Why aren't my inbound emails on Amazon SES arriving or saving to my Amazon S3 bucket?

Last updated: 2020-06-11

I set up an Amazon Simple Email Service (Amazon SES) receipt rule that sends inbound emails to an Amazon Simple Storage Service (Amazon S3) bucket. However, the inbound emails aren't arriving or saving to the S3 bucket. How can I fix this?

Resolution

To identify and resolve what's preventing your inbound emails from saving to the S3 bucket, check the following:

Amazon SES domain verification

To receive inbound emails on Amazon SES, you must complete the verification process for your email domain.

Mail exchanger record (MX record)

To receive inbound emails on Amazon SES, you must either set up an MX record on your domain's DNS settings, or set up your receiving mail server to forward emails to the Amazon SES inbound mail sever. The MX record refers to the endpoint for the AWS Region where you use Amazon SES.

To check if the record exists using macOS or a Linux operating system, run the dig command:

Note: Replace example.com with your domain.  

dig MX example.com +short

If the MX record exists, the command returns the MX record:

example.com.           60      IN      MX      10 inbound-smtp.eu-west-1.amazonaws.com

To check if the record exists using a Windows operating system, run the nslookup command:

  1. At the command prompt, type NSLOOKUP. Then, press Enter.
  2. At the > prompt, type set type=MX. Then, press Enter.
  3. At the next > prompt, type your domain. For example, type example.com. Then, press Enter.

If the MX record exists, the command returns the MX record:

Non-authoritative answer:
example.com    MX preference = 10, mail exchanger = inbound-smtp.eu-west-1.amazonaws.com

Receipt rule settings

Confirm that the receipt rule that you're using to send inbound emails to Amazon S3 is in an active rule set. The rule must be in an active rule set to apply to your emails.

Additionally, view the receipt rule in the Amazon SES console and review the following settings:

  • Enabled: Confirm that this option is selected. The receipt rule must be enabled for it to apply to your emails.
  • Require TLS: If this option is selected, then Amazon SES rejects inbound emails if they aren't encrypted by TLS.
  • Recipient: You can enter a single email identity or an email domain. Or, you can leave the field blank so that the rule applies to all your verified domains. If you set a single email identity as the recipient, then confirm that the identity receives the emails that you want to store on Amazon S3—emails received by any other identity aren't sent to Amazon S3. Additionally, if you set the recipient as an email domain or all of your verified domains, then review your other active receipt rules to confirm that your rules don't overlap.
    Note: Amazon SES runs receipt rules based on the order that you configured on the rule set.
  • Object key prefix: If you set an object key prefix, be sure to check this prefix within your S3 bucket to find the inbound emails.

S3 bucket permissions

To send inbound emails to the S3 bucket, you must grant Amazon SES the necessary permissions on the bucket policy.

Review the bucket policy to confirm that Amazon SES has permissions for s3:PutObject. Additionally, modify any "Effect": "Deny" statements in the bucket policy that explicitly deny Amazon SES permissions for s3:PutObject.

Encryption

To encrypt your inbound emails with AWS Key Management Service (AWS KMS), you can select your encryption key in the steps to create the Amazon SES receipt rule. You must grant Amazon SES the necessary permissions on the key policy.

IP address filter for Amazon SES email receiving

If you set an IP address filter for inbound emails to Amazon SES, then confirm that your inbound emails are from IP addresses that are allowed by your filter.

Email file size

To store an inbound email in an S3 bucket, the file size of the email (including headers) must be 30 MB or smaller.