{"id":51496760,"url":"https://github.com/conflicthq/mailsend-ses","last_synced_at":"2026-07-07T16:00:59.437Z","repository":{"id":367785784,"uuid":"1282268667","full_name":"ConflictHQ/mailsend-ses","owner":"ConflictHQ","description":"Self-hosted Amazon SES deliverability test tool on Cloudflare Workers","archived":false,"fork":false,"pushed_at":"2026-06-27T16:04:00.000Z","size":132,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-06-27T17:23:06.600Z","etag":null,"topics":["aws-ses","cloudflare-workers","deliverability","email","email-deliverability","serverless","ses"],"latest_commit_sha":null,"homepage":null,"language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ConflictHQ.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-06-27T14:48:24.000Z","updated_at":"2026-06-27T16:04:04.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/ConflictHQ/mailsend-ses","commit_stats":null,"previous_names":["conflicthq/mailsend-ses"],"tags_count":null,"template":false,"template_full_name":null,"purl":"pkg:github/ConflictHQ/mailsend-ses","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ConflictHQ%2Fmailsend-ses","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ConflictHQ%2Fmailsend-ses/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ConflictHQ%2Fmailsend-ses/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ConflictHQ%2Fmailsend-ses/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ConflictHQ","download_url":"https://codeload.github.com/ConflictHQ/mailsend-ses/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ConflictHQ%2Fmailsend-ses/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":35234127,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-07-07T02:00:07.222Z","response_time":90,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws-ses","cloudflare-workers","deliverability","email","email-deliverability","serverless","ses"],"created_at":"2026-07-07T16:00:58.075Z","updated_at":"2026-07-07T16:00:59.430Z","avatar_url":"https://github.com/ConflictHQ.png","language":"JavaScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# mailsend\n\nA self-hosted Amazon SES deliverability test tool that runs as a single\nCloudflare Worker. List your verified SES identities, send test emails to real\ninboxes, and surface the SES-native deliverability signals that matter,\nincluding the account suppression list, a common cause of mail that is accepted\nbut never delivered.\n\nNo data is stored; every SES call is SigV4-signed in the Worker via\n[`aws4fetch`](https://github.com/mhart/aws4fetch).\n\n![mailsend: compose view and account deliverability panel](docs/screenshot.png)\n\n## Features\n\n- Account dashboard: sandbox vs. production detection, sending enabled,\n  enforcement status, 24h send quota and rate.\n- Identity picker: dropdown of your verified identities (domains and addresses);\n  selecting one shows DKIM, custom MAIL FROM, and verified-for-sending health.\n  Domain identities let you set any local part.\n- Real-inbox sends: To/Cc/Bcc/Reply-To, HTML and plain-text bodies, optional\n  precanned recipient chips, custom headers, and SES message tags.\n- Two send paths: `SendEmail` (v2) and `SendRawEmail` (v1, SMTP-style), so you\n  can test a key regardless of which action its policy grants.\n- Bounce / suppression management: view the full account suppression list, add\n  or remove entries, and spot-check any recipient before sending.\n- Per-send receipt: MessageId, RequestId, and round-trip latency.\n\n## How access is bounded\n\nWhat the tool can do is limited by two things, and both are yours to set.\n\nThe IAM policy on the key. The tool uses the SES actions listed in\n[`iam-policy.json`](./iam-policy.json), but you do not have to grant all of them.\nGrant the subset you are comfortable with and the UI disables any feature whose\npermission is missing rather than erroring. Start least-privilege and add actions\nas you need them. (In our own use the key was scoped to troubleshoot a single\nproduction account and nothing more.)\n\nSES itself. You can only send from identities that are verified and configured\n(DKIM, SPF, and so on). An account in the SES sandbox can only send to verified\naddresses, which stops an unverified setup from mailing arbitrary recipients.\nRequesting production access removes the recipient restriction; after that you\nare bound by your sending quota, send rate, and bounce and complaint thresholds\nrather than by a recipient allowlist.\n\n## Setup\n\nPrerequisites: a Cloudflare account, Node 22 or newer (required by Wrangler), and\nan AWS SES account with at least one verified identity. Wrangler comes in as a dev\ndependency.\n\n```bash\nnpm install\n```\n\n### Secrets (never committed)\n\n```bash\nwrangler secret put AWS_ACCESS_KEY_ID\nwrangler secret put AWS_SECRET_ACCESS_KEY\n```\n\n### IAM policy\n\nThe actions the tool can use are in [`iam-policy.json`](./iam-policy.json): read\n(`GetAccount`, `ListEmailIdentities`, `GetEmailIdentity`,\n`Get`/`ListSuppressedDestinations`), send (`SendEmail`, `SendRawEmail`), and\nsuppression management (`Put`/`DeleteSuppressedDestination`). Grant only the\nsubset you want exercised. A read-only key still gives you the account and\nidentity views without any send or suppression-write ability.\n\n### Config (`wrangler.toml` `[vars]`)\n\n| var | meaning |\n|---|---|\n| `SES_REGION` | SES region (e.g. `us-east-1`) |\n| `CONFIG_SET` | optional Configuration Set applied to every send |\n| `PRECANNED_RECIPIENTS` | comma-separated addresses shown as one-click chips |\n| `DEFAULT_FROM` | optional pre-selected From address |\n\n## Local dev\n\n```bash\ncp .dev.vars.example .dev.vars   # fill in real credentials\nnpm run dev\n```\n\n## Deploy\n\n```bash\nnpm run deploy\n```\n\nFor a custom domain, add the zone to your Cloudflare account, set the\n`[[routes]]` block in `wrangler.toml`, and redeploy.\n\n## Security\n\nThe Worker has no built-in authentication. Anyone who can reach its URL can send\nemail from your verified identities and, depending on the key's permissions,\nchange your account suppression list. Treat deploy access as send access.\n\nPut it behind an authenticating gateway before exposing it. We run\n[Cloudflare Access](https://developers.cloudflare.com/cloudflare-one/applications/)\n(Zero Trust, Access, Applications) in front of the Worker. Combine that with a\nleast-privilege SES key (see [How access is bounded](#how-access-is-bounded)) so\nthat even with access the blast radius stays limited to what you intend.\n\nTo report a vulnerability, see [SECURITY.md](./SECURITY.md).\n\n## About\n\nmailsend is built and maintained by\n[CONFLICT](https://partners.amazonaws.com/partners/001E000000T6qNSIAZ/Conflict),\nan AWS Partner. It is the work of Leo Mata, an AWS Certified Solutions Architect\nand AWS Certified DevOps Engineer\n([credentials](https://www.credly.com/users/spartan)). It runs on\n[Cloudflare Workers](https://developers.cloudflare.com/workers/).\n\n## License\n\nMIT. See [LICENSE](./LICENSE).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fconflicthq%2Fmailsend-ses","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fconflicthq%2Fmailsend-ses","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fconflicthq%2Fmailsend-ses/lists"}