Kraiter
Getting Started

AWS Setup

Connect your AWS account to Kraiter for SES email sending.

Kraiter sends email through Amazon SES in your AWS account. This means you own your sending reputation, your data never leaves your infrastructure, and you pay AWS directly at their rates (typically $0.10 per 1,000 emails).

Kraiter uses cross-account AssumeRole to access SES on your behalf. You deploy a CloudFormation stack that creates an IAM role with the minimum required permissions, and Kraiter assumes that role whenever it needs to send.

One-click setup with CloudFormation

The simplest way to connect your AWS account is through the dashboard:

  1. Go to the Identities page in the Kraiter dashboard.
  2. Click Connect AWS Account. Kraiter generates a CloudFormation quick-create URL pre-filled with the correct parameters.
  3. Click the link to open your AWS Console. Review the stack and click Create stack.
  4. The stack deploys in about 60 seconds. Once complete, Kraiter automatically detects the new role and activates the connection.

The CloudFormation stack creates:

  • An IAM role with a trust policy scoped to Kraiter's AWS account and a unique external ID (preventing confused deputy attacks)
  • An SES configuration set for delivery tracking
  • An SNS topic for bounce and complaint notifications
  • A webhook subscription that forwards SES events back to Kraiter

Manual IAM role setup

If you prefer to create the role manually or need to customise permissions, follow these steps.

1. Create the IAM role

Create an IAM role with the following trust policy. Replace KRAITER_ACCOUNT_ID with the account ID shown in your dashboard, and YOUR_EXTERNAL_ID with the external ID Kraiter generates for your organisation.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::KRAITER_ACCOUNT_ID:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "YOUR_EXTERNAL_ID"
        }
      }
    }
  ]
}

The external ID is a unique value generated by Kraiter for your organisation. It prevents other AWS accounts from assuming your role, even if they know the role ARN.

2. Attach the SES permissions policy

Attach a policy granting the minimum SES permissions Kraiter needs:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "SESSending",
      "Effect": "Allow",
      "Action": [
        "ses:SendEmail",
        "ses:SendRawEmail",
        "ses:GetAccount",
        "ses:GetEmailIdentity",
        "ses:ListEmailIdentities",
        "ses:CreateEmailIdentity",
        "ses:DeleteEmailIdentity",
        "ses:PutEmailIdentityDkimSigningAttributes"
      ],
      "Resource": "*"
    },
    {
      "Sid": "SESConfigurationSets",
      "Effect": "Allow",
      "Action": [
        "ses:CreateConfigurationSet",
        "ses:GetConfigurationSet",
        "ses:ListConfigurationSets",
        "ses:CreateConfigurationSetEventDestination"
      ],
      "Resource": "*"
    }
  ]
}

3. Register the role in Kraiter

Once the role is created, add it in the dashboard under Identities or via the API:

// Using the SDK
await kraiter.awsBinding.create({
  awsAccountId: '123456789012',
  roleArn: 'arn:aws:iam::123456789012:role/KraiterSESRole',
  externalId: 'mxk7-your-external-id',
  stackRegion: 'eu-west-1',
});

SES sandbox limitations

New AWS accounts start in the SES sandbox, which restricts sending:

  • You can only send to verified email addresses or domains
  • There is a daily sending limit of 200 emails
  • The maximum send rate is 1 email per second

For production use, you need to request production access from the AWS Console under SES > Account dashboard > Request production access.

Kraiter works in both sandbox and production mode, but your sending status will show as sandbox until production access is granted.

Supported SES regions

Kraiter supports SES in all regions where Amazon SES v2 is available:

RegionLocation
us-east-1US East (N. Virginia)
us-east-2US East (Ohio)
us-west-1US West (N. California)
us-west-2US West (Oregon)
af-south-1Africa (Cape Town)
ap-south-1Asia Pacific (Mumbai)
ap-northeast-1Asia Pacific (Tokyo)
ap-northeast-2Asia Pacific (Seoul)
ap-northeast-3Asia Pacific (Osaka)
ap-southeast-1Asia Pacific (Singapore)
ap-southeast-2Asia Pacific (Sydney)
ca-central-1Canada (Central)
eu-central-1Europe (Frankfurt)
eu-west-1Europe (Ireland)
eu-west-2Europe (London)
eu-west-3Europe (Paris)
eu-south-1Europe (Milan)
eu-north-1Europe (Stockholm)
il-central-1Israel (Tel Aviv)
me-south-1Middle East (Bahrain)
sa-east-1South America (Sao Paulo)

Choose a region close to your users for lower latency. You can add identities (domains and email addresses) in multiple regions if you send to a global audience.

Verifying the connection

After setup, verify that Kraiter can assume the role:

const status = await kraiter.awsBinding.verify();
console.log(status.verified); // true

Or check the Identities page in the dashboard — you should see a green "Connected" status.

Next steps

Your AWS account is connected. Now you can verify a domain and send your first email:

Quickstart

Get up and running with Kraiter in minutes.

Send Your First Email

Verify a domain, create a template, and send your first email with Kraiter.

On this page

One-click setup with CloudFormationManual IAM role setup1. Create the IAM role2. Attach the SES permissions policy3. Register the role in KraiterSES sandbox limitationsSupported SES regionsVerifying the connectionNext steps