SendOps
Get Started
Engineering

AWS SES Best Practices: Protecting Deliverability at Scale

The essential checklist for keeping bounce rates low, avoiding spam traps, and maintaining a healthy sender reputation when sending at scale with AWS SES.

Kai Tanaka

Kai Tanaka
#aws-ses #deliverability #best-practices #email-infrastructure

Deliverability is fragile. A single bad send — a stale list, a misconfigured DMARC record, a sudden spike in volume — can crater your sender reputation and take weeks to recover.

This guide covers the practices we've learned from operating email infrastructure for hundreds of teams using AWS SES.

Warm Up New Sending Identities

AWS SES and ISPs alike track your sending history per identity. A brand-new domain or IP that suddenly sends 100,000 emails will be flagged immediately. The rule of thumb: double your daily volume every 3–4 days, starting from no more than 500–1,000 emails/day. SendOps has a built-in ramp schedule that automates this for new channels.

Authenticate Every Message

Unauthenticated email is treated with deep suspicion by every major ISP. Make sure you have all three in place: SPF authorizes your sending infrastructure, DKIM cryptographically signs your messages (SES provides 2048-bit DKIM keys — enable them), and DMARC tells ISPs what to do with messages that fail SPF/DKIM and sends you aggregate reports. Start with p=none to collect data, then move to p=quarantine, then p=reject.

Monitor Your Bounce and Complaint Rates

AWS SES will suspend your account if bounce rate exceeds 10% (warning at 5%) or complaint rate exceeds 0.5% (warning at 0.1%). These thresholds are strict. Set up monitoring via SNS notifications or use SendOps's built-in alerting to get paged before you hit the limits.

Segment Your Traffic

Don't send transactional and marketing email from the same domain or IP pool. A poorly-performing marketing campaign shouldn't impact your password reset emails. Recommended setup: mail.yourdomain.com for transactional, news.yourdomain.com for marketing, notify.yourdomain.com for notifications.

List Hygiene

The fastest way to destroy deliverability is sending to stale or invalid addresses. Remove hard bounces immediately — never retry them. Suppress soft bounces after 3–5 failures over 30 days. Honor unsubscribes within 10 days (CAN-SPAM) or 3 days (GDPR). Re-permission inactive subscribers before sending again after 6+ months of silence. SendOps automatically manages bounce and complaint suppression lists synced with SES's account-level suppression list.

Configuration Sets Are Mandatory

Never send without a configuration set. They're how you attach event destinations (SNS, Kinesis, CloudWatch) to track what happens after the send. At minimum, set up SNS event destinations for BOUNCE events to your suppression handler, COMPLAINT events to your suppression handler plus alert, and SEND/DELIVERY events to your analytics pipeline.

Summary

Email deliverability is an operational discipline, not a one-time setup. The teams with the best inbox placement treat it like they treat uptime — with monitoring, alerting, and regular review.