Ah, there's your problem. The MX record must point to
inbound-smtp.us-east-1.amazonaws.com
and not
inbound-smtp.us-east-1.amazonses.com
Everything needed would appear to be in place then. Would you still double-check that in SES's email reception configuration, you only have one rule set, the rule set is in "active" status, and the receipt rule it contains shows as "enabled"?
I just compared what you described to a working production deployment in my environment, and it's set up identically to what you're describing, except for having a bunch of additional security restrictions, which only make my configuration more restrictive. It's been working for years.
To be sure, you also haven't configured sender IP address filters under Email receiving in SES? And you aren't receiving a non-delivery notification from or to Gmail when sending a test message from there? The email just doesn't arrive but also doesn't bounce?
Nothing in IP address filters has been added. Earlier I had some stuff set up in Mail Manager to try and fix this issue, but I deleted all of that days ago to try and reduce complexity to find the issue, but that did not fix anything. As of now everything in Mail Manager is disabled. Do you have any suggestions for how I can fix this since AWS support won't help?
I just get AMAZON_SES_SETUP_NOTIFICATION messages in my bucket when I send emails to myself, but the notifications don't actually tell me the issue.
Actually I just checked my Gmail box and I see Delivery Status Notification (Failure), Address not found, that says "Your message wasn't delivered to contact@example.com because the domain example.com couldn't be found. Check for typos or unnecessary spaces and try again." Then the response was the following.
DNS Error: DNS type 'mx' lookup of example.com responded with code NOERROR
DNS type 'aaaa' lookup of inbound-smtp.us-east-1.amazonses.com. responded with code NXDOMAIN
DNS type 'a' lookup of inbound-smtp.us-east-1.amazonses.com. responded with code NXDOMAIN
But why?
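The bounce quoted above already names the host that failed to resolve. As an added example (not part of the thread and not AWS code), this Python code pulls the NXDOMAIN hosts out of such a bounce and checks each one against the inbound-smtp.REGION.amazonaws.com form given in the answers; the function names and the region pattern are assumptions made for the example.

```python
import re

# Receiving endpoint form stated in the thread: inbound-smtp.REGION.amazonaws.com
# (the region sub-pattern is an assumption covering names like us-east-1).
SES_INBOUND = re.compile(r"^inbound-smtp\.([a-z]{2}(?:-[a-z]+)+-\d+)\.amazonaws\.com$")
# One lookup result line as it appears in the Gmail bounce text.
LOOKUP = re.compile(r"DNS type '(\w+)' lookup of (\S+?)\.? responded with code (\w+)")

# Bounce text as quoted in the thread (domain already anonymised to example.com).
BOUNCE = """DNS Error: DNS type 'mx' lookup of example.com responded with code NOERROR
DNS type 'aaaa' lookup of inbound-smtp.us-east-1.amazonses.com. responded with code NXDOMAIN
DNS type 'a' lookup of inbound-smtp.us-east-1.amazonses.com. responded with code NXDOMAIN
"""

def check_mx_target(target, region):
    """Return a list of problems with an MX target for SES receiving in `region`."""
    host = target.strip().rstrip(".").lower()
    match = SES_INBOUND.match(host)
    if match is None:
        if host.endswith(".amazonses.com"):
            return [f"{host}: amazonses.com is not the receiving domain; "
                    f"use inbound-smtp.{region}.amazonaws.com"]
        return [f"{host}: not of the form inbound-smtp.REGION.amazonaws.com"]
    if match.group(1) != region:
        return [f"{host}: region {match.group(1)} differs from SES region {region}"]
    return []

def diagnose_bounce(dsn_text, region):
    """Map each host that failed A/AAAA resolution in a bounce to its problems."""
    failed = {host.lower() for rtype, host, code in LOOKUP.findall(dsn_text)
              if rtype.lower() in ("a", "aaaa") and code == "NXDOMAIN"}
    return {host: check_mx_target(host, region) for host in sorted(failed)}

if __name__ == "__main__":
    for host, problems in diagnose_bounce(BOUNCE, "us-east-1").items():
        for problem in problems:
            print(problem)
```

An MX lookup that returns NOERROR only shows that the record exists; the A/AAAA lookups of its target are what show whether mail can actually be handed off.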
Where is your MX record pointing? It should point to inbound-smtp.REGION.amazonaws.com, such as inbound-smtp.eu-west-1.amazonaws.com.
To receive emails, you must verify the entire domain, and as you explained, you've done that. Verifying individual email addresses would only work for sending emails, not for receiving them.
The bucket policy is correct-ish, in that it is allowing emails to be delivered to S3, but only too well: anyone who knows or guesses the name of your bucket can set SES to deliver mails there, effectively injecting data of their choice into your reception process/pipeline. Also, the Block Public Access (BPA) setting will not interfere with SES's ability to deliver emails, and you should enable all the protection options of BPA. You should restrict the policy statement to allow access only on behalf of the AWS account ID that hosts SES for you, like so:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "ses.amazonaws.com"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::my-bucket-name/*",
            "Condition": {
                "StringEquals": {
                    "aws:SourceAccount": "123456789012"
                }
            }
        }
    ]
}
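As an added example (not part of the thread and not AWS code), this Python check flags bucket policy statements that allow ses.amazonaws.com to write without the account restriction the answer above recommends. Treating aws:SourceAccount or aws:SourceArn under the listed operators as sufficient scoping is an assumption of the example, and the function names are hypothetical.

```python
import json

SCOPING_KEYS = {"aws:sourceaccount", "aws:sourcearn"}  # condition keys are case-insensitive
SCOPING_OPS = {"StringEquals", "ArnEquals", "ArnLike", "StringLike"}  # assumed sufficient

def as_list(value):
    """IAM allows a single value or a list in most places; normalise to a list."""
    return value if isinstance(value, list) else [value]

def is_scoped(statement):
    """True if a condition pins the calling service to an account or resource ARN."""
    for operator, keys in statement.get("Condition", {}).items():
        if operator not in SCOPING_OPS:
            continue
        for key, values in keys.items():
            vals = as_list(values)
            # A bare "*" value restricts nothing, so it does not count as scoping.
            if key.lower() in SCOPING_KEYS and vals and all(v != "*" for v in vals):
                return True
    return False

def unscoped_ses_statements(policy_json):
    """Return indexes of Allow statements that let SES act with no scoping condition."""
    policy = json.loads(policy_json)
    findings = []
    for index, statement in enumerate(as_list(policy.get("Statement", []))):
        principal = statement.get("Principal", {})
        services = as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if (statement.get("Effect") == "Allow"
                and "ses.amazonaws.com" in services
                and not is_scoped(statement)):
            findings.append(index)
    return findings

# Constructed inputs: the policy from the answer above, then the same policy
# with its Condition block removed (any account's SES could deliver to the bucket).
HARDENED = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"Service": "ses.amazonaws.com"},
    "Action": "s3:PutObject",
    "Resource": "arn:aws:s3:::my-bucket-name/*",
    "Condition": {"StringEquals": {"aws:SourceAccount": "123456789012"}}}]})
weak_policy = json.loads(HARDENED)
del weak_policy["Statement"][0]["Condition"]
WEAK = json.dumps(weak_policy)

if __name__ == "__main__":
    print("hardened:", unscoped_ses_statements(HARDENED), "weak:", unscoped_ses_statements(WEAK))
```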
Ok yea I will replace SourceAccount with my account, but I have been trying to get it working before I work on correcting security in order to reduce complexity and narrow down the actual root cause. Also I am using east-1 for both SES and S3. Here is my MX data:
inbound-smtp.us-east-1.amazonses.com
where I use an @ sign as the Name so it points directly to my domain name (I am not using subdomains rn). So based on that, why is this not working? Also I already used online checkers and talked to my domain provider and the MX record is working. I tried talking to AWS support but they don't reply to technical support requests.
Could you clarify what you mean by using an @ sign as the name?
When creating an MX record, my DNS provider documents I should use an @ sign as the value to refer to the base domain address aka 'example.com' instead of specifying something like 'mail' which would point to 'mail.example.com'. Also keep in mind I typed in my domain name aka 'example.com' into multiple MX checker websites and reached out to my DNS provider and everything says it's working correctly. Here is the copy and paste from my DNS config page:
MX @ inbound-smtp.us-east-1.amazonses.com. (Priority: 10) 1 Hour
Okay, clear. @ in that context stands for an "apex record" for your DNS zone, as you're describing. Is your S3 bucket set to use SSE-S3 default encryption?
Yes, it forces me to use encryption so I selected
Server-side encryption with Amazon S3 managed keys (SSE-S3)
Also I have Bucket Keys enabled.
What you've described covers everything that is needed. You've validated your domain name, you have the right MX record, the S3 bucket is in the same region as your SES installation, the S3 bucket policy is permissive enough, the correct email receive rule set is set to active, and the rule set contains one rule, with one recipient, and it's set to deliver the messages in your S3 bucket.
What exactly was contained in the AMAZON_SES_SETUP_NOTIFICATION object appearing in the bucket?
I used a hex editor and it was ASCII saying that an error occurred and to contact AWS without giving me any info on the actual error type, but I just found some more clues in my Gmail box. I pasted what I found in a previous comment above, but it seems to be some sort of DNS issue, although with my A records maybe?
I'm having the same issue, everything verified but no email is getting saved in the s3. https://stackoverflow.com/questions/79422941/aws-ses-email-receiving-deliver-to-s3-doesn-t-work

In 'Email receiving' I see my rule that is set as Active; when I click on it, at the top it also says Active, and below I see that I have 1 rule created which is labeled Enabled. Clicking on this rule I see that I have Status enabled, TLS requirements disabled (I will enable this later), Spam and virus scanning enabled, and then for the recipient conditions I have contact@example.com. The last page I selected deliver to S3 bucket and selected the only S3 bucket I have created (the one I talked about above) with Message encryption disabled. Yes, sending emails to contact@example.com won't show
Does my account have to be production ready for any of this to work, because it does not say that is the case? If so, that could be an issue since AWS just uses bots to authorize production access, so getting accepted is super challenging, but I only need to receive emails right now, which is what I am focused on trying to get working.
No, it doesn't. My small production setup is also in sandbox mode, because it's only used to receive emails, not to send any.