Email-only signup · Crypto payment · No AWS account

Amazon SES Alternative: No-KYC infrastructure where AWS account verification is the dealbreaker.

Amazon SES has compelling per-message pricing. That pricing comes with an AWS account, identity verification, production access review, content audit risk, and US jurisdictional exposure. For operators where any of these is a dealbreaker, the offshore self-hosted alternative trades higher per-message cost for structural privacy properties.

Quick answer

An Amazon SES no-KYC alternative means self-hosted email infrastructure on offshore providers that do not require identity verification. Amazon SES requires an AWS account with a credit card matching the billing address, phone verification, and sandbox-to-production approval. Self-hosting on ASH or similar offshore providers uses email-only signup, crypto payment via self-hosted BTCPay or Monero, no government ID, and immediate production capability. Trade-off: SES offers genuinely lower per-message pricing ($0.10/1000 messages) but with an AWS-side identity database and US jurisdictional exposure. Self-hosted alternatives cost more per message but produce no third-party identity database. Customer profiles choosing self-hosted: operators with threat models including processor-level surveillance, operators wanting jurisdictional separation from the US, and operators in content categories AWS terms prohibit.

Key facts about Amazon SES alternatives

  • Amazon SES pricing: $0.10 per 1000 messages standard. $24.95/month per dedicated IP. Data transfer costs additional. Attachments billed by size.
  • AWS account requirements: Credit card with billing address match, phone verification, email verification. Some account types require additional KYC documentation. Account suspension if billing or identity issues arise.
  • SES sandbox limitations: New SES accounts start in sandbox: 200 emails/day maximum, 1 message/sec rate limit, send only to verified addresses. Production access requires use case review by Amazon.
  • Production approval timeline: Typically 1-7 days. Can be longer for complex cases or denied for content category concerns.
  • SES content restrictions: AWS AUP prohibits cold email, spam, certain content categories. Account suspension or termination on AUP violations or complaint rate thresholds.
  • Self-hosted alternative pricing: ASH SMTP Scale €149/mo plus dedicated IPs €8/IP/month. More expensive per-message than SES at low volume; comparable or cheaper at 2M+ monthly.
  • Self-hosted signup: ASH email-only signup. No name, address, phone, or government ID. Cryptocurrency payment via self-hosted BTCPay Server or Monero acceptance.
  • Self-hosted production: Full sending capability available immediately upon infrastructure provisioning. No sandbox phase, no approval review, no use case justification required.

What Amazon SES is and is not

Amazon SES occupies a specific position in the email infrastructure market that distinguishes it from both mainstream ESPs and offshore alternatives.

SES is raw infrastructure rather than a managed ESP. Compared to SendGrid or Mailgun, SES provides fewer convenience features: no UI for managing campaigns, no built-in template editor, no analytics dashboard beyond CloudWatch metrics, no marketing-specific functionality. The trade-off is significantly lower per-message pricing and AWS infrastructure integration for customers already on AWS.

SES integration patterns assume AWS ecosystem use. Lambda triggers send via SES. SDK libraries integrate with AWS authentication (IAM credentials). CloudWatch monitors SES metrics. SNS provides webhook-equivalent event delivery. The whole ecosystem works smoothly together for AWS-native applications.

For non-AWS workloads, SES is less convenient. The service is usable from any infrastructure via SMTP or HTTP API, but the integration friction is higher than for AWS-native applications. AWS account setup, IAM credential management, SES domain verification, sandbox-to-production approval all add operational steps that AWS-native deployments handle more smoothly.

The AWS account requirement in detail

The AWS account requirement is the structural property that disqualifies SES for specific use cases.

What AWS account signup actually requires

Credit card matching the billing address you provide. Phone number for verification. Email address verification. For higher account tiers or specific services, additional KYC including business documentation. The account links to a specific identity that AWS maintains in their billing and operational databases.

What the identity database means operationally

AWS has a database linking the customer billing identity (name from credit card, address, phone, business documentation if provided), payment history, IP addresses used to access the account, and service usage patterns. This database is subject to US legal process: subpoenas, National Security Letters (often with gag orders), civil discovery in US courts, government data requests under various statutes.

For operators whose threat model includes the identity database being produced under legal pressure, the AWS account requirement is structurally incompatible with their privacy posture. The compelling per-message pricing does not compensate for the structural identity exposure.

Account suspension risk

AWS may suspend accounts for various reasons: billing issues, identity verification problems, AUP violations, SES-specific complaint rate issues, fraud detection algorithms. Suspension affects all AWS services on the account simultaneously. Operators with significant AWS infrastructure (compute, storage, networking) face suspension affecting their entire operation if SES triggers account-level issues.

The sandbox approval process

New SES accounts start in sandbox mode. Production access requires submitting a use case to AWS for review. The review evaluates business legitimacy, content category, sending practices. AWS may approve, deny, or request additional information. The review process takes 1-7 days typically and can be longer for complex cases.

For operators needing immediate production capability, the sandbox period is operationally meaningful. For operators in content categories AWS scrutinizes (cold email, certain verticals), the review may take longer or result in denial.

Side-by-side comparison: Amazon SES vs self-hosted offshore

| Dimension | Amazon SES | Self-hosted on ASH |
|---|---|---|
| Pricing per 1000 messages | $0.10 standard | Fixed infrastructure, no per-message |
| Dedicated IP cost | $24.95/IP/month | €8/IP/month |
| Account signup | AWS account required | Email-only |
| Payment method | Credit card mandatory | Cryptocurrency, no card needed |
| Identity verification | Required at signup | None ever |
| Phone verification | Required | None |
| Production access | Sandbox + approval review | Immediate after provisioning |
| Initial sending limits | 200/day in sandbox, 1/sec | Per-IP capacity from start |
| Jurisdiction | US (AWS) | 7 non-US options |
| Identity database | AWS maintains | No database maintained |
| Account suspension impact | All AWS services affected | Service-specific only |
| Content restrictions | AWS AUP | Legal content only |
| Authentication setup | SES domain verification | Standard SPF/DKIM/DMARC |
| SDK availability | AWS SDK in many languages | Standard SMTP libraries |
| API quality | Mature AWS API | Postal API or PMTA API |
| Webhooks | SNS + Lambda | Native or via log parsing |
| AWS ecosystem integration | Full | None (deliberate) |
| Operational overhead | Lower (managed) | Higher (customer-managed) |

The cost analysis at different volumes

Low volume (10K-100K monthly messages)

Amazon SES cost: $1-$10/month for messages plus $24.95/IP if dedicated. Total $25-$35/month at low volume with one dedicated IP. Self-hosted on ASH: €150-€200/month minimum. SES significantly cheaper. Self-hosted not justified by cost alone at this volume; jurisdictional or no-KYC concerns must dominate.

Mid volume (500K-2M monthly messages)

Amazon SES cost: $50-$200/month for messages plus dedicated IP costs ($25-$100 for 1-4 IPs). Total $75-$300/month. Self-hosted on ASH: €220-€350/month total. SES still cheaper but the gap narrows. Self-hosted decision driven by factors beyond cost.

Higher volume (5M-20M monthly messages)

Amazon SES cost: $500-$2000/month plus dedicated IPs. Self-hosted on ASH: €500-€900/month. Self-hosted comparable or cheaper. Economic case for migration strengthens.

Very high volume (50M+ monthly messages)

Amazon SES cost: $5K+/month plus IPs. Self-hosted on ASH with PowerMTA: €1500-€3000/month. Self-hosted meaningfully cheaper. AWS volume discounts may apply but the gap remains.

Why operators choose self-hosted despite SES pricing

Threat model including processor-level surveillance

For operators whose threat model includes the AWS identity database being produced under legal pressure, the price difference is acceptable cost for the privacy property. The customer profiles: privacy-focused SaaS, journalism handling source material, opposition political operations, legal services representing parties adverse to US interests, security research under adversarial scrutiny.

Cold email or restricted content categories

AWS AUP restrictions are similar to mainstream ESP restrictions. Cold email at scale is not permitted. Specific content categories face scrutiny. Operators in these categories either operate in violation (with termination risk) or migrate to infrastructure without category restrictions.

Operational independence from AWS

Some operators want infrastructure not dependent on AWS. AWS pricing changes, AWS feature deprecations, AWS account issues all create dependencies that operators may want to avoid. Self-hosted on offshore providers eliminates the AWS dependency.

Jurisdictional separation from US

AWS infrastructure is US-based and subject to US legal process. For operators wanting non-US jurisdictional placement, AWS is structurally unsuitable. Offshore providers in EU, non-EU European, Latin America, or Asia provide jurisdictional alternatives.

No-KYC requirement is structural

For operators requiring genuine no-KYC, the AWS account verification is incompatible. The credit card requirement specifically (linking the AWS account to a verifiable financial instrument with billing address) defeats no-KYC even if no government ID is requested. Self-hosted offshore providers with crypto payment and email-only signup provide structural no-KYC that AWS cannot match.

What ASH provides as Amazon SES alternative

Email-only signup

Signup form requires only email address. No name, address, phone, credit card, or identity verification. Payment via cryptocurrency through our self-hosted BTCPay Server or Monero acceptance. The minimum data collection is structural rather than policy: we have not built systems to accept identity verification.

Immediate production capability

Infrastructure provisioning takes hours rather than days. No sandbox phase. No use case review. No production access approval. Once IPs are warmed (the standard warmup period applies for new dedicated IPs), full operational capacity is available.

Self-hosted PowerMTA or Postal

The same underlying MTAs that power Amazon SES (PowerMTA, refined Postfix variants) are available on our infrastructure. PowerMTA managed for high-volume operations. Postal for cost-effective open-source approach. Customer chooses based on operational requirements and license preference.

Standard SMTP integration

Application integration via standard SMTP rather than AWS SDK. Standard email libraries (nodemailer for Node.js, ActionMailer for Rails, smtplib for Python, PHPMailer for PHP, gomail for Go) configured for our SMTP server. No AWS-specific code dependency.

Per-IP rDNS configuration

Each customer IP has reverse DNS pointing to a hostname under the customer's domain. The PTR record matches the HELO/EHLO greeting. Receiver-side authentication checks rely on this alignment for sender legitimacy.
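The alignment check a receiving MTA applies to a connecting IP can be sketched as follows. This is an added example, not ASH's or any receiver's own code; it goes one step beyond the PTR/HELO match described above by also forward-confirming the PTR target, and the DNS data is constructed (documentation address ranges, example.com names) so it runs offline.

```python
import ipaddress

# Constructed sample DNS data; a live check would query a resolver instead.
PTR_RECORDS = {
    "203.0.113.10": ["mta1.example.com."],
    "203.0.113.11": ["host-11.provider.example.net."],
    "203.0.113.12": ["mta3.example.com."],
}
A_RECORDS = {
    "mta1.example.com": ["203.0.113.10"],
    "host-11.provider.example.net": ["203.0.113.11"],
    "mta3.example.com": ["203.0.113.99"],  # forward record points elsewhere
}


def _norm(name):
    """Lower-case a hostname and drop the trailing root dot."""
    return name.strip().rstrip(".").lower()


def check_rdns_alignment(ip, helo, ptr_records=PTR_RECORDS, a_records=A_RECORDS):
    """Return (ok, findings) for one sending IP and its HELO/EHLO name."""
    addr = ipaddress.ip_address(ip)
    ptrs = [_norm(p) for p in ptr_records.get(str(addr), [])]
    if not ptrs:
        return False, ["no PTR record"]
    findings = []
    if _norm(helo) not in ptrs:
        findings.append("HELO name does not match any PTR target")
    # Forward-confirm: some PTR target must resolve back to the same IP.
    confirmed = any(
        addr == ipaddress.ip_address(a)
        for p in ptrs
        for a in a_records.get(p, [])
    )
    if not confirmed:
        findings.append("PTR target does not resolve back to the sending IP")
    return (not findings), findings
```
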

FBL processing

We operate FBL relationships with Microsoft (SNDS), Yahoo, Comcast, Cox, and others. Complaint signals route to customer accounts. Comparable to SES SNS webhook integration but through standard mechanisms.

Pre-flight IP validation

14-check pre-flight on every IP before customer assignment: Spamhaus SBL/XBL/PBL, SURBL, Microsoft SNDS, Postmaster Tools history, SpamCop, UCEPROTECT, Barracuda, Senderbase, Composite Block List, reverse DNS history, PTR record patterns. IPs failing any check are not assigned.

Architecture options for Sendy users specifically

Sendy is the marketing platform specifically built for Amazon SES integration. Sendy users considering offshore alternatives have specific options.

Sendy with non-SES backend

Sendy can be configured to use SMTP backends other than SES. The configuration requires some adjustment but works for most use cases. Sendy on an ASH dedicated server with Postal or PowerMTA underneath produces an architecture similar to Sendy + SES but with offshore infrastructure.

Migration from Sendy to MailWizz or Acelle

For operators willing to switch platforms, MailWizz or Acelle provide more features than Sendy with similar pricing. The migration involves rebuilding lists, templates, and campaign workflows in the new platform. More features available after migration justify the migration cost for many operators.

Keep Sendy, use offshore SMTP

Operators happy with Sendy can keep using it while changing the SMTP backend. Configuration change in Sendy delivery settings. Same Sendy experience with different infrastructure underneath. The simplest migration path for Sendy-committed operators.

The migration roadmap from SES to self-hosted

Phase 1: Infrastructure provisioning (week 1)

ASH account signup with email and crypto payment. Dedicated server provisioning in chosen jurisdiction. MTA installation (PowerMTA managed or Postal Docker). Initial IP allocation with warmup planning.

Phase 2: Application integration (week 1-2)

Replace AWS SDK calls with standard SMTP library configuration. Update authentication credentials, SMTP server addresses, encryption settings. Test sends to internal addresses verify that the configuration works.

Phase 3: Authentication setup (week 1-2)

Publish SPF authorizing new infrastructure IPs. Configure DKIM signing on new MTA. Set DMARC to p=none initially. Domain verification at ASH parallels SES domain verification but uses standard DNS-based methods (publish DKIM keys, SPF records).

Phase 4: IP warmup (week 2-8)

New dedicated IPs go through 30-45 day warmup. SES sending continues during warmup to maintain operations. Volume ramp on new infrastructure from cold to operational level.

Phase 5: Gradual cutover (week 6-10)

Application configured for split traffic between SES and new infrastructure. Start at 10% new, monitor delivery metrics. Increase percentage as confidence builds. Verify webhook event handling on new infrastructure.

Phase 6: SES discontinuation (week 10-12)

After 100% verified on new infrastructure, stop SES usage. AWS account may remain active for other services. SES specifically can be discontinued without canceling entire AWS account. Domain verifications and dedicated IP allocations in SES are released.

Honest disclaimers

SES pricing is genuinely competitive

At low to moderate volumes, Amazon SES per-message pricing is hard to beat. The economic case for a self-hosted alternative depends on factors beyond cost: privacy posture, content category, operational requirements. Customers prioritizing cost alone should stay on SES.

Self-hosted requires more operational competence

SES handles many operational details automatically (authentication setup, reputation management, scaling). Self-hosted requires the operator to handle these. Operators without engineering capability find self-hosted operationally challenging.

Migration is non-trivial

The 30-90 day migration timeline is realistic. Operators who plan a faster migration run into deliverability problems. The IP warmup period specifically is non-negotiable.

AWS ecosystem integration is real value

Customers running AWS-native infrastructure benefit from SES integration with other AWS services. Lambda triggers, S3 attachments, CloudWatch monitoring, SNS webhook delivery all work smoothly. Migration to non-AWS infrastructure loses this integration tightness.

Authentication is the operator's responsibility

SES domain verification ensures only customer-authorized domains can send. Self-hosted infrastructure requires the operator to configure SPF, DKIM, DMARC properly. Mistakes produce authentication failures that hurt deliverability.
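A pre-publication check for the records from Phase 3 of the roadmap, covering the configuration mistakes this section warns about. It is an added example, not code from ASH or SES: the record strings and IPs are constructed (documentation ranges, example.com), the function names are hypothetical, and only literal `ip4:`/`ip6:` SPF mechanisms are evaluated.

```python
import ipaddress

# Constructed sample records (documentation ranges, example.com). The
# include: term stands for SES, which keeps sending during warmup.
SPF = "v=spf1 include:amazonses.com ip4:203.0.113.0/28 ip6:2001:db8:10::/64 -all"
DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
NEW_IPS = ["203.0.113.10", "203.0.113.40", "2001:db8:10::25"]


def spf_uncovered_ips(spf_record, sending_ips):
    """Return sending IPs not matched by a literal ip4:/ip6: mechanism.
    include:, a and mx need DNS lookups and are not evaluated offline."""
    terms = spf_record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    networks = []
    for term in terms[1:]:
        if term[0] in "-~?":  # only '+' (the default) authorizes a sender
            continue
        kind, _, value = term.lstrip("+").partition(":")
        if kind.lower() in ("ip4", "ip6") and value:
            networks.append(ipaddress.ip_network(value, strict=False))
    return [ip for ip in sending_ips
            if not any(ipaddress.ip_address(ip) in n for n in networks)]


def parse_dmarc(record):
    """Parse a DMARC TXT record into a dictionary of lower-cased tags."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def review_auth(spf_record, dmarc_record, sending_ips):
    """Collect findings for the SPF and DMARC records before publishing."""
    findings = [f"SPF does not authorize {ip}"
                for ip in spf_uncovered_ips(spf_record, sending_ips)]
    tags = parse_dmarc(dmarc_record)
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("DMARC p= tag missing or invalid")
    elif policy == "none" and "rua" not in tags:
        findings.append("DMARC p=none without rua= produces no aggregate reports")
    return findings
```

With the sample data, `review_auth(SPF, DMARC, NEW_IPS)` flags 203.0.113.40, which falls outside the published /28.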
