Setup guide

Connect your SES in about five minutes

Two modes: let TrackSES wire everything automatically with a scoped IAM key, or provision the AWS resources yourself and share nothing.

Least-privilege , no ses:Send*, no existing config touched

SES events

SNS topic

TrackSES

Paste a scoped AWS IAM access key and TrackSES does the rest: it creates a dedicated SNS topic, a SES configuration set, and attaches it to your sending domains , all in seconds.

Create a scoped IAM user

In the AWS IAM console, create a new user (not a role) and attach the least-privilege policy below. It is scoped exclusively to resources prefixed trackses-* , it never touches your existing configuration or identities.

trackses-iam-policy.jsonleast-privilege

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sns:CreateTopic", "sns:Subscribe",
        "sns:SetTopicAttributes", "sns:GetTopicAttributes",
        "sns:ListSubscriptionsByTopic", "sns:DeleteTopic"
      ],
      "Resource": "arn:aws:sns:*:*:trackses-*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ses:ListEmailIdentities", "ses:GetEmailIdentity",
        "ses:CreateConfigurationSet",
        "ses:CreateConfigurationSetEventDestination",
        "ses:PutEmailIdentityConfigurationSetAttributes",
        "ses:DeleteConfigurationSet"
      ],
      "Resource": "*" /* scoped by action — no Send* */
    }
  ]
}

Paste the access key into TrackSES

Copy the access key ID and secret. In the TrackSES project settings, paste them under AWS credentials. Keys are stored AES-256-GCM encrypted and never logged.

AES-256-GCM encrypted at rest

TrackSES wires everything

TrackSES automatically creates the SNS topic, the SES configuration set, subscribes the webhook, and attaches the config set to each of your sending domains , one click per domain.

SNS topic created Config set created Webhook subscribed Domains attached

Live events start flowing

Once wired, deliveries, bounces, complaints, opens and clicks stream into your dashboard in real time. Done.

TrackSES stores no credentials. Provision the AWS resources yourself via CloudFormation (one click) or manually, then share only a webhook URL.

CloudFormation

Option A , CloudFormation (one click)

Launch the pre-filled CloudFormation stack. It provisions the SNS topic and SES configuration set in your account with your TrackSES webhook URL already embedded.

Launch CloudFormation stack

The template is read-only in CloudFormation; review it before launching.

Option B , Manual steps

Create an SNS topic

In the AWS console (or CLI), create a standard SNS topic named trackses-ses-events or any name of your choice.

terminal , aws-cli

$ aws sns create-topic --name trackses-ses-events

Subscribe TrackSES as HTTPS endpoint

Add an HTTPS subscription pointing to your TrackSES project webhook URL. AWS will send a confirmation request , TrackSES confirms it automatically.

terminal , aws-cli

$ aws sns subscribe \
    --topic-arn arn:aws:sns:us-east-1:123456789012:trackses-ses-events \
    --protocol https \
    --notification-endpoint https://app.trackses.com/webhooks/sns/YOUR_PROJECT_ID

Create a configuration set and attach it

Create an SES configuration set with an SNS event destination pointing at your topic, then set it as the default for each of your sending domains.

terminal , aws-cli

$ aws sesv2 create-configuration-set-event-destination \
    --configuration-set-name trackses-acme-io \
    --event-destination-name trackses-events \
    --event-destination SnsDestination={TopicArn=arn:aws:sns:…},Enabled=true

Events start arriving

TrackSES detects the first event, pins the topic ARN automatically, and your live stream is ready. No credentials ever shared.

IAM permission scope

Exactly what the key can access

In Automatic mode the IAM user receives a single least-privilege inline policy. Every action is scoped to trackses-* resources only. Your existing SES configuration, identities, and other AWS resources are untouched.

SNS , scoped to

arn:aws:sns:*:*:trackses-*

allowed · scoped

sns:CreateTopic

sns:Subscribe

sns:SetTopicAttributes

sns:GetTopicAttributes

sns:ListSubscriptionsByTopic

sns:DeleteTopic

SES , scoped to

trackses-* config sets

allowed · scoped

ses:ListEmailIdentities

ses:GetEmailIdentity

ses:CreateConfigurationSet

ses:CreateConfigurationSetEventDestination

ses:PutEmailIdentityConfigurationSetAttributes

ses:DeleteConfigurationSet

Never granted

in either mode

never

ses:Send*

ses:SendEmail

ses:SendRawEmail

ses:SendBulkEmail

ses:UpdateAccountSendingEnabled

ses:DeleteIdentity

Security model

What TrackSES can , and cannot , do

Can do

Read your sending identities list to let you attach the config set with one click

Create and manage dedicated trackses-* SNS topics and SES configuration sets in your account

Capture SES event notifications (delivered, bounced, complaint, opened, clicked) via the SNS topic

Cannot do

Send email on your behalf , ses:Send* is never requested or granted, in either mode

Read message bodies, contact lists, or any content of the emails you send

Touch any resource outside the trackses-* prefix , existing identities, config sets, or your AWS account settings are never modified

Ready to see your SES events live?

Start 14-day free trial View pricing