sendmsg.io vs Amazon SESManaged Email Infrastructure
Amazon SES has the lowest per-email cost in the industry at $0.10 per 1,000 sends. The base number is real. What teams underestimate is the surrounding AWS bill, the engineering hours, and the operational responsibility you inherit. We migrated three production stacks off SES in the last nine months. This page is the version of the conversation we wish we had been handed before we started.
Ready Out of the Box
SES makes you build bounce handling, templates, analytics, and warmup. sendmsg.io includes all of it on day one.
Active Protection vs Advisory
SES Virtual Deliverability Manager shows you the data. sendmsg.io Reputation Shield acts on it within 30 seconds.
Total Cost of Ownership
SES is $0.10/1K base. The fully loaded cost with SNS, Lambda, CloudWatch, and engineering hours is 3-10x that.
Feature-by-Feature Comparison
SES is a high-throughput sending engine. sendmsg.io is a complete platform. Here is what that difference looks like in practice.
The Real AWS Bill at 100K, 500K, 2M, and 10M Sends
SES base pricing is $0.10 per 1,000 emails. That is the headline. The fully-loaded bill includes the supporting AWS services nobody mentions on the SES landing page, plus the engineering time to wire it up. Here is the math at four volume tiers.
The supporting AWS line items SES customers always underestimate
SNS topics for bounce/complaint events
$0.50 per million SNS publishes. At 2M sends/month with a 5% combined bounce+complaint signal rate, that is 100K SNS publishes for ~$0.05. Small. But you also need a subscriber: either an HTTPS endpoint your service exposes or an SQS queue feeding a Lambda. The cost grows with retry storms when your endpoint is briefly down.
Lambda for event processing
$5-50/month for moderate volume. The Lambda parses the SNS message, updates your suppression database, and emits a metric to CloudWatch. The code is straightforward but the operational surface is not: cold starts, IAM permissions to write to your database, dead-letter queues for failed invocations, and the monitoring on the Lambda itself.
CloudWatch monitoring
$10-30/month for the dashboards, metrics, and alarms most senders need: bounce rate, complaint rate, send rate, delivery rate, and the Lambda invocation metrics. Custom metrics ($0.30 per metric per month) add up quickly when you want per-domain or per-campaign breakdowns.
S3 for log archive
$5-20/month depending on retention. SES Event Publishing can write delivery records to Kinesis Firehose which lands them in S3. The storage cost is small; the cost is writing the query layer (Athena or a custom indexer) on top to make the logs useful for incident investigation.
VPC endpoints (optional)
$7.30/month per AZ per endpoint if you want SES traffic to stay in private subnets without traversing the public internet. Three AZs = $22/month. Worth it for some compliance postures, overkill for most.
Engineering time
The line item with the widest variance. At 100K/month and a simple setup, expect 5-10 hours per month for ongoing maintenance: tuning suppression logic, responding to bounce-rate climbs, updating CloudWatch alarms. At 2M/month it is more like 0.5 FTE. At 10M+ it is 1-2 FTE dedicated to email infrastructure.
The math we ran on our own migrations
Three migrations in nine months. Two of them were SES customers spending under $500/month on SES itself who were spending another $1,500-2,500/month in engineering hours on the surrounding infrastructure. The third was a larger SES account at ~$3,000/month base cost with a full FTE on email infrastructure. In all three cases the consolidated bill on sendmsg.io was 30-55% lower once we factored the engineering hours back in. The $0.10/1K number is correct. It is not the bill.
Pricing notes verified May 2026 from aws.amazon.com/ses/pricing and aws.amazon.com/sns/pricing. AWS may change rates at any time.
Key Differences That Matter
Two different approaches to email infrastructure.
Managed Platform vs DIY Infrastructure
Amazon SES is raw sending infrastructure. It does one thing extraordinarily well: deliver email at scale for very low cost. Everything else is your responsibility. Bounce handling, complaint processing, template management, contact lists, campaign orchestration, analytics dashboards, warmup schedules, suppression list hygiene — all of it is yours to build.
sendmsg.io is a complete messaging platform. You get all of those capabilities on day one, integrated and ready to use. No SNS topic configuration. No Lambda functions for complaint processing. No CloudWatch dashboard assembly. You verify a domain and start sending.
What you need to build with SES
All included out of the box with sendmsg.io
Protection comparison
Amazon SES VDM
- Shows deliverability metrics in a dashboard
- Provides advisor recommendations
- Alerts on reputation changes after the fact
- You decide what to do and act manually
sendmsg.io Reputation Shield
- Watches all reputation signals every 30 seconds
- Adjusts sending behavior based on live signals
- Five graduated Adaptive Protection levels
- Gradual recovery after issues, no manual intervention needed
Reputation Protection: Active vs Advisory
Amazon SES introduced Virtual Deliverability Manager (VDM) to help users understand their sending reputation. It provides dashboards, metrics, and advisor recommendations. The data is genuinely useful, but VDM is fundamentally an advisory tool. It tells you there is a problem and suggests what to do. You still need to act on it.
sendmsg.io's Reputation Shield does more than monitor. When it detects deteriorating Domain Health Scores, rising bounce rates, or ISP complaints, it adjusts your sending behavior through Adaptive Protection. It throttles, isolates, and recovers without needing a human. Your reputation is protected around the clock, not just when someone is watching the dashboard.
Total Cost of Ownership
At $0.10 per 1,000 emails, Amazon SES has the lowest per-email cost in the industry. For teams with strong engineering resources who just need a sending pipe, this is compelling. No argument from us.
Per-email cost is only one line item. Building and maintaining bounce handling, complaint processing, warmup schedules, reputation monitoring, template management, and analytics dashboards takes real engineering time. For most teams, the total cost of building on SES exceeds the cost of a managed platform once the supporting AWS bill and engineering hours are factored in.
sendmsg.io's per-email cost is higher than SES base. The total cost of ownership is often lower because the engineering time you save goes back into your product instead of into email infrastructure.
Hidden costs of SES
SES-Specific Friction Points Worth Naming
Generic comparison pages list features. This section names the SES-specific issues we hear from teams who migrate — the IAM and Configuration Set sprawl, the sandbox mode at signup, the suppression handoff, and the reputation isolation problems.
1. Configuration Sets vs Identities vs Verified Domains — three overlapping concepts
Every engineer onboarding to SES hits this wall. Verified identities are email addresses or domains that have proven ownership via DNS. Configuration Sets are named bundles of sending behavior covering event publishing, IP pool routing, suppression scope, and dedicated IP assignment. The account itself sits in either sandbox or production state, which is separate from both. A single email send has to combine the right identity, the right configuration set, and the right account state to land in an inbox. When something fails, the error message usually points at one layer but the root cause is often a different one. We spent the first week of our SES adoption building a mental map of which layer owns which behavior, and we still re-derive it every time we add a new sending domain.
sendmsg.io collapses the model. A verified sending domain has its own reputation graph, its own event webhook config, its own per-domain suppression scope. One concept. The send happens.
2. Sandbox mode at signup — the 200/day cap nobody warns you about
Brand new AWS accounts land in SES sandbox mode by default. You can send 200 emails per day, to verified recipients only, at one email per second. Exiting requires a Service Quota Increase request that asks for your use case, expected volume, list acquisition method, bounce/complaint handling plan, and unsubscribe mechanism. Approval typically takes 24-48 hours but we have seen accounts wait a week when AWS asks follow-up questions. After approval you start at a low daily quota — often 50K/day — that expands gradually based on your bounce rate (must stay under 5%) and complaint rate (must stay under 0.1%). The pattern catches teams who assumed they could spin up SES on a Friday for a Monday launch.
sendmsg.io has no sandbox. We do KYC at signup and approve production traffic on day one for accounts with a verified business and a clean sending intent. The onboarding speed bump is real on SES.
3. Bounce and complaint handling — AWS makes it your problem
SES does not automatically suppress addresses that bounce or complain. There is an account-level suppression list you can opt into, but the default posture is that you receive the bounce or complaint event via SNS and you decide what to do with it. The typical pattern: SNS topic publishes the event, a Lambda function consumes it, updates your suppression database, and emits a CloudWatch metric. The Lambda code is short — under 100 lines — but the operational surface is not. You need IAM policies that let Lambda read SNS, write to your database, and publish CloudWatch metrics. You need a dead-letter queue for failed invocations. You need alarms on the DLQ depth. You need to handle the schema variants AWS emits for hard bounces, soft bounces, transient failures, complaints, and delivery delays. We have seen teams ship to production with only hard-bounce handling and discover six months later that their soft-bounce volume has been quietly accumulating on a stale-address subset of their list.
// Typical Lambda handler for SES bounce events via SNS
exports.handler = async (event) => {
for (const record of event.Records) {
const message = JSON.parse(record.Sns.Message);
const notificationType = message.notificationType;
if (notificationType === 'Bounce') {
const bounceType = message.bounce.bounceType; // 'Permanent' or 'Transient'
for (const recipient of message.bounce.bouncedRecipients) {
if (bounceType === 'Permanent') {
await suppressAddress(recipient.emailAddress, 'hard_bounce');
} else {
await trackTransientBounce(recipient.emailAddress);
}
}
} else if (notificationType === 'Complaint') {
for (const recipient of message.complaint.complainedRecipients) {
await suppressAddress(recipient.emailAddress, 'complaint');
}
}
}
};None of this is hard. All of it is your responsibility. sendmsg.io auto-suppresses on every bounce and complaint variant by default, with per-domain scope so a marketing complaint does not poison your transactional list.
4. VPC endpoint setup if you want SES from private subnets
Default SES traffic goes through the public internet. If your application servers live in private subnets and your security posture requires AWS API calls to stay inside the VPC, you need to configure an Interface VPC Endpoint for SES. The endpoint itself costs $7.30 per AZ per month (so $22/month for three-AZ redundancy), plus data processing charges. The IAM and security-group configuration is a separate ticket from the application code change. None of this is unique to SES — every AWS service has the same pattern — but it is one more line item that the SES landing page does not mention.
5. Deliverability tooling gap — no managed warmup, no real reputation dashboard
SES does not have a managed warmup feature. The recommended pattern from the AWS docs is that you start at low volume, monitor CloudWatch, and gradually increase. The mechanism is you, watching dashboards. If you go too fast, ISPs defer or block, your bounce rate spikes, and SES sends you an email titled "Your Amazon SES sending pause has been temporarily increased" which halts your sending entirely. The reputation tooling beyond CloudWatch is limited: VDM is a step up from raw metrics but still primarily a visualization layer, not an actionable system. The first signal of a reputation problem is often the AWS email itself, by which point you are already in remediation mode.
The deeper structural gap: SES applies reputation at the account level by default. Your transactional sends (password resets, OTP, receipts) and your marketing sends share the same account reputation unless you put them on different dedicated IP pools, which costs extra and requires you to manage the segregation in your application code. A complaint on a marketing campaign can degrade your transactional inbox placement. We have watched this happen.
sendmsg.io's Cortex runs warmup automatically with a 30-day default schedule, per-ISP throttling, and engagement-weighted ramp adjustments. Reputation is isolated per domain by default. A complaint on mail.yourdomain.com does not touch tx.yourdomain.com.
6-Step Migration: Amazon SES to sendmsg.io
The whole move takes a focused day or two of engineering plus a 2-week parallel-sending validation window. The SES-specific challenge is the SNS-to-webhook conversion. The rest is straightforward.
DNS records — SPF, DKIM, DMARC
Add three records to your sending domain. SPF gets an include:_spf.sendmsg.io entry. You can keep the SES include during the parallel-sending window — multiple includes are valid up to the 10-lookup limit. DKIM is a CNAME record sendmsg.io provides per domain. Point scope1._domainkey and scope2._domainkey at the values shown in your dashboard. DMARC you probably already have if you were running SES properly; just confirm the policy is at least p=quarantine with alignment set to relaxed. Propagation is usually 10-15 minutes; sendmsg.io verifies all three records and flags misconfiguration before your first live send.
API endpoint swap — sendEmail to /v1/email/send
SES's SendEmail / SendRawEmail via the AWS SDK maps to a single REST call on sendmsg.io. Here is the same send on both:
// SES via AWS SDK v3
import { SESClient, SendEmailCommand } from "@aws-sdk/client-ses";
const client = new SESClient({ region: "us-east-1" });
await client.send(new SendEmailCommand({
Source: "[email protected]",
Destination: { ToAddresses: ["[email protected]"] },
Message: {
Subject: { Data: "Hello" },
Body: { Html: { Data: "<p>hi</p>" } }
},
ConfigurationSetName: "main-events"
}));
// sendmsg.io equivalent
await fetch("https://api.sendmsg.io/v1/email/send", {
method: "POST",
headers: {
"Authorization": "Bearer " + process.env.SENDMSG_API_KEY,
"Content-Type": "application/json"
},
body: JSON.stringify({
from: { email: "[email protected]" },
recipients: [{ email: "[email protected]" }],
subject: "Hello",
html: "<p>hi</p>"
})
});If you would rather avoid touching application code, SMTP relay works on both sides. Swap the host from email-smtp.us-east-1.amazonaws.com to smtp.sendmsg.io and update the credentials. Most teams put a feature flag in front of the call so 5% of traffic flows to sendmsg.io for the first day, ramping to 100% over the parallel window.
SNS topic to webhook migration — the unique SES challenge
This is the step that takes the most thought. Your SES events currently flow through SNS topics into Lambda functions that update your database. sendmsg.io publishes the same event categories — delivery, bounce, complaint, open, click — directly to an HTTPS webhook of your choice. The replacement pattern: keep the database update logic, swap the event source from SNS to the sendmsg.io webhook handler. Most teams end up with a much shorter function.
// BEFORE: Lambda triggered by SNS (SES bounce event)
exports.handler = async (event) => {
for (const record of event.Records) {
const message = JSON.parse(record.Sns.Message);
if (message.notificationType === 'Bounce') {
for (const r of message.bounce.bouncedRecipients) {
if (message.bounce.bounceType === 'Permanent') {
await db.suppressions.insert({
email: r.emailAddress,
reason: 'hard_bounce',
source: 'ses'
});
}
}
}
}
};
// AFTER: HTTPS endpoint receiving sendmsg.io webhooks
app.post('/webhooks/sendmsg', verifySignature, async (req, res) => {
const { event_type, email, reason } = req.body;
if (event_type === 'bounced' && reason === 'hard') {
await db.suppressions.insert({
email,
reason: 'hard_bounce',
source: 'sendmsg'
});
}
res.status(200).send();
});The signature verification is HMAC-SHA256 on the request body with your webhook secret. We publish reference handlers in Node, Python, Go, Ruby, and PHP. Once the webhook endpoint is live and you have verified you can replay test events through it, decommission the SNS topic and the Lambda. That is one less line item on the AWS bill and one less function to operate.
Suppression list export from SES + import to sendmsg.io
Pull your existing suppressions from SES via the AWS CLI:
# Account-level suppression list
aws sesv2 list-suppressed-destinations \
--reasons BOUNCE COMPLAINT \
--output json > ses-suppressions.json
# Flatten to CSV: email,reason,suppressed_at
jq -r '.SuppressedDestinationSummaries[] |
[.EmailAddress, .Reason, .LastUpdateTime] | @csv' \
ses-suppressions.json > suppressions.csv
# Bulk import to sendmsg.io
curl -X POST https://api.sendmsg.io/v1/suppressions/bulk \
-H "Authorization: Bearer $SENDMSG_API_KEY" \
-F "[email protected]"If you used configuration-set-scoped suppression lists, repeat with --configuration-set-name per set. Keep both sides in sync during the parallel-sending window — any new suppression on SES gets carried over and vice versa. The piece teams miss: SES does not auto-suppress soft bounces by default. If you have only been recording hard bounces, run a list-hygiene pass before importing so you start sendmsg.io with a clean baseline.
Warmup strategy on the new domain — 30-day ramp
If you are moving to a fresh sending domain (recommended for the cleanest reputation story), plan for 30 days of graduated volume. The schedule we publish in the 2026 Deliverability Playbook: day 1 starts at 50 emails, day 2 doubles to 100, days 3-7 ramp through 200/500/1000/2000/5000, then days 8-30 follow an engagement-weighted curve toward your target volume. sendmsg.io's Cortex automates the daily ramp and slows specific ISPs that show deferral pressure without halting the whole schedule. Outlook deferring on day 8 does not pause your Gmail ramp.
If you are keeping the same sending domain (reusing the established reputation), the warmup compresses to 7-10 days because the domain's history with major ISPs carries over. Either way, the engagement-driven daily limit is the difference between a warmup that finishes on time and one that quietly stalls because nobody noticed Gmail had been deferring for three days.
Validation period — 2 weeks of parallel sending
Run both platforms in parallel for two weeks. Split traffic 50/50 if you are confident, 90/10 if you are cautious. Compare inbox-placement seed tests on both platforms. A 250-address seed list across Gmail, Outlook, Yahoo, and corporate domains tells you which side is winning the placement battle. The seed tests should agree within 2-3 percentage points; if sendmsg.io comes back materially worse on a specific ISP, that is the signal to investigate before cutting over fully.
Other metrics to watch during validation: open rates by ISP, bounce rates by bounce category (transient vs hard), complaint rates per million sends, and click-through if your campaigns have consistent CTAs. Once two consecutive weeks agree, flip the feature flag to 100% sendmsg.io and decommission the SES account at the end of the next billing cycle. Do not forget to delete the SNS topics, Lambda functions, and CloudWatch alarms you no longer need — they keep costing money until you do.
Making the Right Choice
SES and sendmsg.io serve different needs. Here is how to decide which is right for your team.
Choose sendmsg.io if you...
- Want a complete email platform without building infrastructure from scratch
- Need reputation protection that acts on problems, not just monitoring dashboards
- Prefer spending engineering time on your product, not email plumbing
- Need campaign management, templates, and contact management built in
- Want Smart Inbox for reply management and Campaign Autopilot for hands-off sequences
- Need managed domain warmup that adapts per-ISP
- Want transactional and marketing reputation isolated by default
Amazon SES might be better if you...
- Absolute lowest per-email cost is your top priority and you have engineering resources
- Already have a custom email infrastructure built on AWS and just need the sending pipe
- Your engineering team wants full control over every aspect of the email stack
- You are deep in the AWS ecosystem and prefer consolidated billing
- You send at extreme volumes (billions/month) where per-email cost dominates
- You already have your own bounce handling, warmup, and reputation monitoring in place
Frequently asked questions
Is sendmsg.io really cheaper than Amazon SES at scale?
Honest answer with caveats. SES per-email cost ($0.10/1K) is the lowest in the market and we won't pretend otherwise. The real comparison is fully-loaded TCO. SES gives you a sending pipe. You build the rest: SNS topics for bounce and complaint events ($0.50 per million publishes), Lambda functions to consume those events and update your suppression DB ($5-50/month depending on volume), CloudWatch dashboards and alarms ($10-30/month at moderate volume), S3 log archive ($5-20/month), and the engineering time to build and maintain all of it. At 100K/month, SES base is $10 but the loaded cost with supporting AWS and ~5-10 hrs/month of eng time at $100/hr internal rate lands in the $40-90 range. sendmsg.io Starter at $29 covers the same surface area with the Cortex on top. At 2M/month, SES fully loaded is $700-1,500/month once you account for the 0.5 FTE most teams dedicate to suppression management, warmup orchestration, and reputation triage. The TCO crossover is well below 1M/month for most teams.
What is the SES sandbox and how do I get out of it?
Every new AWS account lands in SES sandbox mode by default. You can send 200 emails per day, only to verified recipient addresses, with a max send rate of 1 email per second. To exit, you file a service quota increase request with AWS Support that asks for your use case, expected volume, list-acquisition method, bounce/complaint handling plan, and unsubscribe mechanism. Approval typically takes 24-48 hours but we have seen accounts wait a week, especially when AWS asks follow-up questions about list hygiene. After approval you start at a low daily quota (often 50K/day) that AWS gradually expands based on your actual sending behavior — bounce rate under 5%, complaint rate under 0.1%. This is a real onboarding speed bump that sendmsg.io doesn't have. We do our own KYC at signup so you can send production traffic on day one.
How does the SES configuration sets vs identities vs verified domains story actually work?
This is the friction point we hear about most from engineers new to SES. Three overlapping concepts: verified identities (email addresses or domains you have proven ownership of via DNS records), configuration sets (named bundles of sending behavior like event publishing destinations, IP pool assignment, suppression list scope, and dedicated IP routing), and the production-vs-sandbox account state (separate from both). A single email send has to combine the right identity, the right configuration set, and the right account state, and the error messages when you get it wrong are not always clear about which layer is failing. The mental model we use internally: identity = who the email comes from, configuration set = how AWS handles the send, account state = whether you are allowed to send at production volumes. sendmsg.io collapses these into one concept: a verified sending domain with its own per-domain reputation graph and event webhook config. You pick the domain and the send happens.
What happens when SES suspends my account?
AWS sends you an email titled something like 'Your Amazon SES sending pause has been temporarily increased' and your sending halts immediately. The email lists the metric that triggered the pause (usually bounce rate above 5% or complaint rate above 0.1%), and gives you 72 hours to respond with a remediation plan. If you do not respond, the pause becomes a longer suspension. If the remediation plan is accepted, sending resumes but at a reduced rate that AWS expands gradually over days or weeks. We have seen this happen to three customers before they moved. The pattern is consistent: the bounce-rate climb was visible in CloudWatch for hours or days before the pause hit, but nobody was watching CloudWatch, so the first signal was the email from AWS. sendmsg.io's Cortex catches the climb at the activity level within 30 seconds and starts throttling or pausing the specific activity before it bleeds into your account-wide reputation.
How do I migrate suppression lists from SES to sendmsg.io?
SES keeps your suppressions in the account-level suppression list and (optionally) per-configuration-set lists. Export via the AWS CLI: `aws sesv2 list-suppressed-destinations --reasons BOUNCE COMPLAINT` gives you the account-level list as paginated JSON. Pipe through jq to flatten into a CSV with email, reason, and last-update-time columns, then bulk-upload to sendmsg.io via the dashboard or POST /v1/suppressions/bulk. For configuration-set lists you repeat the same call with the --configuration-set-name flag. The piece teams miss: SES does NOT auto-suppress on soft bounces or transient failures unless you have explicitly enabled that behavior in your configuration set. If you have been running with only hard-bounce suppression, you may be carrying a contact list with a lot of stale addresses that have been silently bouncing without ever landing in the suppression DB. We recommend running a list-hygiene pass before migrating so you import a clean baseline.
Does SES handle domain warmup or do I have to do it manually?
Manual. SES does not have a managed warmup feature. The recommended pattern from the AWS docs is to start at low daily volumes, monitor your bounce and complaint rates in CloudWatch, and gradually increase volume over 4-8 weeks. The mechanism is you, watching dashboards, manually adjusting how many emails your application sends. If you go too fast, ISPs start deferring or blocking, your bounce rate spikes, and SES sends you the sending-pause email. There are open-source warmup scripts on GitHub that automate the daily ramp but none of them integrate with SES events or adjust based on per-ISP signals. sendmsg.io's Cortex runs warmup automatically: 30-day schedule by default, engagement-weighted ramp, per-ISP throttling when one ISP shows deferral pressure without halting the others. The reason this matters: warmup is the moment your reputation is most fragile and it is also the moment teams have the least bandwidth for manual monitoring.
Can I keep using SES for transactional and add sendmsg.io for marketing?
You can but we do not recommend it long-term. The reason is reputation isolation. If your transactional emails (password resets, receipts) go through SES on a shared account-level reputation and your marketing campaigns go through sendmsg.io on isolated per-domain reputation, you get the worst of both worlds: a transactional pipeline that shares fate with anyone else on your SES IP pool and a marketing pipeline that is properly isolated. The better pattern, if you want to phase the migration, is to move both streams to sendmsg.io but on separate sending domains (tx.yourdomain.com and mail.yourdomain.com). The Cortex will treat them as independent reputation graphs and isolation is real. Teams doing a phased move usually run SES and sendmsg.io in parallel for 2-3 weeks on the same domain pattern, validate inbox placement via seed tests, then cut over fully.
Comparing sendmsg.io to other email platforms?
Everything SES Gives You, Without the Build
Reputation protection, templates, campaigns, Smart Inbox, Campaign Autopilot, and analytics. All managed for you, ready on day one.
Want to see the full platform? Explore all features