AWS SES with Cognito failing to send verification emails

0

Hi

We have developed an app for a client where we use Cognito as the Auth provider, and using SES to send verification and systems messages.

New users are added through an app API using the @aws-sdk/client-cognito-identity-provider SDK. It all works well.

Administrators and supervisors of the system all belong to the specific app domain, meaning they have email addresses at this domain, which is also the app domain. This app domain has been verified with SES, along with some admin email addresses from which verification emails are sent.

So everything works fine when new users are added through the site front-end and do not belong to this main app domain. They instantaneously get their email verification email prompting for a password change, after which they can sign in for access to certain information.

However, when adding new users in specific app roles (admin, agents, support, etc.) for the same domain, meaning they are to log in and perform system functions, they do not receive the expected invitation or other system emails.

Now I've checked everything on the side of SES in terms of policies, verified entities, etc., and on the side of the Cognito user pool, where there is not much detailed configuration to be done, everything has been checked.

But somehow it seems like email to users of the app domain is getting suppressed.

Does anybody have some insights into this, as I cannot seem to find anything on the web?

Any help will be greatly appreciated!

  • Double-check the SPF and DKIM settings for the verified SES domain and sender email addresses. Make sure they align with your domain's DNS records.

2 Answers
0
Accepted Answer

This is a tough cookie to crack then. I do believe that it does affect it, so try this:

If you have a DMARC policy that is set to reject or quarantine emails from your domain, then Amazon SES will not be able to send verification emails to users with email addresses that end in your domain.

To resolve this issue, you need to update your DMARC policy to allow or permit emails from your domain. You can do this by following these steps:

  • Go to the Google Admin console.
  • Click the Security tab.
  • Click the DMARC tab.
  • Click the Edit button next to your domain.
  • In the Policy field, select Allow or Permit.
  • Click the Save button.

Once you have updated your DMARC policy, verification emails should start being sent to users with email addresses that end in your domain.

Here are some additional things to check:

  • Make sure that you have updated your DMARC policy to allow or permit emails from your domain.
  • Make sure that the email addresses that you are trying to send verification emails to are actually verified in Amazon SES.
  • Make sure that the email addresses that you are trying to send verification emails to are not in the Amazon SES blacklist.

answered 9 months ago
EXPERT
reviewed 25 days ago
  • Hi Subhaan

    Many thanks again for your generous reply!

    You are right. After a few hours of research and internal reflection to evaluate if I should make a career change, I came to the same solution.

    It all has to do with the DMARC and SPF DNS records.

    Once that was fixed, all ships were sailing, and I delayed my contemplated career change...

    Many thanks again. Hope someone else can benefit too.

    Nantus
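The accepted answer and the follow-up comment put the fix in the DMARC and SPF DNS records. The script below is an added example, not code from the original thread or from AWS: it models how a receiver that enforces a domain's DMARC policy evaluates a message SES sends with a From: address at that domain, which is exactly the case of invitation mail to admin@<app domain> when the recipients' mail server is the one enforcing the policy. It assumes example.com as a stand-in for the app domain, constructed DNS TXT records (not real DNS data), a cut-down public suffix list, and that the DKIM signature itself is valid; it only checks the identifier alignment that DMARC cares about.

```python
"""
Evaluate whether mail that Amazon SES sends on behalf of a domain passes
DMARC at a receiver that enforces the domain's policy.  All DNS TXT records
below are constructed for this example and are not real DNS data; replace
them with the output of `dig +short TXT <name>` for your own domain.
"""
import re

# Constructed sample records keyed by DNS name (not real DNS data).
SAMPLE_TXT = {
    "example.com": "v=spf1 include:_spf.google.com -all",
    "_dmarc.example.com": "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@example.com",
    # A custom MAIL FROM subdomain delegated to SES, with its own SPF record.
    "bounce.example.com": "v=spf1 include:amazonses.com -all",
}

# Public suffixes known to the organizational-domain logic; a production
# implementation would use the full Public Suffix List.
PUBLIC_SUFFIXES = ("co.za", "co.uk", "com", "net", "org")


def parse_dmarc(record):
    """Parse 'v=DMARC1; p=reject; adkim=s' into a tag dict with RFC 7489 defaults."""
    tags = {"p": "none", "adkim": "r", "aspf": "r", "pct": "100"}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(name):
    """Organizational domain: the public suffix plus one label (example.com, paton.co.za)."""
    name = name.lower().rstrip(".")
    for suffix in sorted(PUBLIC_SUFFIXES, key=len, reverse=True):
        if name.endswith("." + suffix):
            return name[: -len(suffix) - 1].split(".")[-1] + "." + suffix
    return name


def aligned(candidate, from_domain, mode):
    """DMARC identifier alignment: 's' needs an exact match, 'r' the same organizational domain."""
    candidate, from_domain = candidate.lower(), from_domain.lower()
    if mode == "s":
        return candidate == from_domain
    return org_domain(candidate) == org_domain(from_domain)


def spf_passes_for_ses(txt, mail_from_domain):
    """SES connects from its own IP ranges, so SPF passes when the MAIL FROM domain is
    SES's own (the default, a subdomain of amazonses.com) or when the MAIL FROM
    domain's SPF record includes amazonses.com."""
    if org_domain(mail_from_domain) == "amazonses.com":
        return True
    record = txt.get(mail_from_domain.lower(), "")
    return record.startswith("v=spf1") and re.search(r"\binclude:amazonses\.com\b", record) is not None


def evaluate(txt, from_domain, mail_from_domain, dkim_domain=None):
    """What a DMARC-enforcing receiver does with a message whose From: header is at
    from_domain, sent by SES with the given MAIL FROM domain and, optionally, a DKIM
    signature with d=dkim_domain (the signature itself is assumed valid, not verified)."""
    dmarc = parse_dmarc(txt.get("_dmarc." + from_domain.lower(), ""))
    spf_pass = spf_passes_for_ses(txt, mail_from_domain)
    spf_aligned = spf_pass and aligned(mail_from_domain, from_domain, dmarc["aspf"])
    dkim_aligned = dkim_domain is not None and aligned(dkim_domain, from_domain, dmarc["adkim"])
    dmarc_pass = spf_aligned or dkim_aligned
    # A message passes DMARC if at least one authenticated identifier aligns;
    # otherwise the published policy (none/quarantine/reject) applies.
    action = "deliver" if dmarc_pass or dmarc["p"] == "none" else dmarc["p"]
    return {"spf_pass": spf_pass, "spf_aligned": spf_aligned,
            "dkim_aligned": dkim_aligned, "dmarc_pass": dmarc_pass, "action": action}


if __name__ == "__main__":
    # 1. SES defaults: MAIL FROM is an amazonses.com subdomain, no DKIM for the domain.
    print("defaults:        ", evaluate(SAMPLE_TXT, "example.com", "eu-west-1.amazonses.com"))
    # 2. DKIM signing enabled on the verified domain: d=example.com aligns, DMARC passes.
    print("with DKIM:       ", evaluate(SAMPLE_TXT, "example.com", "eu-west-1.amazonses.com",
                                        dkim_domain="example.com"))
    # 3. Custom MAIL FROM only: SPF passes but aspf=s rejects the subdomain.
    print("custom MAIL FROM:", evaluate(SAMPLE_TXT, "example.com", "bounce.example.com"))
```

The three scenarios show why the symptom looks like selective suppression: with SES defaults the MAIL FROM is a subdomain of amazonses.com, so SPF passes but never aligns with the app domain, and with no aligned DKIM signature a p=reject policy published by that same domain rejects the invitation at the recipients' own mail server, while recipients at other domains, whose servers apply a different (or no) policy, get the mail. Enabling DKIM signing on the verified SES domain identity gives an aligned DKIM signature and fixes it; a custom MAIL FROM subdomain with an SPF record that includes amazonses.com also aligns, but only under relaxed alignment (aspf=r), which the script reproduces by swapping the DMARC record.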

0

There are generally four main reasons why this occurs:

  • The user's email address might be on the Amazon SES suppression list. You can check this by going to the Amazon SES console and navigating to the Suppression lists page. If the user's email address is on the list, you can remove it by clicking the Remove button.

  • The email address might be blocked by Amazon SES. You can check this by going to the Amazon SES console and navigating to the page. If the user's email address is on the list, you can remove it by clicking the Remove button.

  • The email might be caught by the user's spam filter. You can ask the user to check their spam folder to see if the email is there.

  • There might be a problem with the Cognito user pool configuration. You can check the Cognito user pool configuration by going to the Amazon Cognito console and navigating to the User Pools page. Make sure that the Email settings are configured correctly.

answered 9 months ago
  • Hi Subhaan

    Many thanks for taking the time to respond.

    None of the issues you are pointing out are causing the problem. I have checked those a number of times.

    My suspicion is that it has to do with DMARC configuration.

    Investigating along those lines.

    The details of my setup are as follows:

    The verified domain is paton.co.za. The verified email address is info@paton.co.za.

    When a new administrator, like admin@paton.co.za, is signed up via Cognito, the invitation email does not arrive.

    But when another new candidate, like peter@abc.co.za is registered, all works just fine. He gets his email with temporary password which he is forced to change, after which login happens flawlessly.

    Cannot figure why this would be the case.
