What are the primary reasons emails sent through Amazon SES might not be delivered?

Common causes include unverified sender identities (especially in sandbox mode), missing or incorrect SPF/DKIM/DMARC records, poor sender reputation, high spam scores due to email content, and recipient-side filtering by ISPs. It's often a combination of these factors.

Does Amazon SES's sandbox mode affect email delivery to unverified recipients?

If your account is in sandbox mode, you must verify both the sender and every recipient email address. For production, only sender identities need to be verified. Failing to verify recipients in sandbox mode will prevent delivery.

My SES bounce and complaint rates are low, but emails are still not delivered. Why?

Even with healthy bounce and complaint rates, your sender reputation can be impacted by low recipient engagement, consistent sending to invalid addresses, or being listed on private blocklists. ISPs use a broader set of metrics beyond what SES provides.

What does it mean if emails are 'silently dropped' without a bounce notification?

Emails can be silently dropped due to strong DMARC policies at the recipient's server if your authentication fails, or if the recipient's ISP aggressively filters based on content or hidden reputation factors, without sending a bounce notification back to SES.

How can I monitor the specific reasons for delivery failures in SES?

Utilize Amazon SES event publishing to CloudWatch to get granular logs on deliveries, bounces, and complaints. Also, regularly check Google Postmaster Tools and Yahoo's equivalent for domain reputation and specific insights.

Why are some emails not being delivered through Amazon SES? - Troubleshooting - Email deliverability - Knowledge base

Experiencing email delivery issues with Amazon Simple Email Service (SES) can be incredibly frustrating. You might be sending emails, seeing them processed successfully in your SES dashboard, yet recipients report not receiving anything. This can feel like a mystery, especially when your bounce and complaint rates appear healthy. Often, the cause isn't immediately obvious, requiring a deeper dive into configurations, sender reputation, and recipient-side factors. It's not just about getting emails out, but ensuring they land in the inbox.

This guide explores the common reasons why your emails might not be delivered through Amazon SES, even when everything seems to be in order.

Common configuration issues

One of the most common reasons for undelivered emails, especially for new SES users, relates to unverified identities. If your Amazon SES account is still in sandbox mode, you must verify every recipient email address you send to, in addition to your sending email addresses or domains. Failing to do so will result in emails not being processed or delivered, without a clear bounce notification sometimes.

Beyond the sandbox, ensure you've properly set up a custom Return-Path and DKIM signing for your domain. While SES works without these, using SES without proper customization can hinder your email's ability to pass authentication checks at recipient servers. This can lead to emails being sent to spam or silently dropped, making it seem like they were never delivered at all. Proper configuration is a foundational step for reliable email delivery and avoiding issues like emails going missing or getting silently dropped.

Incorrect SMTP credentials or connection issues can also prevent emails from being sent. Even if your SES setup appears correct, a mismatch in credentials between your application and SES, or issues with the encryption used for the connection, can lead to delivery failures. It's crucial to confirm that your application's SMTP settings align precisely with your SES credentials and that an encrypted connection is established.

Sandbox mode verification

If your SES account is in sandbox mode, ensure that all recipient email addresses are verified within SES. This is a common pitfall that can cause emails to appear as not delivered, even if your sender identity is verified. Move out of sandbox mode as soon as possible for full functionality.

Example verification status

Amazon SES Verified Identity Exampletext

Domain: example.com
Verification Status: Verified
DKIM Status: Verified

Authentication and sender reputation

Email authentication mechanisms like SPF, DKIM, and DMARC are critical for email deliverability. Even if your bounce and complaint rates are low, a lack of proper authentication can cause emails to be rejected or sent to junk folders. Internet Service Providers (ISPs) heavily rely on these records to verify the legitimacy of incoming mail. If your DMARC policy is set to p=reject or p=quarantine and your emails fail SPF or DKIM alignment, they simply won't reach the inbox, resulting in DMARC verification failures.

Even with healthy bounce and complaint rates in your SES reputation dashboard, underlying reputation issues can exist. ISPs maintain their own internal blocklists (or blacklists) and scoring systems. If your domain or IP address is on an email blocklist (or blacklist), even a private one, it can severely impact delivery. Reputation is dynamic, influenced by factors like sending volume, consistency, and recipient engagement. A sudden increase in volume, or sending to a poorly maintained list, can negatively affect your sender score without immediately reflecting in the SES console metrics.

Additionally, a drop in engagement from your subscribers can signal to ISPs that your emails are not valuable, leading to filtering. If recipients consistently don't open or click your emails, or even mark them as spam, your sender reputation will suffer over time. This can cause emails to start going to spam or even be silently discarded.

Authentication failures

Problem: Missing or incorrectly configured SPF, DKIM, or DMARC records.
Impact: Emails fail authentication, leading to rejections or spam folder placement, particularly by major providers like Microsoft and Google.

Low sender reputation

Problem: High bounce rates, spam complaints, or low engagement, even if SES dashboard looks good.
Impact: Emails sent to junk, throttled, or silently dropped by recipient servers.

Authentication solutions

Configure Records: Set up SPF, DKIM, and DMARC DNS records for your sending domain. Use SES's Easy DKIM for simplified setup.
Monitor DMARC Reports: Utilize DMARC reports to identify authentication failures and adjust your configuration as needed.

Reputation improvement

List Hygiene: Regularly clean your email lists to remove inactive or invalid addresses. Avoid sending to spam traps.
Engagement Monitoring: Segment your audience and tailor content to improve engagement. Consider removing unengaged subscribers.
Blocklist Monitoring: Regularly check if your sending IPs or domains are on any public blocklists.

Content and recipient-side filtering

The content of your email itself plays a significant role. Emails containing spammy keywords, suspicious links, excessive images, or poor HTML formatting are more likely to be flagged by spam filters. Sending emails with a high spam score can cause them to be diverted to the junk folder or rejected outright, even if your sender reputation is otherwise good. Always ensure your email content is clean, relevant, and well-structured to pass through these filters.

Recipient-side factors are often overlooked when troubleshooting delivery issues. A recipient's mailbox might be full, their personal spam settings might be too strict, or their ISP might have exceptionally aggressive filtering rules. For example, Microsoft Outlook and Hotmail, as well as Yahoo and AOL, are known for their robust spam protection, which can sometimes incorrectly flag legitimate emails. This is especially true for transactional emails, which can also be affected by recipient-side filtering without generating bounces.

Finally, be aware of the Amazon SES account-level suppression list (not to be confused with a global suppression list). If an email address has previously hard bounced or generated a complaint from your account, SES automatically adds it to your account's suppression list. Subsequent attempts to send to this address will be blocked by SES before they even leave the platform, ensuring you don't damage your reputation further. While this is a protective measure, it can lead to confusion if you're unaware an address is on this internal blocklist.

Recipient domain	Common issues
Outlook/Hotmail	Aggressive junk folder filtering, hidden SPF DNS timeout, content-based blocking.
Gmail	Strict sender guidelines, strong spam algorithms, tabbed inbox filtering.
Yahoo/AOL	Rigorous DMARC enforcement, potential delays, content sensitivity.

Digging deeper into delivery failures

When facing persistent delivery issues, you need to go beyond surface-level metrics. Utilize Amazon SES's logging and monitoring capabilities through CloudWatch. Configure event publishing to track deliveries, bounces, complaints, and rejections. This data provides granular insights into what's happening to each email, allowing you to identify specific error codes or patterns for affected recipients or domains.

Sometimes, emails are silently dropped, meaning they don't generate a bounce notification but never reach the recipient's inbox or even their spam folder. This can happen due to extremely strict recipient server policies or issues with DMARC enforcement. Reviewing DMARC reports can reveal aggregate data on emails that are failing authentication and being quarantined or rejected by various mail servers. This offers visibility into problems that don't produce immediate bounce messages from SES.

Finally, consider reaching out to the recipient's ISP or postmaster if a significant number of emails are failing to specific domains without clear reasons. They may be able to provide specific insights into their filtering policies or if your sending IP or domain is flagged internally. This level of investigation is often necessary for resolving persistent, mysterious delivery problems.

Ensuring your emails reach the inbox

Solving email delivery issues with Amazon SES requires a methodical approach, combining diligent configuration, proactive monitoring, and a keen understanding of how ISPs evaluate incoming mail. It's rarely a single issue, but rather a combination of factors related to authentication, reputation, and content. By systematically addressing these areas, you can significantly improve your email deliverability through SES.

Remember that consistent list hygiene, engaging content, and robust authentication practices are the cornerstones of successful email delivery. Continuously monitor your SES metrics and DMARC reports to catch problems early. Staying on top of these elements will help ensure your emails consistently reach their intended inboxes, maximizing the effectiveness of your communications.

Views from the trenches

Best practices

Implement proper email authentication (SPF, DKIM, DMARC) for all sending domains.

Regularly monitor your Amazon SES reputation metrics for bounces, complaints, and rejections.

Clean your email lists frequently to remove inactive or invalid addresses and reduce hard bounces.

Segment your audience and personalize content to improve recipient engagement.

Common pitfalls

Sending from an unverified identity while in Amazon SES sandbox mode, leading to silent drops.

Not configuring a custom Return-Path or DKIM, which can hurt authentication alignment.

Ignoring DMARC reports, missing authentication failures that don't produce direct SES bounces.

Sending to old, unengaged, or purchased lists, increasing spam complaint rates and blocklist hits.

Expert tips

Check for private blocklists: Many ISPs maintain their own internal blocklists that aren't public, so a clean public reputation doesn't guarantee delivery. Look for patterns in affected domains.

Content analysis: Use email testing tools to score your email content for spam triggers. Poorly structured HTML or suspicious links can trigger filters.

Recipient engagement: ISPs prioritize delivery based on user engagement. Low open rates can lead to emails landing in spam, even with good technical setup.

Gradual sending: When increasing sending volume, do it gradually to build reputation with ISPs. Sudden spikes can trigger throttling or rejections.

Expert view

Expert from Email Geeks says to verify if a custom Return-Path and DKIM signing are being used with your domain because not customizing SES can cause problems. Also, check the SES reputation dashboard for bounce and complaint rates.

2023-02-03 - Email Geeks

Marketer view

Marketer from Email Geeks says to be aware that Amazon SES has a suppression list that could affect deliverability.

2023-02-03 - Email Geeks