Skip to content

Connecting Amazon SES

Plume sends through your own SES account using AWS SES v2. This page walks through credentials, domain verification, leaving the sandbox, and feedback.

Not on AWS? Plume also sends through any SMTP provider — Mailgun, SendGrid, Postmark, Resend, and more.

Your SES credentials — region, access key id, and secret — are entered in the app under Settings, not as environment variables. Plume stores them AES-encrypted at rest. Until you configure SES, Plume uses a built-in log provider that prints emails to stdout instead of sending them, so you can develop and test with zero AWS setup.

In AWS IAM, create a user with programmatic access and attach a policy scoped to SES send actions. Plume only needs to send mail and read sending statistics.

{
"Effect": "Allow",
"Action": ["ses:SendEmail", "ses:SendRawEmail"],
"Resource": "*"
}

Enter the resulting access key id, secret, and region in Settings. Plume encrypts them before saving.

Add your brand in Plume and it generates the DKIM and SPF records to publish at your DNS provider. Plume polls SES and flips the brand to verified automatically — usually within 30 minutes.

Bounce and complaint feedback reaches Plume through an SNS webhook. Point an SNS topic at Plume’s feedback endpoint:

POST https://your-host/webhook/ses

Note that this is a root path (/webhook/ses), not under /api. Plume processes the SNS notifications and updates suppression automatically — see Tracking & suppression.