Amazon SES IP addresses
One of the questions we get from time to time here at Amazon SES is “What IP address is my email going out through?” In this blog post we will see how to find the outgoing IP addresses that SES is using by querying the Amazon SES SPF records in DNS.
What is an outgoing IP address and why should I care?
When SES connects to an ISP to deliver an email using the standard email sending protocol (SMTP), a connection is established between the SES mail transfer agent (MTA) that sends out the email and the ISP’s MTA that will receive it. Each MTA has an IP address associated with it. What we are interested in is the SES MTA’s IP address (outgoing IP address). Knowing this information could be useful in a number of situations. For example, you might want to whitelist SES IP addresses with your company’s receiving email servers to let emails sent through SES go through your firewall while still protecting yourself from attacks coming from the rest of the Internet.
How do I figure out the addresses Amazon SES uses for sending my emails?
SES maintains a number of IP addresses from which your email can be sent, and you can figure out those addresses by querying SES’s SPF record (in the amazonses.com domain).
Here’s how to do the query in a Linux terminal window (including a filter to include only the SPF record):
$ dig TXT amazonses.com +short | grep 'v=spf1'
At the time of this post’s writing, this is the DNS response returned for that query:
"v=spf1 ip4:126.96.36.199/22 ip4:188.8.131.52/22 ip4:184.108.40.206/18 ~all"
Here’s the equivalent query (and result) using the Windows command prompt:
C:\>nslookup -type=TXT amazonses.com | find "v=spf1"
"v=spf1 ip4:220.127.116.11/22 ip4:18.104.22.168/22 ip4:22.214.171.124/18 ~all"
You can also use a number of online tools to perform a similar DNS query for you, but it’s up to you to determine how reliable and trustworthy they are.
Any email sent through SES will be sent through one of the IP addresses listed in the record. In this example, which is valid at the time of the writing of this blog post, we can see that SES is using three blocks of IPv4 (32-bit) addresses: 126.96.36.199/22, 188.8.131.52/22 and 184.108.40.206/18. The blocks are defined using CIDR notation: each block is specified as an IP address followed by the ‘/’ sign and then the number of bits in the prefix. The 220.127.116.11/22 block, for instance, designates all IP addresses that have the first 22 bits equal to the first 22 bits of 18.104.22.168, with the remaining bits taking all possible value combinations. Therefore, that block designates all addresses in the interval 22.214.171.124 – 126.96.36.199. The block 188.8.131.52/22 designates all IP addresses in the interval 184.108.40.206 – 220.127.116.11 and, finally, the 18.104.22.168/18 block designates all IP addresses in the interval 22.214.171.124 – 126.96.36.199.
Keep in mind that those IP addresses are subject to change. If SES adds or removes any outgoing IP address, we will update the SPF record, so you need to check back from time to time if you want to make sure you have the latest list of IP address ranges. Also note that there is no guarantee as to which of the listed SES IP addresses your email will be sent through. If you need to whitelist the emails you’re sending through SES, you will have to whitelist all SES IP address blocks.
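The following Python code is an added example, not code from the original post or from Amazon SES. It parses an SPF TXT record in the form dig prints it, expands each ip4 block into its address interval, checks a connecting IP against the blocks, and reports which blocks to add or remove after a re-check. The two records are constructed samples using reserved test ranges, not real SES addresses, and all function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample records (reserved test ranges, not real SES addresses),
# in the quoted form that `dig TXT ... +short` prints.
OLD_TXT = '"v=spf1 ip4:198.18.4.0/22 ip4:203.0.113.0/24 ~all"'
NEW_TXT = '"v=spf1 ip4:198.18.4.0/22 ip4:198.19.64.0/18 " "ip4:192.0.2.25 ~all"'

def parse_spf_ip4(txt_record):
    """Return the set of IPv4 networks named by ip4 mechanisms in an SPF record."""
    # A long TXT record is split into quoted chunks; join them with no separator.
    chunks = re.findall(r'"([^"]*)"', txt_record)
    terms = ("".join(chunks) if chunks else txt_record).split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    nets = set()
    for term in terms[1:]:
        # Keep only pass-qualified ip4 terms; include:/a/mx are not resolved here.
        match = re.fullmatch(r"\+?ip4:(\S+)", term, re.IGNORECASE)
        if match:
            # No prefix length means a single host (/32).
            nets.add(ipaddress.IPv4Network(match.group(1), strict=False))
    return nets

def block_intervals(nets):
    """Expand each CIDR block into (block, first address, last address)."""
    return [(str(n), str(n.network_address), str(n.broadcast_address))
            for n in sorted(nets)]

def is_ses_source(ip, nets):
    """True if the connecting IP falls inside any published block."""
    addr = ipaddress.IPv4Address(ip)
    return any(addr in n for n in nets)

def allowlist_changes(old_nets, new_nets):
    """Blocks to add to and remove from a firewall allowlist after a re-check."""
    return ([str(n) for n in sorted(new_nets - old_nets)],
            [str(n) for n in sorted(old_nets - new_nets)])

if __name__ == "__main__":
    old, new = parse_spf_ip4(OLD_TXT), parse_spf_ip4(NEW_TXT)
    for block, first, last in block_intervals(new):
        print(f"{block}: {first} - {last}")
    print("198.18.7.255 allowed:", is_ses_source("198.18.7.255", new))
    print("198.18.8.0 allowed:", is_ses_source("198.18.8.0", new))
    print("add / remove:", allowlist_changes(old, new))
```

Removing a stale block matters as much as adding a new one: an address range that SES no longer publishes should not stay open in the firewall.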
SES is a regional service, like many other AWS services, and Amazon makes no guarantees about which region the IP addresses are assigned to. The SES documentation provides information on region support. When receiving an email from Amazon SES, you can use a reverse DNS lookup with dig to verify the region. This is useful because IP geolocation services might give inaccurate information on these addresses.
$ dig -x 188.8.131.52 +short
e240-50.smtp-out.eu-north-1.amazonses.com.
I hope the information in this blog post is helpful to you. If you have any questions, feel free to browse or post in the SES forum.