Complete AWS SES walkthrough from account creation to first campaign.
Amazon SES for cold email is one of the most cost effective ways to send outreach at scale. SES stands for Simple Email Service and is part of Amazon Web Services. The primary advantage is pricing. AWS charges $0.10 per 1,000 emails with no monthly minimums and no per contact fees. For teams sending tens of thousands of emails per month, this is dramatically cheaper than per email pricing from other providers.
Beyond cost, Amazon SES gives you dedicated sending infrastructure. Your emails are not routed through shared pools where another sender's bad behavior can damage your deliverability. You control the domains, the DNS authentication, and the sending reputation. This is the AWS SES cold email setup guide that covers everything from creating your AWS account to sending your first campaign.
One important note before you begin: SES is a sending infrastructure, not an outreach tool. You still need a campaign tool that connects to SES for managing sequences, follow ups, and replies. This guide covers the SES setup. Connecting it to your outreach tool is the final step.
If you do not already have an AWS account, go to aws.amazon.com and create one. You will need a credit card for billing, but SES costs are minimal for cold email volumes. After account creation, navigate to the IAM section and create a dedicated user with only SES permissions. This follows AWS security best practices by limiting access to only the services you need. Do not use your root account credentials for SES.
Amazon SES is available in multiple AWS regions. Choose a region close to your recipients for the best latency, or use us east 1 (N. Virginia) which is the most commonly used SES region with the widest feature support. Remember that your SES configuration, verified domains, and SMTP credentials are all region specific. Everything you configure must be in the same region where your application connects.
In the SES console, go to "Verified identities" and click "Create identity." Select "Domain" and enter the domain you want to send from. SES will generate DNS records you need to add: a TXT record for domain verification and three CNAME records for DKIM (Easy DKIM). Add all of these to your domain's DNS through your registrar or DNS hosting provider. The TXT record proves you own the domain. The CNAME records enable DKIM signing. Verification usually completes within an hour but can take up to 72 hours.
Add Amazon SES to your domain's SPF record by including their servers. If this is your only sending service, your SPF record should look like:
v=spf1 include:amazonses.com ~all
If you also send through Gmail or another provider, add their include as well within the same single SPF record. Your domain should only have one SPF TXT record total.
Complete your authentication stack by adding a DMARC record. Create a TXT record at _dmarc.yourdomain.com with a value like v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com. This tells receiving servers to quarantine any email that fails both SPF and DKIM checks and to send you aggregate reports about authentication results.
New SES accounts start in sandbox mode, which limits you to sending only to verified email addresses. To send to anyone, you need to request production access. In the SES console, go to "Account dashboard" and find the "Request production access" button. AWS asks you to describe your use case, expected sending volume, how you handle bounces and complaints, and what type of content you send. Be honest and specific. Mention that you send business to business outreach, that you verify email addresses before sending, and that you honor unsubscribes. AWS reviews requests manually, and approval typically takes one to three business days.
To connect SES to your outreach tool via SMTP, you need dedicated SMTP credentials. In the SES console, go to "SMTP settings." Note the SMTP endpoint for your region, which looks like email-smtp.us-east-1.amazonaws.com. The port is 587 for STARTTLS connections. Click "Create SMTP credentials" to generate a username and password. These are different from your AWS IAM credentials. Save them securely because the password is shown only once.
With your domain verified, DNS records configured, production access granted, and SMTP credentials in hand, you can now connect SES to your cold email platform. In your outreach tool, add a new sending account using SMTP connection type. Enter the SES SMTP endpoint, port 587, and the SMTP username and password you generated. Send a test email to confirm everything is connected and that SPF, DKIM, and DMARC all pass authentication checks.
The most common mistake is trying to send from sandbox mode without realizing your account has not been approved for production. All emails to unverified addresses will bounce silently. If your test emails work but real campaign emails do not, check whether your account is still in sandbox mode.
Skipping warmup is another frequent error. Even though SES provides dedicated infrastructure, you still need to warm up new domains and IP addresses gradually. Email providers track sending patterns, and a new domain suddenly sending thousands of emails per day will trigger spam filters regardless of how clean your infrastructure is.
Ignoring bounce and complaint notifications from SES is dangerous. AWS monitors your bounce and complaint rates and will suspend your sending privileges if they exceed their thresholds (currently 5 percent for bounces and 0.1 percent for complaints). Set up SNS notifications for bounces and complaints so you can respond quickly to list quality issues before AWS takes action.
EmailQo connects natively to Amazon SES as a sending provider. You enter your SMTP credentials in EmailQo, and the platform handles campaign management, sequences, follow ups, and reply detection while SES handles the actual sending. AWS bills you directly at $0.10 per 1,000 emails. EmailQo does not add any markup to the sending cost. Every plan includes built in warmup for your SES connected accounts and pre send inbox health checks that validate your DNS records, scan for spam triggers, and check blacklists before each campaign goes out.