I don't want my Amazon Simple Email Service (Amazon SES) identity to receive emails from a specific domain or email address.
Resolution
To block specific domains or email addresses so that they don't send emails to your Amazon SES identity, complete the following steps:
- Open the Lambda console.
Note: The Lambda function must be in the same AWS Region that you use with Amazon SES.
- Choose Create function.
- Select Author from scratch.
- For Function Name, enter a name for your function. For example, you can enter SESReceiptRule.
- For Runtime, choose Node.js 20.x.
- Under Change default execution role, for Execution Role, choose Create a new role with basic Lambda permissions.
- Choose Create function.
- Under Code source, enter the following code:
// Copyright 2023 Amazon.com, Inc. or its affiliates. All Rights Reserved.
// SPDX-License-Identifier: MIT-0
'use strict';

export const handler = async (event) => {
  console.log('Blocking email filter starting');
  const sesNotification = event.Records[0].ses;
  const messageId = sesNotification.mail.messageId;
  const receipt = sesNotification.receipt;
  const mail = sesNotification.mail;

  // Convert the environment variable into an array. Remove spaces, lowercase the entries,
  // and drop empty entries: an empty entry (for example, from a trailing comma or an
  // unset variable) would match every sender and reject all mail.
  const blockingListString = process.env.blockingList || '';
  const blockingListArray = blockingListString
    .replace(/\s/g, '')
    .toLowerCase()
    .split(',')
    .filter(item => item.length > 0);

  // Check if the mail source (the envelope MAIL FROM address) ends with any of the
  // email addresses or domains defined in the environment variable, ignoring case
  const source = mail.source.toLowerCase();
  const isListed = () => {
    return blockingListArray.some(item => source.endsWith(item));
  };

  console.log('Processing message:', messageId);

  // Processing the message
  if (isListed()) {
    console.log('Rejecting messageId: ', messageId, ' - Source: ', mail.source, ' - Recipients: ', receipt.recipients, ' - Subject: ', mail.commonHeaders['subject']);
    // STOP_RULE_SET: no further actions or receipt rules are processed for this message
    return { disposition: 'STOP_RULE_SET' };
  } else {
    console.log('Accepting messageId:', messageId, ' - Source: ', mail.source, ' - Recipients: ', receipt.recipients, ' - Subject: ', mail.commonHeaders['subject']);
    // CONTINUE: the remaining actions and receipt rules are processed
    return { disposition: 'CONTINUE' };
  }
};
- Under Environment variables, for Key, enter blockingList.
Note: You can create an unlimited number of environment variables. However, the total size of the set can't exceed 4 KB. For more information, see Create Lambda environment variables.
- For the blockingList value, enter a comma-separated list of the email addresses and domains that you want to block. For example, enter "example.com, JohnDoe@example.com".
Note: You don't need to change the Lambda function code to edit the list of email addresses and domains.
- Choose Save.
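How blockingList entries are compared with the sender decides which messages are rejected. The following is an added example, not AWS code: it compares a plain endsWith suffix test with a test anchored at the "@" or a "." boundary, so that a domain entry covers only that domain and its subdomains. The function names and the sample senders are assumptions made for illustration.

```javascript
// Added example, not AWS code. Function names and sample values are constructed.

// Parse a blockingList value: trim, lowercase, drop empty entries.
function parseBlockingList(value) {
  return (value || '')
    .split(',')
    .map((item) => item.trim().toLowerCase())
    .filter((item) => item.length > 0);
}

// Plain suffix test on the normalized sender, for comparison.
function suffixMatch(source, entries) {
  const sender = source.trim().toLowerCase();
  return entries.some((entry) => sender.endsWith(entry));
}

// Anchored test: an address entry must equal the sender; a domain entry must
// equal the sender's domain or be a parent of it at a '.' boundary.
function anchoredMatch(source, entries) {
  const sender = source.trim().toLowerCase();
  const domain = sender.slice(sender.lastIndexOf('@') + 1);
  return entries.some((entry) => {
    if (entry.startsWith('@')) return domain === entry.slice(1); // "@example.com"
    if (entry.includes('@')) return sender === entry;            // full address
    return domain === entry || domain.endsWith('.' + entry);     // domain
  });
}

// Evaluate both tests for each sender and return one row per sender.
function compare(blockingList, senders) {
  const entries = parseBlockingList(blockingList);
  return senders.map((sender) => ({
    sender,
    suffix: suffixMatch(sender, entries),
    anchored: anchoredMatch(sender, entries),
  }));
}

const rows = compare('example.com, JohnDoe@example.org,', [
  'user@example.com',      // listed domain
  'user@mail.example.com', // subdomain of the listed domain
  'user@notexample.com',   // other domain that shares the suffix
  'JohnDoe@Example.ORG',   // listed address, different case
  'xjohndoe@example.org',  // other mailbox that shares the suffix
  'jane@example.net',      // not listed
]);
console.table(rows);
```

The rows where the two columns differ are senders that the suffix test rejects although they aren't on the list.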
Create an Amazon SES receipt rule
Complete the following steps:
- Open the Amazon SES console.
- In the navigation pane, choose Email Receiving.
- Choose Create a Rule Set, enter a rule set name, and then choose Create a Rule Set. Or, choose an existing active rule set.
Note: If you create a new rule set, then select the rule set and choose Set as Active Rule Set.
- Choose View Active Rule Set.
- Choose Create Rule.
Note: You can also choose to update an existing rule.
- For Rule name, enter a name for the rule. Then, complete the following fields:
  - For Status, select Enabled.
  - (Optional) Configure Transport Layer Security (TLS) or Spam and virus scanning.
- Choose Next.
- Under Recipient conditions, choose Add new recipient condition. Enter the email addresses or domains that are associated with your Amazon SES identity.
Important: Enter your own email address or domain, that is, the recipient that must not receive the blocked emails. Don't enter the email address or domain that you want to block emails from. For example, if your Amazon SES identity uses the email address "JaneRoe@example.net" and you want to block emails from "example.com", enter "JaneRoe@example.net".
- Choose Next.
- Under Add actions, for Add new action, select Invoke AWS Lambda function. Then, complete these fields:
  - For Lambda function, select your function.
  - For Invocation type, choose RequestResponse invocation.
  - (Optional) Configure SNS topic.
- Choose Next Step.
- Choose Create Rule.
Note: If you get a Missing Permissions dialog box with the message "unable to access the Lambda function", then Amazon SES requires permissions to the function. Choose Add permissions to configure the required permissions.
Check the function's CloudWatch logs
To verify that the email is blocked, complete the following steps:
- Open the Amazon CloudWatch console.
- In the navigation pane, choose Logs.
- From the list of log groups, select your Lambda function's log group. For example, choose /aws/lambda/name_of_your_function.
- Choose the log stream that you want to check. The log stream shows the email messages and domains that the Lambda function processed.
Example log stream:
14:08:25 START RequestId: aa939984-1b9b-11e7-83d2-efc6877bdc9b Version: $LATEST
14:08:25 2017-04-07T14:08:25.957Z aa939984-1b9b-11e7-83d2-efc6877bdc9b Blocking email filter starting
14:08:25 2017-04-07T14:08:25.958Z aa939984-1b9b-11e7-83d2-efc6877bdc9b Processing message: jc0iurgrtkrsrs7f5pk0rsmf4r3q0poikdjfdi01
14:08:25 2017-04-07T14:08:25.959Z aa939984-1b9b-11e7-83d2-efc6877bdc9b Rejecting messageId: jc0iurgrtkrsrs7f5pk0rsmf4r3q0poikdjfdi01 - Source: user@example.com - Recipients: [ 'user@domain.com' ] - Subject: This is an unwanted message
14:08:25 END RequestId: aa939984-1b9b-11e7-83d2-efc6877bdc9b
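To summarize what the filter rejected, you can parse the Rejecting and Accepting lines of an exported log stream. The following is an added example, not part of the AWS article: the function names and log lines are constructed, and it assumes the function's default text log output.

```javascript
// Added example, not AWS code. The log lines are constructed sample data in the
// format the function writes; the subject text is sender-controlled.
const FILTER_LINE =
  /(Rejecting|Accepting) messageId:\s*(\S+)\s+- Source:\s*(\S+)\s+- Recipients:\s*(\[.*?\])\s+- Subject:\s*(.*)$/;

// Parse one log line; returns null for START/END and other lines.
// The leftmost match is used, so field-like text inside the subject is ignored.
function parseFilterLine(line) {
  const m = FILTER_LINE.exec(line);
  if (!m) return null;
  return {
    action: m[1] === 'Rejecting' ? 'rejected' : 'accepted',
    messageId: m[2],
    source: m[3].toLowerCase(),
    recipients: (m[4].match(/'[^']*'/g) || []).map((r) => r.slice(1, -1)),
    subject: m[5],
  };
}

// Count rejected messages per sender domain.
function rejectedByDomain(lines) {
  const counts = {};
  for (const line of lines) {
    const rec = parseFilterLine(line);
    if (!rec || rec.action !== 'rejected') continue;
    const domain = rec.source.slice(rec.source.lastIndexOf('@') + 1);
    counts[domain] = (counts[domain] || 0) + 1;
  }
  return counts;
}

const sampleLines = [
  'START RequestId: 00000000-0000-0000-0000-000000000001 Version: $LATEST',
  "2024-01-01T10:00:00.000Z 00000000-0000-0000-0000-000000000001 Rejecting messageId:  msg0001  - Source:  user@example.com  - Recipients:  [ 'JaneRoe@example.net' ]  - Subject:  Offer",
  "2024-01-01T10:00:05.000Z 00000000-0000-0000-0000-000000000002 Accepting messageId: msg0002  - Source:  pat@example.net  - Recipients:  [ 'JaneRoe@example.net' ]  - Subject:  Rejecting messageId: x - Source: a@example.com",
  "2024-01-01T10:00:09.000Z 00000000-0000-0000-0000-000000000003 Rejecting messageId: msg0003 - Source: Info@Example.com - Recipients: [ 'JaneRoe@example.net', 'sales@example.net' ] - Subject: This is an unwanted message",
  "2024-01-01T10:00:12.000Z 00000000-0000-0000-0000-000000000004 Rejecting messageId: msg0004 - Source: johndoe@example.org - Recipients: [ 'JaneRoe@example.net' ] - Subject: Hello",
  'END RequestId: 00000000-0000-0000-0000-000000000004',
];

console.log(rejectedByDomain(sampleLines));
```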
Related information
Amazon SES email receiving concepts and use cases
Invoke Lambda function action