nudgel.ai
Sign up

Sending

Connect AWS SES

AWS Simple Email Service is the lowest-cost option at scale. You bring your AWS credentials; Nudgel handles the API calls.

Overview

SES is great for high-volume sending at low per-message cost. The main gotcha is the sandbox: new SES accounts start in sandbox mode, which means you can only send to verified email addresses. You must request production access before sending to real users. This is an AWS process, not a Nudgel one.

SANDBOX MODE

If you are in SES sandbox, your sends will fail for any unverified recipient address. Request production access in the AWS console: SES → Account dashboard → Request production access. Approval usually takes 24 hours.

Get your credentials

Nudgel needs an IAM user or role with ses:SendEmail permission. The simplest setup:

  1. Open IAM → Users → Create user in the AWS console
  2. Attach the managed policy AmazonSESFullAccess (or a custom policy with just ses:SendEmail)
  3. Go to Security credentials → Create access key — choose "Application running outside AWS"
  4. Download or copy the Access key ID and Secret access key
  5. Verify a from address or domain in SES → Verified identities

LEAST PRIVILEGE

In production, scope the IAM policy to just ses:SendEmail and optionallyses:SendRawEmail. Do not use your root AWS credentials or any key that has broad permissions.

Add the provider in Nudgel

  1. Go to Settings → Providers
  2. Click Add a provider
  3. Pick AWS SES
  4. Fill in the fields:
FieldRequiredNotes
regionYesAWS region where your SES is configured, e.g. eu-west-1, us-east-1, ap-south-1. Use the region closest to your recipients for lowest latency.
from_emailYesA verified from address or address within a verified domain
from_nameYesDisplay name shown to recipients
configuration_setNoSES configuration set name if you use one for tracking. Required if you want SES to forward events to your SNS topic for webhooks.
access_key_idYesIAM access key ID. Encrypted at rest.
secret_access_keyYesIAM secret access key. Encrypted at rest; never displayed again after saving.

Test the connection

curl
curl -X POST https://api-raven-cloud.autotribes.app/v1/messages \
  -H "X-Raven-Key: rk_live_a3f7b2c1_..." \
  -H "Content-Type: application/json" \
  -d '{
    "channel": "email",
    "to": "you@example.com",
    "from": "noreply@mail.acme.co.ke",
    "subject": "Nudgel test — AWS SES",
    "bodyHtml": "<p>If you can read this, SES is wired up.</p>",
    "bodyText": "If you can read this, SES is wired up."
  }'

Check SES → Sending statistics in the AWS console to confirm the message was sent.

Set up webhooks

SES delivers events via SNS + HTTP subscription. The setup has more steps than other providers but gives you reliable delivery event tracking.

  1. Create an SNS topic in the same region as your SES
  2. Create an HTTPS subscription on the topic pointing to:
    https://api-raven-cloud.autotribes.app/v1/webhooks/email/ses/{YOUR_TENANT_ID}
  3. AWS will send a subscription confirmation request — Nudgel auto-confirms it
  4. In SES, go to Configuration sets → [your set] → Event destinations
  5. Add an event destination: type SNS, select your topic, check Delivery, Bounce, Complaint
  6. Make sure your Nudgel provider has the configuration_set field set to match

See the webhooks guide for full details.

Verify your sending domain at AWS SES

To send from your own domain (e.g. mail.example.co.ke) through SES, publish DKIM records SES generates for you. Nudgel orchestrates this from one dashboard.

  1. In Nudgel dashboard, go to Settings → Sending domains → Add domain, enter your domain.
  2. On the next screen, select AWS SES. Nudgel calls SES's domain registration API using your credentials and shows you the DNS records to publish.
  3. Publish the records at your DNS host (Cloudflare, Route 53, etc.).
  4. Nudgel polls every 30 seconds for the first 10 minutes, then hourly. Verification surfaces in the dashboard automatically.

Add this to your SPF record

Append include:amazonses.com to your existing SPF record (or create a new v=spf1 include:amazonses.com -allif you don't have one).

SES-specific notes

  • SES uses Easy DKIM — three CNAMEs, no key rotation needed. Publish all three for full coverage.
  • Your SES account must NOT be in sandbox mode for production sends. Request production access via the SES console (SES → Account dashboard → Request production access) before verifying your domain.

Full setup walkthrough: Sending domains setup

Troubleshooting

SymptomMost likely cause
failed — "Email address is not verified"SES sandbox is active. Verify the recipient, or request production access.
failed — "InvalidClientTokenId"Access key ID is wrong. Double-check it in IAM.
failed — "SignatureDoesNotMatch"Secret access key is wrong. Delete and recreate the IAM access key.
failed — "Sending paused"Your SES account is in sending pause — check the AWS console for the reason.
failed — "Daily sending quota exceeded"You hit the SES daily quota. Request a quota increase in AWS Service Quotas.
Emails land in spamVerify your sending domain (DKIM + SPF + DMARC). See sending domains. Also check your SES reputation dashboard.