Skip to main content

Hi everyone,

 

I have an SMTP server email-smtp.eu-west-3.amazonaws.com with credentials.

It used to be working correctly, but now fails. When I use an older package version, it behaves as if the e-mail was sent correctly (whereas I receive nothing). When I use the latest package it gets stuck for ages.

Did anyone ever face this error ?

 

Due to an unkown reason, it works with the package  2.0.0-20200515-071427

Why is that so ?

And it does not solve the problem, as for example Google Groups do not accept emails sent with this package version.

Hi ​@Augustin,

 

Which Port & SSL option are you currently using?

 

That build likely used basic SSL/TLS negotiation with older defaults (possibly TLS 1.0/1.1 or weaker cipher suites). Amazon SES deprecated TLS 1.0/1.1 and now enforces TLS 1.2 or higher for SMTP connections.
The old package probably didn’t validate the handshake properly, so it “reports success” even if the email never left your machine. Google Groups rejects those emails because they fail SPF/DKIM alignment and possibly because the handshake didn’t meet modern security standards.

 

New AA Email package versions enforce TLS 1.2+ and stricter SSL checks. If your bot runner or network doesn’t support the required cipher suites or STARTTLS upgrade correctly, the connection stalls.
If you’re using port 587 with STARTTLS, but the package expects SMTPS (SSL from start), it can hang.
Amazon SES supports:

  • Port 465 → SMTPS (SSL/TLS immediately)
  • Port 587 → STARTTLS upgrade after EHLO

Mixing these modes incorrectly causes timeouts. 

 

Recent versions added TLS enforcement and removed fallback to older protocols. There’s also a property for TLS1.2 enforcement in Control Room configs for email notifications (email.enforce.tls12=true). This hints that the package now requires TLS 1.2 explicitly. 

 


Use correct SMTP settings for SES:

  • Host: email-smtp.eu-west-3.amazonaws.com
  • Port: 465 (recommended for SMTPS) or 587 (STARTTLS)
  • Security: Enable SSL/TLS in the Email package settings.
  • Auth: SES SMTP username/password (not AWS IAM keys).

 

Match port and security mode:

  • If you select Use SSL/TLS in AA, use port 465.
  • If you select STARTTLS, use port 587.

 

Verify TLS support on your bot runner:

Run:

openssl s_client -connect email-smtp.eu-west-3.amazonaws.com:465

Ensure the TLS 1.2 handshake succeeds.

 

Update DNS and SES settings for deliverability (you may need to involve your admin team for this):

  • Enable Easy DKIM in SES.
  • Configure custom MAIL FROM domain for SPF alignment.
  • Add DMARC record for your domain.
  • These steps are critical for Google Groups acceptance. 


Even if you fix TLS, Groups enforces SPF/DKIM alignment. SES defaults to amazonses.com MAIL FROM, which breaks DMARC when forwarding. Fix by:

  • Setting a custom MAIL FROM domain in SES.
  • Publishing SPF/DKIM/DMARC records for your domain.

Thank you Padmakumar for your answer.

After switching to the most recent 3.30 package, I can send an e-mail to my account using SSL/TLS
 
However, it still fails to be read by my Google Group.

 

Thank you Padmakumar for your answer.

After switching to the most recent 3.30 package, I can send an e-mail to my account using SSL/TLS
 
However, it still fails to be read by my Google Group.

 

 

Your screenshot confirms the AA Email package is now correctly configured for Amazon SES over SMTPS (port 465 + SSL/TLS), which explains why sending to your own mailbox works. The remaining issue—Google Groups not accepting the email—is not about SMTP settings anymore but about email authentication and alignment.

Google Groups rejects your SES emails because they enforce SPF, DKIM, and DMARC alignment for incoming mail. SES by default uses:

  • MAIL FROM: amazonses.com
  • From address: your domain (e.g., you@yourdomain.com)

This creates a mismatch:

  • SPF passes for amazonses.com, not your domain.
  • DKIM may be missing if you haven’t enabled Easy DKIM.
  • DMARC fails because neither SPF nor DKIM aligns with your From: domain.

Groups often silently drop or reject such messages.

 

You can try the below steps:


1. Enable Easy DKIM in SES

  • In AWS SES console → Verified identities → Select your domain → Enable DKIM.
  • Add the 3 CNAME records SES gives you to your DNS.

2. Configure a custom MAIL FROM domain

  • In SES → Verified identities → Edit MAIL FROM → Choose a subdomain like mail.yourdomain.com.
  • Add the MX and TXT (SPF) records SES provides.

3. Publish a DMARC record for your domain:

v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com; aspf=r; adkim=r

(Start with p=none for testing.)


4. Test alignment:

  • Send an email to check-auth@verifier.port25.com or use Gmail headers.
  • Ensure SPF and DKIM both pass and align with your From: domain.

 

Terms & ConditionsCookie settingsAccessibility statement