Amazon WorkMail FAQs

Amazon WorkMail is a secure, managed business email and calendar service with support for existing desktop and mobile clients. Amazon WorkMail gives users the ability to seamlessly access their email, contacts, and calendars using Microsoft Outlook, their web browser, or their native iOS and Android email applications. You can integrate Amazon WorkMail with your existing corporate directory and control both the keys that encrypt your data and the location in which your data is stored.

To get started with Amazon WorkMail, you will need an AWS account. You can use this account to sign into the AWS Management Console and create an organization, add your domains, and also create users, groups, or resources. Please refer to the Amazon WorkMail documentation for more information on getting started.

You can access Amazon WorkMail from Microsoft Outlook clients on Windows and Mac OS X, and on mobile devices that support the Microsoft Exchange ActiveSync protocol including iPhone, iPad, Kindle Fire, Fire Phone, Android, Windows Phone, and BlackBerry 10. Additionally, you can use the Apple Mail application on Mac OS X or the Amazon WorkMail web application to securely access Amazon WorkMail using your web browser.

Yes, you can use screen readers and keyboard shortcuts with the Amazon WorkMail web application for easier accessibility; you can learn more about these capabilities on the Working with Accessibility Features documentation page here. In addition, the accessibility capabilities offered in supported desktop and mobile clients (see below for a list) can also be used with Amazon WorkMail.

Amazon WorkMail offers a mailbox storage limit of 50 GB per user.

The maximum size of outgoing and incoming email in Amazon WorkMail is 29 MB of unencoded data. Messages are sent and received in a MIME format. The maximum size of outgoing and incoming MIME message is 40 MB.

Yes. Amazon WorkMail offers the ability to share your calendar with your co-workers.

Yes. Amazon WorkMail provides the option to create resource mailboxes such as conference rooms, projectors, and other equipment. The resource mailboxes will allow users to reserve the room or equipment by including the resource in meeting invites.

Email journaling can be enabled to capture and preserve messages in your existing archiving solution.

Yes, you can configure email redirection rules for Amazon WorkMail mailboxes. You can setup email redirection rules on your desktop email application, such as Microsoft Outlook, or using the Amazon WorkMail web application. You will need to ensure that the Amazon Simple Email Service (Amazon SES) identity policies for your domains are up-to-date to take advantage of email redirection rules. Please visit this page for more information on how to update the Amazon SES identity policy for your domain.

No, there are no limits on the number of organizations and users you can create.

There are limits only on sending external messages. For example, the number of messages sent to recipients outside your organization. Each user in your organization can send messages to a maximum of 10,000 external recipients per day, and the total external recipients for an AWS account is limited to 100,000 per day. New Amazon WorkMail accounts may start with limits that are lower than the limits described here; please see AWS Service Limits for more information.

Amazon WorkMail is a business e-mail service and not intended to be used for bulk e-mail services. For bulk e-mail services, please see Amazon Simple Email Service.

Yes. To learn more about SMTP limits, please see AWS Service Limits.

There are no limits on the number of messages each user can receive. However, we may queue or reject messages (and send a bounce to the sender) if there is a large volume of incoming email in a short period of time. Please see AWS Service Limits for more information.

All messages that are sent to another user are considered when evaluating these limits. These include e-mails, meeting requests, meeting responses, task requests, as well as all messages that are forwarded or redirected automatically as a result of a rule.

No, WorkMail does not offer public folders.

The Amazon WorkMail web application provides users anywhere with access to email, calendar, contacts, and tasks. Users can also access shared calendars, access the global address book, manage their out-of-office replies, and book resources.

The Amazon WorkMail web application supports the following browsers: Firefox, Chrome, Safari and Edge. For more information, please see Log On to the Amazon WorkMail Web Application.

The Amazon WorkMail web application is currently available in English, French, and Russian.

Yes. Amazon WorkMail is compatible with most major mobile devices supporting the Microsoft Exchange ActiveSync protocol, including iPad, iPhone, Kindle Fire, Fire Phone, Android, Windows Phone, and BlackBerry 10.

Amazon WorkMail gives you the ability to require a PIN or password on your devices, configure the password strength, require a device lock after a number of failed login attempts, require a screen lock for idle timeouts, and require device and storage card encryption.

Yes. Amazon WorkMail offers a remote wipe feature. A remote wipe can be performed by the IT administrator using the AWS Management Console.

Yes. Amazon WorkMail offers native support for Microsoft Outlook 2007, 2010, 2013, and 2016 on Microsoft Windows.

No. Amazon WorkMail offers native support for the most recent versions of Microsoft Outlook and does not require any additional software to connect Microsoft Outlook.

Yes. Amazon WorkMail offers native support for Microsoft Outlook 2011 and Microsoft Outlook 2016 on Mac OS X.

Yes. Amazon WorkMail offers native support for the Apple Mail and Calendar applications on Mac OS X (10.6 and above).

Amazon WorkMail does not include a license for Microsoft Outlook. To use Microsoft Outlook with Amazon WorkMail, you must have a valid license from Microsoft.

Yes. Amazon WorkMail supports the Click-to-run versions of Microsoft Outlook 2010, 2013, and 2016.

You can access your Amazon WorkMail mailbox with client applications that support the IMAP protocol. Amazon WorkMail currently does not offer support for POP3 email access.

The IMAP protocol provides access to email, but not to calendar items, contacts, notes, or tasks.

Yes, any folder which contains email will be visible and accessible using an IMAP client application.

You can send email by configuring your IMAP email client to use the Amazon WorkMail SMTP gateway. Amazon WorkMail SMTP addresses can be found at AWS Regions and Endpoints.

The Simple Mail Transfer Protocol (SMTP) gateway is an Amazon WorkMail service which allows you to submit email messages for delivery to both internal and external recipients. To learn more, please see Connect your Client IMAP Application.

You can use the Amazon WorkMail SMTP gateway to send email using any email client that supports the SMTP protocol. This includes popular email clients like Microsoft Outlook, Apple Mail or Mozilla Thunderbird.

Each user you add to your Amazon WorkMail organization needs to exist in a directory, but you do not have to provision a directory yourself. You can integrate your existing Microsoft Active Directory with Amazon WorkMail using AWS Directory Service AD Connector or run AWS Directory Service for Microsoft Active Directory Enterprise Edition ("Microsoft AD") so you don’t have to manage users in two places and users can continue to use their existing Microsoft Active Directory credentials. Alternatively, you can have Amazon WorkMail create and manage a Simple AD directory for you and have users in that directory created when you add them to your Amazon WorkMail organization.

You can integrate with an existing Microsoft Active Directory by setting up an AWS Directory Service AD Connector or Microsoft AD and enabling Amazon WorkMail for this directory. After you've configured this integration, you can choose which users you would like to enable for Amazon WorkMail from a list of users in your existing directory, and users can log in to Amazon WorkMail using their existing Active Directory credentials.

Yes. You can add your existing domain name to Amazon WorkMail using the AWS Management Console. Before the domain name can be used, you must verify the ownership of the domain name. You can verify the ownership by adding a DNS record to your DNS server.

Yes. You can assign multiple email addresses to a user account using the AWS Management Console.

Yes. You can create new distribution group or enable an existing group from your Microsoft Active Directory using the AWS Management Console. These distribution groups are available in the Global Address Book. Users can also create personal distribution groups using Microsoft Outlook or the Amazon WorkMail web application.

If Amazon WorkMail is integrated with an existing Active Directory domain, then the user would follow the existing lost password process for your existing domain, such as contacting an internal helpdesk. If the account is integrated with a Simple AD directory and a user forgets their password, then the account’s IT administrator can reset the password from the AWS Management Console.

The account’s IT administrator can remove a user’s access to Amazon WorkMail using the AWS Management Console.

No. Amazon WorkMail does not currently provide a management API.

Yes. Amazon WorkMail provides an administrative SDK so you can natively integrate WorkMail with your existing services. The SDK enables programmatic user, email group, and meeting room or equipment resource management through API calls. This means your existing IT service management tools, workflows, and third party applications can automate WorkMail migration and management. To learn more, please visit our our API reference.

Additionally, Amazon WorkMail offers an SDK for accessing the content of email messages that are in the process of being sent from or delivered to your organization. You can use this SDK in combination with Email Flow Rules to trigger Lambdas on mail sending or delivery and access the full message for analysis or integration with other systems. To learn more, see the API Reference.

Email journaling can be setup from the Amazon WorkMail Management Console under Organization Settings. You can enable email journaling, specify the email address to which journaled emails are sent, and specify the email address to which reports are sent.

No. Today email journaling is a global setting that is applied to all inbound and outbound email, and all users.

Yes. Email sent using BCC recipients is recorded using email journaling.

For outbound email, journaling reports will contain the details of recipients in the BCC field. For inbound email, the journaling report will only contain of details of recipients in the BCC field if those recipients are in your Amazon WorkMail organization.

Yes, they will.

No. Emails that contain viruses will be dropped and will not be journaled.

Amazon WorkMail will continue to try to deliver the journaled messages to the journaling destination mailbox for 12 hours. In case of continuous failure, the failure reports will be delivered to the address you specify in the Amazon WorkMail Management Console.

Whenever journaled email fails to be delivered to the primary journaling address, a report is sent to the failed delivery report email address you specify in the Amazon WorkMail Management Console. This report contains information about each journaled message that failed to be delivered, but does not show the contents of the original message.

Journaled emails are be sent from amazonjournaling@<alias>.awsapps.com where <alias> is your Amazon WorkMail organization name.

No, there is no additional cost to using email journaling.

“X-WM-Journal-Report” will be used as the header to identify journaled messages. This header will be signed so that it cannot be mimicked.

No, journaling messages are always sent as long as the user is allowed to send a message. They are not counted against that user’s sending limit. On receiving a message, the journaling message is always sent as long as it can be delivered to a user.

You can migrate your existing mailboxes to Amazon WorkMail using solutions from a preferred Amazon WorkMail migration provider. To see a list of providers, please visit this webpage. If you’re migrating from Microsoft Exchange Server 2013 or 2010, you can set up interoperability to minimize disruption for your end users.

Yes, Amazon WorkMail supports interoperability with Microsoft Exchange Server 2013 and 2010. You can learn about how to set up interoperability here.

Interoperability allows you to use the same corporate domain for all mailboxes on both Microsoft Exchange and Amazon WorkMail. Your users can seamlessly schedule meetings with bi-directional sharing of calendar free-busy information between the two environments, and access user and resource information through a unified global address book.

Amazon WorkMail offers interoperability support with Microsoft Exchange Server 2013 and 2010.

No. Interoperability features are included in Amazon WorkMail per mailbox pricing.

Yes, users can connect to Amazon WorkMail using their existing Microsoft Active Directory credentials.

Yes. To make this possible, you need to enable email routing between Microsoft Exchange and Amazon WorkMail so that mailboxes on both environments use the same corporate domain. To set up email routing, you can follow the steps outlined here.

Your on-premises Microsoft Exchange Server handles and processes all incoming email. If you’re using interoperability for migration, you can switch your MX record to point to Amazon WorkMail when your migration is complete.

No, you can’t restrict access to the Exchange Server to your VPC. As of now, the EWS endpoint of your on-premises Microsoft Exchange environment needs to be publicly available.

Yes, interoperability provides you bi-directional sharing of calendar free-busy information between your Amazon WorkMail and Microsoft Exchange environments. Please follow the steps here.

You will need to configure availability settings on Amazon WorkMail and Microsoft Exchange to share calendar free-busy information. Amazon WorkMail uses the EWS URL for your Microsoft Exchange server to perform free-busy lookups. Amazon WorkMail uses an Exchange service account to login to Exchange and read free-busy data of the users in the Microsoft Exchange organization.

For free-busy lookups of Amazon WorkMail users from your Microsoft Exchange Server, Exchange performs an Autodiscover request and connects to the Amazon WorkMail EWS endpoint using an Amazon WorkMail service account. You can find more information on this here.

No, for interoperability support with Amazon WorkMail, you don’t need to set up federation on your Microsoft Exchange server.

Yes, to view subject and location information, the service account user needs to have access to this information.

No, for calendar delegation or accessing shared folders, both users need to be on the same email platform. We recommend migrating users who use calendar and mailbox delegation in the same batch.

Once interoperability support is enabled, Amazon WorkMail performs a synchronization of the address book with your on-premises Active Directory every four hours, using AD Connector. All Microsoft Exchange users, groups, and resources are automatically added to your Amazon WorkMail address book.

Amazon WorkMail will synchronize users, groups, resources, and contacts that reside in Microsoft Exchange Server. Amazon WorkMail will not synchronize dynamic groups or address lists. When your Microsoft Exchange global address book contains these objects, they won't be available in Amazon WorkMail.

Yes, Amazon WorkMail will still synchronize with your Active Directory when interoperability support is disabled. In this scenario only changes to Amazon WorkMail users and groups are synchronized.

Yes, the Microsoft Outlook offline address book will contain both Amazon WorkMail Microsoft Exchange users, groups, and resources.

Yes, you can have both Amazon WorkMail and Microsoft Exchange users as members of distribution groups.

No. To create new resources in Amazon WorkMail, you first need to disable interoperability support. Once your new resources have been created, you can then turn interoperability support back on. This is done to ensure resources are synchronized back to your Microsoft Exchange Server.

Amazon WorkMail allows you to use email flow rules to filter, update, or route email traffic for your Amazon WorkMail organizations. On inbound emails, this can help you reduce email from unwanted senders, route suspicious mail to junk folders, and trigger AWS Lambda functions. On outbound, you can block sending to certain domains, route mail through custom SMTP endpoints, or trigger Lambda functions. Email flow rules can be applied based on specific email addresses, or entire email domains.

For inbound mail, mail flow rules can be created to filter email based on specific email addresses, or entire email domains. Examples include:

• Reject all incoming mail from example.com and its subdomains, generating a bounce message to the sender.
• Reject all incoming mail from example.com, except when from myemail@example.com.
• Reject all incoming mail from user@example.com.
• Bypass the spam check for all incoming email from example.com, delivering the messages instead to users' inbox.
• Deliver all messages from example.com to users' junk folders.
• Trigger AWS Lambda function that you define on receiving mail.

For outbound mail, mail flow rules can be created to filter email or route to an SMTP endpoint or AWS Lambda function. Examples include:

• Reject all outgoing mail from example.com to example2.com, generating a non-deliverable report (NDR) to the sender.
• Reject all outgoing mail to example.com silently.
• Route all mail from example.com that is going to a domain other than example.com through a custom SMTP endpoint that you define.
• Trigger AWS Lambda function that you define on all outgoing mail.

The Lambda function will receive the message id, sender, recipient, and subject of an email.

Yes, you can retrieve the full content of the email message using WorkMailMessageFlow’s SDKs. See the Admin Guide for more information.

The WorkMailMessageFlow SDK will return the raw MIME content of the message that is being processed. You can use common MIME-processing libraries, such as JavaMail for Java or email.parser for Python to convert this to a structured format for easier parsing.

Yes, you can update the content of an email message, before it is sent out or delivered in, using WorkMailMessageFlow’s SDKs in your Lambda function. For the changes to take effect, the Lambda action of your mail flow rules should be configured to run your Lambda synchronously. See Updating message content with AWS Lambda for more information.

Yes, you can configure a Lambda action to run your Lambda synchronously and return response from your Lambda to control flow of an email to stop. See synchronous Lambda action for more information about Configuring Synchronous Run Lambda Action.

Rules can be set up from the Amazon WorkMail management console by navigating to Organization Settings. You can create, modify, and delete flow rules under the Email Flow Rules tab.

IP based filtering is already supported by Amazon Simple Email Service. Please see Creating IP Address Filters for Amazon SES Email Receiving to learn more about IP-based filtering.

Amazon WorkMail scans all incoming and outgoing email for spam, malware, and viruses. All email containing viruses is dropped and not delivered, regardless of the configured flow rules.

If you have email for which multiple email flow rules match, the action of the most specific rule will be applied. For example, a rule for a specific email address will take precedence over a rule for an entire domain. If multiple rules have the same specificity, the most restrictive action will be applied (for example, Drop will take precedence over Bounce). Please see Managing Email Flows for more information.

You can create a rule with a single email address as Sender domains or addresses condition, and choose the action you want to use. You can then send test emails to or from the single address you chose to confirm that the rule is behaving as you expect. Once satisfied with the result, you can extend the rule for other Sender domains or addresses.

When using Lambda rules, you can also test your Lambda with a dummy request event in AWS Lambda console. See Lambda event data for an example of event data. See invoke the Lambda fuction for more information about invoking Lambda from Lambda console.

Yes. To learn more about limits related to email flow rules, please see AWS Service Limits.

Rules take effect immediately after creation.

No, there is no additional charge for using email flow rules. Though, if you are using Lambda action, then Lambda execution charges will be billed separately.

All data in transit is encrypted using industry-standard SSL. Our web application, and mobile and desktop clients transmit data to Amazon WorkMail using SSL.

Yes. You choose the AWS region where your organization’s data is stored. Please refer to the Regional Products and Services page for details of Amazon WorkMail availability by region.

There are several factors to consider, based on your needs, including whether using a specific AWS region enables you to meet regulatory and compliance requirements. We generally recommend that you set up your Amazon WorkMail organization in the region nearest to where most of your users are located, to reduce data access latencies.

Amazon WorkMail scans all incoming and outgoing email for spam, malware, and viruses to help protect customers from malicious email.

Yes. Amazon WorkMail gives you the ability to require a PIN or password on your users’ devices, configure the password strength, require a device lock after a number of failed login attempts, require a screen lock for idle timeouts, and require device and storage card encryption.

Amazon WorkMail is integrated with Amazon Key Management Service for the encryption of your data. Key management can be performed from the Amazon IAM console. For more information about AWS Key Management Service, please see Amazon AWS Key Management developer guide.

All email content, attachments, and metadata for a mailbox is encrypted using the customer-managed keys of that user’s organization.

Yes. All email communication is encrypted in transit by the secure connections made between the client and the server, and all email stored in Amazon WorkMail is encrypted at rest.

Yes. Amazon WorkMail supports S/MIME signing and encryption in the Microsoft Outlook client and certain mobile devices like Apple iPhone and iPad. The Amazon WorkMail web application currently does not support S/MIME signing and encryption.

Amazon Web Services has achieved the ISO 27001, ISO 27017 and ISO 27018 certifications. Amazon WorkMail regions in US East (N.Virginia), US West (Oregon) and EU (Ireland) are within the scope of the certifications. You can learn more about these certifications on the AWS Cloud Compliance section of the website. You can also request a copy of the Service Organization Controls (SOC) report available from AWS Compliance to learn more about the security controls AWS uses to protect your data.

You own your content in Amazon WorkMail, and you retain full ownership and control of your Amazon WorkMail email. We will not view, use, or move the contents of your Amazon WorkMail account unless authorized by you.

Amazon WorkDocs integration offers users the ability to distribute large documents easily from the Amazon WorkMail web application, keep control of sensitive documents distributed by email, and securely save email attachments in Amazon WorkDocs.

To use the integration with Amazon WorkDocs, your organization first needs to be activated for Amazon WorkDocs. You can activate Amazon WorkDocs for your organization in the AWS Management Console. After this is done, you can enable Amazon WorkDocs for your users using the Amazon WorkDocs admin panel. After your users are enabled for Amazon WorkDocs, they can start using the Amazon WorkDocs integration in the Amazon WorkMail web application. If your organization and users are already using Amazon WorkDocs, your users can start using the integration right after they are enabled for Amazon WorkMail.

Yes, however you will not be able to use the Amazon WorkDocs integration in the Amazon WorkMail web application.

Amazon WorkMail uses Amazon Simple Email Service to send all outgoing email. The test mail domain and your production domains are available for management in the Amazon Simple Email Service console.

No. You won’t be charged for outgoing email sent from Amazon WorkMail.

No. This is not needed to use with Amazon WorkMail. The SES limits only apply when you are using Amazon SES using the Amazon SES API for sending bulk email from your AWS account.

Yes. CloudTrail captures API calls from the WorkMail console or from WorkMail or WorkMailMessageFlow API operations. Using the information collected by CloudTrail, you can track requests made to WorkMail, the source IP address from which the requests were made, who made the requests, when they were made, and so on. To learn more about CloudTrail, including how to configure and enable it, see the AWS CloudTrail User Guide. To learn more about logging WorkMail API calls, see Logging Amazon WorkMail API Calls with AWS CloudTrail.

There is no additional WorkMail charge to use WorkMail with CloudTrail. There may be charges associated with delivering events using CloudTrail. For details, please see the CloudTrail Pricing.

Yes, WorkMail logs metrics for emails sent, received, and bounced free of charge in CloudWatch metrics

Yes, WorkMail offers the option to enable WorkMail Monitoring in CloudWatch logs. When activating logging, you can define the CloudWatch log group to log into, as well as the log retention period. WorkMail will then log detailed information for messages received and sent, when rules are applied, when message journaling is initiated, and for bounce messages.

If logging is activated, WorkMail logs envelope data such as sender and recipients. Message bodies are not logged.

CloudWatch offers insights which allows for fast and easy querying on CloudWatch logs.

There are no upfront fees or commitments to begin using Amazon WorkMail. At the end of the month, you are billed for that month's usage. You can view estimated charges for the current billing period by logging into the AWS Management Console and clicking on "Account Activity." You can get started with a free trial of Amazon WorkMail and activate up to 25 user accounts at no charge for the first 30 days. You can use the WorkMail console to get started today.

You are charged for the number of user accounts per month. The number of users billed in a month is based on the average number of active user accounts throughout the month. For every user account, your business is charged a monthly subscription fee. If a user account is activated after the first day of the month, the monthly subscription fee for that account will be prorated based on the number of active days. However if a user is deactivated, no credit is applied for remaining days in the month. Pro-rating calculates the number of actual service hours, not just days, and is a real number for the number of calendar days in a given month. For more information on how pricing works, see the pricing page.

Yes. You can activate up to 25 users at no charge for the first 30 days after you sign up for Amazon WorkMail. After this period ends, you are charged for all active users unless you remove them or deregister your Amazon WorkMail account.

No. Creating or using of resources within Amazon WorkMail is available free of charge.

No. IMAP access is included in the Amazon WorkMail mailbox pricing.

Amazon WorkMail will not charge for Groups separately and customers can create multiple groups. Only Enabled Users are charged.