In part 1 we covered our Architecture for the Custom Cloud.
Cognito and SES setup
Setting up Cognito with SES is required if you are going to send more than 50 emails a day. At first glance you just edit your Cognito settings to point at SES, but making sure SES is set up so that your email does not land in spam is another process altogether. In this article I'll outline the steps to set up SES and Cognito so that authentication email doesn't go to spam. At the end I'll cover some handy troubleshooting and monitoring tips.
To start, AWS has extensive documentation for setting up SES and Cognito. My problem was that it was very detailed without explaining what a setting would do or what was causing the problem.
To complete this you will need an AWS account with SES and access to modify or create DNS records for your domain (Route53 helps but is not required).
Step 1 - Verify email domain
- Go to SES and select Verified Identities from the left menu.
- Create Identity
- Select Domain
- Enter your domain. We'll assume for this article that it's domain.com
- Easy DKIM, RSA_2048_BIT
- Publish DNS Records to Route53 (If Route53 is used)
- DKIM Signatures enabled.
- If not using Route53 add the DKIM records for the Identity you just created to your DNS.
- Set up a MAIL FROM domain like mail.domain.com
Step 2 - Verify an email address
- Create an Identity
- Select email address: email@example.com
- Create Identity.
- With your domain set up first, the email address should already be verified.
- Add a MAIL FROM domain to the email address, like mail.domain.com
- Set up the DNS records provided for the MAIL FROM domain.
Step 3 - Other DNS settings
To help reduce spam, several different DNS records exist to prove a sender's authenticity when sending a message. We've already set up one, DKIM. Now we are going to add SPF and DMARC.
SPF - Chances are you already have an SPF record. It's required for any email you are sending. To allow SES to send email for you, you need to add include:amazonses.com to your existing SPF record. So your full record would look something like:
v=spf1 include:_spf.google.com include:amazonses.com ~all
An important note is that SPF records can contain IP addresses or names, but the protocol only requires mail servers to perform 10 lookups to resolve those names to IPs. This can be a problem if you have a lot of providers sending messages, or if, like Google, the name points to other names. For example, the record above is actually about 6 lookups, not 2. I'll provide tools below to help troubleshoot these.
DMARC - Next is the DMARC record. Simply put, DMARC tells mail providers what to do if they receive messages that don't authenticate. There are quite a few parameters, and I'll provide links at the bottom for a more in-depth explanation. But a good generic one is:
v=DMARC1; p=quarantine; pct=5;rua=mailto:firstname.lastname@example.org
This tells mail providers to quarantine messages that don't pass, and to report on 5% of messages to the email address in the record. These reports will tell you whether your emails are passing DKIM, DMARC and SPF for each sender IP, and are incredibly helpful when troubleshooting problems.
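A small offline checker for the two records above, added here as an example (it is not from the original post and makes no DNS queries): it counts the lookup-incurring terms in an SPF record (include, a, mx, ptr, exists, redirect) against the limit of 10, checks that include:amazonses.com is present, and parses the DMARC tag/value pairs. The record strings are the ones from this article; the function names are my own. One caveat worth knowing before you rely on the pct tag: per RFC 7489, pct is the share of failing messages the policy is applied to, while aggregate reports still cover all messages.

```python
"""Offline sanity checks for SPF and DMARC TXT record strings.

Constructed example: no DNS is queried, the records are passed in as text.
Only the top-level SPF record is counted; terms pulled in by include: targets
add to the real total, which is why two includes can cost about six lookups.
"""
import re

# SPF terms that cost a DNS lookup under the RFC 7208 limit of 10
LOOKUP_MECHANISMS = ("include", "a", "mx", "ptr", "exists", "redirect")


def _term_name(term: str) -> str:
    # Drop a leading qualifier (+ - ~ ?) and anything after : / or =
    return re.split(r"[:/=]", term.lstrip("+-~?"), maxsplit=1)[0].lower()


def count_spf_lookups(record: str) -> int:
    """Number of terms in this record that trigger a DNS lookup."""
    return sum(1 for term in record.split() if _term_name(term) in LOOKUP_MECHANISMS)


def spf_issues(record: str, required_include: str = "amazonses.com") -> list[str]:
    """Return a list of problems found; an empty list means the record looks fine."""
    issues = []
    terms = record.split()
    normalized = [t.lstrip("+-~?").lower() for t in terms]
    if not terms or terms[0].lower() != "v=spf1":
        issues.append("record must start with v=spf1")
    if f"include:{required_include}" not in normalized:
        issues.append(f"missing include:{required_include}")
    has_redirect = any(t.startswith("redirect=") for t in normalized)
    if terms and normalized[-1] != "all" and not has_redirect:
        issues.append("record should end with an all mechanism (~all or -all)")
    lookups = count_spf_lookups(record)
    if lookups > 10:
        issues.append(f"{lookups} lookup terms exceeds the limit of 10")
    return issues


def parse_dmarc(record: str) -> dict[str, str]:
    """Split 'v=DMARC1; p=quarantine; ...' into a tag -> value dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_issues(record: str) -> list[str]:
    """Check the tags a Cognito/SES sender most depends on."""
    tags = parse_dmarc(record)
    issues = []
    if tags.get("v") != "DMARC1":
        issues.append("record must start with v=DMARC1")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        issues.append("p must be none, quarantine or reject")
    if "rua" not in tags:
        issues.append("no rua= address, so no aggregate reports will arrive")
    elif not tags["rua"].startswith("mailto:"):
        issues.append("rua must be a mailto: URI")
    # pct (RFC 7489): percentage of failing messages the policy applies to.
    # Reports are still sent for all messages regardless of pct.
    pct = tags.get("pct", "100")
    if not pct.isdigit() or not 0 <= int(pct) <= 100:
        issues.append("pct must be an integer between 0 and 100")
    return issues


if __name__ == "__main__":
    spf = "v=spf1 include:_spf.google.com include:amazonses.com ~all"
    dmarc = "v=DMARC1; p=quarantine; pct=5;rua=mailto:firstname.lastname@example.org"
    print("SPF lookups:", count_spf_lookups(spf), "issues:", spf_issues(spf))
    print("DMARC tags:", parse_dmarc(dmarc), "issues:", dmarc_issues(dmarc))
```

Run it with the record you are about to publish; a non-empty issues list is something to fix before pointing Cognito at SES.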
Step 4 - Setup Cognito
- In the AWS Console go to the user pool.
- Select the Messaging tab.
- Edit email settings.
- Select "Send email with Amazon SES".
- Select the AWS Region.
- Select the FROM email address from the list (you should see the one you previously set up).
- Set a REPLY-TO email address.
- Save changes.
Step 5 - Request production access
Request that SES be taken out of sandbox mode. The AWS instructions on this are very good: https://docs.aws.amazon.com/ses/latest/dg/request-production-access.html
Before doing this you will probably want to set up SNS topics to handle bounces and complaints in SES. This post isn't going into setting that up, but the AWS documentation is good for this.
Troubleshooting and Monitoring
Now that it's set up, how do you know it's working? What do you do if a user says they aren't receiving an email notification?
Enable SES Virtual Deliverability Manager
For an extra charge (see the AWS pricing page) you can use the Virtual Deliverability Manager for SES. It has several important tools.
- It has an advisor that will tell you if a DNS record is setup wrong or if it is expecting something else.
- There is a dashboard to see delivery statistics for emails. More important are the sub tabs.
- ISP will tell you delivery rates by ISP and is very helpful in seeing how widespread any problems are.
- Messages allows you to search for recipient email and will tell you delivery and open status of messages.
Note: Delivery indicates that the ISP accepted the message, not whether it was flagged as spam.
Lookup DNS Records
There are lots of ways to look up DNS records when troubleshooting a problem. I will normally use https://mxtoolbox.com/; it makes it quick and easy to find a specific domain record and will provide feedback on formatting and content.
Above we set up a DMARC report address. While this can generate a lot of email (one from every ISP that received an email from you the previous day), it is very handy for troubleshooting problems. The report is an XML document that tells you, per sending IP, whether DMARC, SPF and DKIM passed or failed.
MXtoolbox has a tool to help parse the XML and make it human readable: https://mxtoolbox.com/Public/Tools/DmarcReportAnalyzer.aspx
If any of the columns show a failure, look up the IP to figure out which sender is having the issue, and then you can start to look into correcting it.
Google is a very large mail provider that many people and companies use for their email. Because of this I recommend using https://postmaster.google.com/. With this tool you set up a DNS record to prove ownership, and then you can see delivery statistics for Google recipients.
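If you would rather read the aggregate reports without uploading them to a third-party tool, the following is an added example (my own code, not from the original post or from AWS) that parses a DMARC aggregate report in the RFC 7489 appendix shape and lists the sending IPs whose DKIM or SPF evaluation did not pass. The embedded XML is a constructed sample: the org name, report id, timestamps and IP addresses are made up, and the second record is deliberately a failing one so that the filter has something to find.

```python
"""Parse a DMARC aggregate (rua) report and pick out the failing sources.

The report below is a constructed sample in the RFC 7489 Appendix C layout,
not a real report from any ISP. Real reports arrive as .xml.gz or .zip
attachments; decompress them first and pass the XML text to parse_report().
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>example-isp.test</org_name>
    <report_id>constructed-report-1</report_id>
    <date_range><begin>1700000000</begin><end>1700086399</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>domain.com</domain>
    <p>quarantine</p>
    <pct>5</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>192.0.2.10</source_ip>
      <count>42</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>domain.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>domain.com</domain><result>pass</result></dkim>
      <spf><domain>mail.domain.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.7</source_ip>
      <count>3</count>
      <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>domain.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>domain.com</domain><result>fail</result></dkim>
      <spf><domain>other.example</domain><result>fail</result></spf>
    </auth_results>
  </record>
</feedback>
"""


@dataclass
class SourceResult:
    source_ip: str
    count: int
    dkim: str         # policy_evaluated result: pass / fail
    spf: str          # policy_evaluated result: pass / fail
    disposition: str  # what the receiver did: none / quarantine / reject
    spf_domain: str   # envelope (MAIL FROM) domain the receiver checked


def parse_report(xml_text: str) -> list[SourceResult]:
    """Flatten each <record> into one SourceResult."""
    root = ET.fromstring(xml_text)
    results = []
    for rec in root.findall("record"):
        row = rec.find("row")
        evaluated = row.find("policy_evaluated")
        results.append(SourceResult(
            source_ip=row.findtext("source_ip", default=""),
            count=int(row.findtext("count", default="0")),
            dkim=evaluated.findtext("dkim", default="unknown"),
            spf=evaluated.findtext("spf", default="unknown"),
            disposition=evaluated.findtext("disposition", default="unknown"),
            spf_domain=rec.findtext("auth_results/spf/domain", default=""),
        ))
    return results


def failing_sources(results: list[SourceResult]) -> list[SourceResult]:
    """Sources where either DKIM or SPF did not pass; these are the IPs to look up."""
    return [r for r in results if r.dkim != "pass" or r.spf != "pass"]


def summarize(results: list[SourceResult]) -> dict[str, int]:
    """Message totals so a handful of failures can be judged against volume."""
    total = sum(r.count for r in results)
    failed = sum(r.count for r in failing_sources(results))
    return {"messages": total, "failed": failed, "sources": len(results)}


if __name__ == "__main__":
    rows = parse_report(SAMPLE_REPORT)
    print(summarize(rows))
    for r in failing_sources(rows):
        print(f"{r.source_ip}: {r.count} msgs, dkim={r.dkim}, spf={r.spf}, "
              f"disposition={r.disposition}, spf domain={r.spf_domain}")
```

The spf_domain field is worth watching: for mail sent through SES with the MAIL FROM domain from Step 1, it should be mail.domain.com, and a different value on a failing row usually points at whichever other system is sending as your domain.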
Two notes on this tool:
- Its reporting can lag behind by up to 48 hours.
- It is percentage based, with no raw numbers, so a larger volume could mean a smaller percentage fail.
Setting up email can be a complicated task, and troubleshooting can be daunting since failures can be inconsistent and difficult to reproduce. Below are some of the resources I use (some are also linked above) and some additional informational resources I've found useful.
In conclusion, setting up Cognito with SES is crucial for ensuring that your authentication emails don't end up in spam folders. This post has outlined the step-by-step process of setting up SES and Cognito, from verifying email domains to adding DNS records for DKIM, SPF, and DMARC. Additionally, we've discussed the importance of requesting that SES exit sandbox mode and provided troubleshooting and monitoring tips using tools like SES Virtual Deliverability Manager, MXtoolbox, and Google Postmaster. By following these guidelines, you can streamline the integration of SES and Cognito, reduce spam issues, and ensure the successful delivery of your emails. For more in-depth information and additional resources, please refer to the links provided in this post. Start implementing these steps today and enjoy a smoother email authentication process with SES and Cognito.