
Sending email from apps running on AWS

We recommend using Amazon Simple Email Service.
You should probably read the docs (RTFM), but here is a short walkthrough for sending email:

Things you need to know first:

  • All AWS accounts start in a sandbox, which means they are severely limited. You can send a maximum of 200 emails per day (24h), and you can only send to email addresses you verify.
  • Amazon SES requires you to verify any sender address you use, or the sender domain. If you verify a domain, you can send from any addresses on that domain.
    Note: You will not be able to use any @sikt.no address (or the domain itself), as that will not be compatible with DMARC policies or DKIM and SPF records. You can verify a subdomain of sikt.no, if you have that.
  • SMTP credentials require you to create an IAM user, which can only be performed by a Platon admin.

We have a CloudFormation template for bootstrapping SES for simple use. You can use it as-is, or copy it to customize if necessary.

If the domain you want to use in sender addresses is a Route 53 hosted zone in your account, and you have used the hosted zone blueprint for that zone, you can use the template like this:

aws cloudformation deploy --stack-name ses-configuration --template-file ses-configuration.yaml --capabilities CAPABILITY_NAMED_IAM --parameter-overrides HostedZoneStack=<name-of-your-hostedzone-stack>

This will create a default configuration set, a default email identity (based on the domain in your hostedzone stack), and an IAM user with an access key. The access key id is written to the SSM Parameter Store, and the access key secret is written to Secrets Manager.

After running the CloudFormation template, you will need to go to Amazon SES in the AWS console, find the created identity, and press the Publish DNS records to Route53 button. This will verify DKIM for the domain in your hostedzone stack.

You can send email using the SMTP interface, or using the SES API. For the SMTP interface you will need credentials. They are as follows:

  • SMTP server: email-smtp.REGION.amazonaws.com (replace REGION with the AWS region you run the stack in)
  • SMTP username: see the output from the stack, or the AWS SSM Parameter created by the stack (/sikt/SES/SMTPusername by default)
  • SMTP password: Go to AWS Secrets Manager and find the secret SMTP_IAMUSER_secret_access_key. This secret contains the aws_secret_access_key for the IAM user. The blueprint repo contains a Python script that generates the password for you if you feed it this aws_secret_access_key. See the README in the repo for more info.
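
The SMTP password is not the aws_secret_access_key itself but a value derived from it and the region, so a password generated for one region is rejected in another. The sketch below is an added example, not the script from the blueprint repo: it follows the derivation AWS documents for SES SMTP credentials and then shows a send over STARTTLS on port 587 (one of the ports SES offers, chosen here as an assumption); the function names are hypothetical.

```python
import base64
import getpass
import hashlib
import hmac
import smtplib
import ssl
from email.message import EmailMessage

# Fixed inputs of the AWS-documented SES SMTP password derivation (SigV4 based).
DATE, SERVICE, TERMINAL = "11111111", "ses", "aws4_request"
MESSAGE, VERSION = "SendRawEmail", 0x04


def _sign(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def smtp_password(secret_access_key: str, region: str) -> str:
    """Derive the SES SMTP password; it is only valid in the given region."""
    sig = _sign(("AWS4" + secret_access_key).encode("utf-8"), DATE)
    for part in (region, SERVICE, TERMINAL, MESSAGE):
        sig = _sign(sig, part)
    # One version byte followed by the 32-byte HMAC, base64 encoded.
    return base64.b64encode(bytes([VERSION]) + sig).decode("ascii")


def send_test_mail(region, username, password, sender, recipient):
    """Send one message over STARTTLS with certificate verification on."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, recipient, "SES test"
    msg.set_content("Test message sent through the SES SMTP interface.")
    host = f"email-smtp.{region}.amazonaws.com"
    with smtplib.SMTP(host, 587, timeout=30) as smtp:
        # Upgrade to TLS before login so the credentials never cross in clear.
        smtp.starttls(context=ssl.create_default_context())
        smtp.login(username, password)
        smtp.send_message(msg)


if __name__ == "__main__":
    # Prompt for the secret so it stays out of shell history and process lists.
    region = input("AWS region of the stack: ").strip()
    secret = getpass.getpass("aws_secret_access_key: ")
    print(smtp_password(secret, region))
```

Because the password is a one-way derivative of the access key, rotating the IAM access key invalidates it and a new password has to be generated.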

You can now send some test emails. Remember that your account starts in the sandbox which is severely limited. You need to add any test recipient email addresses on the Identities page.
When you are ready for production use and want to be able to send email to any address, you need to bring the account out of the sandbox.