Routing outbound mail through SES, SendGrid, or Postmark
Running your own inbound mail server is reasonable; sending outbound mail from a fresh VPS IP is hard mode. The IP has no sender reputation, every major mailbox provider treats it as suspicious, and mail goes to spam (or is rejected) for weeks while you build trust. The shortcut: route outbound through a service with established sender reputation. This article covers the three common choices.
Why route through a third party at all
- Reputation: the relay has been sending mail for years from IPs the major providers trust. Your message inherits that trust.
- Deliverability monitoring: the relay tells you when a bounce happens, why, and which destinations are filtering you. Roll-your-own logging is much less informative.
- DKIM signing: the relay handles signing for its sending domains; even your custom domain gets the alignment benefits.
- Compliance: bounces and complaints are automatically suppression-listed. Hard-bouncing addresses get tracked so you don't keep hitting them.
The cost is roughly $0.10–$1 per 1000 messages depending on volume tier, and it is often free for the first thousands of messages per month.
Postmark (recommended default)
Postmark is opinionated and the most expensive per-message of the three (~$10/month for 10k messages), but it has the best deliverability reputation for transactional mail. They actively reject senders who try to send marketing mail, which keeps their IPs clean.
Setup:
- Sign up at postmarkapp.com, create a "Server" (their term for sending domain).
- Verify your domain by adding DKIM and Return-Path DNS records they provide.
- Generate a Server Token (API credential).
- Configure Postfix to relay through Postmark.
Postfix config in /etc/postfix/main.cf:
relayhost = [smtp.postmarkapp.com]:587
smtp_use_tls = yes
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_security_level = encrypt
/etc/postfix/sasl_passwd:
[smtp.postmarkapp.com]:587 your-server-token:your-server-token
Postmark uses the same string as both username and password. After saving:
chmod 600 /etc/postfix/sasl_passwd
postmap /etc/postfix/sasl_passwd
systemctl reload postfix
Test: echo "Test body" | mail -s "Test" you@gmail.com. Check the Postmark dashboard — the message should appear in your Server's activity feed within seconds.
AWS SES (cheapest at scale)
SES is dirt cheap ($0.10 per 1000 messages, no monthly minimum) and reliable, but the setup involves more friction and the deliverability tier is "good" rather than "great." Best for high-volume senders who already use AWS.
Setup:
- Verify your sending domain in the SES console (add DKIM CNAME records).
- Move out of the SES sandbox (initial accounts can only send to verified addresses; request production access).
- Create an IAM user with SES SendRawEmail permission, generate SMTP credentials (NOT the same as the IAM access key — SES has a separate SMTP password derivation).
- Configure Postfix:
relayhost = [email-smtp.us-east-1.amazonaws.com]:587
smtp_use_tls = yes
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_security_level = encrypt
smtp_sasl_mechanism_filter = login
# /etc/postfix/sasl_passwd
[email-smtp.us-east-1.amazonaws.com]:587 SES_SMTP_USER:SES_SMTP_PASS
SendGrid
Middle ground on price ($15-20/month for 40k messages on Essentials tier). Good marketing-mail features (lists, templates, A/B testing). Less opinionated than Postmark; will send both transactional and marketing mail.
Setup mirrors the others:
relayhost = [smtp.sendgrid.net]:587
smtp_use_tls = yes
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_security_level = encrypt
# /etc/postfix/sasl_passwd
[smtp.sendgrid.net]:587 apikey:SG.your-api-key-here
SendGrid uses the literal string "apikey" as the SASL username; the password is your API key.
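A pre-reload check for any of the three relay configurations above, as an added example that is not part of the original article: it verifies that TLS is mandatory, that SASL is usable, that the sasl_passwd lookup key matches relayhost exactly, and that the credential file is not readable by group or other. The function names and the sample input are constructed for illustration.

```python
import stat

# Levels at which Postfix refuses to send without TLS.
TLS_ENFORCING = {"encrypt", "dane-only", "fingerprint", "verify", "secure"}


def parse_main_cf(text):
    """Parse 'name = value' lines (continuation lines are ignored here)."""
    params = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith(("#", " ", "\t")) and "=" in line:
            name, value = line.split("=", 1)
            params[name.strip()] = value.strip()
    return params


def audit_relay(main_cf, sasl_passwd, passwd_mode):
    """Return findings for a relay setup; an empty list means it passes."""
    p, findings = parse_main_cf(main_cf), []
    relay = p.get("relayhost", "")
    if not relay.startswith("["):
        findings.append("relayhost not in [host]:port form, MX lookups apply")
    if p.get("smtp_tls_security_level") not in TLS_ENFORCING:
        findings.append("TLS not mandatory, a STARTTLS downgrade is possible")
    if p.get("smtp_sasl_auth_enable") != "yes":
        findings.append("SASL authentication is not enabled")
    # Postfix default when the parameter is unset: noplaintext, noanonymous.
    opts = p.get("smtp_sasl_security_options", "noplaintext, noanonymous")
    if "noplaintext" in opts.replace(",", " ").split():
        findings.append("noplaintext in effect, LOGIN/PLAIN auth is refused")
    keys = [ln.split()[0] for ln in sasl_passwd.splitlines()
            if ln.strip() and not ln.startswith("#")]
    if relay not in keys:
        findings.append("no sasl_passwd key matches relayhost exactly")
    if passwd_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("sasl_passwd is accessible to group or other")
    return findings


if __name__ == "__main__":
    # Constructed sample: opportunistic TLS only, key without brackets, mode 644.
    weak_cf = ("relayhost = [smtp.sendgrid.net]:587\n"
               "smtp_use_tls = yes\nsmtp_sasl_auth_enable = yes\n")
    for finding in audit_relay(weak_cf, "smtp.sendgrid.net:587 apikey:SG.x\n", 0o644):
        print("FINDING:", finding)
```

On a live host, pass `stat.S_IMODE(os.stat("/etc/postfix/sasl_passwd").st_mode)` as `passwd_mode`.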
SPF alignment for relayed mail
Whichever relay you pick, update your SPF to include their sending domain so receivers don't flag your mail as spoofed:
# For Postmark
example.com. IN TXT "v=spf1 a mx include:spf.mtasv.net ~all"
# For SES
example.com. IN TXT "v=spf1 a mx include:amazonses.com ~all"
# For SendGrid
example.com. IN TXT "v=spf1 a mx include:sendgrid.net ~all"
DKIM is signed by the relay using their CNAME-delegated keys (the verification step in setup). Receivers see DKIM signed by your domain via the relay's key — fully aligned with your sending identity.
What still hits your VPS
This article covers outbound only. Your inbound MX still points at your VPS; incoming mail still hits Postfix on the VPS directly. The relay only handles what your VPS sends OUT.
If you want a fully managed inbound side too, services like Mailgun Routes and Postmark's Inbound Streams let you receive on a hosted MX and forward to your VPS (or to a webhook). Useful for low-volume / hobby setups; overkill for serious mail.
When to drop the relay
If you're sending under ~100 messages a day, low-stakes mail (server notifications, log alerts), and you've done the sender warmup (see the related warmup article), running your VPS as both source and relay is fine. For anything customer-facing, anything that goes to mailboxes you don't control, anything where deliverability matters — keep the relay. It's cheap insurance.