How best to handle SES's domain validation for forwarding incoming emails


Hi, I'm running a custom Lightsail Ubuntu instance which is running a multi-domain virtual web server which is configured by ISPConfig. I'm trying to integrate it with SES. I am out of the SES sandbox.

My setup so far:

Incoming email goes to an S3 bucket, then I get an SNS notification which points to a URL that triggers a script on my server. On my server I have a mount point for the bucket from which my script pulls the email, then injects it into Postfix using Postdrop. This way Postfix can do all the work of delivering the email to the proper accounts on the server as if the email was sent directly to it. This way my users will still be able to use the ISPConfig interface to change/add/edit their email accounts.

My problem:

The issue is when an incoming email needs to forward to an outside email. Unfortunately, SES requires a validated subdomain in the MAIL FROM field, and from what I'm seeing in my mail logs, probably the From and Reply-To headers as well. Normally those fields contain the sender's email address, so that when people reply, it goes to the sender. So changing the From or Reply-To header will cause reply delivery issues.

So, how do I configure Postfix and/or SES to validate properly but keep at least the Reply-To and From headers intact? As MAIL FROM isn't really a header, just an SMTP verb, I thought to just configure Postfix to use a valid static MAIL FROM address, but from what I see in my mail logs, changing just the MAIL FROM address wasn't enough for SES. It complains now about the Reply-To field being unvalidated.


I set up a redirect on my server: -> Someone sends an email from: to Postfix parses the email and tries to forward it to using static credentials, but it fails authentication because the headers aren't valid. This is what is sent to SES:





I get "Not a validated domain in Reply-To" or such in my mail log.

Thanks for any help! Mike

1 Answer

When sending through SES, the From: and Reply-To: headers must be a verified identity. In your use case the From: and/or the Reply-To: are not a verified identity.

answered 2 years ago
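
The rule stated in the answer can be checked on the forwarding server before a message is handed to SES. The following is an added example, not part of the original question or answer: a pre-flight check that lists which From: and Reply-To: addresses fall outside a set of verified identities. The identity list, the sample message and the function names are constructed, and it assumes a verified domain also covers its subdomains.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed sample data: identities assumed to be verified in SES
# (an identity is either a whole domain or a single address).
VERIFIED_IDENTITIES = {"example.org", "forwarder@example.net"}

# Headers the answer says must carry a verified identity.
CHECKED_HEADERS = ("From", "Reply-To")


def is_verified(address, identities=VERIFIED_IDENTITIES):
    """True if the address, its domain, or a parent domain is in identities."""
    address = address.strip().lower()
    if "@" not in address:
        return False
    if address in identities:
        return True
    labels = address.rsplit("@", 1)[1].split(".")
    # Assumption: a verified domain also covers its subdomains.
    return any(".".join(labels[i:]) in identities for i in range(len(labels)))


def unverified_headers(raw_message, identities=VERIFIED_IDENTITIES):
    """Return {header: [addresses]} for every checked header that would fail."""
    msg = message_from_string(raw_message)
    failures = {}
    for name in CHECKED_HEADERS:
        values = msg.get_all(name, [])
        bad = [a for _, a in getaddresses(values) if not is_verified(a, identities)]
        if bad:
            failures[name] = bad
    return failures


# Constructed message as a forward would relay it: external sender left intact.
SAMPLE = (
    "From: Alice <alice@sender.example>\n"
    "Reply-To: alice@sender.example\n"
    "To: user@example.org\n"
    "Subject: hello\n"
    "\n"
    "body\n"
)

if __name__ == "__main__":
    for header, addrs in unverified_headers(SAMPLE).items():
        print(f"{header}: not a verified identity: {', '.join(addrs)}")
```
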
