Client vetting best practices for Amazon SES customers managing multiple client accounts

Overview

If you're an Amazon SES customer that manages email sending for multiple clients, then your success depends on maintaining a strong sender reputation. Proper client vetting protects your sender reputation and maintains high deliverability across your entire client portfolio, regardless of if you operate as:

• A software as a service (SaaS) provider.

• An email service provider (ESP).

• An enterprise that manages email operations across multiple client accounts.

Implementing comprehensive client onboarding best practices positions your organization to align with the AWS Acceptable Use Policy. At the same time, you build a foundation of trust as you thoroughly vet your clients’ email practices, business legitimacy, and regulatory compliance before they join your platform.

Important: This article focuses on how to vet clients that use your Amazon SES infrastructure. If you're new to Amazon SES and want guidance on how to get started with the service, then see Getting started with Amazon SES.

Understanding the challenge

For Amazon SES customers that serve multiple clients, poor email practices from a single client can put your entire operation at risk. Without proper safeguards, such as configuration sets and tenant management to isolate each client, a single problematic sender can degrade your account reputation. Changes in your account reputation can trigger account-level enforcement actions that affect all your clients. Major email providers, such as Gmail, primarily evaluate sender reputation based on domain authentication and domain-level sending patterns rather than IP address reputation alone.

Poor email practices can manifest in several forms:

• Spam campaigns that flood recipient inboxes with unsolicited messages.
• Phishing attempts that impersonate legitimate entities to obtain credentials or sensitive information.
• Spoofing that forges sender identities to deceive recipients.
• Account takeovers where unauthorized users gain access to send harmful content.

Each abuse type can result in Internet Service Provider (ISP) filtering mechanisms, blocklisting, and reputation damage. With Amazon SES features, such as configuration sets and tenant management, you can isolate each client and prevent issues from affecting other clients. However, proactive client vetting is essential to build a portfolio of quality senders and avoid the support burdens that come with problematic clients.

For more information about list management best practices, see Managing lists and subscriptions in Amazon SES and Email validation for Amazon SES.

Technical considerations for client evaluation

Your evaluation process for client onboarding must examine multiple layers of client infrastructure, history, and practices to identify potential risks before they affect your service quality.

Technical evaluation encompasses several areas:

• Domain ownership: To verify domain ownership, add DNS records that Amazon SES provides. Then, Amazon SES validates the records to confirm that the domain belongs to you before the service allows you to send emails.

• DNS configuration: To assess DNS configurations, verify record accuracy and check for misconfigurations. Also, validate that Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting, and Conformance (DMARC) records align with email authentication standards for deliverability and protection. To manage these tasks, use Virtual Deliverability Manager for Amazon SES and the Virtual Deliverability Manager advisor to automate many of these DNS checks. These features provide real-time validation of your DNS records and identify potential configuration issues before they affect email delivery.

• Authentication protocol: Implement SPF, DKIM, and DMARC protocols to authenticate outgoing emails and help prevent spoofing. Virtual Deliverability Manager continuously monitors these authentication protocols and provides recommendations through the Virtual Deliverability Manager advisor when Amazon SES detects misconfigurations.

• Historical performance analysis: Analyze historical email metrics to identify delivery patterns, refine sending practices, and improve future campaign performance.

Each component provides insights into client legitimacy and email sending competency. For comprehensive guidance on sender reputation and best practices, see Maintaining a positive sender reputation.

Building your client onboarding framework

Follow these best practices to onboard new clients through structured workflows:

Verify company through business records

Examine corporate entity formation and history through public records. Search Secretary of State websites, such as “[State Name] Secretary of State business search", local business licensing authorities, and the Better Business Bureau. Look for documents such as:

• Articles of incorporation

• Active business licenses

• Doing Business As (DBA) filings

• Principal officers that match your contacts

• Legitimate business addresses

• Operational duration
  Note: Businesses under 6 months require additional scrutiny.

• Good standing status

Red flags include the inability to locate business records, recently formed entities with large sending volumes, mismatches between provided and official information, or a suspended business status.

Assess infrastructure

To assess the infrastructure of a business, complete the following tasks:

• To verify domain ownership, confirm how long your new clients have maintained their domains. Legitimate businesses use domain privacy protection (WHOIS privacy) for security, compliance, and privacy reasons. However, clients that use privacy protection services require additional verification steps to confirm business legitimacy through alternative methods.

• Verify that clients have established and actively monitor postmaster@ and abuse@ email addresses for complaint management and industry compliance.

• To verify that clients can control DNS records and authentication protocols, confirm that they can publish necessary SPF, DKIM, and DMARC records that authorize you to send emails on their behalf. This task demonstrates technical competency and commitment to authentication standards.

Review email service provider history

To review email service provider history, complete the following tasks:

• Check your client's previous IP addresses and domain reputation. To check the reputation, use tools such as Google Postmaster Tools and Microsoft SNDS. Request historical IP addresses and domains and verify reputation across multiple quarters.

• Request documentation of previous sending performance and deliverability challenges. Clients that previous providers terminated or can’t explain provider changes present elevated risks.

• Review for frequent provider changes because of deliverability issues. These changes might indicate poor email practices and compliance problems.

Evaluate sending pattern and historical performance

To evaluate sending patterns and historical performance, complete the following tasks:

• Evaluate key metrics, including bounce rates, complaint rates, delivery rates, engagement rates (opens and clicks), list growth, and unsubscribe rates.

• Analyze email types, such as promotional, transactional, and marketing. Also analyze sent emails, list segmentation practices, sending frequency, and historical performance data including deliverability rates and complaint volumes.

• Review whether clients share lists with partners or use affiliate marketing. These practices can increase complaint rates.

• Investigate any previous blocklist incidents and resolution methods to assess sender practices.

• Review 3-month historical metrics to evaluate list quality and maintenance procedures.

Review list acquisition, consent, and management practices

To review list acquisition, consent, and management practices, complete the following tasks:

• Examine subscriber acquisition methods, including signup forms, consent check boxes, and double opt-in confirmation processes. Ask the client to provide clear documentation of when and how each recipient gave permission.

• Verify that clients properly handle Feedback Loop complaints, promptly unsubscribe complainants, and analyze root causes. Make sure that clients manage unsubscribe requests and distinguish between hard and soft bounces.

• Avoid clients that use purchased lists, affiliate marketing, co-registration, or common distribution accounts, such as sales@ or support@. These practices inherently involve contacting recipients without proper consent, increase bounce and complaint rates, and trigger spam filters.

• Review client privacy policies and verify that client practices align with stated policies.

• Monitor list hygiene procedures, including suppression list maintenance that transfers across platforms. This maintenance demonstrates a commitment to best practices and regulatory compliance.

For more information about best practices for list management, see Managing lists and subscriptions in Amazon SES and Email validation for Amazon SES.

Use email validation for specific use cases

For clients who are legitimate senders but haven't historically followed best practices, Amazon SES offers email validation to help assess list quality. However, the gold standard remains organic growth through confirmed opt-ins and proper list maintenance.

Note: It’s not a best practice to use recipient validation to "clean" purchased lists.

Implement performance testing protocol

Evaluate your new clients through limited test sends to randomly selected segments of their mailing lists. While test audience size varies based on the client's total list size, target at least 10,000 recipients to achieve statistically relevant results.

Note: You might need to adjust this threshold based on list size and sending patterns.

During these tests, monitor metrics including bounce rates, engagement metrics (opens and clicks), unsubscribe rates, and spam complaints across different domains. This approach can help assess sender legitimacy and maintain email delivery standards. Test sends must represent typical client content and sending patterns to provide accurate performance indicators.

Using Amazon SES features for client protection

While thorough client vetting helps you avoid onboarding problematic senders, Amazon SES provides additional features that automate enforcement and provide ongoing monitoring. These features complement your manual vetting process by isolating clients and catching issues that emerge over time, serving as your automated safety net.

Tenant management

Tenant management independently monitors each client and automatically enforces policies at the tenant level based on complaint and bounce rate thresholds. When a tenant exceeds configured limits, Amazon SES restricts that specific tenant without affecting your other clients or account-level reputation. This isolation prevents one problematic client from triggering account-wide enforcement actions that affect your entire operation. For implementation guidance, see Setting up tenants.

Virtual Deliverability Manager

Virtual Deliverability Manager provides comprehensive visibility into sending performance across identities and configuration sets. Virtual Deliverability Manager dashboards offer immediate visibility into bounce rates, complaint rates, and delivery rates. These dashboards simplify monitoring outliers, such as a single client delivering at 60% while other clients are at 99%. The advisor feature continuously validates DNS configurations and authentication protocols to catch issues before they affect deliverability. You can also export metrics to Amazon CloudWatch for custom alerts. Use Virtual Deliverability Manager to establish baseline metrics during your client evaluation process and track performance in real-time after clients begin sending emails. For details, see Getting started with Virtual Deliverability Manager.

Configuration sets

Configuration sets allow for granular tracking by assigning unique configuration sets to each client. You can then track metrics separately, apply different policies, and quickly identify clients that experience issues. Configuration sets work together with tenant management to provide both isolation and detailed visibility. For setup guidance, see Using configuration sets in Amazon SES.

Monitor account health proactively

After you finish the onboarding process and clients begin sending emails, implement the following practices to help preserve email reputation and catch warning signs early.

Establish monitoring cadences

To establish monitoring cadences, complete the following tasks:

• Track sudden list size spikes, content modifications after onboarding, and privacy policy updates when volume or metrics shift.

• Monitor client account changes, including frequent updates to contact details or payment information.

• Watch for irregular sending patterns where clients repeatedly start and stop activities.

• Use Virtual Deliverability Manager and CloudWatch to establish automated alerts for significant metric changes. Set thresholds that trigger investigation before the issues reach tenant management enforcement levels.

• Maintain regular client performance review schedules. Conduct monthly or quarterly manual reviews.

Verify ongoing compliance

To verify ongoing compliance, complete the following tasks:

• Verify business records periodically to make sure that clients maintain legitimate operations.

• Confirm that domain ownership and authentication configurations are current. Use the Virtual Deliverability Manager advisor to set up quarterly checks to verify SPF, DKIM, and DMARC records.

• Regularly review tenant management metrics to identify clients that approach enforcement thresholds. When a client reaches 75% of any threshold, initiate a review conversation.

Use identity-level metrics in Virtual Deliverability Manager to compare performance across clients. Investigate occurrences where a client's performance significantly deviates from others.

Benefits of comprehensive client onboarding

Comprehensive onboarding positions your business as a service provider that prioritizes quality. This approach helps mitigate risks from potentially problematic clients and fosters a portfolio of reputable senders. When you follow the guidelines in this article, you help safeguard your service quality, enhance deliverability for all clients, and contribute to a healthier email environment.

Conclusion

The systematic approach to client evaluation combines proactive manual vetting with Amazon SES features, such as tenant management and Virtual Deliverability Manager. These features help protect your infrastructure investment and maintain the trust that ISPs place in responsible email senders. Success requires balancing growth ambitions with reputation protection. The shift toward domain-based reputation models makes proper authentication and client isolation more important than ever. Equally important is your commitment to educating clients about email deliverability best practices. When your clients understand the principles behind these best practices and can self-serve to resolve common issues, they become active participants in maintaining your platform's reputation.

About the author

Ajith K S

Ajith is part of the AWS Trust & Safety team in India. He works with customers to reduce abuse systemically, manage escalations, and provide guidance on compliance and prevention.