AWS SES & SNS Setup Guide

Complete step-by-step guide to configure Amazon Simple Email Service (SES) and Simple Notification Service (SNS) for pitit - Email Marketing.

~5 min with script | ~30 min manual | Beginner-friendly | English

Overview

To use pitit - Email Marketing for sending email campaigns, you need an Amazon Web Services (AWS) account. AWS provides Simple Email Service (SES) as a reliable and cost-effective way to send bulk emails.

What will you configure?

  • IAM User: API access to AWS
  • Amazon SES: Email sending
  • Amazon SNS: Bounce/complaint notifications
Quick start: Use our automatic setup script to configure everything in ~5 minutes via AWS CloudShell. The script handles steps 1-6 automatically — you only need to add DNS records.
Tip: AWS SES costs only $0.10 per 1,000 emails. For most users, this means less than a few euros per month.
Important: Requirements for Amazon SES
Own domain required

To send emails via Amazon SES you must own your own domain (e.g., yourcompany.com). This domain must be verified via DNS records (DKIM, SPF, and DMARC) before you can go into production.

Domain verification proves to Amazon that you are the owner of the domain from which you send emails. This is required for production access.

Free email domains not allowed

Using free email domains as sender addresses is not possible. The following domains are not supported by Amazon SES:

gmail.com, outlook.com, hotmail.com, yahoo.com, live.com, icloud.com, mail.com, aol.com, protonmail.com, ziggo.nl, kpnmail.nl

These domains are owned by third parties and cannot be verified by you in Amazon SES. You need a domain where you can manage the DNS records.

Production access required: By default, your AWS SES account is in sandbox mode, which means you can only send to pre-verified email addresses. To be able to email all your subscribers, you must request production access from AWS. Domain verification is a requirement for this.
Don't want to do this yourself?

We'll handle the complete AWS setup for you

Let our team handle the complete Amazon SES and SNS configuration for you. Everything will be ready to use within 24-48 hours.

  • Complete AWS SES configuration in your account
  • Domain verification with DKIM, SPF, and DMARC
  • SNS notifications for bounces and complaints
  • Webhook connection with pitit - Email Marketing
  • Production access request to AWS
  • Test to verify everything works

One-time setup: €49,- including VAT as a standalone service, or free with an annual subscription (€90,-).

Prerequisites

  • A valid email address (for AWS account registration)
  • A credit card or payment card (AWS requires this, but you only pay for what you use)
  • The email address or domain you want to use as sender
  • Access to DNS settings of your domain (optional, but recommended)

Automatic Setup (Recommended)

The fastest way to configure AWS SES and SNS is with our automatic setup script. This script creates all necessary AWS resources at once — no manual clicking through the AWS Console needed.

The script automatically handles:
  • IAM user with proper SES sending permissions
  • SES domain identity with DKIM verification
  • Configuration Set for open/click tracking
  • SNS Topic for bounce and complaint notifications
  • Webhook connection to your pitit - Email Marketing account
  • All required DNS records are displayed
Option A: Via AWS CloudShell (Fastest)

AWS CloudShell is a browser-based terminal that is already configured with your AWS credentials. You don't need to install anything.

1. Generate a CloudShell link

Go to pitit - Email Marketing → Settings and click "Automatic AWS Setup" → Generate Link. You'll get a command that's valid for 30 minutes.

2. Open AWS CloudShell

Log in to the AWS Console and open CloudShell (click the icon in the top right of the AWS Console).

3. Paste the command and press Enter

The command downloads the personalized script and executes it. The command looks like:

    # Example — copy the real command from Settings
    curl -sS 'https://pitit.eu/api/aws-setup-script.php?token=...' \
      -o setup-pitit.sh && chmod +x setup-pitit.sh && ./setup-pitit.sh

4. Confirm the settings

The script displays an overview of your configuration (domain, region, webhook URL) and asks for confirmation. Type y to continue.

5. Add DNS records

After completion, the script displays the DNS records (TXT, CNAME, SPF) that you need to add at your domain provider (e.g., Cloudflare, TransIP, Versio). This is the only manual step.

6. Enter credentials

The script displays the Access Key and Secret Key. Copy these and enter them in pitit - Email Marketing → Settings → AWS SES.

Security: The CloudShell link contains a temporary token that's valid for 30 minutes. After use or expiration, the link becomes unusable. The script itself is generated based on your account settings and contains no passwords.
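
Because the downloaded script runs with the AWS credentials CloudShell already holds, it helps to list the AWS CLI calls it contains before executing it. The following is an added example, not part of pitit's script or of the original guide; the function names, the expected-service list (iam, ses, sesv2, sns, sts) and the sample script are assumptions.

```shell
#!/usr/bin/env bash
# Added example: list the AWS CLI calls a downloaded setup script would make.
# Function names, the allowlist and the sample script are assumptions.

# Print each distinct "service operation" pair invoked through the AWS CLI.
list_aws_calls() {
  awk '
    /^[ \t]*#/ { next }                        # ignore comment lines
    {
      for (i = 1; i <= NF; i++) {
        # match aws, $(aws and /usr/bin/aws, but not example-aws
        if ($i != "aws" && $i !~ /[^A-Za-z0-9_.-]aws$/) continue
        j = i + 1
        while (j <= NF && $j ~ /^--/) {        # skip global options
          if ($j ~ /^--(region|profile|output|endpoint-url)$/) j++
          j++
        }
        if ($j ~ /^[a-z0-9-]+$/ && $(j + 1) ~ /^[a-z0-9-]+$/)
          print $j, $(j + 1)
      }
    }' "$1" | sort -u
}

# Print calls to services other than the ones this guide says are configured.
unexpected_aws_calls() {
  list_aws_calls "$1" | grep -Ev '^(iam|ses|sesv2|sns|sts) ' || true
}

# Constructed sample standing in for the real setup-pitit.sh.
write_sample_script() {
  cat > "$1" <<'EOF'
#!/bin/bash
# aws s3 ls   (comment, ignored)
aws iam create-user --user-name example-ses-user
KEYS=$(aws iam create-access-key --user-name example-ses-user)
aws --region eu-central-1 sesv2 create-email-identity --email-identity example.com
aws sns create-topic --name example-ses-notifications
aws ec2 run-instances --image-id ami-EXAMPLE
EOF
}

sample=$(mktemp)
write_sample_script "$sample"
echo "AWS calls found:"
list_aws_calls "$sample"
echo "Outside the expected services:"
unexpected_aws_calls "$sample"
rm -f "$sample"
```

To use it on the real download, run only the `curl ... -o setup-pitit.sh` part of the command, call `list_aws_calls setup-pitit.sh`, and execute the script once the list matches what the guide says it configures.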

Option B: Download script and run locally

If you prefer to work locally or don't want to use CloudShell, you can also download the script:

  1. Go to pitit - Email Marketing → Settings and click Download .sh file
  2. Make sure AWS CLI is installed and configured with aws configure
  3. Run the script:
    chmod +x setup-pitit-aws-*.sh
    ./setup-pitit-aws-*.sh
Tip: The script is idempotent — you can safely run it multiple times. Existing resources will be skipped.

Prefer to configure everything manually? No problem — follow the steps below.

Manual Setup (for experts, or if the automatic script is not available)

1 Create AWS Account

If you don't have an AWS account yet, create one:

Go to AWS

Open aws.amazon.com and click "Create an AWS Account"

Enter your details

Enter your email address, password, and account name. Choose a "Personal" account unless you represent a company.

Add payment method

AWS requires a credit card for verification. You'll only be billed if you exceed the free tier.

Verify your identity

AWS sends a verification code to your phone.

Choose a support plan

Select "Basic Support - Free" - this is sufficient for most users.

Congratulations! You now have an AWS account. Log in to the AWS Console.

2 Create IAM User

Important: Never use your root account credentials. Always create a separate IAM user for applications.
Open IAM Console

Go to console.aws.amazon.com/iam or search for "IAM" in the AWS Console.

Create a new user

Click "Users" in the left menu, then "Create user".

IAM Console → Users → Create user
Set username

Give the user a clear name, for example: pitit---email-marketing-ses-user

Set permissions

Choose "Attach policies directly" and search for "AmazonSESFullAccess". Check this box.

For extra security, you can create a custom policy with only the necessary permissions. See the example below.
Create Access Keys

After creating the user, click on the username, go to "Security credentials" and click "Create access key".

Choose "Application running outside AWS" as the use case.

Save keys

IMPORTANT: Copy and save the Access Key ID and Secret Access Key securely. The Secret Key is only shown once!

Recommended IAM Policy (optional)

For maximum security, you can use this minimal policy:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "ses:SendEmail",
            "ses:SendRawEmail",
            "ses:GetSendQuota",
            "ses:GetSendStatistics"
          ],
          "Resource": "*"
        }
      ]
    }

3 Configure Amazon SES

Open SES Console

Go to console.aws.amazon.com/ses

Choose the right region

Select a region in the top right that's close to your target audience. For Europe, eu-central-1 (Frankfurt) or eu-west-1 (Ireland) is recommended.

Note: Remember which region you choose! You must use the same region in pitit - Email Marketing.
Sandbox Mode

New SES accounts start in Sandbox mode. This means you can only send to verified email addresses. Later you'll request production access.

4 Domain Verification

Own domain is required. Amazon SES requires a verified domain to request production access. Without domain verification, you can only send to verified email addresses (sandbox mode) and the tool is not usable for campaigns.

With domain verification, you prove to Amazon that you are the owner of the domain from which you send emails (e.g., yourcompany.com). After verification, you can send from any address @yourdomain.com.

Verify domain in SES
  1. Go to SES Console → Verified identities
  2. Click "Create identity"
  3. Select "Domain"
  4. Enter your domain (e.g., yourcompany.com)
  5. Check:
    • "Use a custom MAIL FROM domain" (optional but recommended)
    • "Enable DKIM signing" (required for production)
  6. Click "Create identity"
Add DNS Records

After creating, AWS displays the DNS records you need to add at your domain provider (e.g., Cloudflare, TransIP, Versio):

Type  | Name                            | Value                                    | Purpose
CNAME | xxxxx._domainkey.yourdomain.com | xxxxx.dkim.amazonses.com                 | DKIM verification (3x)
TXT   | _amazonses.yourdomain.com       | (verification token)                     | Domain ownership
MX    | mail.yourdomain.com             | feedback-smtp.eu-central-1.amazonses.com | Custom MAIL FROM
TXT   | mail.yourdomain.com             | v=spf1 include:amazonses.com ~all        | SPF record
Tip: DNS changes can take up to 72 hours to propagate, but usually it's done within an hour. You can track the status in the SES Console under "Verified identities".
DMARC record (recommended)

Also add a DMARC record for optimal deliverability:

# DNS TXT record for _dmarc.yourdomain.com
v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com
After successful verification a green checkmark appears next to your domain in the SES Console. You can now send emails from any address @yourdomain.com.
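
One way to sanity-check the SPF and DMARC values once they are published, as an added example that is not part of the original guide. It evaluates the two TXT values shown above; the function names and verdict strings are hypothetical, and `check_mail_dns` assumes `dig` is installed.

```shell
#!/usr/bin/env bash
# Added example: judge published SPF and DMARC TXT values for an SES setup.
# Function names and verdict strings are hypothetical, not pitit's or AWS's.

# stdin: TXT values of the MAIL FROM domain, one per line.
eval_spf() {
  local records count
  records=$(grep -Ei '^v=spf1( |$)' || true)
  count=$(printf '%s' "$records" | grep -c . || true)
  if [ "$count" -eq 0 ]; then echo "missing"
  elif [ "$count" -gt 1 ]; then echo "multiple"       # receivers treat this as an error
  elif ! printf '%s\n' "$records" | grep -qi 'include:amazonses\.com'; then
    echo "no-amazonses"
  elif printf '%s\n' "$records" | grep -Eqi '(^| )\+?all( |$)'; then
    echo "pass-all"                                    # authorises every sender
  else echo "ok"
  fi
}

# stdin: TXT values of _dmarc.<domain>, one per line.
eval_dmarc() {
  local rec policy
  rec=$(grep -Ei '^v=DMARC1 *(;|$)' | head -n 1 || true)
  [ -n "$rec" ] || { echo "missing"; return 0; }
  policy=$(printf '%s\n' "$rec" | tr 'A-Z;' 'a-z\n' |
           sed -n 's/^ *p *= *\([a-z]*\) *$/\1/p' | head -n 1)
  case "$policy" in
    none)              echo "monitor-only" ;;          # reports only, nothing filtered
    quarantine|reject) echo "enforcing:$policy" ;;
    *)                 echo "invalid-policy" ;;
  esac
}

# Live lookup; needs dig and network access, so it is defined but not called here.
check_mail_dns() {   # usage: check_mail_dns yourdomain.com mail.yourdomain.com
  echo "SPF:   $(dig +short TXT "$2" | sed 's/" "//g; s/"//g' | eval_spf)"
  echo "DMARC: $(dig +short TXT "_dmarc.$1" | sed 's/" "//g; s/"//g' | eval_dmarc)"
}

# Constructed inputs: the two records shown in this guide.
printf '%s\n' 'v=spf1 include:amazonses.com ~all' | eval_spf
printf '%s\n' 'v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com' | eval_dmarc
```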

Not suitable for production. With only a verified email address, you remain in SES sandbox: you can then only send to other verified addresses (max. 200 per day). For campaigns, you always need domain verification.

If you just want to test if SES works:

  1. Go to SES Console → Verified identities
  2. Click "Create identity"
  3. Select "Email address"
  4. Enter your email address (e.g., news@yourcompany.com)
  5. Click "Create identity"
  6. Open your email and click the AWS verification link

After testing, you still need to verify your domain (above) to request production access.

5 Create SNS Topic

Amazon SNS (Simple Notification Service) sends bounce and complaint notifications to pitit - Email Marketing, so that invalid email addresses are flagged automatically.

Open SNS Console

Go to console.aws.amazon.com/sns

Make sure you are in the same region as your SES configuration!
Create a new Topic

Click "Topics" in the left menu, then "Create topic".

Configure the topic
  • Type: Standard
  • Name: pitit---email-marketing-ses-notifications
  • Display name: pitit - Email Marketing SES

Click "Create topic".

Copy the Topic ARN

After creating the topic you will see the Topic ARN. This is a string like arn:aws:sns:eu-central-1:123456789:ses-notifications. You need it in the next step.

6 Connect Webhook

Now we'll connect SNS to pitit - Email Marketing via a webhook.

A. Create SNS Subscription
Open your SNS Topic

Click the topic you just created.

Create a Subscription

Click "Create subscription".

Configure the subscription
  • Protocol: HTTPS
  • Endpoint: Your webhook URL from pitit - Email Marketing
    Find your webhook URL in pitit - Email Marketing under Settings → Webhook URL
Confirm the subscription

AWS automatically sends a confirmation request to your webhook. pitit - Email Marketing confirms this automatically. The status changes from "Pending confirmation" to "Confirmed".

B. Connect SES to SNS
Go to SES Verified Identities

Open your verified email or domain in the SES Console.

Open Notifications tab

Click the "Notifications" tab.

Configure Feedback notifications

Click "Edit" next to Feedback notifications and set:

  • Bounce feedback: Select your SNS topic
  • Complaint feedback: Select your SNS topic
  • Delivery feedback: Select your SNS topic (optional)
Congratulations! Your webhook is now connected. Bounces and complaints are processed automatically.

7 Testing

Enter credentials
  1. Go to pitit - Email Marketing → Settings
  2. Under AWS SES Settings, fill in:
    • AWS Region (e.g., eu-central-1)
    • Access Key ID
    • Secret Access Key
  3. Click "Save"
  4. Click "Test Connection" to check that the credentials work
Test the webhook
  1. Go to Webhook Logs in pitit - Email Marketing
  2. Click "Test Webhook"
  3. You should see a success message
Send a test email
  1. Create a test group with your own email address
  2. Create a simple test campaign
  3. Send the campaign to your test group
  4. Check that you receive the email
Sandbox limitation: In sandbox mode you can only send to verified email addresses. Add your test email addresses as verified identities in SES.

Request Production Access

To be able to send to unverified email addresses, you must request production access from AWS.

Requirements for production access
  • Domain validation is mandatory - You must have verified your own domain with DKIM, SPF, and DMARC records
  • Own domain required - Free email domains (gmail.com, outlook.com, hotmail.com, etc.) are not accepted
  • Bounce/complaint handling - SNS notifications must be configured (steps 5 & 6)
Open SES Console

Go to Account dashboard in the SES Console.

Request production access

Click "Request production access".

Fill in the form
  • Mail type: Transactional (or Marketing, depending on your use)
  • Website URL: Your website address
  • Use case description: Describe what you will use SES for
Wait for approval

AWS reviews your request within 24-48 hours. You will receive an email once your account has been approved.

Tip for faster approval:
  • Be specific about your use case
  • Mention that you use an opt-in list
  • Explain how you handle bounces and complaints
  • State that your emails include an unsubscribe link

Troubleshooting

  • Check that your Access Key ID and Secret Key are copied correctly (no extra spaces)
  • Ensure the IAM user has the correct permissions (AmazonSESFullAccess)
  • Verify you have selected the correct AWS region

  • Sandbox mode: In sandbox you can only send to verified addresses
  • Check your spam/junk folder
  • Review the campaign details in pitit - Email Marketing for error messages
  • Check the SES Console for bounce/complaint notifications

  • Check that your webhook URL is correct (including https://)
  • Ensure your website is reachable from the internet (not localhost)
  • Check the Webhook Logs in pitit - Email Marketing for incoming requests
  • Try deleting the subscription and creating it again

  • DNS changes can take up to 72 hours to propagate
  • Verify the CNAME records were copied exactly (no typos)
  • Use a tool like MXToolbox to verify your DNS records
  • Some DNS providers require you to omit the trailing dot (.)

  • Provide more details about your use case
  • Explicitly mention that you have an opt-in mailing list
  • Explain how you handle bounces and complaints (via SNS webhook)
  • State that your emails include an unsubscribe link
  • You can submit a new request with more information

No, this is not possible.

Amazon SES requires you to verify the domain of your sender address via DNS records (DKIM, SPF, DMARC). Since you don't own domains like gmail.com, outlook.com, hotmail.com etc., you cannot set up these DNS records.

Unsupported domains (examples):

gmail.com, googlemail.com, outlook.com, hotmail.com, hotmail.nl, live.com, live.nl, msn.com, yahoo.com, yahoo.nl, icloud.com, me.com, aol.com, mail.com, protonmail.com, proton.me, ziggo.nl, kpnmail.nl, xs4all.nl, and all other domains you don't own.

Solution:

Still having problems?

Check the official AWS documentation or contact us.