Migrate from Amazon SES to managed deliverability, without losing the cost discipline that brought you to AWS in the first place
Amazon SES is the cheapest transactional email infrastructure on the public internet at $0.10 per 1,000 emails. We are not going to pretend otherwise. What SES does not ship is the managed deliverability practice that turned into a baseline requirement in 2025-2026 — Gmail's Postmaster Tools v2 binary Pass/Fail status went live in October 2025, Microsoft enforced 550 5.7.15 rejections on May 5, 2025, and Gmail's enforcement moved from temporary deferrals to permanent rejections in November 2025. SES also did not make the initial service list when AWS launched its European Sovereign Cloud in Brandenburg on January 15, 2026, which puts every SES sender back into the CLOUD Act conversation Schrems II flagged five years ago. This page is the operator-level explanation of when SES is genuinely the right answer, when it is not, and what a 60-day migration to a managed European alternative actually involves.
The cheap-on-paper headline rate hides a billing surface that touches five separate line items, and a sovereignty story that AWS itself does not yet sell to SES customers
Let us start with what is true. SES base sending is $0.10 per 1,000 outbound emails in every AWS region as of May 2026. There is no monthly minimum, no per-feature gate to unlock that rate, and no surcharge if you pull traffic to Tokyo instead of Frankfurt. AWS launched the Tenants feature in August 2025 with a 10K/day default and 300K available on request — that closed one of the more visible operational gaps SES had against the named-IP-pool model SendGrid and Mailgun ship by default. New accounts get 3,000 message charges free per month for the first 12 months (the old 62K/month EC2-linked free tier was retired with the rollover to the $200 AWS Free Tier credit model on July 15, 2025). At a million emails per month with shared IPs and no add-ons, the bill is roughly $107: $100 in sending fees and around $7 in data transfer on 60 KB messages. That is genuinely difficult to beat anywhere else in the market.
What is also true is that the dedicated-IP economics get more complex than the headline. Standard dedicated IPs are $24.95 per IP per month, billed regardless of volume — fine if you are running three or four IPs to segment streams, painful if you are running 25. Managed dedicated IPs cost $15 per account per month plus a tiered per-email charge: $0.08 per 1,000 emails for 0-10M, $0.04 for 10M-50M, and $0.02 for 50M-100M. That sliding scale crosses over standard fixed-fee IPs somewhere around 10M emails per month, and managed becomes the cheaper option above that threshold. Bring-Your-Own-IP exists at $24.95 per IP with a 256-IP minimum, which works out to $6,387.20 per month before you send a single message — a credible option only for telcos and existing IP holders. Virtual Deliverability Manager adds $0.07 per 1,000 emails on top of the base, raising effective send cost from $0.10 to $0.17 per 1,000 (a 70% surcharge) and the VDM Deliverability Dashboard runs $1,250 per month for the advanced analytics tier. Data transfer is $0.12 per GB. Mail Manager ingress endpoints, archive add-ons, Trend Micro scanning, and SNS notifications for event tracking all carry per-message or per-endpoint fees that vary with your configuration.
The five-billing-component reality means the operating SES bill at 1M emails per month with dedicated IPs and VDM lands closer to $185 than $100 — still excellent value, but not the headline rate. At 100,000 emails per month, the all-in cost with VDM is roughly $17.70 versus $10.70 without. AWS deserves credit for being transparent on the pricing page; we have seen plenty of SES bills where the sticker shock came from teams not understanding that one email to 100 recipients counts as 100 billable messages, or that attachments at $0.12/GB can outweigh the email charges entirely on document-heavy workloads. None of that is hidden — it is documented — but the cumulative effect routinely surprises teams that have only modeled the $0.10/1K line.
Then there is the sovereignty question, which changed materially in 2026. AWS turned on the European Sovereign Cloud on January 15, 2026 in Brandenburg, Germany — a separate partition (aws-eusc, region eusc-de-east-1), four dedicated German GmbH entities, an EU-resident-only operational workforce, and a roadmap to expand into Belgium, the Netherlands, and Portugal through 2026-2027. The launch service list includes approximately 70-90 services covering compute (EC2, Lambda, EKS, ECS), storage (S3, EBS), database (Aurora, DynamoDB, RDS), networking (VPC), security (KMS, ACM, Private CA), and a meaningful slice of the AI portfolio (Bedrock, SageMaker, Amazon Q). Amazon SES is not on that list. If your sovereignty story for email infrastructure depended on a future AWS sovereign offering, the launch went GA without you. That decision could change in any future roadmap update, but as of May 2026 every SES email goes through the standard AWS regions, which means the CLOUD Act discussion that Schrems II framed in 2020 and that Microsoft's French subsidiary admitted under oath at a Senate hearing in June 2025 still applies in full.
The teams we see moving off SES in 2025-2026 fall into three groups. The first is teams who picked SES on the cost story but never built the deliverability practice around it, and started losing inbox placement once Microsoft and Gmail tightened enforcement. The second is EU- or DACH-based teams whose procurement or DPO function flagged the sovereignty exposure after watching Microsoft's French Senate testimony and reading the GDPR Article 48 versus CLOUD Act analyses that proliferated through 2025. The third — smaller but growing — is teams who ran the operational math on building an in-house deliverability function (a senior engineer at €90-130K plus tooling) versus paying for it as a service, and found the managed-service number wins for everything below roughly 10-15M emails per month. For all three groups, the question is not "Is SES wrong?" but "Is SES wrong for our specific shape of email program?" We work through that openly.
Amazon SES versus Authorize Hosting on the dimensions that shape both the bill and the deliverability ceiling
| Dimension | Amazon SES | Authorize Hosting |
|---|---|---|
| Headline rate | $0.10/1K emails — lowest in market | Tier-based EUR pricing from €399/mo |
| All-in cost at 1M/mo | ~$107 shared / ~$185 with dedicated IPs + VDM | €859 (Email API Pro, 20 dedicated IPs included) |
| Dedicated IP economics | $24.95/IP standard, or $15 + $0.02-0.08/1K managed; BYOIP 256-IP min ($6,387/mo floor) | 5-30 dedicated IPs included by plan tier — no per-IP gating |
| Deliverability operations | Self-service: warming, monitoring, complaint-rate, list hygiene all yours; VDM at +$0.07/1K adds analytics, not staff | Named operator at the Stockholm desk — warming curve, complaint triage, Postmaster Tools review |
| Blocklist remediation | Forum and AWS Support — Basic free, Developer $29/mo, Business $100+/mo for technical responses | Operator handles Spamhaus, SpamCop, Cloudmark, Microsoft delist requests directly |
| EU Sovereign Cloud inclusion | Not in initial ESC service list (Jan 15, 2026 GA — ~70-90 services); CLOUD Act applies to standard regions | EU-incorporated (Sweden), Stockholm + Frankfurt routing, no US parent |
| Campaign/marketing UI | None — pair with Customer.io, Mailchimp, Klaviyo, or build in-house | Lightweight campaign builder; we also pair cleanly with Customer.io / Brevo for richer UI |
| Suppression management | Account-level + configuration-set lists; no built-in UI for bounce-by-bounce triage | Per-stream suppression + dashboard UI + API hooks to your CRM |
| Per-recipient billing | Yes — 1 email to 100 recipients = 100 charges | Per-message billing in tiered plans (no per-recipient multiplication on group sends) |
| Pricing predictability | Pay-as-you-go across 5 billing components — bills can spike | Fixed monthly tier; overage discussed before billing, never automatic |
| Free tier (2026) | 3,000 msgs/mo for 12 months (new accounts since Jul 15, 2025 get $200 AWS credits instead) | No free tier — pilot conversation instead |
The table reflects SES pricing on the AWS public pricing page as of May 2026. Where SES wins the column, it wins it cleanly — we say so. The dimensions where receivers in 2025-2026 are punishing senders hardest (managed deliverability, blocklist remediation, named operator availability) are where we expect to earn the migration.
How a typical SES migration runs — week by week, with SES staying live the whole time
SES migrations look slightly different from SendGrid or Mailgun migrations because the SES integration pattern is itself different. Most SES customers send via the AWS SDK from an EC2 instance or Lambda function, with IAM roles handling authentication rather than SMTP credentials. That coupling between your application code and AWS-specific authentication needs to be unwound during the migration, which is what week 1 is mostly about. The single architectural commitment we make is the same as every other migration we run: SES stays live during the whole transition. Your existing AWS SES subscription continues to flow traffic, and we move volume incrementally rather than cutting over.
DNS records, integration code, and dual-credential setup
We provision your dedicated IPs at our Stockholm and Frankfurt data centers and generate fresh DKIM keys per sending domain. You add the new DKIM selectors alongside your existing SES DKIM records (these can coexist indefinitely — most domains run 2-4 DKIM selectors simultaneously across providers). SPF gets updated with our include: directive added to your existing amazonses.com include. DMARC stays at whatever policy you have today; we never change DMARC during the migration period itself. On the integration side, your application gets a new SMTP or REST API credential set alongside the existing AWS SDK calls — most teams use environment variables to switch between providers, which is also what the parallel-run phase needs.
14-day warm with engaged-first segmentation while SES carries the rest
The warmup itself is conservative on purpose. Day 1 sends 50 messages on each new dedicated IP, day 3 reaches 100, day 5 reaches 200, doubling roughly every 2-3 days through the 14-day curve toward steady-state daily volume. Warmup traffic is your highest-engagement segment — opened-in-last-30-days subscribers, transactional confirmations to active accounts, password resets — never promotional broadcasts to dormant lists. Receivers including Gmail (via the v2 Postmaster Tools Compliance Status, which moved to binary Pass/Fail in October 2025) treat that engaged-first ramp as the legitimate signal it is. SES continues to handle 80-90% of your volume during this period, which means your overall sender reputation never depends on whether the new IPs warmed perfectly on day one.
10-30% shift, real-time deliverability comparison across both providers
A measurable percentage of your transactional traffic starts routing through us — typically 10-20% via a feature flag in your application or environment variable on the SMTP transport. CloudWatch metrics on the SES side and our own dashboards on the new side run side-by-side; bounce rates, complaint rates, and seed-list inbox placement get compared for the same campaign waves. The first thing we look for is divergence at Microsoft Outlook specifically — Microsoft's 550 5.7.15 enforcement that came into force on May 5, 2025 disproportionately punishes shared-pool senders, and the move to dedicated IPs typically shows up as a 5-15 point inbox-placement improvement at Microsoft within 7-10 days. If the data looks clean, we push to 30-50% by end of week 3.
100% on Authorize Hosting; SES throttled down to standby
By end of week 4 the new IPs are at steady-state volume and matching or beating SES baselines on inbox placement. We shift 100% of traffic and keep SES configured as a hot standby for another 2-4 weeks. The SES bill drops to whatever your minimum activity costs (often nothing, since SES has no monthly minimums) but the account stays active. The feature flag still allows routing back if anything misbehaves. Most teams formally close their SES configuration sets 6-8 weeks after the cutover, once they have seen at least one full marketing cycle and one peak-volume event on the new infrastructure without incident.
Decommissioning the SES-specific integration glue without breaking adjacent AWS services
The last phase is about cleaning up the SES-shaped integration code. SNS topics that pushed bounce and complaint events to your application get retired or repointed at our webhook endpoint, configuration sets get archived rather than deleted (in case of audit), and the IAM roles that scoped SES permissions get tightened or removed. We do this carefully because most teams that ran SES also run other AWS services from the same IAM policies, and we have seen too many "we revoked the SES policy and broke S3 access" stories. Done well, this phase is invisible to the application; done poorly, it surfaces six weeks after migration as a confusing Lambda failure. We work through it with your DevOps team rather than alone.
Mapping the SES API surface to what we ship — and where the two products are deliberately different
- REST API + SMTP relayBoth endpoints; SES
SendEmailandSendRawEmailcalls map to our REST API; SMTP with STARTTLS, TLS 1.3, and OAuth 2.0 authentication options for teams replacing the AWS SDK with standard SMTP libraries - Bounce and complaint webhooksThe SES SNS-driven event model maps to direct webhooks for bounces, complaints, deliveries, opens, clicks, and rendering failures — same payload structure as the SES JSON
- DKIM, SPF, DMARC, BIMIFull authentication stack including BIMI with VMC or CMC certificate support; per-domain DKIM keys; SPF macros supported
- Configuration setsSES configuration-set semantics map to our sending profiles — per-stream IP pool assignment, event destination overrides, and dedicated reputation tracking per stream
- Suppression listsAccount-level and per-domain suppression with API access; SES suppression-list exports import directly during week 1 of migration
- RFC 8058 one-click unsubscribeHeader injection at the relay layer for any non-transactional mail; satisfies Gmail/Yahoo/Microsoft 2024-2026 mandate without application-side changes
- Per-stream IP poolsEquivalent to the SES dedicated IP pool feature; transactional and marketing streams get their own IP pools without sharing reputation
- Deep AWS service integrationSES integrates natively with IAM, CloudWatch, SNS, Lambda, S3, and the rest of the AWS catalog. We integrate via webhooks, REST APIs, and SMTP — no native AWS IAM role assumption. If your sending logic is heavily Lambda-driven with IAM-scoped permissions, that pattern needs to be ported to credential-based authentication.
- Pricing modelTier-based monthly pricing in EUR rather than per-recipient metering. The "1 email to 100 recipients = 100 charges" SES pattern does not apply on our side — group sends and individual sends are both counted as messages.
- Pay-as-you-go elasticitySES has no monthly minimum and scales to zero. We have a monthly tier; if your volume is genuinely zero in some months, SES's elasticity is a feature we cannot match. Most teams considering us already have steady volume, so this rarely matters in practice, but the difference is real for genuinely bursty workloads.
- Self-service operational modelSES assumes you will own warming, monitoring, list hygiene, and complaint-rate management. We assume the opposite — that you would rather hand those to a named operator. If you have a senior deliverability engineer in-house and prefer that model, SES is honestly the better fit on cost.
- Mail Manager / inboundSES Mail Manager (ingress endpoints, archive, virus scanning) is unusually deep for an email-sending service. Our inbound parsing is more limited; we typically pair with a dedicated inbound service or Postfix-direct for teams that need full Mail-Manager-style ingress.
- Account onboardingNamed operator engagement rather than self-service signup. We do a 30-60 minute conversation about your shape of email program, the receiver mix in your recipient base, the geographic distribution, and any deliverability incidents in your history — then size the proposal and the migration timeline. No sandbox, no production-request form, no "open a support case to get out of the test pool."
How SES migrations typically size on the new infrastructure, with honest cost comparisons
SMTP Relay Starter · €399/mo
5 dedicated IPs included (vs SES at $24.95 × 5 = $124.75 standalone IPs alone), up to 200K messages/month, managed warmup, named operator, EU routing. The cost gap versus SES base is real: SES at 200K shared is about $20, dedicated $145, with VDM $159. Our €399 is roughly 2.5x at that volume — what you buy is the managed practice, not the bytes.
See SMTP RelayEmail API Pro · €859/mo
20 dedicated IPs included, up to 2M messages/month, Postmaster Tools integration with weekly operator review, complaint-rate triage, dedicated deliverability engineer. SES at 1M with 5 dedicated IPs and VDM lands around $230-300; our €859 is roughly 3x. That delta is the managed deliverability service — and the place this comparison turns in our favor is when SES senders need a deliverability lead to make sense of declining placement, which costs €90-130K/year inclusive plus tooling.
See Email APIPowerMTA Enterprise · from €2,799/mo
PowerMTA-based architecture for teams above 10M/month, 30+ dedicated IPs, custom IP pool segmentation, EU-only routing Stockholm + Frankfurt. Honest note: at 10M+ on SES with managed IPs, the AWS bill might be in the $400-800 range. Our €2,799 floor is a meaningful premium. We earn it on managed deliverability and EU jurisdiction, not on cost; AWS-heavy teams with senior deliverability staff sometimes choose SES at this volume and we say so directly.
Open the conversationWhat teams ask before kicking off the SES migration
Is SES genuinely cheaper than you, and by how much?
+
Yes, SES is cheaper at every volume tier on a bytes basis. At 100K emails per month, SES base is $10 versus our €399; at 1M it is around $107 versus €859; at 10M with managed IPs and VDM it is around $400-700 versus our €2,799 floor. We are not within 2-3x of SES on raw cost at any volume below the very-high-volume tier, and we never will be — pay-as-you-go infrastructure at hyperscaler scale wins that argument.
What changes the picture is what is bundled. SES does not bundle managed warmup, complaint-rate triage, blocklist remediation, named operator review of Postmaster Tools compliance status, or weekly deliverability reporting. To get those at the same level on SES, you either build them in-house (one senior deliverability engineer at €90-130K plus tooling and time) or you pair SES with a deliverability consultancy (typically €2,000-5,000/month retainers). Once you add that to the SES line item, the comparison narrows substantially, and at sub-10M volumes it usually flips. We work through the math with prospects honestly — there are real shapes of email program where SES wins on total cost, and we say so on the calls.
How does the AWS European Sovereign Cloud launch affect this calculation?
+
The European Sovereign Cloud went GA on January 15, 2026 in Brandenburg, Germany with about 70-90 services in scope. SES was not on that list. AWS may add SES to the ESC roadmap at some point — they have not announced a date — but as of May 2026, every SES email continues to route through the standard AWS regions, which means the CLOUD Act applies to your customer data regardless of whether you have your account in eu-west-1 (Ireland) or eu-central-1 (Frankfurt). For most teams, this is not a deal-breaker. For teams in regulated industries (financial services, healthcare, public sector) or for teams whose DPO has flagged the issue post-Schrems II, it is becoming one.
The underlying issue is structural rather than technical. Multiple independent analyses through 2025-2026 have argued that even the ESC itself remains exposed to CLOUD Act compellation because the controlling ownership is still American — Microsoft's French subsidiary admitted exactly that under oath at the French Senate in June 2025. For teams whose sovereignty story needs to survive a procurement-level audit (BSI C5 registration deadline was March 6, 2026, with penalties up to €10M or 2% of global revenue), we are a clean answer because we are EU-incorporated in Sweden with no US parent.
Will we lose the sender reputation we built on SES?
+
Domain reputation transfers. IP reputation does not. Your sender reputation at Gmail, Yahoo, and Microsoft is tied to the combination of sending IP and From: domain — when your traffic starts flowing through our IPs but the same From: domain, receivers see "this domain has historical engagement, but the IP is new." That is exactly the warmup signal Gmail's Postmaster Tools v2 expects, and the 14-day warmup curve we run is calibrated to it.
What does not transfer is any IP reputation you may have built on SES dedicated IPs. If you were on SES dedicated IPs and you decide to keep those IPs via BYOIP into our infrastructure, that is technically possible but rarely the right answer (the 256-IP BYOIP minimum makes the math difficult, and dedicated-IP reputation does not move cleanly between providers in any case). Most teams accept the 14-day warmup and emerge with better placement than they had on SES dedicated, mostly because the new IPs are warmed against engagement-first traffic rather than mixed pool history.
What happens to our SNS/Lambda/CloudWatch event handling?
+
SES customers typically use SNS topics to fan out bounce, complaint, and delivery events to Lambda functions, SQS queues, or downstream applications. Our webhook model replaces SNS with direct HTTPS POSTs to the endpoint of your choice, with retry and exponential backoff handled on our side. The payload format is close to but not identical to the SES SNS message structure — we publish the schema mapping during week 1 of the migration so your Lambda functions can be updated alongside the parallel-run phase.
For teams who want to keep the SNS-based event flow even after migration (some have downstream consumers that are tightly coupled to that pattern), the workaround is to point our webhooks at an API Gateway endpoint that fans out to SNS internally. This works but adds latency and an extra cost line. Most teams use the migration as an opportunity to simplify by going webhook-direct.
What about Mail Manager — we use SES for inbound parsing too
+
Mail Manager is one of the SES features that is genuinely strong, and we are not going to pretend our inbound parsing matches it. Ingress endpoints, the rule engine, archive add-ons, and virus scanning via Trend Micro are a deeper stack than we ship. If inbound is core to your application, three paths work: keep SES for inbound only (it has no monthly minimum, so the running cost stays small), pair us with a dedicated inbound service (CloudMailin and Postmark Inbound both work cleanly alongside our outbound), or build directly on Postfix at the application layer.
We typically recommend option one for the first 6-12 months post-migration. Outbound traffic moves to us, inbound continues to run on SES while the team observes outbound performance. After steady state, the team decides whether to keep the split or consolidate. There is no operational reason to force inbound migration on the same timeline as outbound.
We have other AWS workloads on the same account. Does migrating SES break anything?
+
No, if the SES-specific glue is unwound carefully. Most teams that ran SES also run S3, Lambda, RDS, or other AWS services from IAM policies that may or may not include SES-scoped permissions. We have seen migrations where a junior engineer "cleaned up the SES IAM policy" by deleting too much and broke an unrelated service for two days. Our week 5-8 cleanup phase is specifically about avoiding that pattern.
The migration itself only touches the application-level email integration, the DNS records, and the SES configuration sets on AWS. Nothing in your S3, EC2, RDS, Lambda, or VPC layer changes. The AWS account stays open, the SES service stays enabled (it costs nothing to leave it enabled when traffic is at zero), and the migration is fully reversible up to the point you delete configuration sets and revoke API keys. Most teams take 60-90 days after full cutover before doing the cleanup, which is conservative on purpose.
Is there a contract lock-in or minimum commitment?
+
Month-to-month on standard plans with 30-day notice for cancellation. Annual contracts get a 10-15% discount for teams that want pricing certainty, but the annual is always optional and we never lead with it. The SES no-contract pay-as-you-go elasticity is something we cannot fully replicate — we have a monthly tier — but the practical difference is small for any team with steady volume.
During the migration project specifically, the first 60 days are structured so you can route back to SES at any time. We do not lock anyone in during the validation period. If the new infrastructure does not meet your standards, the application-level feature flag puts you back on SES in minutes and you owe us only the pro-rated month-to-month cost.
Open the migration conversation
Tell us about your current SES setup: monthly volume, dedicated IP count, whether you use Mail Manager, your AWS region(s), VDM usage, and what specifically prompted you to evaluate alternatives — receiver enforcement, sovereignty after the ESC launch, deliverability incidents, or a combination. We come back with a sized proposal, a migration timeline, and the technical Q&A for your DevOps team.