When building a business email system, it's common to want to leverage different services for their specialized capabilities. AWS Simple Email Service (SES) offers excellent deliverability and cost-effectiveness for sending emails, while Gmail/G Suite provides robust receiving and management features. The configuration challenge lies in properly setting up DNS records to make this hybrid approach work seamlessly.
The core of this setup revolves around three critical DNS record types in Route53:
- MX Records - For mail routing to Gmail
- SPF Records - For sender authentication
- TXT Records - Additional verification
Here's the complete DNS setup you need in Amazon Route53 for your domain (example.com):
; MX Records
example.com. IN MX 1 ASPMX.L.GOOGLE.COM.
example.com. IN MX 5 ALT1.ASPMX.L.GOOGLE.COM.
example.com. IN MX 5 ALT2.ASPMX.L.GOOGLE.COM.
example.com. IN MX 10 ALT3.ASPMX.L.GOOGLE.COM.
example.com. IN MX 10 ALT4.ASPMX.L.GOOGLE.COM.
; SPF Record
example.com. IN TXT "v=spf1 include:_spf.google.com include:amazonses.com ~all"
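; SES Verification (a name may carry only one v=spf1 record, so SPF is not repeated here)
_amazonses.example.com. IN TXT "fmZbG/9wABcOmRzKjqzV4w7X4fExampleVerificationString"
; DMARC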
_dmarc.example.com. IN TXT "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
The SPF record is crucial for preventing email spoofing. The correct format combines both Google and Amazon SES:
"v=spf1 include:_spf.google.com include:amazonses.com ~all"
This tells receiving servers that emails from your domain can come from either Google's servers (for receiving) or Amazon SES servers (for sending). The ~all indicates a soft fail for other sources.
In the AWS SES console, you need to verify your domain. This generates a specific TXT record to add to Route53:
_amazonses.example.com. IN TXT "fmZbG/9wABcOmRzKjqzV4w7X4fExampleVerificationString"
For better email deliverability, set up DKIM with SES:
# AWS CLI command to enable DKIM
aws ses set-identity-dkim-enabled \
  --identity example.com \
  --dkim-enabled
This will generate 3 CNAME records in Route53 with names like:
xxxxxx._domainkey.example.com. IN CNAME xxxxxx.dkim.amazonses.com.
Use these commands to verify your setup:
# Check MX records
dig MX example.com +short
# Check SPF record
dig TXT example.com +short
# Check SES verification
dig TXT _amazonses.example.com +short
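A small Node.js audit of the TXT answers those dig commands return, added here as an example (it is not code from the original page; the function names and sample strings are constructed). It flags more than one v=spf1 record on a name, a missing Google or SES include, a permissive all term, and a DMARC policy of p=none.

```javascript
// Added example. Inputs are TXT answers as `dig TXT <name> +short` prints them.
function unquote(txt) {
  // dig prints TXT data as one or more quoted chunks; join them into one string.
  const parts = txt.match(/"([^"]*)"/g);
  return parts ? parts.map(p => p.slice(1, -1)).join('') : txt.trim();
}

function auditSpf(txtRecords, requiredIncludes) {
  const spf = txtRecords.map(unquote).filter(r => /^v=spf1(\s|$)/i.test(r));
  if (spf.length === 0) return ['no SPF record'];
  const findings = [];
  // RFC 7208 section 4.5: more than one v=spf1 record on a name is a permerror.
  if (spf.length > 1) findings.push(`${spf.length} SPF records on one name (permerror)`);
  for (const record of spf) {
    const terms = record.split(/\s+/).slice(1);
    for (const inc of requiredIncludes) {
      if (!terms.includes(`include:${inc}`)) findings.push(`"${record}" lacks include:${inc}`);
    }
    const all = terms.find(t => /^[+?~-]?all$/i.test(t));
    if (!all) findings.push(`"${record}" has no all mechanism`);
    else if (/^[+?]?all$/i.test(all)) findings.push(`"${record}" uses ${all}, so unlisted senders do not fail`);
  }
  return findings;
}

function auditDmarc(txt) {
  const tags = {};
  for (const part of unquote(txt).split(';')) {
    const [key, ...value] = part.split('=');
    if (key.trim()) tags[key.trim().toLowerCase()] = value.join('=').trim();
  }
  const findings = [];
  if (tags.v !== 'DMARC1') findings.push('not a DMARC1 record');
  if (tags.p === 'none') findings.push('p=none is monitoring only: failing mail is still delivered');
  if (!tags.rua) findings.push('no rua address for aggregate reports');
  return findings;
}

// Constructed sample answers (not real lookups).
const INCLUDES = ['_spf.google.com', 'amazonses.com'];
const COMBINED = ['"v=spf1 include:_spf.google.com include:amazonses.com ~all"'];
const SPLIT = ['"v=spf1 include:_spf.google.com ~all"', '"v=spf1 include:amazonses.com ~all"'];
const DMARC = '"v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"';

console.log(auditSpf(COMBINED, INCLUDES));
console.log(auditSpf(SPLIT, INCLUDES));
console.log(auditDmarc(DMARC));
```

To audit a live zone, pass each line of the dig output as one array element.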
If emails aren't working properly:
- Wait 48 hours for DNS changes to propagate fully
- Verify all records exactly match what SES and Google provide
- Check for typos in domain names (common mistake: example.com vs www.example.com)
- Test with email header analyzers like MXToolbox or Google Admin Toolbox
To allow specific IAM users to send from your domain:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ses:SendEmail",
      "Resource": "arn:aws:ses:us-east-1:123456789012:identity/example.com"
    }
  ]
}
When integrating AWS Simple Email Service (SES) with Google Workspace (formerly G Suite), we're essentially creating a hybrid email system where:
- SES handles outbound email delivery
- Google Workspace manages email reception and inbox functionality
For Route53-hosted domains, these DNS records are critical:
; MX Records for Google Mail reception
@ 3600 IN MX 1 ASPMX.L.GOOGLE.COM.
@ 3600 IN MX 5 ALT1.ASPMX.L.GOOGLE.COM.
@ 3600 IN MX 5 ALT2.ASPMX.L.GOOGLE.COM.
@ 3600 IN MX 10 ALT3.ASPMX.L.GOOGLE.COM.
@ 3600 IN MX 10 ALT4.ASPMX.L.GOOGLE.COM.
; SPF Record combining both services
@ 3600 IN TXT "v=spf1 include:_spf.google.com include:amazonses.com ~all"
To authenticate your SES-sent emails:
- In SES console, verify your domain
- Generate DKIM records
- Add these CNAME records to Route53:
; Example DKIM records
xxxxxxxxxxxx._domainkey 3600 IN CNAME xxxxxxxxxxxx.dkim.amazonses.com.
yyyyyyyyyyyy._domainkey 3600 IN CNAME yyyyyyyyyyyy.dkim.amazonses.com.
zzzzzzzzzzzz._domainkey 3600 IN CNAME zzzzzzzzzzzz.dkim.amazonses.com.
For comprehensive email security:
_dmarc 3600 IN TXT "v=DMARC1; p=none; rua=mailto:youremail@yourdomain.com; ruf=mailto:youremail@yourdomain.com; fo=1"
When configuring applications to use SES:
// Node.js example using AWS SDK
const AWS = require('aws-sdk');
AWS.config.update({region: 'us-east-1'});
const ses = new AWS.SES({apiVersion: '2010-12-01'});
const params = {
  Destination: {
    ToAddresses: ['recipient@example.com']
  },
  Message: {
    Body: {
      Text: {
        Data: 'This is the message body.'
      }
    },
    Subject: {
      Data: 'Test email'
    }
  },
  Source: 'sender@yourdomain.com'
};
ses.sendEmail(params).promise()
  .then(data => console.log(data))
  .catch(err => console.error(err));
Key verification steps:
# Check DNS propagation
dig MX yourdomain.com
dig TXT yourdomain.com
Remember to:
- Wait for DNS propagation (up to 48 hours)
- Verify SES domain in AWS console
- Check Google Admin Console for proper domain configuration