Setting up Customer Engagement: Amazon Simple Email Service (SES) with the RockRMS SMTP Transport

Amazon Simple Email Service (SES) is a free SMTP mail delivery service that also falls into the free tier if you are hosting your RockRMS environment on Amazon's AWS services. You can send up to 50,000 emails per month within this free limit. For those hosting on premises or another cloud provider such as Azure or Google Cloud Services this still has a robust feature set that's worthy of looking into and competitively priced from existing integrated services such as Mailgun and Sendgrid, see AWS SES Pricing for details.

As it works today with the standard SMTP mail transport it does not capture open or click tracking back into RockRMS. We have another video at the end of this article that shows an overview on how you are able to get Open/Clicks tracking through AWS CloudWatch and PostFix. (If anyone is willing to help with developing a modified Email Analytics and Communication Details blocks to pull in the AWS CloudWatch Click/Open data into RockRMS with the Cloudwatch API please contact us)

This recipe is part of the much more detailed Free Tier AWS Hosting for RockRMS write-up. I decided to break it out as it can live on it's own to show another option for email sending services outside of the often used Mailgun and Sendgrid world.

RockRMS_AWS DemoSiteInstall_Part6_SES from Harvest Pittsburgh North on Vimeo.

Table of Contents

Click on the topics below to jump to that section:

  1. Setup SES on your existing AWS account  Back to Top
    [Video Timestamp - 0:00:00]
    1A: After you've logged into your Amazon account at
    In the top header go to the "Services" drop-down next to the AWS logo

    In the search bar type "SES" and select the first result "Simple Email Service"


    This loads the SES Home Dashboard where we will setup our email communications service

    1B: Click the "Domains" link in the left-hand navigation menu. Then click the blue "Verify a New Domain" button to add your domain identity.

    Enter your domain (removing any sub domain prefixes) and select the Generate DKIM Settings toggle and then click the blue "Verify This Domain" button.

    After that step you can expand your domain identity section details to see the status, which will be unverified at this time. You can return to this area to check on the status as you continue the verification process.
    [Video Timestamp - 0:01:30]
    1C: Click on the actual Domain Identity link, this page will show you all of the detail regarding the status and records on the domain that you are validating. Amazon will give you a few validation records that you will need to copy and put in your domains DNS settings.
    Log in to your DNS service and add a new TXT record. Copy and paste the TXT Name and TXT Value provided in this Domains dashboard so that AWS can validate the ownership of your domain for the SES service.
    Once you've added these records in your DNS settings you will see the status of your domain record update from Pending to Verified.
    Now you can successfully use your new SES service to send emails. However, out of the gate AWS puts your new domain into a "sandbox" for testing purposes reducing the number of emails you can send as well as only allowing sends from within your own domain space (you can't send to any other email account such as,, until moving on to the next step).

  2. Update SES Account from Sandbox to Production Back to Top
    [Video Timestamp - 0:02:00]
    2A: Open up a support ticket by clicking on the "Support" menu in the upper-right hand corner of the page then click on the "Support Center" link within the drop-down menu.

    P6-2B: In the Support Center page you'll begin the process of getting out of the SES sandbox by clicking the orange "Create case" button in the upper-right hand corner of the My support cases area.

    In the newly opened case, provide details as to what you will be using the SES service for. Feel free to use ours as a template below and modify according to your organization and AWS account details:

    Limit Increase Request 1
    Service: SES Sending Limits
    Region: US East (Northern Virginia)
    Limit Name: Desired Daily Sending Quota
    New Limit value: 500
    Limit Increase Request 2
    Service: SES Sending Limits
    Region: US East (Northern Virginia)
    Limit Name: Desired Maximum Send Rate
    New Limit value: 25
    Use case description: We are primarily using the SES service for internal system email from a ChMS system. We plan in the future to send correspondences to those signing up for events and overall notifications for volunteers / staff members.
    Mail Type: Marketing
    Website URL:
    Describe how you will comply with and : We only send to recipients in our system's collection
    Describe how you will only send to recipients who have specifically requested your mail: Users must provide their email and opt-in to receiving our communication.
    Describe the process that you will follow when you receive bounce and complaint notifications: We can remove stale email addresses and have a 'Unsubscribe / Remove me from your list' link in all of our email templates.

    Category: Service Limit Increase, SES Sending Limit
    Cage Type: Service limits


    Once the case has been marked Resolved and the temporary sandbox restriction lifted you can now move on. This may take a few business days.
    You may now go back to your Domain Settings in the SES dashboard.

    [Video Timestamp - 0:04:28]
    2C: In order for us to use this mail transport we need to create SMTP credentials in order to authenticate our AWS account within RockRMS for the SMTP transport.
    Click on the "SMTP Settings" link from the left-hand navigation and then click the blue "Create My SMTP Credentials" button.
    Provide an IAM User Name that is recognizable for your organizational needs. Then click on the blue "Download Credentials" button in the lower right-hand corner of this screen.

    Save your credentials file (CSV) on your desktop or wherever you can easily find it later. Do not lose track of this file.

    You may now close the SMTP Credentials window and it'll return you to the Identity and Access Management (IAM) dashboard. There is no action we need to take here at this time.

  3. Ensure the EC2 has outbound access for the SMTP service Back to Top
    [Video Timestamp - 0:05:53]
    3A: We now need to ensure that our EC2 has outbound access to the mail relay ports. So we'll do this by checking our security groups Outbound rules settings.
    In the top header go to the "Services" drop-down next to the AWS logo
    In the search bar type "EC2" or find it in your history.

    3B: Navigate to the Security Groups from within the EC2 dashboard by clicking on "Security Groups" from the left-hand navigation under the Network and Security section.

    Select the "web_sg" security group if that's what you named yours and navigate to the "Outbound" rules tab.

    3C: Create a new Custom TCP Rule on port 587 with a destination of, you can add a description of "SMTP" so that you remember why this port is opened, for outgoing mail service.

  4. Setting up the RockRMS SMTP Mail Transport Back to Top
    [Video Timestamp - 0:06:35]
    4A: You are now ready to setup your RockRMS SMTP Mail Transport with the AWS SES service.
    Begin by logging into your RockRMS admin site, navigate to Admin Tools (Briefcase Icon on left-hand nav) and then Communications.
    Once you get to the Communications page you'll want to select the Communication Transports button notated by the truck icon.


    4B: Within the Communication Transports page you'll then want to click on the SMTP transport to edit it and enter your new AWS SES credentials we previously generated.

    [Video Timestamp - 0:07:30] 
    4C: In order to properly setup the SMTP Transport you need some an access key for the new SES user we previously created.
    In the top header go to the "Services" drop-down next to the AWS logo
    In the search bar type "IAM" to go to the Identity and Access Management dashboard or find it in your history.
    From this dashboard click on the "Users" link in the left-hand navigation and then select your newly created ses IAM user account.

    In the Summary screen for this user click on the "Security Credentials" tab.
    Here you can copy the Access Key ID for the ses IAM account below and paste it into the User Name field of the SMTP Transport in RockRMS.

    [Video Timestamp - 0:08:40]
    4D: Open up the credentials.csv file that was your saved AWS SES credentials in order to copy/paste the Password (highlighted in green below) into the RockRMS SMTP setting dialog. Ensure that the Port is set to 587, the transport is set to Active, and that Use SSL is set to Yes.
    You will need to update the Server field to the region that you are running your AWS services from such as
    Note: The SES service is only available on 5 or so regions, pick the one closest to the region you are hosting from that has SES available, it does not have to directly match yours.
    Click the "Save" button on the SMTP Properties dialog.

  5. Send an Internal Communication Email Test - Back to Top
    [Video Timestamp - 0:10:05]

    5A: Now that all of the SES and SMTP settings have been established we can send the first internal email communication for testing purposes. You'll want to be familiar with how to send emails within RockRMS so you'll want to read and reference the Communicating Using Rock manual and/or check out all of the Communication RockU Videos
    Communicating in Rock
    Ensure that your domain has been validated in the SES dashboard then in RockRMS go to People - New Communication to create a test email.

    5B: Once the New Communication email has been sent you can check the status within RockRMS by navigating to People - Communication History and finding the email communication sent to check the delivery status. 
    5C: You can also check your domain's reputation status in the SES dashboard by clicking the "Reputation Dashboard" link from the left-hand navigation menu. Once your Service Ticket for the sending limits has been approved and the limits lifted you'll be able to send easily outside of your domain and to your entire congregation.
    Note: At this time clicks and opens are not tracked within RockRMS for SES. We do have an upcoming how-to which we'll update here for doing that through AWS's Cloudwatch service and a simple turn-key Linux VM using the PostFix service to capture each communication and re-write the header information in order to then track Clicks and Opens in your email communications. See video below on an overview of how this is done w

    If anyone is interested in partnering with us to modify/fork the existing Communications Analytics block to digest the AWS Cloudwatch API we'd greatly appreciate the support. Please email for inquiries.

    RockRMS_AWS DemoSiteInstall_Part6_PostfixCloudwatchAnalytics from Harvest Pittsburgh North on Vimeo.

    Back to Top