Configuring WorkMail to send all outbound email through SMTP Gateway to SES

0

I have been trying to set up WorkMail to send all outbound email through SES so that I can use a dedicated IP address and monitor bounced emails etc.

Below are the steps I have taken:

  1. I have created SMTP credentials in the SMTP Settings within the SES console.

  2. In WorkMail I have gone to the Organization Settings screen and created a new Gateway in the SMTP Gateway tab. I used these values:

Gateway Address: email-smtp.eu-west-1.api.aws

Port Number: 587 (I tried using port 465 as I had seen somewhere that WorkMail does not support StartTLS, but this failed to save)

I also entered the Username and Password from step 1 above.

  3. I created an Outbound Rule in the Organization Settings in the WorkMail console to route all incoming email to the SMTP Gateway I have set up.

When I try sending a test email (even to my own email address) I get an email from amazonses.com with the subject Undelivered Mail Returned to Sender. The body of the email includes:

An error occurred while trying to deliver the mail to the following recipients:

[my email address here]

Reporting-MTA: dns; a2-57.smtp-out.eu-west-1.amazonses.com

Final-Recipient: rfc822; [my email address here]

Action: failed

Status: 5.3.0

2 Answers
0

It looks like you're experiencing an issue with your WorkMail to SES integration. Let me help troubleshoot this setup.

The error you're receiving (Status: 5.3.0) indicates there's a problem with the SMTP gateway configuration. Here are a few things to check:

  1. The gateway address you've entered appears incorrect. Instead of "email-smtp.eu-west-1.api.aws", you should use the full Amazon SES SMTP endpoint, which would be something like "email-smtp.eu-west-1.amazonaws.com". The correct format is essential for the connection to work properly.

  2. Port 587 is correct for TLS encryption, which is required by Amazon SES. Your choice to use this port instead of 465 is appropriate since all connections to the Amazon SES SMTP endpoint must be encrypted using TLS.

  3. Make sure your SMTP credentials from SES are entered correctly in the WorkMail SMTP gateway configuration. These credentials are different from your regular AWS access keys.

  4. Verify that your outbound rule in WorkMail is correctly configured to route all outgoing email through the SMTP gateway you set up.

  5. Ensure that your Amazon SES account is out of the sandbox if you're sending to recipients whose email addresses you haven't verified in SES.

For the SMTP gateway in WorkMail, you need to provide:

  • A unique gateway name
  • The correct gateway address (SES endpoint)
  • Port number (587)
  • Your SES SMTP username
  • Your SES SMTP password

After making these corrections, restart the service if necessary and try sending a test email again.
Sources
Enabling SMTP gateways - Amazon WorkMail
Integrating Amazon SES with your existing email server - Amazon Simple Email Service
Sending email with Amazon SES - Amazon Simple Email Service

answered a month ago
  • I have updated the gateway address. I'm using the credentials that I downloaded in the CSV file after creating the SMTP credentials. I have tested the Outbound rule and it shows that it will result in the email being routed to the SMTP Gateway. My account is out of the sandbox; I have a daily sending limit of 50,000 emails per 24 hours and a max send rate of 14 emails per second (according to the SES account dashboard).

0

Hi,

Does your bounce message include a "Diagnostic-Code:"? WorkMail does not support SES as an SMTP gateway, as it already uses SES to send mail, so the double send via SES will result in issues with duplicate DKIM-signature headers.

Kind regards, Robin

AWS
EXPERT
answered a month ago
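
For anyone triaging the same bounce, the following is an added example (not part of any post in this thread) that parses a delivery status notification and reports the two things raised above: whether a Diagnostic-Code field is present, and how many DKIM-Signature headers the returned message carries. The sample bounce is constructed from the fields quoted in the question, the `triage_bounce` name is hypothetical, and it is an assumption that the bounce includes the original message as a `message/rfc822` part.

```python
import email

# Constructed sample bounce (RFC 3464 multipart/report); addresses are placeholders.
SAMPLE_BOUNCE = """\
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: message/delivery-status

Reporting-MTA: dns; a2-57.smtp-out.eu-west-1.amazonses.com

Final-Recipient: rfc822; recipient@example.com
Action: failed
Status: 5.3.0

--b1
Content-Type: message/rfc822

DKIM-Signature: v=1; d=example.com; s=sel1; b=constructed
DKIM-Signature: v=1; d=amazonses.com; s=sel2; b=constructed

hello
--b1--
"""

def triage_bounce(raw):
    """Hypothetical helper: DSN fields per recipient + DKIM-Signature count."""
    msg = email.message_from_string(raw)
    report = {"reporting_mta": None, "recipients": [], "dkim_signatures": 0}
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "message/delivery-status" and part.is_multipart():
            for block in part.get_payload():  # one Message per header block
                if block.get("Reporting-MTA"):
                    report["reporting_mta"] = block["Reporting-MTA"].split(";", 1)[-1].strip()
                if block.get("Final-Recipient"):
                    status = (block.get("Status") or "").strip()
                    report["recipients"].append({
                        "recipient": block["Final-Recipient"].split(";", 1)[-1].strip(),
                        "action": (block.get("Action") or "").strip(),
                        "status": status,
                        "permanent": status.startswith("5."),  # 5.x.x = permanent failure
                        "diagnostic_code": block.get("Diagnostic-Code"),  # None if absent
                    })
        elif ctype == "message/rfc822" and part.is_multipart():
            original = part.get_payload(0)  # the returned copy of the sent message
            report["dkim_signatures"] = len(original.get_all("DKIM-Signature", []))
    return report
```

Feed it the raw source of the bounce (saved as an `.eml` file and read into a string); a `diagnostic_code` of `None` means the reporting MTA gave no further detail than the status code.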
