What Is a Smarthost or Relayhost in Plesk?

A smarthost (also called a relayhost) is an external mail server that your Plesk server uses to send outgoing email on behalf of your domains. Instead of sending mail directly from your server (which can lead to deliverability issues or blocks), the smarthost receives your mail and forwards it to its final destination. This is particularly useful if your hosting provider restricts direct email delivery or if you want to improve your email deliverability and reputation123.

Do You Have to Pay for a Smarthost?

Plesk itself does not charge you for enabling or configuring a smarthost. However, most reputable SMTP relay services (like SendGrid, Mailgun, Mailjet, SMTP2GO, etc.) do charge for their services, especially if you are sending bulk emails. Some offer limited free tiers (e.g., SendGrid, SMTP2GO), but for bulk mailers, you will almost certainly need a paid plan. Pricing varies by provider and by the volume of emails you send41.

How to Configure a Smarthost in Plesk (Step-by-Step)

Requirements:

• Plesk Obsidian 18.0.64 or newer.
• An account with a reputable SMTP relay service (e.g., SendGrid, Mailgun, Mailjet).

Instructions:

1. Choose and Set Up Your SMTP Relay Service
   • Register with a reputable SMTP relay provider.
   • Obtain the server hostname (e.g., smtp.sendgrid.net) and your authentication credentials (username/password or API key)1.
2. Log in to Plesk
   • Access your Plesk admin panel.
3. Navigate to Smarthost Settings
   • Go to Tools & Settings > Smarthost (under the “Mail” section)23.
4. Enable Smarthost
   • Check the box labeled “Send users’ mail via a smarthost”.
5. Enter Smarthost Details
   • In the provided field, enter the hostname or IP address of your SMTP relay (e.g., smtp.sendgrid.net).
   • If you want to disable MX or SRV lookups (Linux only), enclose the address in square brackets (e.g., [smtp.sendgrid.net])1.
6. Authentication
   • Enter the required authentication details (username, password, port, etc.), as provided by your SMTP relay service.
7. Test the Connection (Optional but Recommended)
   • Use the Check Connection feature to verify that Plesk can connect to your smarthost23.
8. Save Changes
9. Update DNS Records
   • Update your domain’s SPF record to include the smarthost’s sending IPs or domains. This is necessary to authorize the smarthost to send mail on your behalf and avoid spam issues2.

How Can This Help a Bulk Mailer Domain?

Benefits for Bulk Mailing:

• Improved Deliverability: Using a reputable SMTP relay with a good IP reputation increases the likelihood that your emails land in inboxes rather than spam folders1.
• Avoids Hosting Provider Restrictions: Many hosts limit or block direct outgoing mail. A smarthost bypasses these restrictions.
• Scalability: SMTP relay services are designed to handle large volumes of email, which is essential for bulk mailers4.
• Monitoring & Analytics: Most SMTP relays provide dashboards for tracking delivery, bounces, complaints, and engagement.
• Compliance & Security: Many services offer built-in compliance features (DKIM, SPF, DMARC) and security (TLS encryption).

Cautions for Bulk Mailers:

• Costs: Bulk sending usually requires a paid plan with your SMTP relay provider. Free tiers are generally insufficient for high volumes4.
• Reputation Management: Even with a smarthost, sending unsolicited or low-quality bulk mail can get your account suspended or blacklisted.
• Configuration Overwrites: Enabling the smarthost feature in Plesk will overwrite any previous manual relayhost configurations213.
• Mail Forwarding Limitation: Some SMTP relays (e.g., SendGrid) may disable mail forwarding if a smarthost is configured23.

Summary Table: Smarthost vs. Direct Sending in Plesk

Feature	Direct Sending (Local SMTP)	Smarthost/Relayhost (SMTP Relay)
Deliverability	Often poor (spam risk)	High (if relay has good reputation)
Hosting Provider Restrictions	May be blocked/limited	Usually allowed
Bulk Sending Capability	Limited	Designed for high volume
Cost	Free (except bandwidth)	Usually paid (free tiers limited)
Setup Complexity	Simple	Requires external account
Analytics/Monitoring	Minimal	Advanced (with relay service)

---

How Smarthost Works With Amazon SES

Amazon SES vs. Plesk Smarthost: How They Work Together and Key Differences

How You Used Amazon SES Without Smarthost

When you previously used Amazon SES, you likely configured your applications or scripts to connect directly to SES’s SMTP endpoint (or used its API). In this setup:

• Each sender (mailbox, script, or web app) authenticates to SES individually.
• You manage SES credentials and sender verification per mailbox or domain.
• Outgoing mail bypasses the local Plesk mail server entirely and is sent straight through SES.

What Changes When You Use Smarthost in Plesk?

With Plesk’s smarthost (relayhost) configuration:

• All outgoing mail from your Plesk server, regardless of which domain or mailbox originates it, is routed through the external SMTP relay (in this case, Amazon SES)25.
• You only need to configure the relay once at the server level, not per application or mailbox.
• Plesk’s mail server (Postfix) handles the relay, so all server-generated and user-generated mail uses SES as the outbound path.

---

Detailed Comparison Table

Feature	Direct Amazon SES SMTP (Per App/Mailbox)	Plesk Smarthost with Amazon SES
Configuration Location	Each script/app/mailbox	One-time setup in Plesk admin
Who Authenticates to SES	Each sender separately	Plesk server authenticates on behalf of all
Mail Routing	Direct from app to SES	All mail routed via Plesk → SES
Sender Verification	Each sender/domain must be verified in SES	Each sender/domain must be verified in SES
Centralized Management	No	Yes
Bulk Mailing Support	Yes (with SES limits)	Yes (with SES limits)
Ease of Adding New Apps/Mailboxes	Must configure SES for each	No extra config; uses existing relay
Troubleshooting	Per app	Centralized in Plesk
Deliverability	High (if SES is properly set up)	High (if SES is properly set up)
Host SMTP Restrictions	Bypassed	Bypassed

---

Key Considerations and Limitations with Amazon SES as Smarthost

• Sender/Domain Verification Required: Amazon SES requires every sender address or domain to be verified before it will relay mail for it. This is a core SES anti-abuse measure. If a domain or address isn’t verified, SES will reject the message with an error134.
  • This can be a pain for shared hosting or bulk mailers with many domains, as every domain must be verified in SES14.
• Bulk Mailing: SES is designed for high-volume sending, but you must stay within your SES sending limits and comply with their anti-spam policies5.
• Centralized Outbound Control: Using smarthost means all outgoing mail (notifications, web app mail, user mailboxes) uses the same SES account and configuration, simplifying management and monitoring25.
• Consistent Deliverability: All mail benefits from SES’s deliverability, IP reputation, and compliance features5.
• Setup in Plesk: You configure the smarthost under Plesk’s mail settings, entering SES’s SMTP endpoint, port (587), and credentials, and enabling encrypted connections35.

---

Summary: When to Use Each Approach

• Direct SES SMTP (Per App/Mailbox):
  • Best if you only have a few apps or mailboxes, or want granular control.
  • Each sender must be configured and verified in SES.
  • Good for single-domain or single-app scenarios.
• Plesk Smarthost with SES:
  • Best for centralized management, especially if you have many apps, scripts, or mailboxes on your server.
  • Still requires SES sender/domain verification, but simplifies Plesk-wide mail routing and monitoring.
  • Ideal for bulk mailers who want all server mail to benefit from SES’s deliverability and compliance features.

---

Practical Tips for Bulk Mailers

• Verify All Sending Domains in SES: Before enabling smarthost, ensure every domain you plan to send mail from is verified in SES, or SES will reject those messages14.
• Monitor SES Sending Limits: Bulk mailers must watch their SES quotas and reputation.
• Update SPF/DKIM/DMARC Records: Align your DNS records for each domain to authorize SES as a sender for best deliverability.

---

In summary:
Using Plesk’s smarthost with Amazon SES centralizes and simplifies outbound mail management for all domains and mailboxes, but you must still verify each sender domain in SES. This approach is especially helpful for bulk mailers who want consistent deliverability and easier server-wide mail management, provided you handle SES’s sender verification requirement

---

Step-by-Step: Setting Up Amazon SES with Multiple IPs and Plesk Smarthost

You have five IP addresses on your dedicated server and want to route outgoing mail through Amazon SES using Plesk’s smarthost feature. Here’s how to proceed, including the SES documentation links for each step.

---

1. Decide on Your SES IP Strategy

Amazon SES offers three main outbound IP models:

• Shared IP Pool: Default; shared with other SES users (no extra cost).
• Dedicated IPs (Standard or Managed): Reserved for your use only (additional cost)18.
• IP Pools: Group dedicated IPs for specific sending purposes (e.g., marketing vs. transactional)24.

If you want SES to use your own dedicated IPs (not your server’s IPs), you must lease them from AWS. Your server’s public IPs are not used for outbound mail when using SES; SES’s infrastructure is.

Read more:

• [Dedicated IP addresses for Amazon SES]1
• [Assigning IP pools in Amazon SES]2
• [Creating standard dedicated IP pools]4

---

2. (Optional) Purchase and Assign Dedicated IPs in SES

If you want to use dedicated SES IPs:

• Go to the SES Console > Dedicated IPs.
• Request dedicated IPs (standard or managed)134.
• Create IP pools if you want to group them (e.g., by purpose)4.
• Assign pools to configuration sets as needed24.

If you use the shared pool, skip this step.

---

3. Verify Sending Domains in SES

• In the SES Console, go to “Verified identities.”
• Add and verify each domain you’ll send mail from (follow SES instructions for DNS verification).
• Set up DKIM and SPF records as instructed by SES for each domain.

---

4. Obtain SES SMTP Credentials

• In SES Console, go to “SMTP Settings.”
• Create SMTP credentials (username/password) for your region.
• Note the SMTP endpoint for your region (e.g., email-smtp.us-east-1.amazonaws.com).

Reference: Amazon SES SMTP Settings

---

5. Configure Plesk Smarthost

1. Log in to Plesk as admin.
2. Go to Tools & Settings > Mail Server Settings.
3. Find the Smarthost or Outgoing Mail Control section.
4. Enter the SES SMTP endpoint (e.g., email-smtp.us-east-1.amazonaws.com).
   • Use port 587 (STARTTLS) or 465 (SSL).
   • If you want to avoid DNS lookups, use brackets: [email-smtp.us-east-1.amazonaws.com].
5. Enter the SMTP username and password you generated in SES.
6. Save changes.

---

6. (Optional) Assign Outbound Server IPs in Plesk

• In Plesk, you can assign which local IP address is used for outbound connections for each domain or mailbox, but with SES, the source IP is not visible to recipients—SES’s IPs are used for delivery.
• If you want to control which server IP is used to connect to SES (for firewall or routing purposes), you may need to adjust your server’s network or Postfix configuration9.

---

7. Update DNS Records for Each Domain

• Ensure SPF records include SES (include:amazonses.com).
• Publish DKIM and DMARC records as provided by SES for each domain.

---

8. Test and Monitor

• Send test emails from each domain and verify delivery.
• Use SES’s dashboard to monitor bounces, complaints, and deliverability.

---

Key Points About Your Server IPs

• When using SES as a smarthost, your server’s IP addresses are not used to deliver mail to recipients—SES’s IPs (shared or dedicated) are.
• Your server’s IPs only matter for the connection to SES, not for the final delivery.

---

Relevant SES Documentation Links

• Dedicated IP addresses for Amazon SES1
• Assigning IP pools in Amazon SES2
• Creating standard dedicated IP pools4
• Amazon SES SMTP Settings

---

If you need to assign different SES configuration sets (and thus IP pools) per domain or per type of mail, you’ll need to customize your mail server’s configuration or use SES’s API for advanced routing. Otherwise, all mail routed via the smarthost will use the same SES configuration.

---

Amazon SES Dedicated IP – Costs and Advantages

Amazon SES Dedicated IP Pricing

Standard Dedicated IPs:

• $24.95 per IP per month1258.
• You can lease as many as you need, and assign them to IP pools for different sending purposes.

Managed Dedicated IPs:

• $15.00 per month per account base fee2456.
• Plus a usage-based fee:
  • $0.08 per 1,000 emails for up to 10 million emails/month
  • $0.04 per 1,000 emails for 10–50 million emails/month
  • $0.02 per 1,000 emails for 50–100 million emails/month245.
• AWS manages warm-up, scaling, and assignment for you.

Bring Your Own IP (BYOIP):

• $24.95 per IP per month, but requires a minimum of 256 IPs (totaling $6,387.20/month)245.

Shared IPs:

• No additional cost; included in standard SES pricing235.

---

Pros and Cons of Using Dedicated IPs with Amazon SES

Pros	Cons
Full control over sender reputation (not affected by other SES users)	Additional monthly cost per IP ($24.95 standard, $15+usage managed)
Improved deliverability for high-volume or sensitive senders	Requires manual warm-up for standard IPs (unless using managed IPs)
Ability to segment sending (e.g., marketing vs. transactional) via pools	Need to maintain good sending practices to avoid IP reputation issues
Managed IPs handle warm-up and scaling automatically	Managed IPs add per-email charges in addition to the base fee
Can be required by some ISPs for high-volume mailers	BYOIP option is expensive and only practical for very large senders
Avoids being blacklisted due to other users’ behavior	If reputation suffers, all mail from that IP may be affected until remediated

---

Summary

• Dedicated IPs are best for high-volume senders, those needing strict reputation control, or organizations wanting to separate different types of mail streams.
• Standard Dedicated IPs offer manual control and require you to manage warm-up and scaling.
• Managed Dedicated IPs are easier for most users, as AWS handles warm-up and scaling, but they add a per-email fee.
• Shared IPs are suitable for low-volume or less reputation-sensitive senders and have no extra cost.

Official SES Pricing:

• Amazon SES Pricing Page

---

Amazon SES Dedicated IP Pricing Categories

Amazon SES offers several options for dedicated IP addresses, each with distinct pricing and management features. Here’s a detailed breakdown:

---

1. Shared IPs

• Cost: $0 (included with SES; no extra charge)
• Description: Your emails are sent from a pool of IP addresses shared with other SES customers.
• Use Case: Suitable for low-to-moderate volume senders who do not require strict control over sending reputation.

---

2. Standard Dedicated IPs

• Cost: $24.95 per IP per month134.
• Description:
  • You lease dedicated IP addresses exclusively for your use.
  • You manually manage these IPs, including setup, warm-up, scaling, and assignment to IP pools.
  • You have full control over your sending reputation.
• Use Case: Best for high-volume senders or those needing strict control over deliverability and reputation25.

---

3. Managed Dedicated IPs

• Base Cost: $15.00 per account per month34.
• Usage-Based Cost:
  • $0.08 per 1,000 emails for the first 10 million emails/month
  • $0.04 per 1,000 emails for 10–50 million emails/month
  • $0.02 per 1,000 emails for 50–100 million emails/month34
• Description:
  • AWS automatically manages the provisioning, warm-up, scaling, and assignment of dedicated IPs for you.
  • The number of IPs scales with your sending volume and ISP requirements.
  • Designed for users who want dedicated IP benefits without manual management6.
• Use Case: Ideal for senders who want the advantages of dedicated IPs but prefer AWS to handle technical details and scaling.

---

4. Bring Your Own IP (BYOIP)

• Cost: $24.95 per IP per month, with a minimum of 256 IPs (minimum $6,387.20/month)3.
• Description:
  • You bring your own IP addresses (must meet AWS requirements) and use them with SES.
  • Suitable for very large senders with existing IP infrastructure.
• Use Case: Large enterprises or ESPs with their own IP blocks.

---

Summary Table

IP Type	Monthly Cost	Description & Use Case
Shared IPs	$0	Default; shared with others; no control over reputation
Standard Dedicated IPs	$24.95 per IP	Full control; manual management; ideal for high-volume or reputation-sensitive senders
Managed Dedicated IPs	$15/account + usage fees	AWS-managed scaling & warm-up; usage-based fees; less manual work
BYOIP	$24.95 per IP (min 256 IPs)	Bring your own IPs; for very large senders with their own IP blocks

---

References:

• [Amazon SES Pricing Page]1
• [Amazon SES Documentation: Dedicated IP addresses]256
• [Mailbluster SES Pricing Guide]3
• [CampaignHQ SES Pricing]

---

---

Amazon SES Dedicated IP Pricing Categories (All Costs Included)

Below is a comprehensive breakdown of Amazon SES dedicated IP options, including every cost involved—monthly fees, per-email charges, data/attachment fees, and other relevant add-ons.

---

IP Type	Monthly IP Fee	Email Sending Fee	Data/Attachment Fee	Other Fees	Details & Use Case
Shared IPs	$0	$0.10 per 1,000 emails1258	$0.12 per GB of attachments125	None	Default. No IP control, shared reputation. Good for low/moderate senders.
Standard Dedicated	$24.95 per IP per month125	$0.10 per 1,000 emails1258	$0.12 per GB of attachments125	None	Full control over IP reputation. Manual warm-up. Best for high-volume or reputation-sensitive senders.
Managed Dedicated	$15 per account per month base1235	$0.08 per 1,000 emails (0–10M)1235 $0.04 per 1,000 (10–50M) $0.02 per 1,000 (50–100M)	$0.12 per GB of attachments125	None	AWS manages warm-up, scaling. Tiered email rates. Good for those wanting less manual management.
BYOIP	$24.95 per IP per month (min 256 IPs)1235	$0.10 per 1,000 emails1258	$0.12 per GB of attachments125	Minimum monthly: $6,387.20 (256 IPs)13	Bring your own IPs. For large senders with their own IP blocks.

---

Additional SES Charges (Apply to All IP Types)

• First 3,000 emails/month are free for the first 12 months (AWS Free Tier)125
• Inbound email: $0.10 per 1,000 messages125
• Mail chunks (for large inbound emails): $0.09 per 1,000 chunks (each chunk is 256 KB)12
• Virtual Deliverability Manager (optional): $0.07 per 1,000 emails, with volume discounts13
• Deliverability Dashboard (optional): $1,250/month3
• Multi-region endpoint surcharge: $0.03 per 1,000 emails13
• Extra add-ons: Varies (e.g., archiving, advanced analytics)12

---

Key Points

• Standard Dedicated IPs:
  • $24.95 per IP per month is just for the IP lease.
  • You always pay the standard SES sending fee ($0.10/1,000 emails) and data fees, even with dedicated IPs1258.
  • Example: Sending 1,000,000 emails with 3 dedicated IPs in a month:
    • IP cost: $24.95 × 3 = $74.85
    • Email sending: $0.10 × (1,000,000 / 1,000) = $100
    • Data/attachments: $0.12 per GB (if applicable)
    • Total: $174.85 + data fees
• Managed Dedicated IPs:
  • $15/month base fee per account, plus tiered per-email rates (from $0.08 to $0.02 per 1,000 emails as volume increases)1235.
  • No manual warm-up; AWS manages everything.
• BYOIP:
  • Minimum 256 IPs, $24.95 each per month ($6,387.20 minimum monthly IP fee), plus standard sending and data fees

---

What Does “Per Account” Mean for Managed Dedicated IPs?

In Amazon SES, “per account” refers to your AWS account. The $15/month base fee for managed dedicated IPs is charged once per AWS account, regardless of how many managed dedicated IPs SES assigns to you based on your sending volume127. You do not pay $15 per IP; you pay $15 per AWS account using the managed dedicated IP feature, plus the usage-based per-email charges.

---

Why Are Per-Email Charges Lower for Managed Dedicated IPs Than Standard Dedicated IPs?

Managed dedicated IPs have lower per-email charges because AWS automates the management, warm-up, scaling, and optimal assignment of IPs using machine learning and adaptive strategies1247. This efficiency allows AWS to offer a lower per-email rate compared to standard dedicated IPs, where you manually manage the IPs, pools, and warm-up process.

Key differences:

• Standard Dedicated IPs:
  • You pay $24.95 per IP per month, plus $0.10 per 1,000 emails sent.
  • You are responsible for manually warming up, scaling, and managing the IPs234.
  • Designed for senders who want full control over their IP reputation and configuration.
• Managed Dedicated IPs:
  • You pay $15 per AWS account per month (not per IP), plus a tiered per-email fee:
    • $0.08 per 1,000 emails for the first 10 million emails/month
    • $0.04 per 1,000 for 10–50 million/month
    • $0.02 per 1,000 for 50–100 million/month
  • AWS automatically handles IP warm-up, scaling, and optimal assignment for you1247.
  • Designed for ease of use, scalability, and efficiency, which lets AWS pass on cost savings as lower per-email rates.

---

Summary Table: SES Dedicated IP Pricing (with All Costs)

Type	Monthly Fee	Per-Email Fee	Who Manages IPs?	Who Pays the Fee?	Best For
Standard Dedicated IPs	$24.95 per IP	$0.10 per 1,000 emails	You (manual)	Per IP	Full control, manual management
Managed Dedicated IPs	$15 per AWS account	$0.08/$0.04/$0.02 per 1,000 emails (tiered)	AWS (automatic)	Per AWS account	Ease of use, auto-scaling, efficiency
Shared IPs	$0	$0.10 per 1,000 emails	AWS (shared pool)	N/A	Low/moderate senders, no IP control

---

There are clear reasons why some organizations still choose Standard Dedicated IPs with Amazon SES, even though Managed Dedicated IPs appear simpler and often cheaper for many use cases.

---

Why Choose Standard Dedicated IPs?

1. Full Manual Control

• With Standard Dedicated IPs, you have complete control over which IPs are used, how they are warmed up, and how they are assigned to different pools or mail streams123.
• You can segment traffic (e.g., marketing vs. transactional) exactly as you wish and keep certain IPs reserved for specific purposes.

2. Static, Known IP Addresses

• Standard Dedicated IPs are assigned to you and do not change unless you release them. This is important for organizations that need to provide a fixed IP list to partners, customers, or whitelists2.
• Managed Dedicated IPs may change as SES scales and reallocates IPs automatically.

3. Predictable Costs

• You pay a flat monthly fee per IP, regardless of how much you send (plus standard SES per-email charges). This can be more predictable for organizations with steady, high-volume traffic.

4. Advanced Use Cases

• Some compliance, security, or integration scenarios require granular control over IP management, warmup schedules, and pool assignments—features only available with Standard Dedicated IPs123.

---

Why Managed Dedicated IPs Are Often Preferred

• Automatic Scaling and Warmup: SES manages the number of IPs, warmup process, and scaling based on your sending patterns, reducing management overhead and risk of mistakes453.
• Adaptive Reputation Management: SES uses machine learning to optimize deliverability and IP reputation, even across different ISPs and changing volumes43.
• Lower Per-Email Cost: Managed Dedicated IPs have a lower per-email charge because AWS can optimize resource use and reputation management at scale3.
• No Manual Requests: You don’t need to open support tickets to add or remove IPs; SES handles allocation and deallocation automatically43.

---

What Happens If You Get a Bad Sender Score with Standard Dedicated IPs?

Even with Standard Dedicated IPs, AWS does not ignore your sender reputation. SES actively monitors bounce rates, complaint rates, and other reputation metrics for all accounts and IPs—regardless of whether they are standard or managed6. If your sender score drops due to high bounces, spam complaints, or sending to spam traps:

• SES may throttle, pause, or even suspend your ability to send email from those IPs6.
• Your sender reputation directly affects deliverability, and poor practices will result in degraded service, regardless of your management model.

In summary:

• Standard Dedicated IPs are for organizations needing fixed IPs, granular manual control, or predictable costs, and who are confident in managing warmup and reputation themselves.
• Managed Dedicated IPs are better for most senders, offering automation, lower per-email costs, and less risk of mismanagement.
• Regardless of type, SES always monitors your sender reputation and can take action if you violate best practices or your reputation drops

---

 with Managed Dedicated IPs in Amazon SES, the fixed subscription fee is $15 per AWS account per month, regardless of how many managed dedicated IPs AWS allocates to your account as your sending volume increases345. You do not pay $15 per IP; you pay $15 total per account for the managed dedicated IP feature.

How it works:

• AWS automatically assigns and manages the appropriate number of dedicated IPs for your account based on your sending patterns and volume.
• You only pay the $15/month base fee per account, plus the tiered per-email sending charges:
  • $0.08 per 1,000 emails for the first 10 million emails/month
  • $0.04 per 1,000 emails for 10–50 million/month
  • $0.02 per 1,000 emails for 50–100 million/month345

Example:
If your sending volume grows and AWS allocates more managed dedicated IPs to maintain deliverability, your monthly base fee remains $15 for the account. Your only variable cost is the per-email charge, which gets cheaper as your volume increases.

References:

• [Mailbluster SES Pricing]3
• [CampaignHQ SES Pricing]4
• [AWS Email Service Pricing]

---

Cleaning your lists by sending initial email blasts through your own servers to filter out undeliverables and unsubscribes is considered good practice—especially before moving to a high-reputation service like Amazon SES.

Here’s why this approach is recommended:

• Removes Invalid and Outdated Addresses: Sending through your own server allows you to identify and suppress hard bounces (permanently undeliverable emails) before they can harm your sender reputation on SES or any other major ESP167.
• Reduces Spam Complaints: You can also identify subscribers who mark your emails as spam and remove them, which protects your sender score37.
• Improves List Engagement: By filtering out unengaged or inactive subscribers, you ensure that your future campaigns (especially on SES) are sent to a more responsive audience, improving open and click rates134.
• Protects Your Sender Reputation: High bounce rates and spam complaints are major factors in sender reputation. Cleaning your list first helps ensure that when you switch to SES, you start with a healthy list, which is critical for inbox placement and deliverability467.
• Compliance and Deliverability: Many ESPs, including SES, may suspend or throttle your account if you generate too many bounces or complaints early on. Pre-cleaning helps you avoid these issues46.

Best Practices:

• Immediately remove hard bounces from your list16.
• Segment and re-engage inactive users, then remove those who remain unresponsive37.
• Use email verification tools to catch invalid addresses before sending56.
• Regularly repeat this cleaning process, not just once5.

---

How Do You Identify Subscribers Marking Your Emails as Spam?

How Spam Complaints Work

When a recipient marks your email as spam (for example, by clicking “Report Spam” or “Move to Spam” in their email client), this action is registered as a spam complaint. However, not all mailbox providers share this information with senders.

Feedback Loops (FBLs)

• Many major email providers (like Yahoo, Outlook.com, Comcast, AOL, and others) offer feedback loops. When a user marks your email as spam, these providers send a report (FBL) to the sender’s registered address, allowing you to see which subscribers complained and remove them from your list758.
• To use FBLs, you must register your sending domain or IP with the provider’s feedback loop service.

Limitations with Gmail and Apple

• Gmail and Apple do NOT provide individual spam complaint data to senders4. When a recipient marks your email as spam in Gmail, you do not receive the specific address or complaint notification.
• Instead, Gmail provides aggregate spam complaint rates through [Google Postmaster Tools]4. You can see your overall spam rate but not which subscribers complained.

How to Monitor and Reduce Spam Complaints

• Set Up Feedback Loops: Register for FBLs with all providers that offer them. This allows you to receive and process complaint reports automatically75.
• Monitor Aggregate Data: Use tools like Google Postmaster Tools (for Gmail) to monitor your spam complaint rates in aggregate41.
• Use Deliverability Platforms: Some platforms (e.g., MxToolbox, Braze, ESP dashboards) aggregate complaint data and provide reports, including for providers with FBLs546.
• Automatic List Management: Many ESPs will automatically remove or suppress addresses that generate spam complaints, even if you don’t see the specific addresses368.

What You Can and Cannot See

Provider	Individual Complaint Data?	Aggregate Spam Rate?	How to Access
Yahoo, Outlook	Yes (via FBL)	Sometimes	Register for FBL, ESP reports
Gmail, Apple	No	Yes	Google Postmaster Tools
Other ESPs	Varies	Varies	ESP dashboard, FBLs

Summary

• You cannot see individual Gmail or Apple users who mark your emails as spam—only your overall spam rate.
• For other providers (Yahoo, Outlook, etc.), you can receive individual complaint reports if you set up feedback loops758.
• Use these reports to promptly remove complainers from your list to protect your sender reputation.

“The most notable providers that do not share spam complaint data are Gmail and Apple… Gmail allows you to see an aggregate of your spam rate directly in Google Postmaster Tools…”

---

DMARC reports (using rua and ruf addresses in your DNS record) do not provide the same type of feedback as a traditional feedback loop (FBL) for spam complaints.

What DMARC Reports Provide

• Aggregate Reports (rua): These are daily XML summaries sent by participating receivers. They show how many emails from your domain passed or failed DMARC, SPF, and DKIM checks, and from which IPs, but they do not identify individual recipients who marked your message as spam. They are mainly for authentication monitoring and identifying unauthorized use of your domain257.
• Forensic Reports (ruf): These are per-message reports about individual emails that failed DMARC. However, few providers send these, and they are primarily for authentication failures, not spam complaints58.

What Traditional Feedback Loops (FBLs) Provide

• FBLs are set up directly with mailbox providers (like Yahoo, AOL, Outlook) and notify you when a recipient marks your email as spam. These reports typically include the recipient’s address (sometimes anonymized), allowing you to suppress that user from future mailings.
• Gmail and Apple do not offer FBLs; you only get aggregate complaint rates through Google Postmaster Tools.

Your DMARC Record

Your DMARC record:

textv=DMARC1; p=reject; rua=mailto:abuse@coupon-delivery.com; ruf=mailto:abuse@coupon-delivery.com; sp=quarantine; aspf=s; adkim=s; fo=0;

• This will send you aggregate and (if supported) forensic authentication failure reports, not spam complaint notifications57.

Summary Table

Report Type	How to Enable	What You Get	Includes Spam Complaints?
DMARC Aggregate	rua=mailto:... in DMARC DNS	Daily XML, pass/fail stats for SPF/DKIM/DMARC	No
DMARC Forensic	ruf=mailto:... in DMARC DNS	Per-message auth failure reports (rarely sent)	No
FBL (traditional)	Register with mailbox provider	Individual spam complaint notifications	Yes (for some providers)

Conclusion

• DMARC reports do not notify you when a user marks your message as spam.
• To get spam complaint data, you must register for FBLs with each provider that offers them.
• For Gmail and Apple, you can only monitor aggregate complaint rates, not individual complaints.

---

Even if your DNS records are set up perfectly, DMARC failures can still occur for several reasons that are unrelated to your direct DNS configuration. Here’s why:

---

How Can You Fail DMARC Even with “Perfect” DNS Records?

1. Misalignment Between “From” Address and Authentication Domains

• DMARC requires that the domain in the “From” header aligns with the domain authenticated by SPF and/or DKIM.
• If you use third-party services (like marketing platforms, CRMs, or help desks) to send mail on your behalf, and they are not configured to use your domain in their SPF or DKIM, those emails can fail DMARC—even if your DNS entries are correct1357.

2. DKIM or SPF Misconfiguration

• Even small errors in your SPF or DKIM records, such as a missing or incorrect value, can cause failures.
• If a DKIM signature is missing, invalid, or not aligned with your domain, DMARC will fail for that message138.

3. Email Forwarding

• When an email is forwarded, the forwarding server’s IP may not be in your SPF record, causing SPF to fail.
• Some forwarding systems also break DKIM signatures by altering the message, leading to DMARC failures—even for legitimate emails135.

4. Domain Spoofing or Unauthorized Senders

• If someone tries to spoof your domain, DMARC will correctly block those emails, which is expected behavior135.

5. Strict Alignment Settings

• Your DMARC policy uses strict alignment (aspf=s; adkim=s;), which means the domains must match exactly.
• If a legitimate sender uses a subdomain or a slightly different domain for SPF or DKIM, strict alignment will cause DMARC to fail34.

6. Missing or Incorrect DNS Records

• If you add a new service or server and forget to update your SPF or DKIM records to include it, emails from that source will fail DMARC346.

---

Example Scenario

Suppose you use a newsletter service to send emails as info@coupon-delivery.com. If that service sends with its own DKIM signature (e.g., d=mailprovider.com) or its own envelope sender (not your domain), and you have strict alignment, those emails will fail DMARC—even if your DNS records are otherwise correct134.

---

How to Diagnose DMARC Failures

• Check DMARC Aggregate Reports: These will show which sources are failing DMARC and why (SPF fail, DKIM fail, alignment fail).
• Review Message Headers: Look for Authentication-Results in the email header to see which checks failed.
• Use Tools: Services like Google Admin Toolbox, MXToolbox, or DMARC report analyzers can help pinpoint the issue46.

---

Summary Table: Common DMARC Failure Causes

Cause	Example	Solution
Third-party sender misaligned	Marketing tool not using your DKIM/SPF	Configure tool to use your domain’s DKIM/SPF
DKIM signature missing/invalid	DNS typo, expired key, or not enabled	Fix DKIM record, enable DKIM on all senders
Email forwarding	Forwarder’s IP not in SPF, DKIM broken	Use DKIM for better resilience, monitor reports
Strict alignment	Subdomain or different domain used in SPF/DKIM	Adjust alignment or update sender configuration
Unauthorized sender	Spoofing attempt	No action needed (DMARC is protecting you)

---

Here are direct links and instructions for registering for feedback loops (FBLs) with major mailbox providers:

---

Major Feedback Loop Registration Links

Yahoo/AOL

• Yahoo Complaint Feedback Loop (CFL):
  • Yahoo Complaint Feedback Loop Registration
  • Requirements: DKIM signing, abuse@ or postmaster@ address, and domain ownership13.

Microsoft (Outlook.com, Hotmail, Live, MSN)

• Microsoft Smart Network Data Services (SNDS) & Junk Email Reporting Program (JMRP):
  • Microsoft JMRP Registration
  • Requirements: Sending IP ownership, abuse@ or postmaster@ address, and valid reverse DNS.

Comcast

• Comcast Feedback Loop:
  • Comcast Feedback Loop Registration
  • Requirements: Sending IP ownership and abuse@ or postmaster@ address.

Mail.ru

• Mail.ru Feedback Loop:
  • Mail.ru Feedback Loop Registration
  • Requirements: Sending IP/domain ownership.

Gmail

• Gmail Feedback Loop (FBL):
  • Gmail does not provide traditional ARF FBLs. Instead, use Google Postmaster Tools to monitor aggregate spam rates and reputation.
  • For more on Gmail’s FBL-like system, see Mailtrap’s explanation1.

Other Providers

• Full List and Instructions:
  • Mailtrap: How to Apply for a Feedback Loop (with links and details)1
  • EmailFeedbackLoops.com: How to Apply for Feedback Loops6

---

General Requirements for FBL Registration

• You must own/control the sending IP or domain.
• You need an active abuse@ or postmaster@ email address to receive reports.
• Proper DNS and authentication (SPF, DKIM) are usually required5.

---

Summary Table

Provider	Registration Link	Notes
Yahoo/AOL	Yahoo CFL	DKIM required
Microsoft	JMRP	IP ownership required
Comcast	Comcast FBL	IP ownership required
Mail.ru	Mail.ru FBL	Russian provider
Gmail	Google Postmaster Tools	Aggregate data only, not individual

---

For a step-by-step guide and more provider links, see:

• Mailtrap FBL Guide1
• EmailFeedbackLoops.com6

Registering for FBLs is a best practice for any sender who wants to minimize spam complaints and protect their sending reputation.

---

With a current DMARC settings (aspf=s; adkim=s for strict alignment), using Amazon SES can lead to DMARC failures and impact deliverability if not configured carefully.

How Alignment Works with Amazon SES

• DKIM Alignment:
  Amazon SES can sign your emails with DKIM using your domain (Easy DKIM). If set up correctly, SES will use your domain for the DKIM signature, and strict alignment (adkim=s) will pass135.
• SPF Alignment:
  SES uses a custom MAIL FROM domain for SPF. By default, this is a subdomain of your domain (e.g., bounces.coupon-delivery.com). However, with strict SPF alignment (aspf=s), the domain in the Return-Path (MAIL FROM) must exactly match the domain in the “From” address—not just be a subdomain157. SES, by design, uses a subdomain for the MAIL FROM, so strict SPF alignment will fail57.

“Amazon SES supports DMARC compliance via both SPF and DKIM, with strict alignment on DKIM but only relaxed alignment on SPF. The SPF domain is a subdomain of your sender domain, so you cannot use the strict SPF alignment mode.”5

What This Means for You

• Strict DKIM alignment (adkim=s) is fine with SES if you use Easy DKIM and sign with your domain.
• Strict SPF alignment (aspf=s) will cause DMARC to fail for SPF, because SES’s MAIL FROM domain is a subdomain, not an exact match. Only relaxed alignment (aspf=r) will work for SPF with SES57.
• If DKIM passes and is aligned, DMARC will still pass (since only one of SPF or DKIM must pass and align). But if DKIM is misconfigured or fails for any reason, your emails will fail DMARC under your current strict settings, leading to rejections or deliverability issues.

Best Practice for SES and DMARC Alignment

• Set aspf=r (relaxed) for SPF alignment in your DMARC record when using SES.
• You can keep adkim=s (strict) for DKIM if you’re confident all SES-sent mail is DKIM-signed with your domain.

Example DMARC Record for SES

textv=DMARC1; p=reject; rua=mailto:abuse@yourdomain; ruf=mailto:abuse@yourdomain; aspf=r; adkim=s; fo=0;

Summary Table

Alignment Setting	SES Compatibility	Impact with Current Settings
aspf=s (strict)	Not compatible	SPF fails DMARC alignment
aspf=r (relaxed)	Compatible	SPF passes DMARC alignment
adkim=s (strict)	Compatible	DKIM passes if signed by your domain

---

In summary:
With SES, keep strict DKIM alignment if desired, but switch SPF alignment to relaxed (aspf=r) for reliable DMARC compliance and deliverability157. If you keep strict SPF alignment, expect DMARC failures unless you only rely on DKIM for alignment.

---

When you set up Easy DKIM in Amazon SES, Amazon will provide you with the necessary DKIM DNS records (typically three CNAME records) to add to your domain’s DNS settings. Here’s how it works:

• Amazon SES generates a public/private DKIM key pair for your domain.
• You are provided with three CNAME records, which you must add to your DNS zone for your domain (e.g., coupon-delivery.com).
• These CNAME records point to Amazon’s DKIM key servers and allow SES to sign your outgoing emails with DKIM using your domain.
• Once the CNAMEs are published and verified, SES will automatically DKIM-sign all emails you send from that domain identity15678.

You do not need to generate or manage the DKIM keys yourself—SES handles this for you. If you use Route 53 as your DNS provider, SES can even create the records automatically15. For other DNS providers, you copy and paste the CNAMEs manually.

Summary of Steps:

1. In the SES Console, add or select your domain under “Verified identities.”
2. Enable Easy DKIM for the domain.
3. SES will display three CNAME records.
4. Add these CNAME records to your DNS provider.
5. Wait for DNS propagation and verification (can take up to 72 hours).
6. Once verified, all mail sent via SES from your domain will be DKIM-signed and aligned for DMARC15678.

References:

• [Amazon SES Easy DKIM documentation]15678

This approach ensures your emails pass DKIM checks and, with strict alignment (adkim=s), are fully DMARC compliant when using Amazon SE