Why AWS SES for cold email in 2026
Cold email tools like Instantly, Smartlead, and Apollo charge $97-$299/month for volumes most small B2B teams use. AWS SES charges $0.10 per 1,000 emails. For 50,000 emails/month: $5. For 250,000 emails/month: $25.
The price difference is not marginal. It is structural. Outreach platforms are built to extract recurring revenue from senders. SES is infrastructure — you pay for what you use, nothing more.
The trade-off is real: SES is not a campaign manager. It is a sending API. You need a separate tool to manage your lists, write sequences, handle replies, and track engagement. That is what this guide addresses — both the SES technical setup and running campaigns from a desktop tool that does not come with cloud platform ToS restrictions on cold email.
What SES is not
AWS SES does not prevent spam. It is responsible infrastructure — if your bounce rate climbs above threshold, your account gets reviewed and potentially suspended. This guide covers exactly what triggers suspension and how to stay clear of it.
Domain strategy before you touch AWS
The most expensive mistake cold email senders make is using their primary business domain. If deliverability degrades or SES reviews your account, the suspension affects every email that domain sends — including transactional email (order confirmations, password resets, customer support).
Register a dedicated sending domain for cold email. If your company is acme.com, register acmemails.com, meet-acme.com, or outreach.acme.com as a subdomain. Keep this domain separate from your primary business infrastructure.
Considerations for choosing your sending domain:
- Make it look professional — not spammy (acme-sales-blast.com will get flagged faster than meet-acme.com)
- It should be associated with an active website — AWS's production access review expects a real domain
- Age matters: a brand new domain has zero reputation. Plan for a 2-4 week warm-up period before any real volume
- Use a .com where possible — .biz, .info, and .click have higher spam association
Your primary domain handles all business email. A deliverability issue on your cold email sending domain is recoverable. The same issue on your primary domain damages your entire email infrastructure, potentially for months.
AWS account and SES console setup
If you do not have an AWS account, create one at aws.amazon.com. You will need a credit card and a phone number for verification. AWS offers a free tier that includes some SES credits for new accounts.
Navigate to AWS SES in the console (search "SES" or find it under the Messaging category). You will see a "Get set up" walkthrough in the console. All new SES accounts start in the sandbox.
Add and verify your sending domain
In the SES console, go to Verified identities → Create identity → Domain. Enter your sending domain. SES will provide DNS records to add to your domain's DNS zone. This includes the DKIM CNAME records (see next section) and the DMARC check. Verification typically completes within a few hours of adding the records, sometimes faster.
DKIM, SPF, and DMARC — the 2026 requirements
Gmail, Yahoo, and Microsoft enforced mandatory authentication requirements in 2024 that are now the operative standard for all bulk senders. Missing any of these will result in delivery failures on the major inbox providers. This is not optional in 2026.
DKIM — DomainKeys Identified Mail
SES uses Easy DKIM — it generates three CNAME records for your domain and signs all outgoing mail with a 2048-bit RSA key. In the SES console, when you verify your domain, you will see the three CNAME records to add to your DNS:
Name: [token1]._domainkey.yourdomain.com
Value: [token1].dkim.amazonses.com
Name: [token2]._domainkey.yourdomain.com
Value: [token2].dkim.amazonses.com
Name: [token3]._domainkey.yourdomain.com
Value: [token3].dkim.amazonses.comAdd all three. Verification typically takes 15 minutes to 72 hours. Do not proceed until all three show "Verified" in the SES console.
SPF — Sender Policy Framework
Add a TXT record at your root domain:
Name: yourdomain.com (or @)
Type: TXT
Value: v=spf1 include:amazonses.com ~allIf you already have an SPF record, add include:amazonses.com to the existing record rather than creating a second one. Multiple SPF records on the same domain cause SPF to fail.
Custom MAIL FROM domain
Configure a custom MAIL FROM subdomain in the SES console (e.g., mail.yourdomain.com). This aligns the envelope sender with your domain, which improves DMARC alignment. SES will provide two records to add:
Name: mail.yourdomain.com
Type: MX
Value: 10 feedback-smtp.[region].amazonses.com
Name: mail.yourdomain.com
Type: TXT
Value: v=spf1 include:amazonses.com ~allDMARC — Domain-based Message Authentication
Add a TXT record at _dmarc.yourdomain.com:
Name: _dmarc.yourdomain.com
Type: TXT
Value: v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.comp=quarantine tells receiving servers to quarantine (junk folder) messages that fail DMARC, rather than rejecting them outright. Start with p=quarantine and move to p=reject once you have confirmed your authentication is set up correctly via the DMARC aggregate reports (rua).
DMARC policies of p=none (monitor mode) pass the technical requirement but do not signal sender accountability. As of 2026, Gmail and Yahoo apply additional scrutiny to cold senders with p=none. Use p=quarantine or p=reject for cold email domains. Verify alignment works correctly in DMARC reports before moving to p=reject.
Validate your full authentication setup using MXToolbox or mail-tester.com — both free.
Getting out of the sandbox
All new SES accounts are in the sandbox. Sandbox limitations:
- Maximum 200 emails per 24 hours
- Can only send to verified email addresses — you cannot send to arbitrary recipients
To send cold email, you need production access. In the SES console, go to Get set up → Request production access.
How to write the request for B2B outbound prospecting
AWS reviews these requests manually. The single most common mistake is being too vague or using the term "cold email" — which AWS associates with spam. Here is how to frame the request accurately and effectively:
- Use case type: Select "Marketing" — this covers outbound prospecting
- Website URL: Provide your active business website. If you registered a new sending domain, point to your main business site
- Description: Write a detailed paragraph explaining: your industry, how you identify prospects (LinkedIn, industry databases, company websites), why your outreach is relevant to their professional role, how you handle bounces (SNS → suppression list), how you handle unsubscribes (immediate removal, suppression list), your daily volume targets, and your list verification process
- Avoid: The phrase "cold email," "bulk email to purchased lists," "mass prospecting"
- Use instead: "Targeted B2B outreach to professionally relevant contacts," "permission-aware prospecting with documented opt-out handling"
A complete, detailed request is typically approved within 24 hours. Post-approval default limits: 50,000 emails/day at 14 emails/second.
AWS denials typically include a reason. Respond to the denial email with additional detail: attach your bounce handling policy, your opt-out process, and examples of the types of contacts you will email. A follow-up with more specific detail is usually approved.
Bounce and complaint handling — the critical step most guides skip
AWS SES monitors your bounce and complaint rates in real time. Exceed the thresholds and your account enters review or gets suspended. Here are the exact numbers:
In practice, maintain under 2.5% bounce and 0.05% complaint to stay comfortably clear of both thresholds. At those rates, you have meaningful headroom before hitting any review trigger.
Setting up automatic bounce and complaint handling
Manual monitoring of the SES console is too slow. By the time you notice a bounce spike, you may already be at 7-8% and AWS is reviewing your account. Automate this:
- In the SES console, go to Configuration sets → Create configuration set. Create one for your cold email sending.
- Add an SNS event destination to the configuration set. Select bounce, complaint, and delivery events. Point to an SNS topic you create.
- In SNS, subscribe an SQS queue to the topic.
- Configure a Lambda function (or your application) to read from the SQS queue and process bounce and complaint notifications.
- For every hard bounce notification, add the address to your SES account-level suppression list.
- For every complaint notification, add the address to the suppression list immediately.
If you are using Vexifa EMP, the application handles suppression list synchronisation for you — see the Vexifa EMP section below.
Enable the account-level suppression list
In SES console → Account dashboard → Suppression list settings — enable automatic suppression for both bounces and complaints. This means SES will automatically refuse to deliver to any address that has bounced or complained, without requiring Lambda code. Enable this before sending your first email.
List hygiene — verify before you send
A cold list acquired from any external source — LinkedIn exports, data brokers, industry databases — will contain invalid addresses. Industry estimates range from 5-20% invalid on typical B2B cold lists. Sending to these addresses generates hard bounces that quickly push you above threshold.
Verify your list with an email validation service before importing into any sending tool:
- ZeroBounce — approximately $16 per 1,000 verifications
- NeverBounce — approximately $8 per 1,000
- Millionverifier — approximately $3 per 1,000 (bulk pricing)
Remove all "invalid," "disposable," "catch-all" (with caution), and "role-based" addresses (info@, contact@, support@) before sending. Catch-all addresses accept any email but many never reach a real person — they generate low engagement that damages your domain reputation without producing bounces.
Shared IP vs. dedicated IP for cold email
| Option | Monthly cost | Warm-up required | Best for |
|---|---|---|---|
| Shared IP pool | Free (included) | No — pre-warmed by AWS | Under 5,000 emails/day |
| Managed dedicated IP pool | $15/month | Auto (45-day managed) | 5,000–50,000 emails/day |
| Standard dedicated IP | $24.95/IP/month | Yes — manual 45-day ramp | 50,000+/day, reputation control |
For most cold email senders starting out, the shared IP pool is appropriate. AWS's shared pool is large and carefully managed — your sending is protected from other users' reputation problems by the pool's overall volume.
The managed dedicated IP pool at $15/month becomes worth it once you are consistently sending above 5,000 emails/day. At that scale, isolating your reputation from other senders provides meaningful deliverability control. The managed pool handles warm-up automatically over 45 days — you do not need to manually ramp volume.
Dedicated IP reputation requires consistent sending volume to be maintained. ISPs expect daily sending to build reputation scores. If you send 10,000 emails one week and nothing for two weeks, the IP's reputation degrades. Only move to dedicated IPs when you have consistent, predictable volume.
Running campaigns with Vexifa EMP
AWS SES is infrastructure, not a campaign manager. You need a separate tool to write email sequences, import contacts, personalise messages, schedule sends, track replies, and manage unsubscribes.
Most campaign managers fall into two categories with a critical limitation for cold email:
- Cloud SaaS platforms (Instantly, Smartlead, Apollo, MailBluster, EmailOctopus) — explicitly prohibit cold email in their terms of service. Your data sits on their servers. When they see cold email sending patterns, your account gets suspended — separate from AWS.
- Self-hosted web apps (Sendy, Listmonk, Mautic) — require a Linux server, database administration, and ongoing maintenance. Not practical for solo operators or small teams without a developer.
Vexifa EMP is a Windows desktop application. It connects to AWS SES via SMTP and manages the campaign layer locally — your contact data never leaves your machine, there is no cloud platform whose terms restrict cold email, and there is no separate server to maintain.
Connecting Vexifa EMP to AWS SES
In the AWS SES console, go to SMTP settings and create SMTP credentials (a username and password separate from your AWS IAM credentials). Note the SMTP endpoint for your region (e.g., email-smtp.us-east-1.amazonaws.com, port 587 with STARTTLS).
In Vexifa EMP, enter these credentials in the SMTP configuration. The application validates the connection before you can proceed to campaign setup.
Campaign workflow in Vexifa EMP
- Import your verified list — CSV import with column mapping for personalisation tokens (first name, company, title, custom fields)
- Build your sequence — initial email plus follow-ups, with configurable delays (days between each step) and reply detection (automatic stop on reply)
- Configure send scheduling — business hours only, daily volume cap, send rate (emails per hour) to stay well under the 14/second SES default limit
- Review and launch — send a test to yourself, review the full rendered email, then schedule the campaign
- Monitor replies — Vexifa EMP connects to your reply inbox via IMAP to track responses and automatically pause follow-up sequences for contacts who reply
Unsubscribe handling: Vexifa EMP includes an unsubscribe link in every email footer. When a contact clicks unsubscribe, the address is removed from the local campaign and optionally added to the SES account-level suppression list — satisfying both CAN-SPAM's 10-business-day requirement and GDPR's fast opt-out expectation.
Vexifa EMP is currently in development. Core sending, sequencing, and unsubscribe handling are functional internally. Some analytics features are still being finalised before the 1.0 release. Get notified at launch →
Compliance checklist for every send
Cold email is legal in the US and EU under specific conditions. Missing any of these makes every email a potential violation:
CAN-SPAM (US)
- ✓ Physical mailing address in every email footer
- ✓ Accurate "From" name and email address
- ✓ Non-deceptive subject line (no "Re:" tricks)
- ✓ Working unsubscribe link or reply-to mechanism
- ✓ Honour unsubscribes within 10 business days
GDPR (for recipients in EU/UK)
- ✓ B2B cold email is permitted under legitimate interest — message must be professionally relevant to the recipient's role
- ✓ Include an easy opt-out mechanism in every email
- ✓ Honour opt-outs within 24-48 hours (faster than CAN-SPAM requires)
- ✓ Do not use personal data beyond the stated purpose
- ✓ Maintain a record of who opted out and when
AWS acceptable use
- ✓ No deceptive subject lines or headers
- ✓ No lists acquired through means that violate websites' terms
- ✓ No spam trap addresses (keep bounce rate under 2.5%)
- ✓ Documented bounce and complaint handling processes
Monitoring your account health
AWS SES has no excuse for not knowing your sending metrics — they are all in the console. Check these regularly:
| Metric | Where to find it | Check frequency | Action threshold |
|---|---|---|---|
| Bounce rate | SES console → Account dashboard | After every send batch | Act if above 2.5% |
| Complaint rate | SES console → Account dashboard | After every send batch | Act if above 0.05% |
| Sending quota usage | SES console → Account dashboard | Daily | Request quota increase before hitting cap |
| Suppression list additions | SES console → Suppression list | Weekly | Export monthly for compliance records |
For higher-volume senders, set up CloudWatch Alarms on your SES bounce and complaint metrics. Configure the alarm to send an SNS notification when bounce rate exceeds 3% or complaint rate exceeds 0.08% — this gives you automated early warning before the AWS review threshold.
Frequently asked questions
Is cold email against AWS SES terms of service?
AWS SES's acceptable use policy prohibits spam and deceptive sending but does not explicitly prohibit B2B cold email. Targeted outreach to professionally relevant contacts is accepted if you maintain low bounce and complaint rates, use proper authentication, include required CAN-SPAM elements, and honour unsubscribes. Frame your production access request around "B2B outreach with documented bounce handling" — not "cold email."
How many cold emails can I safely send per day with AWS SES?
After production access approval, the default limit is 50,000/day at 14/second. For cold email, start at 100-200/day and ramp by 30-50% per week. A safe cadence: 200/day in week 1, 500/day in week 3, 2,000/day by week 6. Rapid volume ramps damage domain reputation regardless of AWS's sending limit.
What is the AWS SES bounce rate limit?
Hard bounce rate triggers review above 5% and suspension risk above 10%. Complaint rate triggers review above 0.1% and suspension above 0.2%. Maintain under 2.5% bounce and 0.05% complaint. Verify every cold list before sending using NeverBounce, ZeroBounce, or Millionverifier.
Do I need a dedicated IP for cold email with AWS SES?
Not at low volumes. The shared IP pool is appropriate under 5,000 emails/day. The managed dedicated IP pool at $15/month makes sense between 5,000 and 50,000/day. Standard dedicated IPs ($24.95/IP/month) are for high-volume senders who need full reputation control and can maintain consistent daily volume.
Can I use Gmail or Outlook as a sender address with AWS SES?
No. SES only sends from domains you own and have verified. You cannot send as @gmail.com or @outlook.com. Gmail's and Outlook's DMARC policies (p=reject) would reject messages using their domain from external servers anyway.
Bottom line
AWS SES is the most cost-effective sending infrastructure for cold email at any volume. At $0.10/1,000 emails, it costs 15-30x less than outreach platforms that provide campaign management on top of the sending layer.
The setup requires work that those platforms abstract away — domain authentication, sandbox exit, bounce automation, compliance implementation. But each step is well-documented and one-time. Once the infrastructure is in place, you are paying commodity infrastructure rates forever.
The missing piece — a campaign manager that connects to SES without cloud platform ToS restrictions — is what Vexifa EMP fills. Local Windows desktop application, your data stays on your machine, no third-party platform restrictions on your use case.
The full stack: SES ($5-25/month for most volumes) + Vexifa EMP (currently in beta) = a cold email infrastructure that costs a fraction of purpose-built outreach platforms and gives you full control of every component.