How to send email with AWS SES
Knock integrates with AWS Simple Email Service (SES) to send email notifications to your users.
In this guide you'll learn how to get started sending transactional email notifications with SES through Knock. We also cover provider configuration and additional data you can pass through to SES.
- Attachments support
- Link and open tracking
- Per environment configuration
- Sandbox mode
You'll need to take the following steps in AWS before you can configure your SES channel within Knock.
- Verify a "From" address within AWS. You'll need to do this before sending emails via SES through Knock.
- Choose and configure an AWS Authentication Scheme. To integrate with SES from the Knock dashboard, you can use cess Management (IAM) User Access Keys, or to improve security delegate a role to Knock using External ID-based authentication.
Once you've completed both of those steps, you'll be able to configure an AWS SES channel in the Knock dashboard under the "Channels" page.
You'll need to verify the "From" email address you plan on using to send emails with AWS if you haven't already. To do so, follow the steps outlined in AWS's guide to creating and verifying an email address identity.
Knock supports two authentication schemes with AWS SES:
- AWS User Access Key and Secret Access Key authentication
- Delegate a role in your AWS account to Knock, secured with an External ID
To send notifications via AWS SES using an IAM User, Knock requires the access key ID and a secret access key of an AWS user with SES send permissions. (Specifically, the
If you don't already have a user with send permissions, you can create an IAM user in AWS to use with the Knock API. You can learn more about creating IAM users in AWS here.
Once you've created your new IAM user, you'll need to provision them with the policy below.
Now that you have an AWS user created and provisioned with SES send access, grab the access key ID and a secret access key of the user—we'll use these later when configuring the SES channel within Knock.
To send notifications via AWS SES using an IAM Role:
Create a new AWS Role:
- For "Trusted Entity Type" choose "AWS Account"
- Select "Another AWS account" and put "496685847699" in the Account ID
- Check "Require external ID" and enter the ID of the channel you created
Attach the following permission policy to that role
Use that role's ARN when configuring your AWS SES channel in Knock
Now that you have a verified "From" address and either an AWS User's credentials or an AWS IAM Role to delegate to Knock, you're ready to configure your SES channel within Knock.
Here are a few other things to keep in mind once you have your SES channel configured in Knock:
- SES sandbox mode. By default, AWS places all new accounts in the SES sandbox. While your account is in the sandbox, you can only send emails to verified email address—keep this in mind if you're testing in development before you've moved your account out of the SES sandbox. For more information on the SES sandbox and how to move your account out of it, see the SES sandbox documentation.
- Deliverability tracking. We cannot currently track deliverability through SES channels. This means that all notifications sent through SES will show up as "Sent" in the Knock messages log, but not "Delivered".
The following fields are optional and if set, will be applied to all email messages sent via this channel within the environment:
Knock sends the following attributes along with your emails (all as
Sender: always set to
knock_message_id: the ID of the message this email is associated with
knock_workflow: the key of the workflow this message was generated from
knock_recipient_id: the ID of your recipient
You can learn about the role of these SES attributes in the AWS Simple Email Service (SES) API documentation.
Check out the AWS Docs for more information.
In order to send an email notification you'll need a valid