Amazon SES now supports tenant management. This allows you to isolate and manage your tenants in the SES management console. If you run multiple campaigns or services on SES and want to separate their email identities, configuration sets, and reputation metrics, this is the feature to use.
Minimize cross-tenant interference
Each tenant will get their own set of:
- Email identities
- Configuration sets
- Templates
- Reputation metrics
This ensures that all SES activities are separated between different use cases, limiting the blast radius of a problem to one tenant. Previously, such a problem could have caused your account to be suspended.
As tenants have individual reputation metrics, you will have to adjust the reputation policies of each tenant. Depending on the selection here, different actions will be performed if a certain reputation threshold is breached.
- Standard: this will pause sending if high-severity deliverability issues show up
- Strict: this will pause sending if any issues are found that affect deliverability
- None: regardless of findings, no action will be taken
Ready to adapt to tenants?
First, create a tenant in the SES section of the AWS Management Console, with the AWS CLI, or programmatically with your favorite tooling, such as boto3 for Python.
aws sesv2 create-tenant \
--tenant-name "MyTenant" \
--region eu-central-1
create a tenant
Next, assign the resources. A tenant needs at least one verified identity and one configuration set to be able to send mail. Use the create-tenant-resource-association operation to link resources to a tenant.
aws sesv2 create-tenant-resource-association \
--tenant-name "MyTenant" \
--resource-arn "arn:aws:ses:eu-central-1:123456789012:configuration-set/MyConfigSet" \
--region eu-central-1
assign a configuration set to a tenant
Follow up by updating the reputation policy.
aws sesv2 update-reputation-entity-policy \
--reputation-entity-type "RESOURCE" \
--reputation-entity-reference "arn:aws:ses:eu-central-1:123456789012:tenant/tenantId" \
--reputation-entity-policy "arn:aws:ses:eu-central-1:aws:reputation-policy/standard"
update reputation policy
Sending an email needs only a small adjustment to the API call or the SMTP headers. SES then verifies that the resources used are attached to the tenant. Resources can be shared among multiple tenants or be exclusive to one. This association is verified on every sending request, and the request fails if the validation is rejected.
X-SES-TENANT: MyTenant
If using SMTP, add this to your headers.
Otherwise, provide the configuration set and tenant name in your request:
aws sesv2 send-email \
--tenant-name "MyTenant" \
--from-email-address "sender@example.com" \
--destination "ToAddresses=recipient@example.com" \
--content "Simple={Subject={Data='Test Subject',Charset=utf-8},Body={Text={Data='Test email body',Charset=utf-8}}}" \
--configuration-set-name "MyConfigSet"
example of sending an email using the aws cli
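For the SMTP path, a sending service can run the same tenant/resource check locally before it tags a message, so a mismatched tenant is caught before SES rejects the request. The following is an added example, not code from this post or from AWS: the association map, `OtherTenant`, `OtherConfigSet` and the identity ARNs are constructed sample data, and `X-SES-CONFIGURATION-SET` is the SES SMTP header for the configuration set, which the post does not show. SES still performs the authoritative check.

```python
from email.message import EmailMessage

REGION, ACCOUNT = "eu-central-1", "123456789012"  # taken from the ARNs in the post


def arn(kind, name):
    return f"arn:aws:ses:{REGION}:{ACCOUNT}:{kind}/{name}"


# Constructed sample data: local copy of what was linked to each tenant with
# create-tenant-resource-association. OtherTenant, OtherConfigSet and the
# identity ARNs are made up for this example.
ASSOCIATIONS = {
    "MyTenant": {arn("configuration-set", "MyConfigSet"),
                 arn("identity", "example.com")},
    "OtherTenant": {arn("configuration-set", "OtherConfigSet"),
                    arn("identity", "example.com")},  # identity shared by both
}


def preflight(tenant, config_set, from_addr):
    """Return a list of problems; an empty list means the local check passed."""
    resources = ASSOCIATIONS.get(tenant)
    if resources is None:  # unknown or malformed tenant name
        return [f"unknown tenant {tenant!r}"]
    problems = []
    if arn("configuration-set", config_set) not in resources:
        problems.append(f"configuration set {config_set!r} is not associated with {tenant!r}")
    domain = from_addr.rpartition("@")[2]
    # An identity can be a full address or a domain; accept either.
    if not {arn("identity", from_addr), arn("identity", domain)} & resources:
        problems.append(f"no identity for {from_addr!r} is associated with {tenant!r}")
    return problems


def build_message(tenant, config_set, from_addr, to_addr, subject, body):
    """Build the SMTP message, refusing to tag it for a mismatched tenant."""
    problems = preflight(tenant, config_set, from_addr)
    if problems:
        raise ValueError("; ".join(problems))
    msg = EmailMessage()
    msg["From"] = from_addr
    msg["To"] = to_addr
    msg["Subject"] = subject
    msg["X-SES-TENANT"] = tenant                 # header named in the post
    msg["X-SES-CONFIGURATION-SET"] = config_set  # SES SMTP header for the configuration set
    msg.set_content(body)
    return msg
```

Take the tenant name from your own server-side mapping of customer to tenant, not from request input, so one tenant cannot send under another tenant's reputation.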
Congratulations, you can now use tenants in SES.
Limitations & notes
There are some limitations that apply:
- Tenants are scoped by region; they are not replicated into other regions
- Default quota is 10000 tenants; this limit can be increased using the Quota console
- Configuration sets must be specified (or be inherited from an identity) and associated with the tenant when sending
- A small extra fee per tenant is applied
TL;DR
Use the tenants feature in SES to separate email identities, configuration sets, templates and your sender reputation by tenant to isolate your environment.