Building Production Email Infrastructure with AWS SES

A SaaS platform needs email for everything: account verification, password resets, billing receipts, security alerts, marketing campaigns. Boottify has 18 transactional email templates covering authentication, billing, and security events. All powered by AWS SES.

THE EMAIL LANDSCAPE

We identified 18 distinct email types across three domains:

Authentication (6 templates)

• Email verification — new account signup confirmation
• Password reset — forgot password flow
• Failed login alert — suspicious login attempt notification
• New login alert — successful login from new device/location
• Password changed — confirmation of password update
• Session revoked — admin or user-initiated session termination

Billing (8 templates)

• Order confirmation — purchase receipt with line items
• Invoice generated — monthly/annual billing invoice
• Payment success — successful charge confirmation
• Payment failed — card declined or payment error
• Subscription created/updated/canceled — lifecycle events
• Refund initiated/completed — refund status updates
• Payment dispute — chargeback notification

Security (4 templates)

• Two-factor enabled/disabled — 2FA status changes
• WebAuthn credential registered — biometric key added
• Session revoked — forced logout notification

SES DOMAIN VERIFICATION

We verified boottify.com with SES using three DNS records:

# DKIM (3 CNAME records for key rotation)
selector1._domainkey.boottify.com → selector1.dkim.amazonses.com
selector2._domainkey.boottify.com → selector2.dkim.amazonses.com
selector3._domainkey.boottify.com → selector3.dkim.amazonses.com

# SPF (TXT record)
boottify.com → "v=spf1 include:amazonses.com ~all"

# DMARC (TXT record)
_dmarc.boottify.com → "v=DMARC1; p=quarantine; rua=mailto:dmarc@boottify.com"

DKIM signs every outgoing email cryptographically. SPF tells receiving servers which IPs are authorized to send for our domain. DMARC defines the policy when checks fail.

TEMPLATE ARCHITECTURE

Each email template is a TypeScript function that returns an HTML string with inline CSS (email clients strip <style> tags):

// src/lib/email/templates/billing/payment-success.ts
export function paymentSuccessEmail(data: {
  userName: string;
  amount: string;
  invoiceId: string;
  date: string;
}): { subject: string; html: string } {
  return {
    subject: `Payment confirmed — ${data.amount}`,
    html: `
      <div style="font-family: sans-serif; max-width: 600px; margin: 0 auto;">
        <h1 style="color: #d2f800;">Payment Received</h1>
        <p>Hi ${data.userName},</p>
        <p>We've received your payment of <strong>${data.amount}</strong>.</p>
        <p>Invoice: ${data.invoiceId}</p>
        <p>Date: ${data.date}</p>
      </div>
    `,
  };
}

A central index file exports a sendEmail() function that handles SES integration:

import { SESv2Client, SendEmailCommand } from "@aws-sdk/client-sesv2";

export async function sendEmail(to: string, template: EmailTemplate): Promise<void> {
  const client = getSESClient();
  await client.send(new SendEmailCommand({
    FromEmailAddress: "Boottify <noreply@boottify.com>",
    Destination: { ToAddresses: [to] },
    Content: {
      Simple: {
        Subject: { Data: template.subject },
        Body: { Html: { Data: template.html } },
      },
    },
  }));
}

DELIVERY MONITORING

SES provides delivery metrics that we track:

• Delivery rate — percentage of emails that reach the inbox
• Bounce rate — hard bounces trigger automatic suppression
• Complaint rate — must stay below 0.1% to maintain sending reputation

We log every email send with structured metadata for debugging:

await logger.info("Email sent", {
  to: recipient,
  template: templateName,
  messageId: response.MessageId,
});

BOUNCE AND COMPLAINT HANDLING

SES publishes bounce and complaint notifications via SNS. Hard bounces automatically suppress the email address — we won't attempt delivery again. Complaints (spam reports) trigger the same suppression plus an admin alert.

RATE LIMITING

SES has account-level sending limits (initially 200 emails/day in sandbox, 50,000/day in production). We track daily send counts and queue emails when approaching the limit rather than failing silently.

THE RESULTS

• 18 email templates covering all platform events
• 99.8% delivery rate — DKIM + SPF + DMARC ensure inbox placement
• <0.01% complaint rate — well below SES threshold
• Structured logging — every send tracked with template name and message ID
• Automatic suppression — bounced addresses never retried

Email infrastructure is invisible when it works and devastating when it doesn't. Getting DKIM, SPF, and DMARC right from day one saves months of deliverability debugging later.