Keywords: AWS SES | Sandbox Mode | Email Verification | DNS Verification | Email Sending Restrictions
Abstract: This article provides a comprehensive analysis of sending restrictions in AWS Simple Email Service (SES) sandbox mode, focusing on the root causes of the "Email address is not verified" error. Through in-depth exploration of SES identity verification mechanisms and sandbox mode characteristics, it offers complete solutions for migrating from sandbox to production environment, supplemented with common troubleshooting methods for DNS verification and email verification issues.
AWS SES Sandbox Mode Restrictions Analysis
Amazon Simple Email Service (SES), as AWS's email sending service, defaults to "sandbox mode" during initial use. This mode is designed to prevent new users from abusing the service for spam email sending, thus imposing strict sending limitations.
In sandbox mode, SES mandates that all sending and receiving email addresses must be verified. Specific restrictions include:
- Sending identities must be verified domains or email addresses
- Receiving identities must also be verified domains or email addresses
- Unverified third-party email addresses cannot be used as recipients
When users attempt to send test emails to unverified email addresses (such as myemail@outlook.com), SES returns the "Email address is not verified" error, even if the sender's email address admin@mydomain.example has been successfully verified.
Migration from Sandbox to Production Environment
To remove sandbox mode restrictions, users need to submit a request to AWS Support team to upgrade their SES account to production mode. The migration process involves the following steps:
- Access SES service through AWS Management Console
- Navigate to account settings or sandbox mode management page
- Submit production access request, typically requiring:
- Description of email sending use case
- Estimated sending volume
- Explanation of anti-spam measures
- Email content samples (if applicable)
- Wait for AWS Support team review and approval
The review period typically takes 24-48 hours, during which AWS evaluates whether the user's email sending practices comply with their service terms and anti-spam policies.
In-depth Analysis of Identity Verification Mechanisms
SES identity verification system is based on two main methods: DNS record verification and email verification:
Domain Verification Mechanism
Domain verification is implemented through DNS records, supporting both Easy DKIM and BYODKIM methods:
- Easy DKIM: Uses CNAME records for verification, with SES automatically generating three CNAME records for users to add to DNS configuration
- BYODKIM: Uses TXT records for verification, requiring manual configuration of DKIM public keys
The core of the verification process is accurate DNS record publication. Users can verify correct configuration using nslookup command:
nslookup -type=NS example.com
nslookup -type=CNAME random-string._domainkey.example.com nameserverEmail Address Verification Mechanism
Individual email address verification is achieved through verification emails:
- Initiate email verification request in SES console
- SES sends verification email containing verification link to target email address
- User clicks verification link to complete verification process
Common verification issues include: verification emails being classified as spam, misspelled email addresses, or email service providers blocking verification emails.
Common Issue Troubleshooting Guide
DNS Verification Issue Troubleshooting
DNS verification failures can result from various causes:
- Domain Ownership Issues: Cannot verify domains not owned by user (such as public domains like gmail.com)
- Private Domain Restrictions: DNS records of private domains cannot be resolved through public DNS
- DNS Provider Limitations: Some providers do not support underscore characters in DNS record names
- Domain Auto-appending: Some DNS providers automatically append domain names to record names
- Case Conversion: Some providers automatically convert record values to lowercase
Multi-region Verification Strategies
When using the same domain across multiple AWS regions, the following verification strategies can be adopted:
- Use DNS records supporting multiple values (such as Amazon Route 53)
- Or use different record names for multiple verifications
Best Practice Recommendations
To ensure stable operation of SES service, follow these best practices:
- Thoroughly test functionality in sandbox mode during development phase
- Plan production mode migration in advance, allowing sufficient review time
- Regularly check DNS record validity, especially after domain renewal or DNS provider changes
- Establish email sending monitoring mechanisms to promptly detect sending restrictions or verification issues
- Follow AWS SES sending best practices to maintain good sending reputation
By understanding the operational mechanisms and restrictions of SES sandbox mode, developers can more effectively plan and implement email sending solutions, avoiding common verification errors and sending restriction issues.