Ingress endpoints - Amazon Simple Email Service

Ingress endpoints

An ingress endpoint is the key infrastructure component in Mail Manager that receives, routes, and manages your email by utilizing policies and rules you configure to determine which emails should be rejected, which ones should be allowed, and which ones should be acted upon.

Each ingress endpoint has its own traffic policy to determine which emails to block or allow, and its own rule set to perform actions on the email you do allow in; therefore, by creating multiple ingress endpoints, you can delegate each one to manage and route specific types of email. This level of granularity will help you to build an email management system that's tailored to your business needs.

Prerequisite workflow to create an ingress endpoint

At the time of creating your ingress endpoint, you must assign it a traffic policy and a rule set that have already been created. Therefore, the workflow for creating an ingress endpoint should be in the following order:

  1. Start by creating a traffic policy to determine the email you want to block or allow. For details, see Creating traffic policies and policy statements in the SES console.

  2. Next, create a rule set to perform actions on the email you allow in. For details, see Creating rule sets and rules in the SES console.

  3. Finally, create your ingress endpoint and assign to it the traffic policy and rule set you just created or any others you previously created.

Once you create your ingress endpoint, you must configure it with the environment you're using to receive email, whether that be the configuration of an on-premise SMTP client or a web-based DNS domain host. This is discussed below in Configuring your environment to use an ingress endpoint.

Configuring your environment to use an ingress endpoint

Using the "A" record

At the time you create an ingress endpoint, an "A" record for the endpoint will be generated and its value displayed on the ingress endpoint's summary screen in the SES console. The way you use the value of this record depends on the type of endpoint you created and your use case:

  • Open endpoint – Mail sent to your domain will resolve directly to your ingress endpoint—no authentication required.

    • Copy and paste the value of the "A" record either directly into the SMTP configuration of an on-premise SMTP client or into an MX record for your domain in your DNS configuration.

  • Authenticated endpoint – Mail sent to your domain has to come from authorized senders whom you’ve shared your SMTP credentials with, such as your on-premise email servers.

    • Copy and paste the value of the "A" record directly into the SMTP configuration of an on-premise SMTP client, along with your user name and password.

If you're using an MX record in your configuration, keep in mind that while every DNS provider has different procedures and interfaces for configuring records, the key pieces of information you need to put into your DNS settings are shown in the following example:

All email sent to recipient@marketing.example.com will go to your ingress endpoint because you entered the ingress endpoint's "A" record as the value for an MX record in your domain’s DNS settings:

  • Domain: marketing.example.com

  • MX record value: 890123abcdef.ghijk.mail-manager-smtp.amazonaws.com (This is the "A" record value copied from your ingress endpoint.)

  • Priority: 10

The procedure in the next section will walk you through creating an ingress endpoint in the SES console.

Creating an ingress endpoint in the SES console

The following procedure shows you how to use the Ingress endpoint page in the SES console to create ingress endpoints and manage the ones you've already created.

To create and manage ingress endpoints using the console
  1. Sign in to the AWS Management Console and open the Amazon SES console at https://console.aws.amazon.com/ses/.

  2. In the left navigation panel, choose Ingress endpoints under Mail Manager.

  3. On the Ingress endpoints page, select Create ingress endpoint.

  4. On the Create new ingress endpoint page, enter a unique name for your ingress endpoint.

  5. Choose whether it will be an Open or Authenticated endpoint.

    • If you choose Authenticated, select either SMTP password and enter a password, or Secret and select one of your secrets from Secret ARN. If you select a previously created secret, it must contain the policies indicated in the following steps for creating a new secret.

    • You have the option to create a new secret by choosing Create new—the AWS Secrets Manager console will open where you can continue to create a new key:

    1. Choose Other type of secret in Secret type.

    2. In Key/value pair, enter password for the key, and your actual password for the value.

      Note

      For Key, you must only enter password (anything else will cause authentication to fail).

    3. Select Add new key to create a KMS customer managed key (CMK) in Encryption key—the AWS KMS console will open.

    4. Choose Create key on the Customer managed keys page.

    5. Keep the default values on the Configure key page and select Next.

    6. Enter a name for your key in Alias (optionally, you can add a description and tag), followed by Next.

    7. Select any users (other than yourself) or roles you want to permit to administer the key in Key administrators followed by Next.

    8. Select any users (other than yourself) or roles you want to permit to use the key in Key users followed by Next.

    9. Copy and paste the KMS CMK policy into the Key policy JSON text editor at the "statement" level by adding it as an additional statement separated by a comma. Replace the region and account number with your own.

    10. Choose Finish.

    11. Select your browser's tab where you have the AWS Secrets Manager Store a new secret page open and select the refresh icon (circular arrow) next to the Encryption key field, then click inside the field and select your newly created key.

    12. Enter a name in the Secret name field on the Configure secret page.

    13. Select Edit permissions in Resource permissions.

    14. Copy and paste the Secrets resource policy into the Resource permissions JSON text editor and replace the region and account number with your own. (Be sure to delete any example code in the editor.)

    15. Choose Save followed by Next.

    16. Optionally configure rotation followed by Next.

    17. Review and store your new secret by choosing Store.

    18. Select your browser's tab where you have the SES Create new ingress endpoint page open and choose Refresh list, then select your newly created secret in Secret ARN.

  6. Select a traffic policy to determine the email you want to block or allow.

  7. Select a rule set containing the rule actions you want to perform on the email you allow in.

  8. Select Create ingress endpoint.

  9. In General details, "Provisioning" will be displayed while your ingress endpoint is being created—refresh the page until "Active" is displayed and the ARecord field contains a value. Copy the "A" record value and paste it into your DNS configuration or your SMTP client as discussed in Configuring your environment.

  10. You can view and manage the ingress endpoints you've already created from the Ingress endpoints page. If there's an ingress endpoint you want to remove, select its radio button followed by Delete.

  11. To edit an ingress endpoint, select its name to open its summary page:

    • You can change the endpoint's active status by choosing Edit in General details followed by Save changes.

    • You can select a different rule set or traffic policy by choosing Edit in either Rule set or Traffic policy followed by Save changes.
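Two checks worth running before you rely on a new endpoint, covering the MX record example above and the Note about the secret's key name: that the domain's preferred (lowest priority number) MX record points at the endpoint's "A" record value, and that a Secrets Manager secret string holds exactly the single key `password`. This is an added example, not AWS code; the zone-file lines and secret strings are constructed samples, and the hostname reuses the page's example value.

```python
"""Pre-flight checks for wiring a domain to a Mail Manager ingress endpoint."""
import json
import re

# "A" record value as shown on the endpoint's summary page (page's example value).
INGRESS_A_RECORD = "890123abcdef.ghijk.mail-manager-smtp.amazonaws.com"

# Constructed zone-file export: only marketing.example.com prefers the endpoint.
ZONE_LINES = """
marketing.example.com.  300  IN  MX  10 890123abcdef.ghijk.mail-manager-smtp.amazonaws.com.
marketing.example.com.  300  IN  MX  20 backup-mx.example.net.
sales.example.com.      300  IN  MX  10 mx.legacy.example.net.
"""

MX_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+MX\s+(\d+)\s+(\S+)$")


def parse_mx(zone_text):
    """Return {domain: [(priority, host), ...]} with trailing dots stripped."""
    records = {}
    for line in zone_text.strip().splitlines():
        m = MX_RE.match(line.strip())
        if m:
            domain = m.group(1).rstrip(".")
            records.setdefault(domain, []).append((int(m.group(2)), m.group(3).rstrip(".")))
    return records


def mx_routes_to_endpoint(domain, zone_text, a_record=INGRESS_A_RECORD):
    """True only if the lowest-priority MX for the domain is the ingress endpoint.

    A higher-preference MX pointing elsewhere means mail is tried there first,
    so the endpoint would not see it in normal operation."""
    mx = sorted(parse_mx(zone_text).get(domain, []))
    return bool(mx) and mx[0][1] == a_record


def secret_is_valid(secret_string):
    """Mail Manager reads the key named exactly 'password' (see the Note above);
    a different key name, extra keys, or an empty value cause authentication to fail."""
    try:
        data = json.loads(secret_string)
    except ValueError:
        return False
    return isinstance(data, dict) and list(data) == ["password"] and bool(data["password"])


if __name__ == "__main__":
    print("marketing MX ok:", mx_routes_to_endpoint("marketing.example.com", ZONE_LINES))
    print("secret ok:", secret_is_valid('{"password": "example-only"}'))
```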