Provider setup

Amazon SES SMTP test — regional endpoints and credentials

Test Amazon SES SMTP using your region's email-smtp endpoint on port 587 with STARTTLS and IAM SMTP credentials.

4 min read Credentials redacted No signup

Connection settings

Host
email-smtp.us-east-1.amazonaws.com
Port
587
Security
STARTTLS

Amazon SES exposes regional SMTP endpoints for sending email. Each AWS region that supports SES has its own hostname in the format email-smtp.<region>.amazonaws.com — for example email-smtp.us-east-1.amazonaws.com or email-smtp.eu-west-1.amazonaws.com. You must use the endpoint that matches the region where you created your SMTP credentials.

SES SMTP credentials are not the same as your AWS access keys. They are a derived username/password pair generated from the SES console or CLI specifically for SMTP authentication.

Recommended settings

Creating SMTP credentials

  1. Open the Amazon SES console in your target region.
  2. Go to Account dashboard → SMTP settings.
  3. Click "Create SMTP credentials." This creates an IAM user with a policy scoped to ses:SendRawEmail.
  4. The console shows a username and password. Download or copy them immediately — the password is displayed only once.
  5. The username looks like AKIAIOSFODNN7EXAMPLE (20 characters). The password is a longer derived string (not the IAM secret key itself — SES transforms it).

If you need to rotate credentials, delete the IAM user in the IAM console and repeat the process. You can also generate SMTP credentials from an existing IAM user's secret access key using the signing algorithm documented by AWS — but the console method is simpler.

Testing with SMTP Tester

  1. Set host to your region's SMTP endpoint (e.g. email-smtp.us-east-1.amazonaws.com).
  2. Port 587, security STARTTLS (or port 465 with TLS).
  3. Enter the SES SMTP username and password.
  4. From address: a verified identity in the same region (email or domain).
  5. To address: in sandbox mode, this must also be a verified address.
  6. Click Run. A 235 Authentication successful confirms credentials. A 250 Ok after DATA confirms SES accepted the message.

Common errors

535 "Authentication Credentials Invalid"

554 "Email address is not verified"

This error appears after authentication succeeds — the SMTP session was fine, but SES rejected the message content. In sandbox mode:

Fix: verify the From domain (or email) and, in sandbox mode, also verify the recipient address in the same region.

454 "Throttling failure"

SES rate-limits sending based on your account's sending quota and maximum send rate. New accounts in sandbox start at 1 message per second and 200 messages per day. If you exceed this, SES returns a 454 temporary error.

Check your current limits in SES → Account dashboard → Sending statistics. Request production access to raise them.

Connection timeout

SES SMTP only accepts connections on ports 587, 465, 2587, and 2465. Port 25 is not supported for submission. If 587 times out, your network may block it — try port 2587 (STARTTLS) or 2465 (TLS) as alternatives that some corporate firewalls allow.

Sandbox vs production

Every new SES account starts in sandbox mode with restrictions:

To send to arbitrary recipients (real users), request production access through the SES console. AWS reviews the request (typically approved within 24 hours). Once approved, you only need to verify the From identity — recipients can be anyone.

SES regions and endpoints

Common SMTP endpoints:

Region Endpoint
US East (N. Virginia) email-smtp.us-east-1.amazonaws.com
US West (Oregon) email-smtp.us-west-2.amazonaws.com
EU (Ireland) email-smtp.eu-west-1.amazonaws.com
EU (Frankfurt) email-smtp.eu-central-1.amazonaws.com
Asia Pacific (Mumbai) email-smtp.ap-south-1.amazonaws.com
Asia Pacific (Sydney) email-smtp.ap-southeast-2.amazonaws.com

Always use the endpoint in the region where your identities are verified and your SMTP credentials were created. Cross-region calls will fail authentication.

SES SMTP vs SES API

SES offers two ways to send: SMTP and the REST API (SendEmail/SendRawEmail). SMTP works from any language or tool that speaks SMTP — no AWS SDK needed. The REST API offers more control (configuration sets, tags, event publishing) but requires the SDK or signed HTTP requests.

For testing connectivity and authentication, SMTP Tester uses the SMTP interface directly. If SMTP works in SMTP Tester, it will work from your application with the same credentials and endpoint.

Security notes

Try it on your own server

Run these settings against your SMTP server and watch the live, credential-redacted protocol transcript.

Open SMTP Tester