Amazon SES Tenant Management: The Ultimate Enterprise Guide
Quick summary: SES tenants (GA Aug 2025) add $0.005/tenant/mo reputation isolation—when ISV platforms need them vs configuration sets alone, with IAM, pricing, and IaC.
Key Takeaways
- SES tenants (GA Aug 2025) add $0
- 005/tenant/mo reputation isolation—when ISV platforms need them vs configuration sets alone, with IAM, pricing, and IaC
- Tenant-level suppression lists followed in 2026, letting platforms isolate bounce and complaint suppressions per downstream customer
- If you run email for multiple retailers, business units, or SaaS customers from one SES account, that date matters more than any feature bullet list
- After tenants, AWS can pause one tenant while others keep sending—provided your architecture actually uses the feature

Table of Contents
On August 1, 2025, AWS shipped tenant management in Amazon SES—logical containers inside a single SES account where reputation metrics, automated pause policies, and (optionally) suppression lists apply per tenant instead of only at account level. Tenant-level suppression lists followed in 2026, letting platforms isolate bounce and complaint suppressions per downstream customer.
If you run email for multiple retailers, business units, or SaaS customers from one SES account, that date matters more than any feature bullet list. Before tenants, one customer’s complaint spike could pause your entire account. After tenants, AWS can pause one tenant while others keep sending—provided your architecture actually uses the feature.
This guide is for CTOs, platform engineers, and email infrastructure leads deciding whether to adopt tenants, how they compare to configuration sets and multi-account designs, and how to implement them without breaking production sends.
Executive Summary
Amazon SES tenants are regional logical containers that group identities, configuration sets, and templates, with independent reputation metrics and automated enforcement policies. They are not separate AWS accounts, not a deliverability magic switch, and not a replacement for configuration sets.
| Question | Short answer |
|---|---|
| Who needs tenants? | ISVs, MSPs, multi-brand enterprises, and any platform sending on behalf of many downstream entities in one SES account |
| Who can skip? | Single-brand senders, low-volume apps, teams already using strict per-customer AWS account isolation |
| Extra AWS cost? | $0.005/tenant/month + $0.005/1,000 tenant-tagged emails (AWS fact, SES pricing) |
| Minimum to send? | Verified identity + configuration set associated to the tenant; TenantName on API or X-SES-TENANT on SMTP |
| Our recommendation | Use configuration sets + tenants together on ISV platforms with 50+ downstream senders; enable tenant-level suppression wherever one customer’s complaints must not block another’s transactional mail |
Introduction
Enterprise email operations face a tension that configuration sets alone never fully resolved: operational separation versus reputation blast radius.
Configuration sets excel at separating streams—marketing vs transactional, dedicated IP pools, event destinations, tracking domains. They do not give AWS a first-class object to pause when one downstream customer misbehaves while leaving others untouched.
Enterprise email challenges
- Shared reputation risk: Account-level bounce and complaint enforcement protects recipients but punishes compliant senders on the same account.
- Governance at scale: Hundreds of customers in one ISV platform need IAM boundaries, not just application-level
customer_idcolumns. - Suppression bleed: Before tenant-level suppression, a complaint against Customer A could suppress that address for every tenant in the account.
- Operational visibility: Per-customer metrics buried in custom dashboards are slower than native tenant metrics in CloudWatch and EventBridge.
Why AWS introduced tenant management
AWS messaging teams documented the gap explicitly: configuration sets isolate configuration, but reputation enforcement historically occurred at account level. Tenants add reputation isolation—metrics, findings, pause policies, and Trust & Safety targeting—without forcing every ISV to provision a separate AWS account per customer.
What Is Amazon SES Tenant Management?
Definition and AWS terminology
A tenant is a named logical container (TenantName, up to 64 alphanumeric characters with hyphens and underscores) inside one SES account in one Region. Each tenant receives:
- Its own reputation metrics (sends, bounces, complaints in CloudWatch)
- Reputation findings (low and high severity)
- Sending status (Enabled, Paused, Enforced, Reinstated)
- Optional tenant-level suppression list (
SuppressionScope: TENANT)
Associable resources (AWS fact): verified identities, configuration sets, and email templates—either dedicated per tenant or shared across tenants.
Not supported: nested tenants, cross-account tenants, or cross-Region tenant objects.
Tenant lifecycle and sending status states
Typical lifecycle:
- CreateTenant — optionally set suppression attributes
- CreateTenantResourceAssociation — link identity and configuration set (minimum for sending)
- Send with
TenantName/X-SES-TENANT - Monitor findings → automatic or manual pause
- Remediate → reinstate (grace period ignores active findings temporarily)
- DeleteTenantResourceAssociation → DeleteTenant on offboard
Supported features and current limitations
| Capability | Status |
|---|---|
| SES V2 API + console | GA all commercial SES Regions (Aug 2025) |
| Default quota | 10,000 tenants/account; up to 300,000 via Service Quotas |
CloudFormation AWS::SES::Tenant | Supported |
| Reputation policies | Standard, Strict, None |
| EventBridge notifications | Status changes + reputation findings |
| Regional scope | Per-Region; no automatic replication |
| Contact lists | Account-level; not tenant-associable |
See architecture diagram: docs/ses-tenant-management-core-architecture.drawio (repo path).
Why AWS Introduced Tenants
| Stakeholder | Problem tenants address |
|---|---|
| SaaS / ISV | Send for hundreds of customers; isolate rogue sender without account-wide pause |
| Enterprise multi-BU | Marketing vs corporate vs subsidiary brands under one AWS bill |
| Multi-brand retail | Separate reputation per brand domain in one account |
| MSP | Managed email with per-client enforcement and reporting |
| Shared AWS account | Reduce pressure to spin up N accounts purely for SES isolation |
Tenants do not remove your obligation to monitor all downstream senders. AWS documentation states that combined tenant activity still affects overall account standing.
How Tenant Management Works
Resource association model
Resources attach via CreateTenantResourceAssociation. On each send, SES validates that the identity, configuration set, and template (if used) are associated with the specified tenant. Mismatches fail the send.
Dedicated assignment: one identity per customer. Shared assignment: common IP pool config set across tenants—higher operational risk, lower cost.
Sending flow and validation
API (AWS CLI v2.28.0+, SESv2):
# Assumes: AWS CLI 2.28.0+, identity and config set pre-associated to tenant
aws sesv2 send-email \
--tenant-name "retailer-01" \
--from-email-address "noreply@retailer.example.com" \
--destination "ToAddresses=shopper@example.org" \
--configuration-set-name "retailer-01-cs" \
--content 'Simple={Subject={Data=Order shipped,Charset=utf-8},Body={Text={Data=Your order is on the way.,Charset=utf-8}}}' \
--region us-east-1SMTP: include header X-SES-TENANT: retailer-01 plus X-SES-CONFIGURATION-SET.
Sequence: app → tenant validation → config set (IP pool, events) → delivery → tenant-scoped metrics.
Reputation findings and enforcement
| Policy | Behavior (per AWS implementation guide) |
|---|---|
| Standard (default) | Pause on high severity: bounce >15%, complaint >1% |
| Strict | Pause on any finding: bounce >10%, complaint >0.5% |
| None | Record findings only; no auto-pause |
Findings types include bounces, complaints, third-party feedback, and blocklist appearances. Paused tenants reject sends until remediated and re-enabled.
IAM, EventBridge, and CloudWatch integration
- IAM:
ses:TenantNamecondition keys scope send and suppression APIs to specific tenants. Separate tenant admin roles (create/associate/pause) from sender roles (send-only for one tenant). See policy templates inexamples/ses-tenant-management/iam/. - CloudWatch:
AWS/SESnamespace, dimensionsTenantIdandTenantName—metrics include Sends, Bounces, Complaints per tenant. Basic tenant metrics included without extra SES charge. - EventBridge: Default bus receives
Sending Status Enabled/DisabledandAdvisor Recommendation Status Open/Closed. Pattern inexamples/ses-tenant-management/eventbridge/tenant-reputation-rule.json.
Sequence: tenant send validation
- Application calls
SendEmailwithTenantName,ConfigurationSetName, andFromEmailAddress - SES resolves tenant record and checks sending status (Enabled vs Paused)
- SES verifies identity ARN is associated with tenant
- SES verifies configuration set ARN is associated with tenant
- If template specified, SES verifies template association
- SES applies suppression check against tenant or account list per
SuppressionScope - Email enters sending pipeline (config set → IP pool → delivery)
- Metrics increment under tenant dimensions; events route to config set destinations
- If reputation thresholds breached later, findings appear → optional auto-pause → EventBridge notification
For SMTP, step 1 uses X-SES-TENANT and X-SES-CONFIGURATION-SET headers instead of API parameters—the validation path is identical.
Trust & Safety interaction
When AWS Trust & Safety would historically pause an entire account, tenant isolation allows targeted tenant pause while compliant tenants continue. Account owners still receive Support cases for high-severity issues and remain responsible for all tenants’ practices.
SES Resource Association Matrix
| SES resource | Tenant-associable | Regional | Sharable across tenants | Notes |
|---|---|---|---|---|
| Email/domain identities | Yes | Yes | Optional | Delete blocked while associated |
| Configuration sets | Yes | Yes | Optional | Required on tenant sends |
| Templates | Yes | Yes | Optional | Validated at send time |
| Dedicated IP pools | Via config set | Yes | Optional | Not directly linked to tenant |
| Event destinations | Via config set | Yes | Per config set | SNS, Firehose, CloudWatch |
| VDM | Account feature | Yes | Account-wide | Doubles message charges when enabled |
| Suppression lists | Scope per tenant | Yes | Default: account shared | Set SuppressionScope: TENANT at create |
| Contact lists | No | Yes | Account | Manage at account level |
| MAIL FROM / DKIM | On identity | Yes | Per identity | Inherited via identity |
| Sending authorization | Identity-level | Yes | — | Orthogonal to tenant RBAC |
| IAM | — | — | — | ses:TenantName conditions |
| CloudWatch tenant metrics | Per tenant | Yes | — | Sends, Bounces, Complaints |
| SNS | Via config set events | Yes | — | Not a native tenant resource |
| EventBridge | Tenant events | Yes | Default bus | Automate pause response |
Tenant Management vs Configuration Sets
| Dimension | Configuration sets | Tenants |
|---|---|---|
| Primary purpose | Stream config: IPs, tracking, events | Reputation isolation + enforcement |
| Isolation | Logical send pipeline | Reputation metrics + pause boundary |
| Reporting | Per config set events | Per tenant metrics + findings |
| IAM | Resource ARNs on identity/config set | + ses:TenantName |
| Ops complexity | Moderate | Higher (lifecycle, policies, associations) |
| Best together? | Yes for ISV platforms | Tenants without config sets are incomplete |
FactualMinds recommendation: Configuration sets separate how email is sent (IP pool, event routing). Tenants separate who is accountable when reputation breaks. Use both.
Tenant Management vs Multiple AWS Accounts
| Dimension | SES tenants (single account) | Separate AWS accounts |
|---|---|---|
| Security isolation | Logical | Stronger (account boundary) |
| Cost | Lower base; tenant fees | Higher (account overhead, duplicated infra) |
| Governance | Central ops; tenant RBAC | Landing zone / SCP complexity |
| Compliance | Shared audit boundary | Easier regulatory separation |
| Scalability | Up to 300k tenants | Account limits apply |
| Automation | SES APIs, CloudFormation | Control Tower, StackSets |
| Enterprise fit | ISV scale in one bill | Banking/gov per-tenant accounts |
See aws-multi-account-strategy-landing-zone-best-practices for account-perimeter patterns.
Tenant Management vs Application-Level Multi-Tenancy
Your application database and RBAC still own customer data, billing, and UI. Tenants own SES-side enforcement.
| Layer | Owns |
|---|---|
| App DB + RBAC | Customer records, permissions, content |
| Configuration sets | IP pools, event pipelines, tracking |
| Tenants | SES reputation boundary, pause, suppression scope |
| AWS accounts | Hard multi-tenant isolation |
Hybrid (typical ISV): customer_id in app → maps to TenantName → IAM role per tenant or shared role with ses:TenantName condition.
When to Use Tenant Management
| Profile | Recommendation |
|---|---|
| Startup, single product | Skip tenants |
| SMB, one brand | Config sets only |
| Growing SaaS (under 50 customers) | Config sets; plan tenants |
| Enterprise SaaS / ISV | Tenants + config sets |
| Multi-brand retail | Tenants per brand |
| Banking / healthcare / gov | Tenants or account isolation based on compliance |
| MSP / marketing platform | Tenants per client |
| Transactional-only platform | Tenants if multiple downstream senders |
From a real engagement (architecture shape) — A marketing-automation platform at TargetBay scale (200M+ emails/month, multi-retailer roster) is the canonical tenant candidate: configuration sets separate transactional vs promotional streams; one tenant per retailer contains complaint spikes; tenant-level suppression prevents one retailer’s holiday bounce storm from suppressing addresses for the rest of the roster. This is an architecture recommendation—not a claim that tenant migration already occurred.
When to Avoid Tenant Management
- Single brand, single application — overhead exceeds benefit
- Strict account-per-customer already in place — tenants add little
- Low volume (under 100k/mo total) — manual monitoring suffices
- Custom portal is the only governance layer — without SES API integration, tenants become shelfware
- Teams unwilling to migrate to SESv2 — tenant APIs do not exist in v1
Pricing and Total Cost of Ownership
AWS tenant charges (fact)
From SES pricing:
- $0.005 per tenant per month
- $0.005 per 1,000 emails sent through tenants
- Plus standard outbound email ($0.10/1,000), attachments, dedicated IPs, VDM surcharges as applicable
CloudWatch basic tenant metrics incur no additional SES charge (AWS fact). Custom dashboards, alarms, and detailed monitoring bill at standard CloudWatch rates.
TCO beyond AWS line items
| Cost driver | Startup | Mid-market ISV | Enterprise |
|---|---|---|---|
| SDK/API migration | 1–2 eng-weeks | 2–4 eng-weeks | 4–8 eng-weeks |
| IAM policy refactor | Low | Medium | High (central IdP) |
| Onboarding automation | Manual OK | Lambda required | Full pipeline + audit |
| Ops runbooks | Ad hoc | EventBridge + on-call | 24/7 pause response |
| Training | 4 hours | 1 day | Multi-team workshops |
For a 200-customer ISV, AWS tenant fees at 1M emails/customer/month are roughly $1/month per customer in tenant surcharges alone ($1.00 customer fee = $0.005 base + ~$0.005 email share at 1M emails across 200 tenants)—engineering and ops labor dominate the first-year TCO.
TCO examples (AWS math only)
Assume 1M tenant-tagged emails/month per scenario (excluding base send fees):
| Tenants | Monthly tenant fee | Tenant email fee | Tenant subtotal |
|---|---|---|---|
| 10 | $0.05 | $5.00 | $5.05 |
| 100 | $0.50 | $5.00 | $5.50 |
| 1,000 | $5.00 | $5.00 | $10.00 |
| 10,000 | $50.00 | $5.00 | $55.00 |
Implementation TCO dominates at small scale: SDK upgrades, IAM redesign, onboarding automation, and EventBridge runbooks often exceed AWS tenant line items for the first year.
Pre-Adoption Considerations
IAM and RBAC
Map organizational roles before creating tenants:
| Role | Permissions | Typical owner |
|---|---|---|
| Tenant admin | CreateTenant, associations, policy updates | Platform team |
| Tenant sender | SendEmail + ses:TenantName | Application workload |
| Tenant auditor | GetTenant, ListRecommendations, CloudWatch read | Security / compliance |
| Account owner | Full SES + Support | Cloud center of excellence |
Never attach admin policies to application credentials. Rotate SMTP credentials per tenant when customers receive dedicated SMTP users.
Resource ownership
Document which team owns identity DNS (customer vs platform), configuration set design (central vs delegated), and pause/reinstate authority (ops vs customer success). Ambiguity here delays reinstatement after false-positive findings.
Configuration Sets and domains
Every tenant send requires a configuration set associated to that tenant. If the identity has a default configuration set, it must still be associated via tenant resource linkage. Domain verification (DKIM, MAIL FROM) remains at the identity level—tenants do not replace DNS work documented in SES migration guides.
VDM and reporting
Virtual Deliverability Manager operates at account level. Enabling VDM doubles per-message charges for analyzed sends. Tenant metrics in CloudWatch complement—but do not replace—VDM inbox placement dashboards for domain-level insight.
Monitoring and operational overhead
Budget on-call time for Sending Status Disabled events. Each pause may require customer outreach, list hygiene fixes, and reinstatement approval. Automate notification via EventBridge; do not rely on console polling.
Migration effort
Expect 2–8 engineering weeks for mature ISV platforms depending on send path count (API, SMTP, batch workers), suppression Lambda branches, and IAM centralization. Use the migration checklist in the implementation section.
Compliance and disaster recovery
Tenants do not encrypt email or store message bodies. GDPR, CAN-SPAM, and industry rules still apply per customer relationship. DR plans must address Regional SES outages—tenants do not replicate across Regions automatically.
Infrastructure as Code
AWS::SES::Tenant supports ResourceAssociations and Tags at create time. Suppression attributes may require API/CLI if not yet in your CloudFormation resource type version—validate in target Region before pipeline commit.
Regional behavior
Create tenant inventory per Region. A customer failover from us-east-1 to us-west-2 requires duplicate tenants, associations, and IAM updates. Global Endpoints (MREP) address send resilience separately—see docs/aws-ses-mrep-tenants-combined.drawio in this repository.
Advantages of Tenant Management
- Logical reputation isolation within one account
- Automated pause per tenant (Standard/Strict policies)
- Native per-tenant CloudWatch metrics
- IAM simplification via
ses:TenantName - Tenant-level suppression (2026)
- EventBridge integration for ops automation
- Scales to thousands of tenants without N AWS accounts
- Cleaner offboarding (delete associations, then tenant)
Limitations and Downsides
Warning — Tenants do not improve inbox placement by themselves. They contain blast radius when reputation degrades.
- Regional only; multi-Region = duplicate work
- Migration complexity from config-set-only designs
- Sends fail if associations or
TenantNamemissing - Account-level reputation risk remains (AWS fact)
- Minimum volume thresholds before some findings trigger
- Reinstated grace period can mask lingering issues
- Vendor pattern lock-in to SESv2 tenant model
- Extra AWS and engineering cost vs config sets alone
What broke — A platform running 40 retailers on shared account-level suppression saw transactional password resets blocked for 39 retailers after one retailer’s promotional list imported dead addresses. Complaint processing called
PutSuppressedDestinationwithoutTenantName. Fix: enableSuppressionScope: TENANTat tenant creation and pass--tenant-nameon all suppression API calls. Detection: sudden cross-customer send volume drop in app metrics while SES account status stayed healthy.
Enterprise Implementation Guide
Planning and tenant model design
- Inventory customers/BUs → candidate
TenantName(stable, not display name) - Map identities and config sets per tenant
- Choose reputation policy per tier (Strict for new, Standard for mature)
- Define pause → notify → remediate → reinstate runbook
IAM, identity onboarding, configuration sets
Reproduce this — Clone
examples/ses-tenant-management/. SetAWS_REGION,TENANT_NAME,IDENTITY_ARN,CONFIG_SET_ARN, then run./scripts/onboard-tenant.sh. CloudFormation and IAM policy templates included.
Naming convention example: {customer_slug}-tenant, {customer_slug}-cs, domain identity per customer.
Monitoring, testing, rollout, rollback
- Deploy EventBridge rule → SQS → Lambda for pause alerts
- Test Strict policy on sandbox tenant with seeded bounces (monitor account impact)
- Roll out per cohort: new customers first, migrate legacy second
- Rollback: remove
TenantNamefrom sends (reverts to non-tenant sends) only if associations allow—plan explicitly
Migration checklist (config-set-only → tenants)
| Phase | Actions |
|---|---|
| Assess | Export all config sets, identities, and send volumes per downstream customer |
| Design | Assign TenantName per customer; document shared vs dedicated resources |
| Pilot | One low-risk customer; Strict policy; validate metrics in CloudWatch |
| SDK | Upgrade to SESv2; add TenantName to SendEmail / bulk APIs |
| SMTP | Add X-SES-TENANT to all SMTP paths |
| Suppression | Recreate tenants with SuppressionScope: TENANT; update Lambda processors |
| IAM | Replace broad ses:SendEmail with ses:TenantName conditions |
| Events | Subscribe ops queue to EventBridge pause and finding events |
| Cutover | Enable tenant sends per customer; monitor 72 hours before next wave |
| Decommission | Remove non-tenant send paths only after full validation |
Operational readiness checklist
- CloudWatch dashboard: sends, bounces, complaints by
TenantName - EventBridge rule deployed with tested SQS/Lambda target
- Runbook: pause → customer notification → root cause → reinstate
- On-call alert when
Sending Status Disabledfires - Quarterly IAM review of tenant admin policies
- Service Quota request filed if approaching 10,000 tenants
- Per-Region tenant inventory documented
- CloudTrail alerts on
DeleteTenantin production - Customer SLA language updated for tenant-pause scenarios (SLO design guide)
- Backup send path documented for catastrophic Region failure (non-tenant fallback is not automatic)
Best Practices
- Naming:
{env}-{customer}-tenant; tag withcost-center,customer_id - Least privilege: Never attach admin tenant policies to senders
- Automation: Provision tenants in onboarding Lambda; store
TenantArnin app DB - IaC: Version CloudFormation/Terraform; see
terraform-vs-aws-cdk-infrastructure-as-code-decision-guide - Monitoring: Dashboard per tenant; alarm on
Sending Status Disabledevents - CloudTrail: Audit
CreateTenant,UpdateReputationEntityCustomerManagedStatus - Documentation: Runbook link in every tenant record
Common Mistakes
- Tenants without configuration sets on every send
- Config sets sufficient but tenants added anyway (overengineering)
- One tenant for all customers (defeats purpose)
- Missing
TenantNameon API/SMTP - IAM policies without
ses:TenantNamecondition - Manual console-only provisioning at scale
- Shared suppression scope for ISV platforms
- Ignoring regional duplication
- Expecting tenants to fix bad list hygiene
- No EventBridge automation on pause events
Reference Enterprise Architectures
Enterprise SaaS (marketing automation shape)
A platform sending promotional and transactional mail for many retailers routes all sends through SESv2 with TenantName. Each retailer receives:
- Dedicated tenant with
SuppressionScope: TENANT - Two configuration sets:
retailer-{id}-txnandretailer-{id}-mktwith separate IP pools where volume justifies dedicated IPs ($24.95/IP/month) - Strict reputation policy for first 30 days, then Standard after baseline metrics stabilize
- Onboarding Lambda invoking
CreateTenant+CreateTenantResourceAssociationwhen sales provisions a new account
EventBridge forwards pause events to a shared ops queue; customer success receives the tenant ARN and finding description within minutes.
Managed email platform (MSP)
MSPs often host dozens of clients with uneven volume. Long-tail clients share a managed dedicated IP pool via one configuration set; enterprise clients get dedicated pools. Every client still gets a unique tenant so a local gym’s spam complaint does not pause a fintech client’s transactional receipts.
Marketing platform
Advertisers are tenants. Campaign sends must include both TenantName and the advertiser’s configuration set. Creative review stays in the application; reputation enforcement stays in SES. Integrate with SendGrid-to-SES migration patterns when advertisers move from legacy ESPs.
Multi-brand retailer
Brand A and Brand B share corporate AWS billing but never share reputation. Each brand: one tenant, one marketing config set, one transactional config set. Corporate HR mail may live in a third tenant with lower volume and shared IPs.
Healthcare
HIPAA-bound workloads may still use SES for operational mail (appointment reminders, not clinical record content in body). Tenants separate hospital affiliates; PHI boundary decisions remain with compliance. Pair with AWS cloud security services for logging and encryption.
Banking
Retail banking marketing and statements benefit from tenant separation by product line. For core banking divisions under regulatory separation, separate AWS accounts often remain the answer—tenants complement but do not replace account-level audit boundaries.
Government
Agencies frequently mandate account isolation. Tenants help when policy allows shared accounts for sub-agency streams (e.g., public notices vs internal alerts).
Internal enterprise platform
Engineering, HR, and Sales each receive tenants. Internal senders rarely need Strict policies; Standard suffices. Central IT retains tenant admin IAM; departments receive sender-only roles.
Diagrams: docs/ses-tenant-management-core-architecture.drawio, docs/ses-tenant-send-validation-sequence.drawio, docs/ses-tenant-saas-platform-reference.drawio, docs/ses-tenant-decision-accounts-vs-tenants.drawio.
Decision Matrix
| Scenario | Config sets only | Tenants only | Tenants + config sets | Multi-account | Hybrid |
|---|---|---|---|---|---|
| Startup | Best | — | — | — | — |
| SMB single brand | Best | — | — | — | — |
| Growing SaaS | Good | — | Best | — | — |
| Enterprise ISV | Partial | Risky | Best | Good | Good |
| Multi-brand retail | Partial | — | Best | Good | — |
| Healthcare | Partial | — | Good | Best | Good |
| Banking | — | — | Good | Best | Good |
| Government | — | — | — | Best | Good |
| MSP | Partial | — | Best | Good | — |
FactualMinds Expert Recommendations
When tenants are essential: ISV or MSP platforms with 50+ downstream senders in one SES account, especially when a single customer’s complaint spike previously threatened account-wide sending.
When tenants add little: Single-brand transactional mail, or organizations already running one SES account per customer via a landing zone.
SaaS adoption path: (1) Migrate to SESv2, (2) add config sets per stream, (3) enable tenants for new customers, (4) backfill legacy customers in waves, (5) enable tenant suppression and EventBridge automation.
Enterprise adoption path: Start with BU-level tenants; keep regulated divisions on separate accounts if compliance requires it.
Migration: Run parallel sends without TenantName only during cutover windows; associate resources before switching; never delete identities still linked to tenants.
Need hands-on help? See our Amazon SES consulting and SES migration services.
Frequently Asked Questions
- What are Amazon SES tenants? Logical containers for identities, config sets, templates, and per-tenant reputation in one account.
- When did tenants launch? August 1, 2025, all commercial SES Regions.
- Is there an activation step? No account flag; use SESv2 APIs or console immediately (AWS fact).
- How many tenants can I create? 10,000 default; 300,000 with quota increase.
- Do tenants cost extra? Yes—$0.005/tenant/mo + $0.005/1k tenant emails.
- Do tenants improve deliverability? They isolate enforcement; they do not auto-improve inbox placement.
- Tenants vs configuration sets? Complementary; use both on ISV platforms.
- Tenants vs separate accounts? Tenants are cheaper and simpler; accounts are stronger isolation.
- Required headers for SMTP?
X-SES-TENANTandX-SES-CONFIGURATION-SET. - Required API parameter?
TenantNameonSendEmail/SendBulkEmail. - What is Standard policy? Auto-pause on high-severity findings.
- What is Strict policy? Auto-pause on any finding.
- Can I manually pause a tenant? Yes—
UpdateReputationEntityCustomerManagedStatus. - What happens when paused? Sends for that tenant fail until reinstated.
- Are tenants regional? Yes—create per Region.
- Can templates be shared? Yes, via resource association.
- Can identities be shared? Yes, but dedicated per customer is safer for ISVs.
- Does CloudFormation support tenants? Yes—
AWS::SES::Tenant. - How do tenant suppression lists work? Set
SuppressionScope: TENANTat create; useTenantNameon suppression APIs. - Does PutSuppressedDestination support tenants? Yes—optional
TenantNameparameter. - Are contact lists per tenant? No—account-level resource.
- Does VDM work per tenant? VDM is account-level; metrics are not tenant-native in VDM.
- What CLI version is required? AWS CLI 2.28.0+ documented in AWS blog examples.
- Can nested tenants exist? No—flat structure only.
- Does account reputation still matter? Yes—AWS warns combined tenant activity affects account standing.
- What EventBridge events fire? Sending status changes and advisor recommendation open/close.
- How do I test policies safely? Use isolated test tenant, Strict policy, controlled bounce seeds—monitor account metrics.
- Can I delete an identity associated to a tenant? No—remove association first.
What to Do This Week
Decision checklist
- Count downstream senders in one SES account (>50 → strong tenant case)
- Confirm SESv2 SDK/CLI versions in production
- Map identities and config sets per customer/BU
- Estimate tenant AWS fees ($0.005/tenant/mo + volume)
- Choose Standard vs Strict policy tiers
- Plan tenant-level suppression for ISV platforms
- Deploy EventBridge pause automation
- Clone
examples/ses-tenant-managementfor first tenant
Implementation checklist
- Create pilot tenant with identity + config set associations
- Update send path with
TenantName - Attach IAM
ses:TenantNamesender policy - Wire bounce handler with
PutSuppressedDestination --tenant-name - Dashboard CloudWatch metrics by tenant
- Document reinstate runbook
- Schedule legacy customer migration waves
Next steps: Book a deliverability assessment or review SES ecommerce patterns for suppression automation.
What This Post Doesn’t Cover
- Mailbox-provider-specific inbox placement mechanics (Gmail Postmaster, Yahoo CFL)
- Deliverability Expert Services engagements
- Cross-Region tenant replication or Global Endpoints interaction (see
docs/aws-ses-mrep-tenants-combined.drawiofor MREP patterns) - Full legal/compliance sign-off for regulated industries—engage counsel alongside architecture
- SES Mail Manager and ingress endpoint pricing
Official AWS references
AWS Cloud Architect & AI Expert
AWS-certified cloud architect and AI expert with deep expertise in cloud migrations, cost optimization, and generative AI on AWS.



