Blend uses Amazon Simple Email Service (SES) to send emails. Amazon supports DMARC, SPF, and DKIM. Email is sent from the lender's email address, for example, jane@yourbank.com. In order to send email from the @yourbank.com domain, Blend meets the industry’s highest email standards.
- What is Amazon SES?
- What IP Addresses will Blend be sending emails from?
- How do I figure out the addresses SES uses for sending my emails?
What is Amazon SES?
Amazon Simple Email Service (SES) is the service Blend uses to send emails securely with your lender's domain name, to prevent Blend emails from being blocked.
What IP Addresses will Blend be sending emails from?
When Blend configures SES to connect to an ISP to deliver an email using the standard email sending protocol (SMTP), a connection is established between the SES mail transfer agent (MTA) that sends out the email and the ISP's MTA that will receive it. Each MTA has an IP address associated with it. What we are interested in is the SES MTA's IP address (outgoing IP address). Knowing this information could be useful in a number of situations. For example, you might want to add SES IP addresses to the allowlist (formerly known as "whitelist") with your company's receiving email servers to let emails sent through SES go through your firewall while still protecting yourself from attacks coming from the rest of the Internet.
How do I figure out the addresses SES uses for sending my emails?
SES maintains a number of IP addresses from which your email can be sent, and you can figure out those addresses by querying SES's SPF record (in the amazonses.com domain).
Here's how to do the query in a Linux terminal window (including a filter to include only the SPF record):
$ dig TXT amazonses.com +short | grep 'v=spf1'
At the time of this post's writing, this is the DNS response returned for that query:
"v=spf1 ip4:199.255.192.0/22 ip4:199.127.232.0/22 ip4:54.240.0.0/18 ~all"
Here's the equivalent query (and result) using the Windows command prompt:
C:\>nslookup -type=TXT amazonses.com | find "v=spf1"
"v=spf1 ip4:199.255.192.0/22 ip4:199.127.232.0/22 ip4:54.240.0.0/18 ~all"
Any email sent through SES will be sent through one of the IP addresses listed in the record. In this example, which is valid at the time of the writing of this post, we can see that SES is using three blocks of IPv4 (32-bit) addresses: 199.255.192.0/22, 199.127.232.0/22, and 54.240.0.0/18. The blocks are defined using CIDR notation; each block is specified as an IP address followed by the '/' sign and then the number of bits in the prefix. The 199.255.192.0/22 block, for instance, designates all IP addresses that have the first 22 bits equal to the first 22 bits of 199.255.192.0, with the remaining bits taking all possible value combinations. Therefore, that block designates all addresses in the interval 199.255.192.0 -- 199.255.195.255. The block 199.127.232.0/22 designates all IP addresses in the interval 199.127.232.0 -- 199.127.235.255 and, finally, the 54.240.0.0/18 block designates all IP addresses in the interval 54.240.0.0 -- 54.240.63.255.
Keep in mind that those IP addresses are subject to change. If SES adds or removes any outgoing IP address, the SPF record will be updated, so you need to check back from time to time if you want to make sure you have the latest list of IP address ranges. Also note that there is no guarantee which of the listed SES IP addresses a particular email will be sent through. If you need to allowlist the emails you're sending through SES, you will have to allow all SES IP address blocks.
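The periodic check described above can be scripted. The following is an added example, not part of the original post and not Blend or Amazon tooling: it parses the SPF record quoted on this page, computes each block's address range, and reports drift between the published blocks and a local allowlist. The function names and the sample allowlist are assumptions made for illustration.

```python
import ipaddress

# SPF record as quoted on this page; the live record may differ.
PAGE_SPF = "v=spf1 ip4:199.255.192.0/22 ip4:199.127.232.0/22 ip4:54.240.0.0/18 ~all"

def parse_spf_networks(record):
    """Return (networks, unresolved) for one SPF TXT record string."""
    terms = record.strip().strip('"').split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    networks, unresolved = [], []
    for term in terms[1:]:
        term = term.lstrip("+")  # '+' (pass) is the default; -, ~, ? terms are skipped
        name, _, value = term.partition(":")
        if name.lower() in ("ip4", "ip6") and value:
            # A bare address without /prefix means a single host.
            networks.append(ipaddress.ip_network(value, strict=False))
        elif name.lower() == "include" or term.lower().startswith("redirect="):
            unresolved.append(term)  # needs a further DNS lookup, not done here
    return networks, unresolved

def block_range(network):
    """First and last address of a CIDR block, as strings."""
    return str(network[0]), str(network[-1])

def allowlist_drift(record, allowlist):
    """Return (missing, stale): published blocks not allowed, allowed blocks not published."""
    published, _ = parse_spf_networks(record)
    allowed = [ipaddress.ip_network(c, strict=False) for c in allowlist]
    def covered(net, pool):
        # subnet_of() only accepts networks of the same IP version.
        return any(net.version == p.version and net.subnet_of(p) for p in pool)
    missing = [str(n) for n in published if not covered(n, allowed)]
    stale = [str(a) for a in allowed if not covered(a, published)]
    return missing, stale

if __name__ == "__main__":
    nets, todo = parse_spf_networks(PAGE_SPF)
    for n in nets:
        print(n, "->", " - ".join(block_range(n)))
    # Constructed allowlist: one published block missing, one entry not published.
    print(allowlist_drift(PAGE_SPF, ["199.255.192.0/22", "54.240.0.0/18", "203.0.113.0/24"]))
```

To check a real configuration, pass the current output of the dig query instead of PAGE_SPF and your firewall's actual CIDR list as the allowlist.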