How to send emails on behalf of someone else’s domain using SES

Emmanuel Marboeuf
May 20, 2018


In every B2B SaaS platform that handles user email outreach for its clients, this question will eventually arise:

I want only my brand advertised, my users must think that your emails are coming from us, can you do that?

A simple question, in fact. Let’s say our domain is a.com: all the emails that we currently send go out from amazonses.com SMTP servers but are signed with our domain a.com (via DKIM). Since we send them from an example@a.com email address, it will seem to the user that our emails come directly from our servers. However, if we try to send the email FROM xxx@b.com, the email will still be sent but will trigger email spoofing alerts in pretty much every email client. Nobody wants that, because it will damage your reputation and eventually your deliverability.

[Figure: How DKIM works]
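The mismatch described above, between the From domain and the DKIM signing domain (`d=`), can be checked directly on a message's headers. This is an added example, not code from the original post: it only compares domains (it does not verify the signature cryptographically), the sample messages are constructed, and relaxed alignment is approximated with the last two labels instead of the Public Suffix List.

```python
from email import message_from_string
from email.utils import parseaddr

def sample(from_addr, *signing_domains):
    """Build a constructed message; bh=/b= are placeholders, not real signatures."""
    lines = [f"From: {from_addr}", "To: user@example.org", "Subject: Hello"]
    for d in signing_domains:
        lines.append(f"DKIM-Signature: v=1; a=rsa-sha256; d={d}; s=sel1;")
        lines.append(" h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER")
    return "\n".join(lines) + "\n\nbody\n"

def dkim_tags(header_value):
    """Parse the tag=value list of one DKIM-Signature header (folding included)."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            name, _, value = part.partition("=")
            tags[name.strip().lower()] = "".join(value.split())
    return tags

def org_domain(domain):
    # Simplification (assumption): last two labels; real checks use the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def alignment(raw_message):
    """Return (from_domain, signing_domains, verdict) for a raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    signers = [dkim_tags(h).get("d", "").lower()
               for h in msg.get_all("DKIM-Signature", [])]
    signers = [d for d in signers if d]
    if from_domain in signers:
        verdict = "strict"
    elif any(org_domain(d) == org_domain(from_domain) for d in signers):
        verdict = "relaxed"
    else:
        verdict = "unaligned"  # what triggers spoofing warnings or a "via" label
    return from_domain, signers, verdict

if __name__ == "__main__":
    cases = [("example@a.com", "a.com"),      # our own domain, signed by us
             ("xxx@b.com", "a.com"),          # client address, signed by a.com
             ("xxx@b.com", "amazonses.com"),  # single verified address only
             ("xxx@b.com", "b.com")]          # client domain identity with DKIM
    for from_addr, signer in cases:
        print(from_addr, signer, alignment(sample(from_addr, signer))[2])
```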

There are a lot of different methods that a developer could use to implement this, and some email services or APIs do the heavy lifting for you (wink Mailgun), but you have to weigh the pros and cons. Here I will focus on Amazon SES because it’s getting more and more traction due to its reliability and low prices.

Single email address Verification

SES allows you to verify a single email address; you can do it manually in the console or programmatically via their API. SES will send an email to the address you want to use and ask the user to confirm that you may use that address on their behalf. Once it is confirmed, you will be able to send emails from this email address via SES.

[Figure: Verification email from SES]

PROS

  • Only one step: the client receives an email from Amazon and just has to click on a link to verify their email address
  • We can send emails using this specific email address
  • Low effort: no action needed from the client’s IT
  • Easy to automate

CONS

  • Emails are not signed with the client’s domain (this results in a ‘via amazonses.com’ label added to every message sent using this email address)
  • Lower deliverability in some cases
  • The client has to verify every email address they want to use
  • The verification email from SES is very impersonal and can’t be changed

Domain identity and DKIM Verification

SES allows you to verify your domains and implement DKIM really easily; afterwards it will automatically sign all outgoing emails from your verified domains. Normally you would do this for the domains you own, but it works for any domain. Again, it can be done manually or automated via their API.

PROS

  • Emails can be sent using any email address from the client domain
  • The emails really seem to come from the client (no visible difference from emails coming from their inbox)
  • High deliverability unless the client’s domain has a bad reputation
  • Easy to automate

CONS

  • High effort for the client. They need to ask their IT to add records to their DNS
  • Demands a lot of trust because it means that you will be able to send any email using their identity.
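A sketch of automating the domain identity and DKIM setup described in this section, added here as an example and not taken from the original post. It uses the boto3 SES (v1 API) calls `verify_domain_identity`, `verify_domain_dkim`, `get_identity_verification_attributes` and `get_identity_dkim_attributes`; the `FakeSES` stub, its tokens and the function names are constructed so the block runs offline.

```python
class FakeSES:
    """Constructed stand-in for boto3.client("ses") so the example runs offline."""
    def __init__(self, published=False):
        self.state = "Success" if published else "Pending"
    def verify_domain_identity(self, Domain):
        return {"VerificationToken": "CONSTRUCTED-TXT-TOKEN"}
    def verify_domain_dkim(self, Domain):
        return {"DkimTokens": ["tok1", "tok2", "tok3"]}
    def get_identity_verification_attributes(self, Identities):
        return {"VerificationAttributes":
                {d: {"VerificationStatus": self.state} for d in Identities}}
    def get_identity_dkim_attributes(self, Identities):
        return {"DkimAttributes":
                {d: {"DkimEnabled": True, "DkimVerificationStatus": self.state}
                 for d in Identities}}

def dns_records_for(ses, domain):
    """Request tokens from SES and return the records the client's IT must publish."""
    token = ses.verify_domain_identity(Domain=domain)["VerificationToken"]
    dkim_tokens = ses.verify_domain_dkim(Domain=domain)["DkimTokens"]
    # Domain ownership proof: a TXT record under _amazonses.<domain>.
    records = [{"type": "TXT", "name": f"_amazonses.{domain}", "value": token}]
    # Easy DKIM: one CNAME per token, pointing at the SES-hosted public key.
    for t in dkim_tokens:
        records.append({"type": "CNAME",
                        "name": f"{t}._domainkey.{domain}",
                        "value": f"{t}.dkim.amazonses.com"})
    return records

def onboarding_status(ses, domain):
    """Poll SES for the state of the identity and of its DKIM setup."""
    ident = ses.get_identity_verification_attributes(
        Identities=[domain])["VerificationAttributes"].get(domain, {})
    dkim = ses.get_identity_dkim_attributes(
        Identities=[domain])["DkimAttributes"].get(domain, {})
    return {"domain_verified": ident.get("VerificationStatus") == "Success",
            "dkim_verified": dkim.get("DkimVerificationStatus") == "Success",
            "dkim_enabled": bool(dkim.get("DkimEnabled"))}

def may_send_as(ses, domain):
    """Only send on the client's behalf once every check has passed."""
    return all(onboarding_status(ses, domain).values())

if __name__ == "__main__":
    # With real credentials, replace FakeSES() with boto3.client("ses").
    for r in dns_records_for(FakeSES(), "b.com"):
        print(r["type"], r["name"], "->", r["value"])
```

Gating sends on `may_send_as` keeps the platform from sending with a client From address before the client's DNS records are in place.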

Integration with Google mail and Microsoft 365

If neither of these SES solutions is acceptable, the last option for some clients (mostly start-ups) that use GMail/GSuite or Office 365 is to integrate directly with those services. These “email in the cloud” services allow third parties to integrate with their users’ mailboxes once the users have given their consent. This way emails actually come from your client’s email provider and never go through your servers or SES.

PROS

  • Emails really seem to come from the client’s mailbox because they do (no difference from personal emails)
  • Low effort for clients, no need to ask their IT
  • High deliverability unless the client’s domain has a bad reputation

CONS

  • Demands a lot of trust because it means that you will be able to send any email using their mailbox.
  • Not everybody uses GSuite or Office 365 (especially enterprise clients)
  • The client has to verify every email address
  • Lots of development needed

Conclusion

No solution is perfect; it’s a matter of trust vs. deliverability. In my opinion deliverability should always be number one, because it’s a tough problem to crack and this is just one of its many aspects. At the end of the day, if your clients want you to be able to automate the sending of their emails using their domain, it’s probably because they already trust you.
The choice between a full mailbox integration and domain impersonation through an email proxy depends a lot on how much security and privacy your users are ready to sacrifice for your services. Indeed, integrating with GMail means that you are potentially able to sift through every email your clients receive, read their list of contacts or their calendar and… well, some clients are definitely not ready for that kind of trust!


Emmanuel Marboeuf

CTO of Visage.jobs : Automated and AI Powered Crowdsourcing. Previously worked as a Web Software Expert in Cybersecurity.