Amazon SES (Simple Email Service) is the cheapest reliable way to send a newsletter at scale. Ten cents per thousand emails. No subscription, no per-contact pricing. Big publishers run their entire mailing on it — Substack, Beehiiv, Mailchimp, Resend, Postmark — all of them sit on top of SES or similar AWS infrastructure underneath.
The trade-off: you set it up yourself. AWS doesn’t hand-hold. This guide walks every step end-to-end so you don’t get stuck on the parts that catch most operators (DNS records, sandbox approval, bounce handling). Plan on 30–45 minutes the first time you do this.
Before you start
- A domain you own (e.g.
yourname.com). You’ll send fromhello@yourname.comor similar. SES verifies the entire domain, not individual email addresses, so this is the right approach for a newsletter. - Access to your domain’s DNS — wherever you registered the domain (Namecheap, GoDaddy, Cloudflare, Route 53). You’ll add 4–5 records.
- An AWS account. Free to create. AWS asks for a credit card but you won’t be charged unless you send mail.
- 10 minutes patience for DNS propagation between steps.
Step 1 — Sign in to AWS and open SES
Go to aws.amazon.com/console and sign in (or create an account — pick “Personal” or “Business”, give them a card, you’re done).
Once you’re in the AWS Console, type “SES” in the top search bar and click Amazon Simple Email Service. You’ll land on the SES home page.
Step 2 — Pick your region
This matters. SES is region-scoped — settings you make in one region don’t exist in another. Top right of the console there’s a region picker (it’ll say something like “N. Virginia” or “Oregon”).
Pick the region closest to most of your subscribers. For a US audience: us-east-1 (N. Virginia) or us-west-2 (Oregon). For Europe: eu-west-1 (Ireland) or eu-central-1 (Frankfurt). The region affects deliverability latency but only marginally. Pick one and stick with it — moving later means re-verifying your domain.
Step 3 — Verify your sending domain
In the left sidebar of SES, click Verified identities, then Create identity.
- Identity type: Domain (not Email address — domain verification covers every address on the domain).
- Domain: enter your domain (e.g.
yourname.com, nowww, nohttps://). - Tick Use a custom MAIL FROM domain and enter a subdomain like
mail.yourname.com. This is what shows up in bounce-handling headers — using your own MAIL FROM domain dramatically improves deliverability. - Under Advanced DKIM settings: leave Easy DKIM selected, RSA_2048_BIT. Tick Publish DNS records to Route 53 only if your DNS lives in Route 53; otherwise leave unticked.
- Click Create identity.
SES gives you a screen with DNS records to add. Keep this tab open — you’ll need it in the next step.
Step 4 — Add the DNS records
You’ll add four sets of DNS records. Log into your DNS host (Namecheap, GoDaddy, Cloudflare, etc.) in a separate tab.
4a — DKIM records (3 CNAMEs). SES gives you three CNAME records that look like abc123._domainkey.yourname.com pointing at abc123.dkim.amazonses.com. Add all three exactly as shown. These prove emails you send are actually from you.
4b — MAIL FROM records (2 records). One MX record on the subdomain you chose (mail.yourname.com) pointing at feedback-smtp.[region].amazonses.com with priority 10, and one TXT record on the same subdomain with value "v=spf1 include:amazonses.com ~all".
4c — SPF on the root domain. Add (or update) a TXT record on yourname.com with value "v=spf1 include:amazonses.com ~all". If you already have an SPF record, don’t add a second one — edit the existing one to include include:amazonses.com before the closing ~all.
4d — DMARC. This isn’t required by SES but Gmail and Yahoo now require it for bulk senders (5,000+/day). Add a TXT record on _dmarc.yourname.com with value "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@yourname.com; pct=100; adkim=s; aspf=r;". Replace the email address with one you check.
Wait 5–10 minutes, then back in the SES tab refresh the Verified identities page. The domain should flip to Verified with DKIM Successful. If it doesn’t after 30 minutes, your DNS records are wrong — open them in your DNS host and compare character-by-character to what SES shows.
Step 5 — Request production access (leave the sandbox)
By default, every new SES account is in sandbox mode: 200 emails per day, and you can only send to verified email addresses. That’s useless for a newsletter.
In the SES console sidebar, click Account dashboard. You’ll see a banner saying you’re in the sandbox. Click Request production access (or Get set up).
The form asks why you want to send mail. Answer honestly and specifically — vague applications get rejected. Good template:
Mail type: Marketing
Website URL: https://yourname.com
Use case description: “I run a newsletter at yourname.com. Subscribers sign up via a double-opt-in form on the website and confirm via a verification email. They receive a weekly newsletter on [your topic]. Unsubscribes are honoured immediately via one-click unsubscribe headers (RFC 8058) and a footer link. I will monitor bounces and complaints via SNS topics and remove problem addresses automatically. Expected initial volume: 1,000 emails/day, growing with the list.”
Additional contacts: “I do not buy email lists. All addresses come from people who actively signed up on my website.”
Submit. AWS typically approves within 24 hours, often within 2–4 hours. If they reject (usually for vague applications), reply with more specifics — they’ll re-review.
Step 6 — Create SMTP credentials
While you wait for production approval, set up the credentials your newsletter plugin will use to send.
In the SES sidebar, click SMTP settings. You’ll see the SMTP endpoint for your region (e.g. email-smtp.us-east-1.amazonaws.com) and a port (use 587 with STARTTLS).
Click Create SMTP credentials. AWS creates an IAM user behind the scenes that has permission to send mail through SES. Copy the SMTP username and password immediately — AWS shows them once and never again. Save them in a password manager.
Step 7 — Set up bounce and complaint handling (SNS)
This step is optional but strongly recommended. SES will email you about bounces and complaints by default, but for a real newsletter you want them processed automatically — bounces auto-removed from your list, complaints flagged for review.
In the AWS Console, search SNS and open Simple Notification Service. Create two topics — one called ses-bounces, one called ses-complaints. Note the ARN (Amazon Resource Name) of each.
Back in SES, open your verified domain identity, scroll to Notifications, and assign the SNS topics to Bounce and Complaint feedback. Save.
Now you can subscribe an HTTPS endpoint (your WordPress site) to those topics to auto-process events. Most decent newsletter plugins have a webhook endpoint for this. If yours doesn’t, leave the SNS topics in place and check them manually weekly — better than nothing.
Step 8 — Configure your newsletter plugin
Open your newsletter plugin’s settings (in WordPress: Newsletter → Settings → Sender or Email Provider). Pick SMTP as the provider type and enter:
- Host:
email-smtp.[your-region].amazonaws.com - Port:
587 - Encryption: TLS (also called STARTTLS)
- Username: the SMTP username from Step 6
- Password: the SMTP password from Step 6
- From email: any address on your verified domain (e.g.
hello@yourname.com) - From name: your newsletter’s name
Save the settings.
Step 9 — Send a test
From the newsletter plugin, send a test email to your own address. If it arrives, you’re done. If it doesn’t:
- Check the plugin’s send log for the error message.
- If you see “535 Authentication failed”: SMTP credentials are wrong. Re-create in SES (Step 6) and re-paste.
- If you see “Email address not verified”: you’re still in sandbox mode. Either wait for production approval, or verify your test recipient address in SES → Verified identities first.
- If you see “Daily sending quota exceeded”: you’ve hit the 200/day sandbox limit. Same fix — wait for production approval.
What it costs
SES pricing is straightforward: $0.10 per 1,000 emails sent. That’s it. A 10,000-subscriber newsletter sending one weekly issue costs $4/month. Compare to ConvertKit at $79/month for the same list, or Mailchimp at $100+. For pure deliverability infrastructure, nothing beats SES on price.
If you’re hosting your WordPress site on EC2, you also get 62,000 emails/month free from SES — only when sent from an EC2 instance. Most operators won’t hit this.
Common gotchas
Sandbox limits are real. Don’t announce your launch before production access is approved. Apply the day you set SES up.
DNS propagation is slow. If your records look right but the domain won’t verify, give it 30 minutes. Cloudflare propagates in 1–2 minutes; Namecheap can take 30+.
Don’t reuse the same SPF record. If you have one already (most domains do), edit it to include amazonses.com — don’t add a second TXT record. Multiple SPF records on the same domain break email auth entirely.
Watch your bounce rate. SES will throttle or suspend you if your bounce rate exceeds 5% or complaint rate exceeds 0.1%. Process bounces. Remove invalid addresses.
Warm up the IP. If you’re going from 0 to 50,000 sends overnight, AWS will throttle you anyway. Ramp gradually over 2–4 weeks if possible.
Once you’re up
That’s the whole setup. From here on, SES is the cheapest, most reliable workhorse in your stack — your newsletter plugin handles the editorial workflow, SES handles the sending, AWS bills you ten cents per thousand emails sent.
If you’re running One Two Three Send on WordPress, the SMTP provider option above is built in — paste the SES credentials into Newsletter → Settings → Email Provider and you’re sending. Same plugin, same workflow, infrastructure that costs $4/month instead of $100.
Subscribe to One Two Three Send for more no-nonsense guides on the infrastructure behind running a profitable newsletter.
Some links in this post are affiliate links — we earn a small commission if you sign up through them, at no cost to you. We only recommend tools we actually use.