Email Configuration

SES Setup

StackFlow uses Amazon Simple Email Service (SES) in the us-east-1 region for all outbound email notifications. SES is configured to use a verified domain identity for the sending address and SMTP credentials are stored in AWS Secrets Manager. The platform supports both transactional emails (notifications, alerts) and bulk emails (digest reports).

⚙️ Minimum Requirements

SES: Sender domain stackflow-tech.com verified with DKIM and SPF in us-east-1
SES: Production access (not sandbox) -- request sending limit increase before go-live
DynamoDB: StackFlow_EmailTemplate table with at least templates: incident-created, sla-breach-warning, password-reset
IAM: StackFlowAPIRole with ses:SendEmail, ses:SendTemplatedEmail on SES identity ARN
SNS Topic: stackflow-ses-bounces subscribed to SES bounce/complaint SNS notifications

aws ses verify-email-identity   --email-address itsm@your-instance.stackflow-tech.com   --region us-east-1

aws ses verify-domain-identity   --domain your-instance.stackflow-tech.com   --region us-east-1

SES Sandbox: New AWS accounts start in SES sandbox mode, which limits sending to verified email addresses only. Request production access via the AWS console before going live with StackFlow email notifications.

Sender Identity Verification

Configure the sender identity in Admin → System Properties → email.from_address. The domain must be verified in SES via DNS records (TXT record for domain verification + CNAME records for DKIM). Once verified, any email address at the domain can be used as a sender without individual verification.

Email Templates

StackFlow uses SES email templates for all notification types. Templates are stored in SES and also in StackFlow's database for preview and editing in the admin console. Available template variables include all fields from the triggering record (incident, change, RITM) plus organization branding variables.

Template Name	Trigger	Recipients
`incident_created`	Incident created	Reporter, affected user
`incident_assigned`	Incident assigned	Assigned user
`incident_resolved`	Incident resolved	Reporter + satisfaction survey link
`sla_warning`	SLA 75% elapsed	Assignment group manager
`sla_breach`	SLA breached	Manager + escalation group
`approval_request`	Approval needed	Approver(s)

Bounce Handling

Bounced emails are handled via the SNS topic stackflow-inbound-email. SES publishes bounce and complaint notifications to this topic, which triggers the StackFlowAPI Lambda to update the user's email status and suppress future sends to bounced addresses. Hard bounces result in immediate suppression; soft bounces are retried 3 times before suppression.

DKIM and SPF

Configure DKIM and SPF records for your sending domain to improve email deliverability and prevent phishing. SES provides Easy DKIM with 2048-bit keys. Add the provided CNAME records to your DNS. SPF record should include include:amazonses.com in your domain's SPF policy.

# Example DNS records for email authentication
# SPF record (TXT)
v=spf1 include:amazonses.com ~all

# DKIM records (CNAME - SES provides actual values)
{token1}._domainkey.your-instance.stackflow-tech.com CNAME {token1}.dkim.amazonses.com
{token2}._domainkey.your-instance.stackflow-tech.com CNAME {token2}.dkim.amazonses.com

# DMARC record (TXT)
_dmarc.your-instance.stackflow-tech.com TXT "v=DMARC1; p=quarantine; rua=mailto:dmarc@your-instance.stackflow-tech.com"

← Previous

Code Library

Implementation examples

Email-to-Ticket

Inbound email routing rules