Setting up Cognito with SES is required if you are going to send more than 50 emails a day. At first glance you just edit your Cognito settings to use SES, but ensuring SES is set up in a way that keeps your email out of spam folders is another process altogether. In this article I'll outline the steps to set up SES and Cognito so that authentication emails don't go to spam. At the end I'll cover some handy troubleshooting and monitoring tips.
To start, AWS has extensive documentation for setting up SES and Cognito. My problem was that it was very detailed without explaining what a setting would do or what was causing the problem.
To complete this you will need an AWS account with SES, and access to modify or create DNS records (Route 53 helps but is not required).
Step 1 - Verify email domain
Step 2 - Verify an email address
Step 3 - Other DNS settings
To help reduce spam, several different DNS records have been created to prove a sender's authenticity when sending a message. We've already set up one of them, DKIM. Now we are going to add DMARC and SPF.
SPF - Chances are you already have an SPF record. It's required for any email you are sending. To set up your SPF record so that SES is allowed to send email for you, you need to add
include:amazonses.com
to your existing SPF record, so your full record would look something like:
v=spf1 include:_spf.google.com include:amazonses.com ~all
An important note is that SPF records can contain IP addresses or include other domains' records, but the protocol only requires mail servers to perform 10 DNS lookups while resolving a record down to IP addresses. This can be a problem if you have a lot of providers sending messages, or if, like Google, the included record points to further included records. For example, the record above is actually about 6 lookups, not 2. I'll provide tools below to help troubleshoot these.
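To make the lookup budget concrete, here is an added example (not code from the original post) that walks an SPF include chain and counts every term that costs a DNS lookup. It resolves against a constructed in-memory zone so it runs offline; the records for _spf.google.com, amazonses.com and the _netblocks names are made up to mimic the shape of a nested include chain and are not the real published records. Swap the resolver for a real TXT lookup to audit a live domain.

```python
"""Count the DNS lookups an SPF record triggers (RFC 7208 caps them at 10)."""
import re

# SPF terms that each cost one DNS lookup when a receiver evaluates them.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Constructed TXT records standing in for a DNS zone. They mimic the shape
# of an include chain (a record that includes records that include more)
# but are NOT the real records published by google.com or amazonses.com.
FAKE_DNS = {
    "example.com": "v=spf1 include:_spf.google.com include:amazonses.com ~all",
    "_spf.google.com": ("v=spf1 include:_netblocks.google.com "
                        "include:_netblocks2.google.com "
                        "include:_netblocks3.google.com ~all"),
    "_netblocks.google.com": "v=spf1 ip4:192.0.2.0/24 ~all",
    "_netblocks2.google.com": "v=spf1 ip6:2001:db8::/32 ~all",
    "_netblocks3.google.com": "v=spf1 ip4:198.51.100.0/24 ~all",
    "amazonses.com": "v=spf1 ip4:203.0.113.0/24 -all",
}

# optional qualifier, mechanism/modifier name, optional ":value" or "=value"
TERM_RE = re.compile(r"^[+\-~?]?([a-z0-9]+)(?:[:=](.+))?$", re.IGNORECASE)


def count_spf_lookups(domain, resolver=FAKE_DNS, _stack=()):
    """Return (lookups, trail) for the SPF record of `domain`.

    `resolver` maps a domain name to its SPF TXT record; replace it with a
    real DNS query to check a live zone. `trail` lists (domain, term) for
    every lookup-costing term so you can see where the budget goes, plus
    "loop" / "no-spf-record" markers for broken chains. include and redirect
    are followed recursively; a cycle is recorded once and not followed.
    """
    if domain in _stack:
        return 0, [(domain, "loop")]
    record = resolver.get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return 0, [(domain, "no-spf-record")]
    total, trail = 0, []
    for raw in record.split()[1:]:
        match = TERM_RE.match(raw)
        if not match:
            continue
        name, value = match.group(1).lower(), match.group(2)
        if name not in LOOKUP_TERMS:
            continue                        # ip4 / ip6 / all cost nothing
        total += 1
        trail.append((domain, raw))
        if name in ("include", "redirect") and value:
            # a/mx/ptr/exists are single lookups; include/redirect pull in
            # another record whose own lookups count against the same budget
            sub_total, sub_trail = count_spf_lookups(
                value, resolver, _stack + (domain,))
            total += sub_total
            trail.extend(sub_trail)
    return total, trail


def spf_lookup_report(domain, resolver=FAKE_DNS, limit=10):
    """Summarise the lookup budget for a domain's SPF record."""
    total, trail = count_spf_lookups(domain, resolver)
    return {"domain": domain, "lookups": total,
            "within_limit": total <= limit, "trail": trail}


if __name__ == "__main__":
    report = spf_lookup_report("example.com")
    state = "ok" if report["within_limit"] else "EXCEEDS LIMIT"
    print(f"{report['domain']}: {report['lookups']} DNS lookups ({state})")
    for owner, term in report["trail"]:
        print(f"  {owner:<26} {term}")
```

With the constructed zone the two top-level includes expand to 5 lookups, which is the effect the paragraph above describes: the record you publish looks cheap, but the records it pulls in spend the budget for you. The trail output tells you which include is the expensive one.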
DMARC - Next is the DMARC record. Simply put, DMARC tells mail providers what to do if they receive messages that don't authenticate. There are quite a few parameters, and I'll provide links at the bottom for a more in-depth explanation, but a good generic one is:
v=DMARC1; p=quarantine; pct=5; rua=mailto:dmarcreports@domain.com
This tells mail providers to quarantine messages that don't pass and to report on 5% of messages to the email address in the record. These reports will tell you whether your emails are passing DKIM, DMARC and SPF for each sender IP, and they are incredibly helpful when troubleshooting problems.
Step 4 - Set up Cognito
Step 5 - Request production access for SES
Request that SES gets out of sandbox mode. The AWS instructions on this are very good: https://docs.aws.amazon.com/ses/latest/dg/request-production-access.html
Before doing this you will probably want to set up SNS topics to handle bounces and complaints in SES. This blog isn't going into setting that up, but the AWS documentation is good for this.
Now that it's set up, how do you know it's working? What do you do if a user says they aren't receiving an email notification?
For an extra charge (see the AWS pricing page) you can use the Virtual Deliverability Manager for SES. This has several important tools.
Note: Delivery indicates that the ISP accepted the message, but not whether it was flagged as spam.
There are lots of ways to look up DNS records when troubleshooting a problem, though I will normally use https://mxtoolbox.com/. It makes it quick and easy to find a specific domain record and will provide feedback on formatting and content.
Above we set up a DMARC report. While this can generate a lot of email (one from every ISP that received a message from you the previous day), it is very handy for troubleshooting problems. The report is in XML format and tells you, for each sending IP, whether DMARC, SPF, and DKIM passed or failed.
MXtoolbox has a tool to help parse the XML and make it human readable: https://mxtoolbox.com/Public/Tools/DmarcReportAnalyzer.aspx
If any of the columns show a fail, look up the IP to figure out which sender is having an issue, and you can start looking into correcting it.
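If you would rather not paste reports into a web tool, the following added example (my own code, not from the original post or from MXtoolbox) parses an aggregate report with the standard library and lists the sending IPs worth investigating. The embedded report is constructed in the RFC 7489 Appendix C layout; the org name, report id, domains and IPs are invented for the example.

```python
"""Parse a DMARC aggregate (rua) report and flag sending IPs that failed."""
import xml.etree.ElementTree as ET

# Constructed aggregate report (RFC 7489 Appendix C layout). The org, report
# id, domains and IPs are made up; this is not from a real mailbox provider.
SAMPLE_REPORT = """<feedback>
  <report_metadata>
    <org_name>mail.example.net</org_name>
    <email>dmarc-noreply@example.net</email>
    <report_id>example-report-0001</report_id>
    <date_range><begin>1700000000</begin><end>1700086399</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain><adkim>r</adkim><aspf>r</aspf>
    <p>quarantine</p><sp>quarantine</sp><pct>5</pct>
  </policy_published>
  <record>
    <row><source_ip>203.0.113.10</source_ip><count>42</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>192.0.2.77</source_ip><count>5</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>forwarder.example</domain><result>fail</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>3</count>
      <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><result>fail</result></dkim>
      <spf><domain>other.example</domain><result>softfail</result></spf></auth_results>
  </record>
</feedback>
"""


def _text(node, path, default=""):
    """Stripped text of a child element, or `default` if it is absent."""
    child = node.find(path)
    return child.text.strip() if child is not None and child.text else default


def parse_dmarc_report(xml_text):
    """Turn one aggregate report into a dict of published policy and rows."""
    root = ET.fromstring(xml_text)
    if root.tag != "feedback":
        raise ValueError("not a DMARC aggregate report")
    meta = root.find("report_metadata")
    policy = root.find("policy_published")
    report = {
        "org": _text(meta, "org_name"),
        "report_id": _text(meta, "report_id"),
        "domain": _text(policy, "domain"),
        "policy": {"p": _text(policy, "p"), "pct": int(_text(policy, "pct", "100"))},
        "rows": [],
    }
    for rec in root.findall("record"):
        row, auth = rec.find("row"), rec.find("auth_results")
        report["rows"].append({
            "source_ip": _text(row, "source_ip"),
            "count": int(_text(row, "count", "0")),
            "disposition": _text(row, "policy_evaluated/disposition"),
            "dkim": _text(row, "policy_evaluated/dkim"),  # aligned DKIM verdict
            "spf": _text(row, "policy_evaluated/spf"),    # aligned SPF verdict
            "header_from": _text(rec, "identifiers/header_from"),
            "dkim_domain": _text(auth, "dkim/domain"),
            "dkim_result": _text(auth, "dkim/result"),
            "spf_domain": _text(auth, "spf/domain"),      # envelope domain checked
            "spf_result": _text(auth, "spf/result"),
        })
    return report


def failing_sources(report, any_failure=False):
    """Rows worth investigating.

    By default return rows where DMARC failed outright (neither aligned DKIM
    nor aligned SPF passed). With any_failure=True also return rows where only
    one leg failed, which still passes DMARC but shows a weak sender.
    """
    flagged = []
    for row in report["rows"]:
        dkim_ok, spf_ok = row["dkim"] == "pass", row["spf"] == "pass"
        if (not dkim_ok and not spf_ok) or (any_failure and not (dkim_ok and spf_ok)):
            flagged.append(row)
    return flagged


if __name__ == "__main__":
    rep = parse_dmarc_report(SAMPLE_REPORT)
    print(f"{rep['org']} report {rep['report_id']} for {rep['domain']} "
          f"(p={rep['policy']['p']}, pct={rep['policy']['pct']})")
    for r in failing_sources(rep, any_failure=True):
        print(f"  {r['source_ip']:<15} msgs={r['count']:<4} dkim={r['dkim']} "
              f"spf={r['spf']} ({r['spf_domain']}) -> {r['disposition']}")
```

The aligned verdicts under policy_evaluated are what decide the disposition; the raw auth_results tell you why, for instance SPF checked against a forwarder's domain rather than yours. One caveat when reading the policy block: pct governs how many messages the quarantine policy is applied to, while the aggregate report covers every message the receiver saw from your domain.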
Google is a very large mail provider that many people and companies use for their email. Because of this I recommend using https://postmaster.google.com/. With this tool you set up a DNS record to prove ownership, and then you can see delivery statistics for Google.
Two notes on this tool.
Setting up email can be a complicated task, and troubleshooting can be daunting since failures can be inconsistent and difficult to reproduce. Below are some of the resources I use (some are also linked above) and some additional informational resources I've found useful.
In conclusion, setting up Cognito with SES is crucial for ensuring that your authentication emails don't end up in spam folders. This blog post has outlined the step-by-step process of setting up SES and Cognito, from verifying email domains to adding DNS records for DKIM, SPF, and DMARC. Additionally, we've discussed the importance of requesting that SES exit sandbox mode and provided troubleshooting and monitoring tips using tools like the SES Virtual Deliverability Manager, MXtoolbox, and Google Postmaster. By following these guidelines, you can streamline the integration of SES and Cognito, reduce spam issues, and ensure the successful delivery of your emails. For more in-depth information and additional resources, please refer to the links provided in the blog post. Start implementing these steps today and enjoy a smoother email authentication process with SES and Cognito.