# KumoMTA on AWS — Production Readiness Checklist (Condensed)

Use this condensed checklist before routing production traffic. The full 100+ item checklist is in the [enterprise guide](/blog/kumomta-production-setup-aws-enterprise-guide/).

## Identity and DNS

- [ ] Elastic IP allocated and associated
- [ ] PTR (reverse DNS) requested and matches HELO hostname
- [ ] SPF published and lookup count validated
- [ ] DKIM signing verified on live message
- [ ] DMARC published with operational rua mailbox

## MTA and policy

- [ ] KumoMTA and TSA daemon enabled on boot
- [ ] Transactional and marketing IP pools separated
- [ ] Destination-aware queue/retry policy applied
- [ ] Suppression workflow for hard bounces and complaints

## AWS security and ops

- [ ] SSM Session Manager enabled; SSH restricted or disabled
- [ ] Instance role least-privilege (CloudWatch, S3, Secrets, KMS)
- [ ] CloudTrail and GuardDuty alerting configured
- [ ] EBS encryption and backup policy in place

## Observability

- [ ] CloudWatch agent shipping logs and host metrics
- [ ] Alarms on queue depth, complaint rate, SMTP/TLS errors
- [ ] Synthetic SMTP probe scheduled
- [ ] DR restore drill completed in non-production

## Deliverability

- [ ] IP warmup schedule documented and enforced
- [ ] Google Postmaster / SNDS access verified
- [ ] Complaint and hard-bounce thresholds defined
