpoints
SES SMTP credentials are unique per AWS region. If you send from more than one region, you must generate a separate set of credentials per region. The 15 currently active SMTP endpoints:
Required IAM permissions (the console gotcha)
The IAM user clicking "Create SMTP Credentials" must have permission to create OTHER IAM resources, because SES generates a new IAM user behind the scenes. You need all five:
- iam:CreateUser
- iam:CreateGroup
- iam:PutGroupPolicy
- iam:AddUserToGroup
- iam:CreateAccessKey
Without all five, the console either errors or (worse) silently creates credentials without the right SES sending policy attached, and your sends fail with "554 not authorized".
Generate your SMTP credentials
- Sign in to the AWS Console and open
console.aws.amazon.com/ses/. - Switch to the AWS region you will send from (top-right region picker).
- Left nav, click SMTP settings.
- Click Create SMTP credentials in the upper-right. AWS opens the IAM console.
- Leave the auto-suggested user name OR rename to something memorable like "ses-smtp-inflowave-us-east-1".
- Click Create user.
- Click Show next to SMTP password. Copy username + password OR click Download .csv file.
- Click Return to SES console.
One-time view: AWS does NOT show the SMTP password again. If you lose it, delete the IAM user and repeat the process.
Connect to Inflowave
- Inflowave → Settings → Email → Add sending domain → Custom SMTP.
- Host: the regional endpoint matching your region (e.g.
email-smtp.us-east-1.amazonaws.com). - Port:
587. - Username: the SMTP username from the CSV (NOT your AWS access key - they look similar, double check).
- Password: the SMTP password from the CSV (NOT your AWS secret key).
- Save, send a test.
Get out of the SES sandbox
Until you request production access, SES is sandboxed: you can only send TO verified addresses, only 200 emails per 24 hours, and only 1 email per second. To request production access:
- SES console, Account dashboard.
- Top banner, click Request production access.
- Fill out the use-case form - be specific about volume, bounce handling, and unsubscribe mechanism. Vague applications get rejected.
- AWS typically responds within 24-48 hours.
Troubleshooting
You are in sandbox. The recipient (or your From address) must be verified in the SES console until you request production access.
You pasted the AWS access key + secret instead of the SMTP username + password. They are different values - regenerate via SMTP settings.
The IAM user backing your SMTP credentials lacks the SES sending policy. This usually means you skipped the IAM permission step. Recreate the credentials via SES console (don't manually create the IAM user).
You hit the per-second rate cap. In sandbox the cap is 1/sec; in production it scales with your reputation. Lower concurrency in Inflowave or wait for AWS to raise your cap.
September 2024 IAM migration note
SMTP credentials created after Sept 6, 2024 use a group policy attached to the IAM user. Older credentials use an inline policy. Both work, but the group-policy version is more secure and AWS recommends migrating. The migration steps are documented in the AWS SES "Migrating a SMTP user from an existing inline policy to a group policy" section of their docs (link below).
Official sources
- AWS Documentation - Obtaining Amazon SES SMTP credentials
- AWS Documentation - Amazon SES endpoints and quotas (regional SMTP endpoints)
- AWS Documentation - Request production access (moving out of the sandbox)
- AWS Documentation - Service quotas in Amazon SES (sandbox and production limits)
- AWS Documentation - Types of Amazon SES credentials (SMTP vs API)
