Connection settings
- Host
- email-smtp.us-east-1.amazonaws.com
- Port
- 587
- Security
- STARTTLS
Amazon SES exposes regional SMTP endpoints for sending email. Each AWS region that supports SES has its own hostname in the format email-smtp.<region>.amazonaws.com — for example email-smtp.us-east-1.amazonaws.com or email-smtp.eu-west-1.amazonaws.com. You must use the endpoint that matches the region where you created your SMTP credentials.
SES SMTP credentials are not the same as your AWS access keys. They are a derived username/password pair generated from the SES console or CLI specifically for SMTP authentication.
Recommended settings
- Host:
email-smtp.<your-region>.amazonaws.com - Port: 587 (STARTTLS) or 465 (implicit TLS)
- Username: your SES SMTP username (a 20-character alphanumeric string)
- Password: your SES SMTP password (a long Base64 string)
- Auth method: Auto or PLAIN
- From: an email address or domain verified in SES in the same region
Creating SMTP credentials
- Open the Amazon SES console in your target region.
- Go to Account dashboard → SMTP settings.
- Click "Create SMTP credentials." This creates an IAM user with a policy scoped to
ses:SendRawEmail. - The console shows a username and password. Download or copy them immediately — the password is displayed only once.
- The username looks like
AKIAIOSFODNN7EXAMPLE(20 characters). The password is a longer derived string (not the IAM secret key itself — SES transforms it).
If you need to rotate credentials, delete the IAM user in the IAM console and repeat the process. You can also generate SMTP credentials from an existing IAM user's secret access key using the signing algorithm documented by AWS — but the console method is simpler.
Testing with SMTP Tester
- Set host to your region's SMTP endpoint (e.g.
email-smtp.us-east-1.amazonaws.com). - Port 587, security STARTTLS (or port 465 with TLS).
- Enter the SES SMTP username and password.
- From address: a verified identity in the same region (email or domain).
- To address: in sandbox mode, this must also be a verified address.
- Click Run. A
235 Authentication successfulconfirms credentials. A250 Okafter DATA confirms SES accepted the message.
Common errors
535 "Authentication Credentials Invalid"
- Region mismatch: SMTP credentials are region-specific. Credentials created in
us-east-1will not authenticate againsteu-west-1. Match the endpoint to the region where you generated them. - Using AWS access keys instead of SMTP credentials: your IAM access key ID and secret key will not work directly as SMTP credentials. You must create SMTP credentials through the SES console (which derives a password from the secret key using a specific algorithm).
- Credential rotation: if you recently regenerated credentials, ensure your config uses the new pair.
554 "Email address is not verified"
This error appears after authentication succeeds — the SMTP session was fine, but SES rejected the message content. In sandbox mode:
- The From address must be a verified identity (email or domain) in the SES region you are using.
- The To address must also be verified (sandbox restricts recipients too).
- The error message names which identity failed verification.
Fix: verify the From domain (or email) and, in sandbox mode, also verify the recipient address in the same region.
454 "Throttling failure"
SES rate-limits sending based on your account's sending quota and maximum send rate. New accounts in sandbox start at 1 message per second and 200 messages per day. If you exceed this, SES returns a 454 temporary error.
Check your current limits in SES → Account dashboard → Sending statistics. Request production access to raise them.
Connection timeout
SES SMTP only accepts connections on ports 587, 465, 2587, and 2465. Port 25 is not supported for submission. If 587 times out, your network may block it — try port 2587 (STARTTLS) or 2465 (TLS) as alternatives that some corporate firewalls allow.
Sandbox vs production
Every new SES account starts in sandbox mode with restrictions:
- Send only to verified email addresses (both From and To must be verified).
- Maximum 200 messages per 24 hours.
- Maximum send rate of 1 message per second.
To send to arbitrary recipients (real users), request production access through the SES console. AWS reviews the request (typically approved within 24 hours). Once approved, you only need to verify the From identity — recipients can be anyone.
SES regions and endpoints
Common SMTP endpoints:
| Region | Endpoint |
|---|---|
| US East (N. Virginia) | email-smtp.us-east-1.amazonaws.com |
| US West (Oregon) | email-smtp.us-west-2.amazonaws.com |
| EU (Ireland) | email-smtp.eu-west-1.amazonaws.com |
| EU (Frankfurt) | email-smtp.eu-central-1.amazonaws.com |
| Asia Pacific (Mumbai) | email-smtp.ap-south-1.amazonaws.com |
| Asia Pacific (Sydney) | email-smtp.ap-southeast-2.amazonaws.com |
Always use the endpoint in the region where your identities are verified and your SMTP credentials were created. Cross-region calls will fail authentication.
SES SMTP vs SES API
SES offers two ways to send: SMTP and the REST API (SendEmail/SendRawEmail). SMTP works from any language or tool that speaks SMTP — no AWS SDK needed. The REST API offers more control (configuration sets, tags, event publishing) but requires the SDK or signed HTTP requests.
For testing connectivity and authentication, SMTP Tester uses the SMTP interface directly. If SMTP works in SMTP Tester, it will work from your application with the same credentials and endpoint.
Security notes
- SES SMTP credentials are sensitive. Store them in environment variables or AWS Secrets Manager, not in source code.
- SMTP Tester redacts credentials from the protocol transcript automatically.
- Use the minimum IAM permissions (
ses:SendRawEmail) for the SMTP user. The SES console does this by default. - Enable SES event publishing and feedback notifications (bounces, complaints) in production to protect your sender reputation.