Domain and Email Address Identity have different Feedback notification settings for different SNS topics but both of them go to the same topic as what is set for the domain identity

0

I have 2 verified identities:

The reason for both is that I want email from account@domain.com to go to one SNS topic (Account Topic) while everything else in that domain goes to a different SNS topic (Domain Topic). That is the idea but the email sent from account@domain.com has its notifications go to the same SNS topic as domain.com.

I know this should work because it is listed here https://docs.aws.amazon.com/ses/latest/dg/creating-identities.html

Verified email address identity settings override verified domain identity settings.

Note: I am not in the sandbox

Troubleshooting

  • Verified that each identity has different SNS Feedback notifications
  • Created a different-account@domain.com as a verified email address identity and set Bonce, Complaint, and Delivery notifications to go to the same SNS topic as account@domain.com (Account Topic) - this worked as expected with notifications going to the correct SNS topic (Account Topic)
  • Made sure that the character cases match for account@domain.com when sending email since email identities are case-sensitive
  • Deleted the Email address identity (account@domain.com), waiting 15 minutes, and then creating a new identity with the same account@domain.com address - the identity was immediately verified and still had the previous Bonce, Complaint, and Delivery settings as before which makes me think this account was never deleted off of AWS in the backend.
1 Answer
1
Accepted Answer

This is now fixed. I had to purchase the AWS support for $29 for this answer but it was worth it because it is now fixed so hopefully I save you from also having to pay for support.

For those of you that happen to stumble on this post and have the same issue, here is the fix.

The reason was due to the difference between how v2 and v1 SES APIs verify the email identity.

Generally, with SES if the domain at large is verified it is not required to verify a specific email address within that domain. That is unless you want changes to the configuration as to how certain email addresses should operate. However, to make use of email address identity while sending email using SES SMTP, you need to verify the email address using the v1 API.

In your web console, it might be showing as verified since it is using v2 calls. However, if you check the same using CLI, you will see the status as “Failed or pending”. This is very strange behavior and almost seems like a bug to me, but I do not work at AWS.

You can verify this by running this command: (Replace user@example.com with your email identity)

aws ses get-identity-verification-attributes --identities "user@example.com"

And it will show this…

{
    "VerificationAttributes": {
        "user@example.com": {
            "VerificationStatus": "Pending"
        }
    }
}

Which is completely different than what is shown in the console.aws.amazon.com/ses

Mitigation:

  1. Open the Amazon SES console.
  2. From the AWS Region selector in the navigation bar, select the Region that your identity is in.
  3. From the list of Verified identities, select the email identity. Then, choose Delete
  4. Choose Create Identity. Then, re-enter the email identity details
  5. Then run this CLI command (Replace user@example.com with your email identity)
aws ses verify-email-identity --email-address user@example.com  

Note: This command adds an email address to the list of identities for your Amazon SES account in the current AWS region and attempts to verify it. As a result of executing this operation, a verification email is sent to the specified address.

  1. Click that verification link received in your mailbox for this email identity and verify the email address on AWS console as well as AWS CLI by running the verification attribute command
aws ses get-identity-verification-attributes --identities user@example.com

The result should look like this...

{
    "VerificationAttributes": {
        "user@example.com": {
            "VerificationStatus": "Success"
        }
    }
}
  1. Once the verification status is "Verified" on the console and shows "Success" on the CLI level, you can test by sending an email for the email identity and verify it is using the correct configuration set on SES.
answered 2 years ago
profile picture
EXPERT
reviewed 5 months ago
profile picture
EXPERT
reviewed 7 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions