InboxEagle
Blog ESP Comparison AWS SES Deliverability
Guide 5 of 6 · Updated 2026

AWS SES Deliverability:
Lowest Cost, Highest Monitoring Responsibility

AWS SES is the most cost-effective way to send email at scale — $0.10 per 1,000 emails versus $1.70+ for managed ESPs. But that cost advantage comes with strict enforcement thresholds and minimal built-in monitoring. One 0.11% complaint rate can pause your account without warning.

Monitor My SES Deliverability Check My Blacklist Status

What Makes AWS SES Different

AWS SES (Simple Email Service) occupies a unique position in the ESP landscape. It's not an email marketing platform — it's email infrastructure. The distinction matters: where Klaviyo, Mailchimp, and Constant Contact give you list management, campaign builders, automation flows, and analytics, SES gives you an SMTP endpoint and an API. Everything else is your responsibility.

What SES provides:

  • SMTP and HTTP API sending endpoints
  • Bounce and complaint notifications via Amazon SNS (Simple Notification Service)
  • Dedicated IP addresses at $24.95/IP/month
  • Configurable sending rate limits
  • CloudWatch metrics for delivery rates and bounce rates
  • Email templates (basic, not visual)
  • Virtual Deliverability Manager (paid add-on)

What SES does not provide:

  • Email template visual editor or drag-and-drop builder
  • Marketing automation or flow builder
  • A/B testing for campaigns
  • Audience segmentation tools
  • Unsubscribe list management UI (you build and maintain this)
  • Integrated analytics beyond delivery events
  • Built-in inbox placement data (requires VDM add-on or third-party tool)

The pricing makes this trade-off worthwhile at scale: $0.10 per 1,000 emails when sending from an EC2 instance, or $0.12 per 1,000 emails otherwise. At 1 million sends per month, SES costs approximately $100-120. Comparable volume on Klaviyo would cost $3,000-5,000+.

SES Enforcement Thresholds (The Ones That Will Get You Paused)

AWS enforces sending reputation thresholds more aggressively than most managed ESPs. The consequences are also more severe: a threshold breach can result in your account being paused — meaning zero email sends until AWS manually reviews and reinstates you.

Bounce Rate Thresholds

StatusBounce RateAWS Action
HealthyUnder 2%No action
Advisory2%–5%Warning notification sent
EnforcementOver 5%Sending may be restricted or paused
SevereOver 10%Account paused pending review

Complaint Rate Thresholds

StatusComplaint RateAWS Action
HealthyUnder 0.08%No action
Advisory0.08%–0.10%Warning notification sent
EnforcementOver 0.10%Sending restricted or paused

0.10% is an extremely tight threshold

Gmail's enforcement threshold for bulk senders is 0.30% (with serious issues at 0.10%). AWS SES enforces at 0.10% — the threshold most ESPs consider "advisory." This means SES senders need to maintain complaint rates that most managed ESP users would consider excellent. A single campaign to a stale segment can push you over the threshold and pause your account.

Why Account Pausing Is a Five-Alarm Event

When AWS pauses your SES account, all outbound email stops immediately — including transactional email. If you're a SaaS company using SES for both marketing campaigns and password reset emails, an account pause means your users can't log in. The reinstatement process requires submitting a support ticket to AWS with an explanation and remediation plan, and it typically takes 24-72 hours. During that window, your entire email program is offline.

The solution is proactive monitoring: watch your complaint rate and bounce rate continuously, not reactively. Google Postmaster Tools shows your Gmail spam rate in near-real-time. Yahoo Sender Hub shows Yahoo complaint rates. These signals often appear before AWS's own metrics cross the enforcement threshold — giving you a window to act.

Getting Out of the SES Sandbox

Every new AWS SES account starts in the Sandbox environment. In Sandbox mode, you can only send email to verified email addresses — addresses that you've explicitly confirmed through the AWS console. You cannot send to any arbitrary recipient, which makes the Sandbox useless for real email programs. You need Production Access to send to unverified recipients at scale.

The Production Access Request

To exit the Sandbox, submit a Production Access request through the AWS SES console. AWS reviews these manually, typically approving legitimate requests within 24 hours. Your request needs to include:

  1. Your use case — Describe what you're sending (transactional notifications, marketing campaigns, etc.)
  2. Expected daily send volume — Be accurate; understating volume and then exceeding it can raise flags
  3. How you handle bounces — Explain that you've configured SNS notifications for bounce events and that you suppress bounced addresses immediately
  4. How you handle complaints — Explain your complaint notification setup and suppression process
  5. How subscribers opted in — Describe your list acquisition method

AWS approves the vast majority of legitimate business requests. Denials typically happen when the description is vague, when there's no clear suppression mechanism, or when the request appears to be for high-volume unsolicited email. If denied, address the specific feedback in your denial response and reapply.

Authentication and DNS Setup in SES

AWS SES requires domain verification before you can send from a domain, and DKIM setup is the primary authentication mechanism. Here's the complete authentication setup:

Domain Verification and DKIM

  1. In the SES console, go to Configuration → Verified Identities → Create Identity
  2. Choose Domain and enter your sending domain
  3. SES generates 3 CNAME records for DKIM — add these to your DNS provider
  4. SES automatically verifies the domain once DNS propagates (usually within an hour)
  5. Optionally enable DKIM signing — this should always be enabled
  6. Choose Easy DKIM (2048-bit RSA, recommended) or Bring Your Own DKIM

SPF Configuration

SES automatically handles SPF alignment through its sending infrastructure. You do not need to add a custom SPF record for SES — the MAIL FROM domain SES uses is configured to pass SPF checks by default. However, if you configure a custom MAIL FROM domain (optional but recommended), you'll need to add an MX record and SPF record for that subdomain. Use InboxEagle's SPF Record Generator to create the correct record.

DMARC

After setting up DKIM, publish a DMARC record for your sending domain. Use InboxEagle's DMARC Record Generator to create the TXT record. Add it to your DNS as a TXT record for _dmarc.yourdomain.com.

SNS Notifications for Bounces and Complaints (Critical)

Configuring SNS notifications for bounces and complaints is mandatory for SES at production scale. This is not optional — if you don't process bounce and complaint notifications programmatically, you will hit SES's enforcement thresholds.

  1. In SES, go to your verified identity → Notifications
  2. Set up SNS topics for bounces, complaints, and deliveries
  3. Subscribe an HTTPS endpoint (your application server) or an SQS queue to the SNS topics
  4. Process each notification to suppress bounced addresses and complaint senders from future sends
  5. This suppression logic must be implemented in your application code — SES does not do this automatically

Virtual Deliverability Manager vs. What InboxEagle Adds

AWS introduced Virtual Deliverability Manager (VDM) as a paid add-on to SES in 2022. At $0.0001 per email processed, it provides some deliverability visibility that SES's base offering lacks. Understanding what VDM covers and where it falls short helps you plan your monitoring stack.

What Virtual Deliverability Manager Provides

  • Inbox placement data — VDM uses a seed list approach similar to InboxEagle's seed list testing to estimate inbox placement rates across major ISPs
  • Engagement dashboard — Open rates, click rates, and unsubscribe rates with ISP-level breakdown
  • Deliverability advisor — Automated recommendations based on your sending patterns (authentication, list hygiene, etc.)
  • Predictive insights — Machine learning-based predictions about deliverability changes

VDM Gaps That InboxEagle Fills

  • Google Postmaster reputation data — VDM's inbox placement estimates don't include your Gmail domain reputation score or Gmail spam rate from Postmaster Tools. InboxEagle's Postmaster integration surfaces these directly.
  • Yahoo Sender Hub complaint monitoring — VDM doesn't integrate with Yahoo Sender Hub data. InboxEagle monitors Yahoo complaint rates separately.
  • DMARC alignment tracking — VDM doesn't process DMARC aggregate reports. InboxEagle's DMARC monitoring shows alignment pass/fail rates across all ISPs sending DMARC reports.
  • Bot click detection — VDM's engagement data includes bot clicks from security scanners. InboxEagle's Bot Finder separates automated clicks from human engagement.
  • Blacklist monitoring — VDM doesn't monitor blacklist status for your sending IPs or domains. InboxEagle's blacklist checker does.

VDM + InboxEagle = complete SES deliverability coverage

VDM provides useful placement estimates and recommendations. InboxEagle adds the ISP-level reputation data (Gmail, Yahoo), DMARC alignment tracking, bot click detection, and blacklist monitoring that VDM doesn't cover. Together they provide comprehensive SES deliverability visibility.

Connect AWS SES Start Free Trial

SES vs. Managed ESP: The Real Cost Comparison

The headline cost comparison between SES and managed ESPs is dramatic — but the total cost of operating an SES-based email program includes infrastructure and labor costs that need to be factored in.

Cost at 500,000 Emails per Month

Cost ComponentAWS SESKlaviyo (~100K contacts)
Base sending cost~$60/month~$1,700/month
Dedicated IPs (2×)~$50/monthIncluded / add-on
VDM monitoring~$50/monthN/A (included)
InboxEagle monitoring~$79/month~$79/month
Developer time (bounce/complaint handling)~$200-400/month amortized$0 (ESP handles it)
Total estimated~$439-639/month~$1,779/month

SES wins significantly at high volume — but the developer cost line item is real. If you don't have engineering resources to implement bounce/complaint processing, build suppression management, and maintain the SNS pipeline, SES's operational complexity can cost more than the platform savings.

When SES Is the Right Choice

  • You have engineering resources to implement bounce/complaint handling
  • You send over 250,000 emails per month consistently
  • You need maximum infrastructure control (custom IP pools, custom MAIL FROM)
  • You're building a multi-tenant application where each customer has separate sending identity
  • Your email program is primarily transactional or notification-driven

When a Managed ESP Is the Right Choice

  • Your team doesn't have dedicated email engineering resources
  • You need marketing automation, campaign builders, or segmentation tools
  • You send under 100,000 emails per month (managed ESPs are cost-competitive here)
  • The operational risk of an account pause is not acceptable for your business
14-day free trial · No credit card required

Monitor SES Before AWS Pauses Your Account

InboxEagle monitors your SES complaint rates, Gmail domain reputation, Yahoo complaint data, DMARC alignment, and blacklist status — alerting you before you cross AWS's enforcement thresholds.

Start Free Trial ← Back to ESP Comparison