Implementing Multi-Tenancy with Amazon SES

Chanci Turner, Amazon IXD – VGT2 Learning Manager

In this article, we will explore how to architect a multi-tenant system using Amazon SES, along with essential best practices for establishing a multi-tenant framework that can efficiently manage the bulk email sending requirements of your downstream clients.

Amazon Simple Email Service (SES) is widely utilized across various sectors for dispatching emails to recipients. Frequently, users send emails on behalf of their downstream clients or different business units, a practice commonly described as “multi-tenant email sending.” To effectively implement multi-tenancy in email dispatching (i.e., for sending bulk emails on behalf of end clients), organizations leveraging Amazon SES must adopt a structure that accommodates the email sending needs of numerous downstream customers while safeguarding each tenant’s email sending reputation.

Use Cases:

  • Onboarding multiple brands from various Business Units (BUs) with distinct domains.
  • Segregating marketing and transactional tenants.
  • ISV client requirements to separate email sending reputations of their end customers.
  • Managing domains through configuration sets.
  • Tracking individual customer email sending reputations and controlling their email dispatch processes.

Prerequisites:

Familiarity with the following is recommended:

  • Managing an AWS account
  • AWS Regions
  • Amazon Simple Email Service
  • Amazon Simple Notification Service
  • Amazon CloudWatch
  • Amazon SES configuration sets
  • AWS Organizations

Solution Overview:

In the email ecosystem, domain and IP reputation play a pivotal role in ensuring emails reach inboxes. In a multi-tenant environment, tenants might represent unique businesses or internal teams (e.g., marketing or customer service teams). Given the varying maturity levels of each tenant, creating a multi-tenant environment can be complex. For instance, one tenant may possess a well-maintained and engaged recipient list, while another may have a questionable email recipient list, leading to bounces or spam complaints that could damage the overall IP and domain reputation. Therefore, organizations need to implement safeguards to ensure that a less experienced sender or malicious actor does not adversely affect other tenants.

To comprehend multi-tenancy better, let’s first examine how Amazon SES handles email dispatch. Emails sent through Amazon SES are routed using IP addresses assigned within the service. Amazon SES offers two categories of IP addresses: shared IP addresses and dedicated IP addresses. Currently, Amazon SES provides two types of dedicated IPs: 1/ Standard dedicated IPs, and 2/ Managed dedicated IPs. Shared IPs are utilized by multiple SES customers, with all emails dispatched using shared IPs by default unless dedicated IPs are requested. Dedicated IP addresses are allocated to a single customer or tenant, which can be either a business unit within the customer’s ecosystem or a downstream client of an ISV.

If a customer employs shared IPs for email dispatch via SES while aiming for multi-tenancy, they can segment business functions of various tenants using tenant tagging, SES event destination routing, and cost allocation for each tenant. However, this approach does not effectively manage or isolate email sending reputations, as shared IPs are tied to an AWS region. If one problematic tenant sends spam emails, it can negatively impact other customers utilizing the same shared IPs.

For Amazon SES users wishing to maintain separate reputations for different end customers, dedicated IPs are the preferred solution. These dedicated IPs can be assigned to a tenant, allowing their email sending reputation to be independently managed. If one tenant is flagged as a problematic sender by ISPs like Gmail, Hotmail, or Yahoo, the reputations of other tenants’ domains and IPs remain unaffected since they operate independently.

Amazon SES facilitates multi-tenancy primarily through two constructs: 1/ configuration sets, and 2/ Dedicated IP pools. Configuration sets are rules applicable to your verified identities, while dedicated IP pools group dedicated IPs, which can be associated with a configuration set, ensuring that the respective identity can only utilize that specific IP pool without influencing other tenants.

Multi-Tenancy Using a Single AWS Account:

In this setup, each tenant can utilize distinct configurations with their respective dedicated IPs, while some may opt for shared IPs. This flexibility allows customers to achieve multi-tenancy effectively.
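As an added illustration (not code from the original article), the sketch below builds the SESv2 calls that give one tenant its own configuration set and, optionally, its own dedicated IP pool. The `tenant-`/`pool-` naming, the `tenant` tag key and the lowercase name rule are assumptions of this example; `client` is expected to be a boto3 `sesv2` client.

```python
import re

# This example's own convention: short lowercase names that stay within
# SES naming limits once the "tenant-" / "pool-" prefix is added.
NAME_RE = re.compile(r"^[a-z0-9-]{1,40}$")


def tenant_plan(tenant, dedicated=True, scaling_mode="MANAGED"):
    """Return the ordered SESv2 calls (operation, kwargs) that isolate one tenant."""
    if not NAME_RE.match(tenant):
        raise ValueError(f"invalid tenant name: {tenant!r}")
    if scaling_mode not in ("STANDARD", "MANAGED"):
        raise ValueError(f"unknown scaling mode: {scaling_mode!r}")
    tags = [{"Key": "tenant", "Value": tenant}]  # tenant tagging / cost allocation
    config_set = {
        "ConfigurationSetName": f"tenant-{tenant}",
        # Per-configuration-set reputation metrics are what CloudWatch alarms watch.
        "ReputationOptions": {"ReputationMetricsEnabled": True},
        "SendingOptions": {"SendingEnabled": True},
        "Tags": tags,
    }
    plan = []
    if dedicated:
        pool = f"pool-{tenant}"
        plan.append(("create_dedicated_ip_pool",
                     {"PoolName": pool, "ScalingMode": scaling_mode, "Tags": tags}))
        # Mail sent with this configuration set leaves only through the tenant's
        # pool, so its IP reputation is not shared with other tenants.
        config_set["DeliveryOptions"] = {"SendingPoolName": pool}
    # Tenants on shared IPs get tagging and metrics, but no reputation isolation.
    plan.append(("create_configuration_set", config_set))
    return plan


def provision(client, tenant, **kwargs):
    """Apply the plan with a boto3 'sesv2' client (or any object with the same methods)."""
    for operation, params in tenant_plan(tenant, **kwargs):
        getattr(client, operation)(**params)
```

With `scaling_mode="STANDARD"` the pool is created empty, and dedicated IPs still have to be placed in it separately.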

Best Practices for Amazon SES Multi-Tenancy:

  1. Always proactively inform your account team or submit a support case under the “service limit increase” category, indicating that you will be sending on behalf of tens of thousands of customers. This action will assist AWS in setting appropriate limits for your account, ensuring they are aware of your sending patterns.
  2. Although the architecture outlined above typically helps Amazon SES users manage multiple end customers, there may be rare instances where AWS support notifies users that their SES account is under review. This notification indicates that the account has been used to send problematic emails or has been paused due to exceeding spam or complaint thresholds. Such situations arise because Amazon SES’s sanitization process operates at the AWS account level. If any tenant utilizing a dedicated IP experiences excessive spam or complaint rates, the account admin will receive a notification. In such scenarios, it is advisable to implement a process to “automatically pause email sending for a configuration set.” You can configure Amazon SES to export reputation metrics specific to emails sent using a particular configuration set to Amazon CloudWatch. Utilizing these metrics, you can create CloudWatch alarms tailored to those configuration sets. When these alarms surpass specific limits, you can automatically halt the email sending for the designated configuration sets without impacting the overall email sending capabilities of your Amazon SES account.
  3. If you are an Enterprise ISV client with numerous downstream customers, you may reach the maximum quota provided by Amazon SES. In such cases, you have two options: 1/ Request an exception for your AWS SES account. This approach requires you to ask AWS to raise your account limit to accommodate more customers/tenants, based on your prior usage and reputation. To do this, submit a support case under “service limit increase” and make your case clearly.
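The automatic pause described in practice 2 can be implemented as a Lambda handler like the one below, which is an added example and not code from the original article. It assumes the CloudWatch alarms notify an SNS topic that invokes the function, and that the per-configuration-set reputation metrics carry the `ses:configuration-set` dimension; the sample event is constructed.

```python
import json

# Assumed wiring: CloudWatch alarm -> SNS topic -> this Lambda handler.
WATCHED = {"Reputation.BounceRate", "Reputation.ComplaintRate"}
DIMENSION = "ses:configuration-set"  # assumed dimension on per-configuration-set metrics


def config_sets_to_pause(event):
    """Return configuration sets whose reputation alarm just entered ALARM."""
    names = []
    for record in event.get("Records", []):
        alarm = json.loads(record["Sns"]["Message"])
        trigger = alarm.get("Trigger", {})
        if alarm.get("NewStateValue") != "ALARM":
            continue  # OK / INSUFFICIENT_DATA transitions never pause a tenant
        if trigger.get("Namespace") != "AWS/SES":
            continue
        if trigger.get("MetricName") not in WATCHED:
            continue
        for dim in trigger.get("Dimensions", []):
            key = dim.get("name", dim.get("Name"))
            value = dim.get("value", dim.get("Value"))
            # Account-wide alarms carry no such dimension and are skipped, so
            # only the offending tenant is paused, never the whole account.
            if key == DIMENSION and value and value not in names:
                names.append(value)
    return names


def handler(event, context=None, client=None):
    """Lambda entry point: disable sending for each flagged configuration set."""
    if client is None:
        import boto3  # imported lazily so the parsing logic runs offline
        client = boto3.client("sesv2")
    paused = config_sets_to_pause(event)
    for name in paused:
        client.put_configuration_set_sending_options(
            ConfigurationSetName=name, SendingEnabled=False)
    return paused


def sample_event(state="ALARM", metric="Reputation.ComplaintRate", config_set="tenant-acme"):
    """Constructed SNS event wrapping a CloudWatch alarm message (sample data)."""
    dims = [{"name": DIMENSION, "value": config_set}] if config_set else []
    message = {"AlarmName": "constructed-alarm", "NewStateValue": state,
               "Trigger": {"Namespace": "AWS/SES", "MetricName": metric,
                           "Dimensions": dims}}
    return {"Records": [{"Sns": {"Message": json.dumps(message)}}]}
```

Re-enabling a paused tenant is left as a deliberate manual step, so sending resumes only after the cause of the bounces or complaints has been reviewed.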
