

# Setting up Amazon SES email receiving
<a name="receiving-email-setting-up"></a>

This section describes the prerequisites that are required before you can begin to configure Amazon SES to receive your mail. It's important that you've read [Email receiving concepts & use cases](receiving-email-concepts.md) to understand the concepts of how Amazon SES works and to consider how you want to receive, filter, and process your email.

Before you can configure email receiving by creating a *rule set*, *receipt rules*, and *IP address filters*, you must first complete the following setup prerequisites:
+ Verify your domain with Amazon SES by publishing DNS records to prove that you own it.
+ Permit Amazon SES to receive email for your domain by publishing an MX record.
+ Give Amazon SES permission to access other AWS resources in order to execute receipt rule actions.

When you create and verify a domain identity, you publish records in your DNS settings to complete the verification process, but that alone is not enough for email receiving. Specific to email receiving, you must also publish an MX record for specifying a custom mail-from domain; this record in your domain's DNS settings permits SES to receive email for your domain. Granting permissions is required because the actions you choose in your receipt rules won't work unless Amazon SES has permission to use the AWS service that each action requires.

**Topics**
+ [Verifying your domain for Amazon SES email receiving](receiving-email-verification.md)
+ [Publishing an MX record for Amazon SES email receiving](receiving-email-mx-record.md)
+ [Giving permissions to Amazon SES for email receiving](receiving-email-permissions.md)

# Verifying your domain for Amazon SES email receiving
<a name="receiving-email-verification"></a>

As with any domain you want to use for sending or receiving email with Amazon SES, you must first prove that you own it. The verification procedure includes initiating domain verification with SES and then publishing the DNS records, either CNAME or TXT, to your DNS provider depending on which verification method you use.

Through the console, you can verify your domains with either [Easy DKIM](send-email-authentication-dkim-easy.md) or [Bring Your Own DKIM (BYODKIM)](send-email-authentication-dkim-bring-your-own.md) and copy their DNS records to publish to your DNS provider; how to do this is explained in [Creating a domain identity](creating-identities.md#verify-domain-procedure). Optionally, you can use either the SES [VerifyDomainDkim](https://docs.aws.amazon.com/ses/latest/APIReference/API_VerifyDomainDkim.html) or [VerifyDomainIdentity](https://docs.aws.amazon.com/ses/latest/APIReference/API_VerifyDomainIdentity.html) API.

You can confirm that your domain or email address is verified by looking at its status in the [Verified identities](view-verified-domains.md) table in the SES console or by using either the SES [GetIdentityVerificationAttributes](https://docs.aws.amazon.com/ses/latest/APIReference/API_GetIdentityVerificationAttributes.html) or [GetEmailIdentity](https://docs.aws.amazon.com/ses/latest/APIReference-V2/API_GetEmailIdentity.html) API.

# Publishing an MX record for Amazon SES email receiving
<a name="receiving-email-mx-record"></a>

A *mail exchanger* record (*MX record*) is a configuration that specifies which mail servers can accept email that's sent to your domain. 

To have Amazon SES manage your incoming email, you need to add an MX record to your domain's DNS configuration. The MX record that you create refers to the endpoint that receives email for the AWS Region where you use Amazon SES. For example, the endpoint for the US West (Oregon) Region is *inbound-smtp.us-west-2.amazonaws.com*. For a complete list of endpoints, see [SES regions and endpoints](regions.md#region-endpoints).

**Note**  
The endpoints that receive email in Amazon SES aren't IMAP or POP3 email servers. You can't use these URLs as incoming mail servers in email clients. If you need a solution that can both send and receive email by using an email client, consider using [Amazon WorkMail](https://aws.amazon.com/workmail).

The following procedure includes general steps for creating an MX record. *The specific procedures for creating an MX record depend on your DNS or hosting provider.* See your provider's documentation for information about adding an MX record to the DNS configuration for your domain.

**To add an MX record to the DNS configuration for your domain**

1. (Prerequisite) To complete these procedures, you will need to modify the DNS records for your domain. If you can't access the DNS records, or you're not comfortable doing so, contact your system administrator for assistance.

1. Sign in to the management console for your DNS provider.

1. Create a new MX record.

1. For the MX record **Name**, enter your domain. For example, if you want Amazon SES to manage email that's sent to the domain *example.com*, enter the following:

   ```
   example.com.
   ```
**Note**  
Depending on your DNS provider: 1) The trailing `.` at the end of the domain extension may not be required. 2) The **Name** field may be referred to as the **Host**, **Domain**, or **Mail Domain**.

1. For **Type**, choose **MX**.
**Note**  
Some DNS providers refer to the **Type** field as the **Record Type** or a similar name.

1. For **Value**, enter the following:

   ```
   10 inbound-smtp.region.amazonaws.com
   ```

   In the preceding example, replace *region* with the code of the AWS Region in which you use Amazon SES; the endpoint that receives email for that Region is the resulting hostname. For example, if you're using the US East (N. Virginia) Region, replace *region* with `us-east-1`. For a complete list of email receiving endpoints, see [SES regions and endpoints](regions.md#region-endpoints).
**Note**  
The management consoles of some DNS providers include separate fields for the record **Value** and the record **Priority**. If this is the case for your DNS provider, enter `10` for the **Priority** value, and enter the incoming mail endpoint URL for the **Value**.

**Important**  
The specific procedures for creating an MX record depend on your DNS or hosting provider. See your provider's documentation or contact them for information about adding an MX record to the DNS configuration for your domain.
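Once the record is published, it is worth checking what the domain actually advertises, because a leftover MX record from a previous mail provider with a lower preference value is tried before SES. The following script is an added example, not part of the SES documentation: it parses MX answers in the text form `dig` prints and reports whether an SES inbound endpoint is the most-preferred host. All hostnames and answers in it are constructed samples, and no DNS lookup is performed.

```python
"""Check whether a domain's MX records hand inbound mail to the SES endpoint.
Added example, not part of the SES documentation. It parses MX answers in the
text form `dig` prints (constructed samples below; no DNS lookup is made) and
reports which host will be tried first, since the lowest preference wins."""
import re

# Shape of the SES inbound endpoints, e.g. inbound-smtp.us-west-2.amazonaws.com
SES_INBOUND = re.compile(r"^inbound-smtp\.([a-z0-9-]+)\.amazonaws\.com$")

def parse_mx(answer_text):
    """Return (preference, host) tuples from `dig +short MX` or full answer lines."""
    records = []
    for line in answer_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0].startswith(";"):
            continue          # skip blank lines and dig comments
        # Both "10 host." and "example.com. 300 IN MX 10 host." end in preference, host.
        preference, host = int(fields[-2]), fields[-1].rstrip(".").lower()
        records.append((preference, host))
    return records

def check_ses_mx(answer_text, expected_region=None):
    """Return (ok, detail): ok is True only when SES is the preferred receiver."""
    records = parse_mx(answer_text)
    if not records:
        return False, "no MX records published"
    best = min(pref for pref, _ in records)
    regions = set()
    for pref, host in records:
        if pref != best:
            continue          # only the most-preferred hosts are tried first
        match = SES_INBOUND.match(host)
        if not match:
            return False, f"{host} (preference {best}) is tried before SES"
        regions.add(match.group(1))
    if len(regions) != 1:
        return False, f"preferred MX records span several regions: {sorted(regions)}"
    region = regions.pop()
    if expected_region and region != expected_region:
        return False, f"MX points at {region}, but the receipt rules are in {expected_region}"
    return True, region

# Constructed sample answers (not real DNS data).
GOOD = "10 inbound-smtp.us-west-2.amazonaws.com.\n"
LEGACY_FIRST = ("5 mail.legacy-provider.example.\n"
                "10 inbound-smtp.us-west-2.amazonaws.com.\n")
FULL_ANSWER = "example.com.\t300\tIN\tMX\t10 inbound-smtp.us-east-1.amazonaws.com.\n"

if __name__ == "__main__":
    for label, answer in [("good", GOOD), ("legacy first", LEGACY_FIRST), ("full", FULL_ANSWER)]:
        print(label, check_ses_mx(answer, expected_region="us-west-2"))
```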

## Instructions for creating MX records for various providers
<a name="receiving-email-mx-record-links"></a>

The procedures for creating an MX record for your domain depend on which DNS provider you use. This section includes links to the documentation for several common DNS providers. This list isn't a complete list of providers. If your provider isn't listed below, you can probably still use it with Amazon SES. Inclusion on this list isn’t an endorsement or recommendation of any company’s products or services.


| DNS/Hosting Provider Name | Documentation Link | 
| --- | --- | 
|  Amazon Route 53  |  [Creating Records by Using the Amazon Route 53 Console](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resource-record-sets-creating.html)  | 
|  GoDaddy  |  [Add an MX record](https://www.godaddy.com/help/add-an-mx-record-19234) (external link)  | 
|  DreamHost  |  [How do I change my MX records?](https://help.dreamhost.com/hc/en-us/articles/215035328) (external link)  | 
|  Cloudflare  |  [Set up email records](https://developers.cloudflare.com/dns/manage-dns-records/how-to/email-records/) (external link)  | 
|  HostGator  |  [Changing MX records - Windows](https://www.hostgator.com/help/article/changing-mx-records-windows) (external link)  | 
|  Namecheap  |  [How can I set up MX records required for mail service? ](https://www.namecheap.com/support/knowledgebase/article.aspx/322/2237/how-can-i-set-up-mx-records-required-for-mail-service) (external link)  | 
|  Names.co.uk  |  [Changing your domain's DNS settings](https://www.names.co.uk/support/domains/1156-changing_your_domains_dns_settings.html) (external link)  | 
|  Wix  |  [Adding or Updating MX Records in Your Wix Account](https://support.wix.com/en/article/adding-or-updating-mx-records-in-your-wix-account) (external link)  | 

# Giving permissions to Amazon SES for email receiving
<a name="receiving-email-permissions"></a>

Some of the tasks that you can perform when you receive email in SES, such as writing email to an Amazon Simple Storage Service (Amazon S3) bucket or calling an AWS Lambda function, require special permissions. This section includes example policies for several common use cases.

**Topics**
+ [Setting up IAM role permissions for Deliver to S3 bucket action](#receiving-email-permissions-s3-iam-role)
+ [Give SES permission to write to an S3 bucket](#receiving-email-permissions-s3)
+ [Give SES permission to use your AWS KMS key](#receiving-email-permissions-kms)
+ [Give SES permission to invoke an AWS Lambda function](#receiving-email-permissions-lambda)
+ [Give SES permission to publish to an Amazon SNS topic that belongs to a different AWS account](#receiving-email-permissions-sns)

## Setting up IAM role permissions for Deliver to S3 bucket action
<a name="receiving-email-permissions-s3-iam-role"></a>

The following points apply to this IAM role:
+ It can only be used for the [Deliver to S3 bucket action](receiving-email-action-s3.md).
+ It must be used if you want to write to an S3 bucket that exists in a region where SES [Email receiving](regions.md#region-receive-email) isn't available.

If you want to write to an S3 bucket, you can provide an IAM role with permissions to access the relevant resources for the [Deliver to S3 bucket action](receiving-email-action-s3.md). You also need to give SES permission to assume that role to perform the action through an IAM trust policy, as explained in the [next section](#receiving-email-permissions-s3-iam-role-trust).

This permission policy must be pasted into the IAM role's inline policy editor—see [Deliver to S3 bucket action](receiving-email-action-s3.md) and follow the steps given in the **IAM role** item. (The following example also includes optional permissions in case you want to use SNS topic notification, or a customer managed key in the S3 action.)

**Note**  
You have the option to set up the S3 action without specifying an IAM role by allowing just the SES service in the S3 bucket policy, as shown in [Give SES permission to write to an S3 bucket](#receiving-email-permissions-s3). This works for cross-account scenarios as well.
If you specify an IAM role for the S3 action, SES assumes that role for the `PutObject` operation, and the IAM permissions specified here are sufficient for same-account usage. For cross-account usage, however, you also need a bucket policy that allows the IAM role to `PutObject` in the bucket. The bucket owner grants this as explained in [Bucket owner granting cross-account bucket permissions](https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-walkthroughs-managing-access-example2.html).

```
{
    "Version":"2012-10-17",
    "Statement": [
        {
            "Sid": "S3Access",
            "Effect": "Allow",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/*"
        },
        {
            "Sid": "SNSAccess",
            "Effect": "Allow",
            "Action": "sns:Publish",
            "Resource": "arn:aws:sns:region:111122223333:my-topic"
        },
        {
            "Sid": "KMSAccess",
            "Effect": "Allow",
            "Action": "kms:GenerateDataKey*",
            "Resource": "arn:aws:kms:region:111122223333:key/key-id"
        }
    ]
}
```


Make the following changes to the preceding policy example:
+ Replace *amzn-s3-demo-bucket* with the name of the S3 bucket that you want to write to.
+ Replace *region* with the AWS Region where you created the receipt rule.
+ Replace *111122223333* with your AWS account ID.
+ Replace *my-topic* with the name of the SNS topic that you want to publish notifications to.
+ Replace *key-id* with the ID of your KMS key.

### Trust policy for S3 action IAM role
<a name="receiving-email-permissions-s3-iam-role-trust"></a>

Add the following trust policy to the *Trust relationships* of the IAM role to allow SES to assume that role.

**Note**  
The manual addition of this trust policy is only required if you did not create your IAM role from the SES console using the steps given in the **IAM role** item of the [Deliver to S3 bucket action](receiving-email-action-s3.md) workflow. *When you create the IAM role from the console, this trust policy is automatically generated and applied to the role for you making this step unnecessary.*

```
{
    "Version":"2012-10-17",
    "Statement": [
        {
            "Sid": "AllowSESAssume",
            "Effect": "Allow",
            "Principal": {
                "Service": "ses.amazonaws.com"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                  "AWS:SourceAccount":"111122223333",
                  "AWS:SourceArn": "arn:aws:ses:region:111122223333:receipt-rule-set/rule_set_name:receipt-rule/receipt_rule_name"
                }
            }
        }
    ]
}
```


Make the following changes to the preceding policy example:
+ Replace *region* with the AWS Region where you created the receipt rule.
+ Replace *111122223333* with your AWS account ID.
+ Replace *rule_set_name* with the name of the rule set that contains the receipt rule that contains the deliver to Amazon S3 bucket action.
+ Replace *receipt_rule_name* with the name of the receipt rule that contains the deliver to Amazon S3 bucket action.

## Give SES permission to write to an S3 bucket
<a name="receiving-email-permissions-s3"></a>

When you apply the following policy to an S3 bucket, it gives SES permission to write to that bucket as long as it exists in a region where SES [Email receiving](https://docs.aws.amazon.com/general/latest/gr/ses.html#ses_inbound_endpoints) is available—if you want to write to a bucket outside of an *Email receiving* region, see [Setting up IAM role permissions for Deliver to S3 bucket action](#receiving-email-permissions-s3-iam-role). For more information about creating receipt rules that transfer incoming email to Amazon S3, see [Deliver to S3 bucket action](receiving-email-action-s3.md).

For more information about attaching policies to S3 buckets, see [Using Bucket Policies and User Policies](https://docs.aws.amazon.com/AmazonS3/latest/userguide/using-iam-policies.html) in the *Amazon Simple Storage Service User Guide*.

```
{
  "Version":"2012-10-17",
  "Statement":[
    {
      "Sid":"AllowSESPuts",
      "Effect":"Allow",
      "Principal":{
        "Service":"ses.amazonaws.com"
      },
      "Action":"s3:PutObject",
      "Resource":"arn:aws:s3:::amzn-s3-demo-bucket/*",
      "Condition":{
        "StringEquals":{
          "AWS:SourceAccount":"111122223333",
          "AWS:SourceArn": "arn:aws:ses:region:111122223333:receipt-rule-set/rule_set_name:receipt-rule/receipt_rule_name"
        }
      }
    }
  ]
}
```


Make the following changes to the preceding policy example:
+ Replace *amzn-s3-demo-bucket* with the name of the S3 bucket that you want to write to.
+ Replace *region* with the AWS Region where you created the receipt rule.
+ Replace *111122223333* with your AWS account ID.
+ Replace *rule_set_name* with the name of the rule set that contains the receipt rule that contains the deliver to Amazon S3 bucket action.
+ Replace *receipt_rule_name* with the name of the receipt rule that contains the deliver to Amazon S3 bucket action.

## Give SES permission to use your AWS KMS key
<a name="receiving-email-permissions-kms"></a>

In order for SES to encrypt your emails, it must have permission to use the AWS KMS key that you specified when you set up your receipt rule. You can either use the default KMS key (**aws/ses**) in your account, or use a customer managed key that you create. If you use the default KMS key, you don't need to perform any additional steps to give SES permission to use it. If you use a customer managed key, you need to give SES permission to use it by adding a statement to the key's policy.

Use the following policy statement as the key policy to allow SES to use your customer managed key when it receives email on your domain.

```
{
  "Sid": "AllowSESToEncryptMessagesBelongingToThisAccount",
  "Effect": "Allow",
  "Principal": {
    "Service": "ses.amazonaws.com"
  },
  "Action": [
    "kms:GenerateDataKey*"
  ],
  "Resource": "*",
  "Condition": {
    "StringEquals": {
      "AWS:SourceAccount": "111122223333",
      "AWS:SourceArn": "arn:aws:ses:region:111122223333:receipt-rule-set/rule_set_name:receipt-rule/receipt_rule_name"
    }
  }
}
```

Make the following changes to the preceding policy example:
+ Replace *region* with the AWS Region where you created the receipt rule.
+ Replace *111122223333* with your AWS account ID.
+ Replace *rule_set_name* with the name of the rule set that contains the receipt rule that you've associated with email receiving.
+ Replace *receipt_rule_name* with the name of the receipt rule that you've associated with email receiving.

If you're using AWS KMS to send encrypted messages to an S3 bucket with server-side encryption enabled, then you need to add the policy action, `"kms:Decrypt"`. Using the preceding example, adding this action to your policy would appear as follows:

```
{
  "Sid": "AllowSESToEncryptMessagesBelongingToThisAccount",
  "Effect": "Allow",
  "Principal": {
    "Service": "ses.amazonaws.com"
  },
  "Action": [
    "kms:Decrypt",
    "kms:GenerateDataKey*"
  ],
  "Resource": "*",
  "Condition": {
    "StringEquals": {
      "AWS:SourceAccount": "111122223333",
      "AWS:SourceArn": "arn:aws:ses:region:111122223333:receipt-rule-set/rule_set_name:receipt-rule/receipt_rule_name"
    }
  }
}
```

For more information about attaching policies to AWS KMS keys, see [Using Key Policies in AWS KMS](https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html) in the *AWS Key Management Service Developer Guide*.

## Give SES permission to invoke an AWS Lambda function
<a name="receiving-email-permissions-lambda"></a>

To enable SES to call an AWS Lambda function, you can choose the function when you create a receipt rule in the SES console. When you do, SES automatically adds the necessary permissions to the function.

Alternatively, you can use the `AddPermission` operation in the AWS Lambda API to attach a policy to a function. The following call to the `AddPermission` API gives SES permission to invoke your Lambda function. For more information about attaching policies to Lambda functions, see [AWS Lambda Permissions](https://docs.aws.amazon.com/lambda/latest/dg/intro-permission-model.html) in the *AWS Lambda Developer Guide*.

```
{
  "Action": "lambda:InvokeFunction",
  "Principal": "ses.amazonaws.com",
  "SourceAccount": "111122223333",
  "SourceArn": "arn:aws:ses:region:111122223333:receipt-rule-set/rule_set_name:receipt-rule/receipt_rule_name",
  "StatementId": "GiveSESPermissionToInvokeFunction"
}
```

Make the following changes to the preceding policy example:
+ Replace *region* with the AWS Region where you created the receipt rule.
+ Replace *111122223333* with your AWS account ID.
+ Replace *rule_set_name* with the name of the rule set that contains the receipt rule where you created your Lambda function.
+ Replace *receipt_rule_name* with the name of the receipt rule containing your Lambda function.

## Give SES permission to publish to an Amazon SNS topic that belongs to a different AWS account
<a name="receiving-email-permissions-sns"></a>

To publish notifications to a topic in a separate AWS account, you must attach a policy to the Amazon SNS topic. The SNS topic must be in the same Region as the domain and receipt rule set.

The following policy gives SES permission to publish to an Amazon SNS topic in a separate AWS account.

```
{
    "Version":"2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "ses.amazonaws.com"
            },
            "Action": "SNS:Publish",
            "Resource": "arn:aws:sns:topic_region:sns_topic_account_id:topic_name",
            "Condition": {
                "StringEquals": {
                    "AWS:SourceAccount": "aws_account_id",
                    "AWS:SourceArn": "arn:aws:ses:receipt_region:aws_account_id:receipt-rule-set/rule_set_name:receipt-rule/receipt_rule_name"
                }
            }
        }
    ]
}
```


Make the following changes to the preceding policy example:
+ Replace *topic_region* with the AWS Region that the Amazon SNS topic was created in.
+ Replace *sns_topic_account_id* with the ID of the AWS account that owns the Amazon SNS topic.
+ Replace *topic_name* with the name of the Amazon SNS topic that you want to publish notifications to.
+ Replace *aws_account_id* with the ID of the AWS account that is configured to receive email.
+ Replace *receipt_region* with the AWS Region where you created the receipt rule.
+ Replace *rule_set_name* with the name of the rule set that contains the receipt rule where you created your publish to Amazon SNS topic action.
+ Replace *receipt_rule_name* with the name of the receipt rule containing the publish to Amazon SNS topic action.
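Every bucket, key and topic policy in this section that grants access to `ses.amazonaws.com` relies on the `AWS:SourceAccount` and `AWS:SourceArn` conditions to tie the grant to your own receipt rule rather than to any SES customer's. The following linter is an added example, not SES documentation or an AWS tool: it checks a policy document for exactly that property, including the case where the two conditions name different accounts. The account IDs, the rule set name `inbound` and the rule name `store` in its samples are placeholders.

```python
"""Lint resource policies that grant access to the SES service principal.
Added example, not SES documentation or an AWS tool: it checks that every
Allow for ses.amazonaws.com is pinned with aws:SourceAccount and
aws:SourceArn (a receipt-rule ARN) and that the two name the same account."""
import json
import re

SES_PRINCIPAL = "ses.amazonaws.com"
RECEIPT_RULE_ARN = re.compile(
    r"^arn:aws:ses:(?P<region>[a-z0-9-]+):(?P<account>\d{12}):"
    r"receipt-rule-set/[^:/]+:receipt-rule/[^:/]+$")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _allows_ses(stmt):
    """True for an Allow statement whose principal is SES or everyone ('*')."""
    if stmt.get("Effect") != "Allow":
        return False
    principal = stmt.get("Principal")
    if principal == "*":
        return True
    return isinstance(principal, dict) and SES_PRINCIPAL in _as_list(principal.get("Service", []))

def lint_ses_policy(policy_json):
    """Return a list of findings; an empty list means every SES grant is pinned."""
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if not _allows_ses(stmt):
            continue
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Principal") == "*":
            findings.append(f"{sid}: Principal '*' admits any caller, not just SES")
            continue
        # Condition key names are case-insensitive, so "AWS:SourceArn" and "aws:SourceArn" match.
        equals = {k.lower(): v for k, v in stmt.get("Condition", {}).get("StringEquals", {}).items()}
        account, arn = equals.get("aws:sourceaccount"), equals.get("aws:sourcearn")
        if account is None:
            findings.append(f"{sid}: no aws:SourceAccount condition")
        if arn is None:
            findings.append(f"{sid}: no aws:SourceArn condition")
            continue
        match = RECEIPT_RULE_ARN.match(arn)
        if not match:
            findings.append(f"{sid}: aws:SourceArn is not a receipt-rule ARN: {arn}")
        elif account is not None and match.group("account") != account:
            findings.append(f"{sid}: aws:SourceArn account {match.group('account')} "
                            f"differs from aws:SourceAccount {account}")
    return findings

def _bucket_policy(condition=None):
    """Build a constructed sample bucket policy (placeholder IDs, not real resources)."""
    stmt = {"Sid": "AllowSESPuts", "Effect": "Allow",
            "Principal": {"Service": SES_PRINCIPAL},
            "Action": "s3:PutObject", "Resource": "arn:aws:s3:::amzn-s3-demo-bucket/*"}
    if condition:
        stmt["Condition"] = {"StringEquals": condition}
    return json.dumps({"Version": "2012-10-17", "Statement": [stmt]})

RULE_ARN = "arn:aws:ses:us-east-1:111122223333:receipt-rule-set/inbound:receipt-rule/store"
PINNED = _bucket_policy({"AWS:SourceAccount": "111122223333", "AWS:SourceArn": RULE_ARN})
UNPINNED = _bucket_policy()                      # no Condition at all
MISMATCHED = _bucket_policy({"AWS:SourceAccount": "444455556666", "AWS:SourceArn": RULE_ARN})

if __name__ == "__main__":
    for name, policy in [("pinned", PINNED), ("unpinned", UNPINNED), ("mismatched", MISMATCHED)]:
        print(name, lint_ses_policy(policy) or ["ok"])
```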

If your Amazon SNS topic uses AWS KMS for server-side encryption, you have to add permissions to the AWS KMS key policy. You can add permissions by attaching the following policy to the AWS KMS key policy:

```
{
    "Version":"2012-10-17",
    "Statement": [
        {
            "Sid": "AllowSESToUseKMSKey",
            "Effect": "Allow",
            "Principal": {
                "Service": "ses.amazonaws.com"
            },
            "Action": [
                "kms:GenerateDataKey",
                "kms:Decrypt"
            ],
            "Resource": "*"
        }
    ]
}
```
