Post Syndicated from Sesan Komaiya original https://aws.amazon.com/blogs/messaging-and-targeting/archiving-and-sending-to-final-smtp-server/
In today’s digital landscape, where email communication plays a vital role in business operations, keeping your email archive secure, compliant, and retrievable is crucial for any business. However, managing a large volume of email data brings operational difficulties, including meeting regulatory compliance requirements, maintaining an audit trail, and preventing data loss. That’s where Amazon Simple Email Service (SES) Mail Manager’s email archiving feature comes in.
In this blog post, we will explore how Amazon SES Mail Manager’s email archiving and search features can improve email security and compliance. If you’re a newcomer to Mail Manager, look at this blog post on Amazon SES Mail Manager. It provides valuable information on important features, such as Ingress Endpoint, Traffic Policy, Rule Sets, and SMTP Relay.
Problem Statement:
Imagine a scenario where a critical email from a key client is buried deep within your organization’s email archives, and you need to retrieve it for an important audit. Add to that the challenge of ensuring your business remains compliant with stringent data retention policies across every email communication for thousands of employees, whether for a set period or permanently.
Solution explained:
Amazon SES Mail Manager Email archiving is a powerful tool that addresses many of the challenges organizations face dealing with the difficulty and expense of archiving email at scale. Compliance and regulatory frameworks like GDPR, HIPAA, and SOX often require email archiving, which is a common objective identified by customers needing to comply with those regulatory frameworks. For regulated businesses, failure to comply with email archiving regulations can result in severe financial penalties and reputational damage.
Amazon SES Mail Manager securely archives and safeguards your emails, providing easy search and export functionality. It provides full-time, enterprise-level archiving without increasing the storage requirements of your mailbox server. The feature provides a reliable and efficient solution to address most compliance requirements. By automatically archiving the types of emails you specify, the service ensures that your organization maintains a comprehensive audit trail of its communications, enabling quick retrieval and review as needed.
The email archiving feature of Mail Manager gives organizations the ability to archive email while it is in transit rather than at the user’s mailbox. Many organizations prefer archiving in transit to meet compliance requirements and maintain comprehensive records. If you would like to learn more about in-transit archiving, visit this blog – Email Archiving with Mail Manager: Why To Archive In Transit vs At The Mailbox.
How email flows with an Amazon SES Mail Manager Email Archiving
For instructional purposes in this blog post, we’ll focus on how you can introduce Mail Manager archiving into your existing email infrastructure. We’ll cover how to seamlessly integrate Mail Manager with reference architectures. Later in the blog, we are going to explore Mail Manager’s archiving capabilities, including search, export and retention policies.
Current setup
Our example organization has an existing mail server (it might be an on-premises Microsoft Exchange Server, Microsoft 365, Google Workspace, etc.). Their DNS is configured to route all email directly to this mail server. There is currently no archiving capability within the existing email infrastructure; when needed, archiving is handled by individual mailbox users and PST files. While this method is suitable for personal email archiving, it fails to meet the organization’s security requirements and compliance standards.
Figure 1: Example organization’s existing inbound email workflow.
Email Archiving in transit
We are going to introduce Mail Manager into the current mail flow (see figure 1) to archive all incoming messages from our example enterprise’s email infrastructure.
Figure 2: Example organization’s proposed inbound email workflow, with Mail Manager archiving in-transit prior to delivery.
In the new architecture (see figure 2), we’ve introduced Mail Manager into the organization’s inbound email workflow. This new workflow leverages Mail Manager’s ability to archive either all inbound emails, or only those that match specified criteria. By using a Mail Manager Rule set, our example organization can selectively store and preserve emails that meet their configured criteria.
Mail Manager Email Archiving and Search and Export Capabilities
Mail Manager’s archive search capabilities are designed to be user-friendly and efficient. You can perform searches based on various criteria, such as sender, recipient, subject line, date range, or even specific keywords in the Subject line. The search results provide options to either export the search to Amazon Simple Storage Service (S3), or you can choose to download a single email.
Let’s explore using Mail Manager’s archive search to find a specific email by the sender’s address:
Figure 3: Mail Manager’s archive search interface
Once found, we can click on the results to review the email in the console:
Figure 4: Mail Manager’s archive search results
Once we’ve found the target email, it can be downloaded by clicking on “View details”. The image below shows an example message details page with information about the email, including message headers such as In-Reply-To, X-Original-Mailer and X-Mailer.
Figure 5: Mail Manager’s archived email detailed page
Mail Manager’s archive search history tab allows us to find archive searches created in the last 30 days, and view the search results, as shown in the image below:
Figure 6: Mail Manager’s archive search history
Mail Manager’s archive export history tab lists all of the archived email searches you exported to an Amazon S3 Bucket within the last 30 days.
Figure 7: Export History
Step by Step Setup:
Now that we have explained how Mail Manager can be inserted into our example organization’s email workflow to provide email archiving, let’s explore how you can implement Mail Manager’s archiving capabilities in your own inbound email workflows. The following diagram (Figure 8) illustrates the overall structure and components involved in this architecture:
Figure 8: End-to-End Mail workflow
Follow the steps below to configure Mail Manager in your AWS account to implement this architecture:
- Log into the SES Console and select Mail Manager from the left navigation menu.
  - Note: as of this writing, Mail Manager is generally available in the following AWS Regions: US East (N. Virginia), US West (Oregon), Europe (Ireland, Frankfurt), Asia Pacific (Tokyo, Sydney).
- Under the Mail Manager navigation, create an archive (or multiple archives for different use cases).
  - Enter a unique name in the Archive name field.
  - (Optional) Select a retention period in the Retention period field to override the default retention period of 180 days.
  - (Optional) You can encrypt your archive either by entering your own AWS KMS key into the KMS key ARN field, or by selecting Create new key.
  - Choose Create archive.
- Under the Mail Manager navigation, create a traffic policy to determine the email you want to block or allow.
  - Choose Create traffic policy.
  - On the Create a traffic policy page, enter a unique name for your traffic policy.
  - (Optional) If you want to discard any messages above a certain size, enter a value in bytes in the Maximum message size field.
  - In Default action, choose whether the traffic policy is to either Allow or Deny (block) messages that fall outside of (are not addressed by) the conditions of your policy statements.
  - Select Add new policy statement to create a statement for your traffic policy.
  - Choose either Allow or Deny (block) for the action to be taken when the statement’s conditions are met.
  - Build a condition by selecting an email protocol and a conditional operator for the value you enter. Select Add new condition if you want to add more conditions to this policy statement. To learn more about a condition property and its operators and valid values, see the Policy statement conditions reference.
  - If you’re subscribed to an Email Add On, you’ll be able to select it here as an email protocol.
  - If you want to add more policy statements and conditions, repeat the steps above.
  - Select Create traffic policy.
- Under the Mail Manager navigation, create a rule set to perform actions on the email you allow in.
  - Choose Create rule set and enter a unique name for your rule set.
  - Choose Create new rule on the edit page.
  - In the Rule details sidebar, enter a unique name for your rule.
  - Select Add new condition to create a condition that the message must match; or check the EXCEPT in the case of: box followed by Add new exception to create a condition that the message must not match.
  - Build the condition or exception by selecting an email property and a conditional operator for the value you enter. Select Add new condition or Add new exception if you want to add more conditions or exceptions to this rule. To learn more about a condition property and its operators and valid values, see the Rule conditions reference.
  - Select Add new action to define the action to be taken when the rule’s conditions are matched and/or exceptions are not matched. To add more actions to be taken, select Add new action. To learn more about actions and their parameters, see the Rule actions reference.
  - Create an Archive rule, then save the rule set.
- Under the Mail Manager navigation, create your ingress endpoint and assign the traffic policy and rule set to it.
  - Choose Ingress endpoints under Mail Manager.
  - On the Ingress endpoints page, select Create ingress endpoint.
  - On the Create new ingress endpoint page, enter a unique name for your ingress endpoint.
  - Choose whether it will be an Open or Authenticated endpoint.
  - Select a traffic policy to determine the email you want to block or allow.
  - Select a rule set containing the rule actions you want to perform on the email you allow in.
  - Select Create ingress endpoint.
- Configure your environment to use the ingress endpoint.
  - At the time you create an ingress endpoint, an “A” record for the endpoint will be generated and its value displayed on the ingress endpoint’s summary screen in the SES console. The way you use the value of this record depends on the type of endpoint you created and your use case.
  - DNS providers have different procedures and interfaces for configuring email records. The key pieces of information you need to put into your DNS settings are listed in our documentation – https://docs.aws.amazon.com/ses/latest/dg/eb-ingress.html#eb-ingress-a-record
- Under the Mail Manager navigation, create an SMTP relay to send mail on to your existing mail server.
  - Choose SMTP relays under Mail Manager.
  - On the SMTP relays page, select Create SMTP relay.
  - On the Create SMTP relay page, enter a unique name for your SMTP relay.
  - Depending on the type of SMTP relay you want to configure, follow the respective instructions:
    - inbound (non-authenticated)
    - outbound (authenticated) SMTP relay
- Update your DNS MX records to point to your new Mail Manager ingress endpoint instead of the existing mail server.
Note: Make sure that you have tested the steps above in your development environment and that you understand the steps before deploying into your production environment.
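As an added example (not code from the post or from AWS), the resources in the walkthrough above expressed as sesv2 API request payloads, so they can be reviewed before anything is created, together with a check that every rule archives before it relays. The archive, policy and relay names, the KMS key ARN and the mail server are placeholders; the payload key names follow the sesv2 CreateMailManager* request shapes as I understand them, so confirm them against the current boto3 reference before calling the API.

```python
# Constructed example values; the KMS key ARN and mail server are placeholders.
ARCHIVE_NAME = "inbound-compliance-archive"
KMS_KEY_ARN = "arn:aws:kms:us-east-1:123456789012:key/PLACEHOLDER-KEY-ID"
MAIL_SERVER = "mail.example.com"            # the existing downstream mail server
MAX_MESSAGE_BYTES = 25 * 1024 * 1024        # discard anything above 25 MiB

def archive_request(name=ARCHIVE_NAME, retention="ONE_YEAR", kms_key_arn=KMS_KEY_ARN):
    # Retention overrides the 180-day default; a customer-managed KMS key keeps
    # the archive under a key policy you control.
    return {"ArchiveName": name, "Retention": {"RetentionPeriod": retention},
            "KmsKeyArn": kms_key_arn}

def traffic_policy_request(domain, name="inbound-policy", max_bytes=MAX_MESSAGE_BYTES):
    # Default DENY plus one ALLOW statement: only mail addressed to our domain
    # reaches the rule set; everything else is rejected at the ingress endpoint.
    return {"TrafficPolicyName": name, "DefaultAction": "DENY",
            "MaxMessageSizeBytes": max_bytes,
            "PolicyStatements": [{"Action": "ALLOW", "Conditions": [{
                "StringExpression": {"Evaluate": {"Attribute": "RECIPIENT"},
                                     "Operator": "ENDS_WITH",
                                     "Values": ["@" + domain]}}]}]}

def relay_request(name="existing-mail-server", server=MAIL_SERVER, port=25):
    # Inbound (non-authenticated) relay to the existing server, as in the post.
    return {"RelayName": name, "ServerName": server, "ServerPort": port,
            "Authentication": {"NoAuthentication": {}}}

def rule_set_request(archive_id, relay_id, name="archive-then-deliver"):
    # No conditions: every allowed message is archived, then relayed onward.
    return {"RuleSetName": name, "Rules": [{"Name": "archive-all-inbound",
            "Actions": [{"Archive": {"TargetArchive": archive_id}},
                        {"Relay": {"Relay": relay_id, "MailFrom": "PRESERVE"}}]}]}

def ingress_endpoint_request(traffic_policy_id, rule_set_id, name="inbound-ingress"):
    # OPEN endpoint: the host your MX records will point at.
    return {"IngressPointName": name, "Type": "OPEN",
            "TrafficPolicyId": traffic_policy_id, "RuleSetId": rule_set_id}

def archive_precedes_relay(rule_set):
    """Review check: in each rule the Archive action must be listed before
    Relay, so a retained copy exists even if downstream delivery fails."""
    for rule in rule_set["Rules"]:
        kinds = [next(iter(action)) for action in rule["Actions"]]
        if "Relay" in kinds and ("Archive" not in kinds
                                 or kinds.index("Archive") > kinds.index("Relay")):
            return False
    return True
```

Each dict is meant to be passed as keyword arguments to the matching boto3 `sesv2` call (for example `create_mail_manager_archive(**archive_request())`), feeding the ids returned by earlier calls into the rule set and ingress endpoint requests.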
Conclusion
Amazon SES Mail Manager’s email archiving capabilities are designed for organizations seeking to enhance the security, compliance, and auditability of their email communications. By seamlessly integrating this feature into their existing email infrastructure, organizations can now archive all inbound messages in transit, ensuring a comprehensive, tamper-proof record of their email activities. The powerful search and export functionality of Mail Manager makes it easy to quickly locate and access specific emails when needed, whether for compliance audits, legal requests, or internal investigations.
This level of email visibility and control is particularly crucial for organizations operating in highly regulated industries like government, healthcare and finance, where the stakes for non-compliance can be severe. Beyond the compliance benefits, Mail Manager’s email archiving also helps to alleviate the operational headaches and expenses associated with traditional in-house archiving systems. By offloading this responsibility to AWS, organizations can focus their resources on their core business priorities, while still maintaining the security and accessibility of their critical email data.
If you’re looking to strengthen your email security posture, simplify your compliance efforts, and improve the overall management of your email archives, we encourage you to explore how Amazon SES Mail Manager’s email archiving capabilities can be seamlessly integrated into your existing email infrastructure. Take the first step towards a more secure, compliant, and efficient email management solution by contacting us today.