For the most recent update on ongoing service disruptions affecting the AWS Middle East (UAE) Region (ME-CENTRAL-1), refer to the AWS Health Dashboard. For information on AWS Service migration, see How do I migrate my services to another region?
SES configuration set cannot disable account level suppression list
We need to ensure that authentication code emails are delivered via SES, even to recipients who are on the account-level suppression list.
To achieve this, we configured a configuration set as described in the "Do not use any suppression" section of the AWS documentation Using the Amazon SES account-level suppression list as shown below.
Despite using this configuration set, emails sent to addresses on the account suppression list are still being bounced. Below is the related SES tracking information:
{
"eventType":"Bounce",
"bounce":{
"bounceType":"Permanent",
"bounceSubType":"OnAccountSuppressionList",
"bouncedRecipients":[
{
"emailAddress":"...",
"action":"failed",
"status":"5.1.1",
"diagnosticCode":"Amazon SES did not send the message to this address because it is on the suppression list for your account. For more information about removing addresses from the suppression list, see the Amazon SES Developer Guide at https://docs.aws.amazon.com/ses/latest/DeveloperGuide/sending-email-suppression-list.html"
}
],
"timestamp":"2025-04-21T21:28:19.268Z",
},
"mail":{
"tags":{
"ses:operation":[
"SendTemplatedEmail"
],
"ses:configuration-set":[
"bypass-suppression"
],
}
}
}
Question: Why is the configuration set not bypassing the account-level suppression list as expected?
- Newest
- Most votes
- Most comments
Please focus on SES configuration set settings and IAM permissions such as verify the ses:configuration-set tag in the event data, ensure that your IAM role has the necessary permissions to override suppression settings, you may require to explicitly grant SES permissions to bypass suppression.
https://docs.aws.amazon.com/ses/latest/dg/sending-email-suppression-list-config-level.html
As shown in my original post, the event data has the tag ("ses:configuration-set":["bypass-suppression"]), indicating that the configuration set I use is correct.
We also tried to add the following permissions to the email sender IAM permissions, but it still does not work.
ses:ListSuppressedDestinations,ses:PutAccountSuppressionAttributes,ses:PutConfigurationSetSuppressionOptions.Furthermore, if I change the configuration set to: Override account level settings, with configuration set-level suppression enabled, and reason "complaints only"
It can bypass the account-level suppression list as expected. This suggests that the issue is not related to IAM permissions, and that the "disabled suppression list" setting is simply not functioning as intended. However, our use case requires bypassing both bounces and complaints.
Hey,
Hope you're keeping well.
In SES, the configuration set parameter SuppressionOptions with SuppressionsListReasons=[] only works in the SESv2 API (SendEmail and related calls). If you are sending through the older SESv1 API methods like SendEmail or SendTemplatedEmail from the original API namespace, the bypass setting in a configuration set is ignored, and account-level suppression will still apply. To bypass it, you must send using the SESv2 API and explicitly attach the configuration set that has suppression disabled, or remove the address from the account-level suppression list via the SES console or DeleteSuppressedDestination in SESv2 before sending.
Thanks and regards,
Taz
Relevant content
- asked 5 months ago
- AWS OFFICIALUpdated 9 months ago
hi,
SES is region-specific. Can you double-check that the config set was created in the same region you're sending the email from?
@Malini Agrawal Yes, the config set is created in the same region as the email is sent from.