Amazon SES at USD 0.10
per thousand.
The cheapest serious email infrastructure in the market on a pure per-message basis. We do not pretend to compete on raw price — we compete on operational depth, EU sovereignty, and the cases where SES's account-level constraints stop fitting. The honest comparison below; cases where SES is still right; cases where it is not.
Where SES wins, where it doesn't.
We will not pretend to be cheaper than SES at the per-message line. SES is the cheapest serious email infrastructure in the world for AWS-native teams running clean transactional traffic at modest volumes. The gap closes — and reverses — once you factor in the operational work AWS leaves to you, the dedicated IP add-on, the 5XX-error handling, and the EU sovereignty exposure. For teams handling European customer data, the comparison is not close.
For pure-transactional, AWS-native, sub-1M/month, no-EU-data senders, SES wins decisively on cost. For everyone else — anyone past 1M/month, anyone marketing-heavy, anyone with European subscribers, anyone whose engineering team is not deep on AWS deliverability internals — our SMTP Relay or dedicated KumoMTA hosting deliver materially better outcomes once the total cost of ownership is honest.
SES's strength is the AWS economics and the integration with the rest of the AWS stack (CloudWatch, SNS, EventBridge, IAM). That strength is real but situational. The senders who migrate from SES to us are usually leaving for two reasons: SES's account-level deliverability controls hit a ceiling at scale, and the EU customer-data exposure became an active compliance issue.
Five ways the maths changes.
Each dimension below is the place where the SES-vs-managed-MTA comparison either confirms SES is right for you or reveals the hidden costs that the per-message price masks.
The per-message price
The argument SES wins on without help. USD 0.10 per 1,000 emails when sending from EC2 is the cheapest in the market.
USD 0.10 per 1,000 emails from EC2. USD 1.00 per 1,000 emails from outside AWS. No monthly minimum, no flat fee for the API itself. At 1M emails a month from EC2 the bill is USD 100. At 10M it is USD 1,000. At 100M it is USD 10,000. Amazon's pricing has been stable on this metric for years and the economics are genuinely hard to argue with on raw cost-per-message.
Flat-fee tiers: €89/month for 100K, €259/month for 250K, €599/month from 500K. Past 1M, dedicated KumoMTA at €299-649/month (effectively unlimited within hardware capacity). At 500K emails/month our €599 lands at roughly USD 1.28 per 1,000 — about 3.8× the SES per-message price. The honest comparison: at this metric alone, SES is cheaper. The real maths needs the next four dimensions to be complete.
The operational work AWS leaves to you
SES is infrastructure-as-a-service in the AWS sense — Amazon runs the engine; everything else is your responsibility. The hidden cost is the engineering time that work consumes.
You handle: SPF, DKIM, DMARC setup and DNS publishing. IP warmup using SES's automated curve (which is generic, not list-tuned). Bounce and complaint event processing via SNS into your own analytics. Suppression list management (SES has a basic one; tuning it is your work). Per-domain throttling — SES's approach is account-wide, not per-receiving-domain. Reputation recovery if a bad campaign spikes complaint rate. The pricing is per message; the engineering work behind making the messages land is per engineer-hour.
Authentication, IP warmup, bounce processing, suppression list, per-domain throttling, and reputation monitoring are all included in the price. Engineers on our side handle them; the application team writes application code. For teams with a deliverability engineer on staff (the typical SES shop) the time savings is roughly 8-15 hours/week of senior engineering attention. At Western European fully-loaded engineer rates that is meaningful money — usually exceeds the per-message price difference by month two.
The dedicated IP economics
SES dedicated IPs are an add-on at USD 24.95 per IP per month, plus the per-message charge. The economics are favourable for very large senders and worse for the middle band.
Dedicated IP at USD 24.95/IP/month, plus the per-message price. SES Standard dedicated IPs require manual warmup; Managed dedicated IPs are warmed automatically by Amazon at higher cost. For a sender doing 5M/month with two dedicated IPs from EC2: USD 500 (sending) + USD 50 (IPs) = USD 550/month. Reasonable economics at this scale, comparable to our €949 PowerMTA Multi-IP tier on price alone — and less operational depth.
Dedicated IP included in plans from €259/month (1 IP, up to 250K) and €599/month (2 IPs, from 500K). Past 500K, dedicated MTA at €529/month (1 IP) or €949/month (multi-IP, 4-8 IPs across two PoPs). Effectively comparable per-IP cost at the SES Multi-IP equivalent volume; significantly lower at the entry tier where SES's IP add-on bumps the bill disproportionately.
EU data sovereignty
The dimension where the comparison stops being close. Amazon SES is run by Amazon Web Services Inc., a U.S. corporation. The EU data exposure is structural.
U.S. parent. CLOUD Act applies regardless of which AWS region the sending happens in — the eu-west-1 region's IPs are in Dublin but the corporate parent that operates the IPs is U.S.-based. AWS European Sovereign Cloud (announced 2023, EU-incorporated subsidiary) is a real product but adds significant cost and is not the standard SES offering. For senders with European subscriber lists subject to GDPR and the EU Data Act's Chapter VII obligations on cloud providers, SES's standard offering is increasingly an active compliance problem rather than a theoretical risk.
Slovenian parent, no U.S. subsidiary, hardware in five European jurisdictions all outside CLOUD Act reach. The EU Data Act's third-country transfer obligations do not apply because there is no third-country transfer to characterise — both controller and processor are EU entities. For a Data Protection Impact Assessment, the analysis is materially simpler than the SES equivalent.
Per-domain tuning
SES is account-level, not per-receiving-domain. Below a certain volume this is irrelevant; past it, the lack of per-domain control is the reason SES placement plateaus.
Account-level configuration sets and IP pools provide some segmentation, but the throttling, the warmup, and the reputation tracking work at the account or pool level rather than per-receiving-domain. When Gmail starts throttling a specific IP for a specific reason, SES's response is a generic backoff rather than the per-domain decay that PowerMTA and KumoMTA deliver. For senders past 5M/month where 2-3 percentage points of placement difference is meaningful revenue, this is the ceiling SES hits and dedicated MTA alternatives keep growing past.
Per-receiving-domain throttling is the central abstraction in PowerMTA's VirtualMTAs and KumoMTA's egress sources. Gmail, Microsoft, Yahoo, Apple, ProtonMail — each gets its own concurrency limit, message rate, and backoff policy, tuned to that mailbox provider's current behaviour and adjusted as their behaviour changes. This is the work that distinguishes a serious bulk sender's deliverability from an account-level relay's, and it is the single biggest reason senders past 5M/month migrate off SES even though the per-message price is lower.
SES is cheap. Until you count the hours.
Send-cost is the variable everyone quotes. Engineer hours is the variable that decides whether SES makes financial sense. The chart below maps actual TCO at 5 million monthly messages including the operational layer SES does not include — bounce processing, suppression list management, reputation monitoring, IP warmup, the dashboards and alerts that detect problems before they compound.
SES looks cheap because the price-per-message is genuinely low. €0.10 per thousand at high volume is below every other provider in this category. The price-per-message is also not the variable that decides whether SES makes financial sense. The variable is engineer hours. SES is infrastructure, not a managed service. Senders who run SES in production spend somewhere between 10 and 40 hours per month on the operational layer that SES does not include — bounce processing, suppression list management, reputation monitoring, IP warmup, DKIM rotation, the dashboards and alerts that detect problems before they compound. The chart below maps actual TCO at 5 million monthly messages including engineer hours at fully loaded €120 per hour.
Three lines on the chart at 5 million messages per month workload. SES alone (raw infrastructure cost) sits at roughly €500 per month in send fees plus a few euros for SNS, S3, CloudWatch. SES with internal engineering effort included at the typical rate of 25 hours per month sits at roughly €3,500 monthly. Our equivalent at the Multi-IP tier sits at €949 per month all-in. The chart is uncomfortable for the SES side. The send-cost gap that looks like a 10x advantage for SES inverts to a 6x disadvantage once the labour is included. We do not draw this chart to be smug. The labour cost is real. We draw it because most senders evaluating SES for the first time miss the labour cost in their model and rebuild the budget at month four when the actual hours show up on a timesheet.
// monthly cost (eur) at 5M messages/mo · send-cost vs all-in vs ours
Methodology: SES send-cost computed at €0.10 per thousand × 5 million = €500/month, plus €30 estimated for SNS topic delivery, S3 log archiving, CloudWatch alarms. Engineer hours estimated at 25 hours/month from interview data across 6 senders running SES in production at this volume range during 2024-2025, fully loaded at €120/hour = €3,000. Total SES all-in: ~€3,530/month. Variance: senders with mature internal tooling and dedicated deliverability engineers can run SES at lower hourly load (10-15 hours); senders without internal tooling commonly hit 35-40 hours in months when reputation incidents land. BIG BOX number is the published Volume tier price.
The honest framing is that SES wins for senders with engineering depth and time to invest in the operational layer, and we win for senders who would rather buy that layer pre-built. Companies like Netflix and Reddit run SES at huge scale because they have entire teams maintaining the bounce processing, suppression management, and reputation tooling around it. A growth-stage company with one engineer who is also responsible for half a dozen other systems does not have that depth. For them, SES looks cheaper on month one and is more expensive every month after. The decision is not about price. It is about which operational layer your team should be spending their hours on, and the answer to that question is rarely "the one our managed-service vendor would charge €949 per month to run for us."
When which.
We genuinely send people back to SES every month for the cases where SES is the right answer. Below is the honest split.
Stay on Amazon SES when
- You are AWS-native (everything else of yours runs on AWS) and the integration with CloudWatch, SNS, EventBridge, and IAM is part of your operational fabric.
- Your traffic is purely transactional — password resets, order confirmations, receipts, OTP codes — with effectively zero complaint rate and stable engagement.
- You are sending under 1M emails/month and the absolute monthly cost difference is small compared to the migration overhead.
- Your team has a senior engineer fluent in AWS deliverability internals (SES configuration sets, dedicated IP pools, SNS event routing, suppression list maintenance) and the operational work is genuinely cheap for you.
- Your subscriber list is U.S.-based with no EU recipients and the CLOUD Act exposure is genuinely irrelevant to your situation.
- You have AWS credits available that materially offset the per-message bill.
Migrate off SES when
- You are past 5M emails/month and per-domain placement tuning has become the ceiling on your deliverability.
- You have European subscribers in your list and the CLOUD Act exposure is now a documented compliance issue rather than an abstract one.
- You run marketing campaigns alongside transactional traffic and the lack of true stream separation has caused at least one cross-contamination incident.
- Your AWS account is hitting SES sending quota or reputation issues that AWS Support is slow to resolve.
- You are migrating off AWS for unrelated reasons and the SES retention is incidental.
- Your team does not have the AWS deliverability fluency to operate SES well, and the operational cost has been absorbed quietly by the application team.
- You need a vendor who is on the phone within 4 hours when something goes wrong, not a support ticket queue.
SES → us, in practice.
SES migrations are the ones we are most cautious about. The reason: SES users are typically more technically sophisticated than SendGrid or Mailgun users, and the migration value-prop is harder to articulate against the per-message price. We do these migrations carefully, with explicit modelling of the total-cost-of-ownership comparison before signing.
The application change is small. SES exposes both an SMTP endpoint and an HTTP API; both have direct equivalents on our side. For SES SDK users, the AWS SDK calls have to be replaced with HTTP requests — there is no compatibility shim because the AWS SDK is bound to AWS-specific signing logic. The replacement is usually trivial (10-50 lines of code per send-path) but it is more work than the SendGrid or Mailgun cutover.
The reputation transfer follows the standard pattern. Your domain reputation goes with you; the SES IP-level reputation does not. The new dedicated IPs warm on a 4-6 week curve. SES-specific note: if you were using SES Managed dedicated IPs (the auto-warmed tier), your IPs were never named to your DNS — they were SES's IPs, with their reputation. The warmup on our new IPs starts cleaner than from a SES-Standard configuration, but it still needs the full ramp.
The suppression list transfer requires SES API access. SES's account-level suppression list and per-configuration-set suppression are both pullable through the API; we extract both lists, deduplicate the union, and load the deduped set into our infrastructure before traffic flows. SES bounce and complaint events flowing through SNS for the last 90 days get pulled and reconciled — anyone who hard-bounced or complained on SES gets added to our suppression even if they were not in the SES suppression list (sometimes they were not, depending on how you configured the auto-suppression).
The traffic cutover is the standard 10%-increment parallel run with daily per-domain placement monitoring. The SES-specific risk we watch for is the SES sending quota reset behaviour — if you cut over too aggressively and your SES account goes to zero traffic for 30+ days, the SES sending quota resets and re-warming SES later would be expensive. Most clients keep a thin layer of low-volume traffic on SES through the migration window in case rollback is needed; we coordinate that with you explicitly.
SES migration, specifically.
Questions we hear when AWS-native teams are evaluating the move off SES — typically around the engineer-hour TCO and the jurisdictional exposure inherited from AWS's parent. Cross-cutting topics (pricing tiers, support, deliverability methodology) are on the main FAQ.
01 If SES is so much cheaper per message, how do you compete on price at all? +
02 We use SES because everything else is on AWS. Do you integrate with AWS at all? +
03 Our SES account has been throttled. Should we migrate or fix the SES side? +
04 What about AWS European Sovereign Cloud — does that solve the CLOUD Act issue? +
05 Will my SES sending quota reset if I migrate? +
06 SES's automated IP warmup is convenient. Do you have an equivalent? +
07 Is the migration worth it if our SES bill is under USD 500/month? +
The operational layer nobody itemises.
SES is infrastructure, not delivery service. The 18 items below are what every production sender ends up building or buying around it, distributed across AWS-composed tooling, external products, and pure engineering effort. Most are not in the SES first-year budget projection. All are in the SES second-year invoice when the engineering hours are honestly counted.
The honest framing of SES is that it is not an email service. It is an infrastructure component. You wire it into an email service you build yourself. The list below is what a production-grade email delivery operation requires beyond what SES ships out of the box, the things every sender at scale ends up building or buying separately and rarely accounts for in their first SES budget projection. Some items are AWS services you can compose into a workable equivalent. Some are external tools. Some are internal engineering effort that does not exist as a product anywhere on the market. All of them are line items that show up on your team's roadmap whether you anticipate them or not. Often at the worst time. The buyers who build their TCO model from this list arrive at the comparison with us already done.
| Capability needed | SES default | What you build or buy |
|---|---|---|
| // reputation & deliverability | ||
| IP warmup with feedback | Schedule-based, no feedback loop | Custom feedback wrapper, ~80 hrs eng |
| Reputation monitoring | CloudWatch metrics, basic | Glock Apps / Ongage / custom dashboards |
| Postmaster Tools integration | Not provided | Manual setup at Gmail/Yahoo/Microsoft |
| SmartScreen visibility | Not provided | Microsoft SNDS registration + monitoring |
| // list & bounce hygiene | ||
| Bounce processing | SNS topic delivers raw events | Lambda + parser + categorisation logic |
| Suppression list management | Account-level suppression, basic | Custom multi-domain logic, pre-send check |
| Complaint handling | SNS topic for FBL events | Workflow to remove + reason-code logging |
| Email validation API | Not provided | ZeroBounce / Briteverify subscription |
| // authentication infrastructure | ||
| DKIM key rotation | Manual, customer-managed | Cron job + DNS automation + monitoring |
| DMARC monitoring | Not provided | Red Sift / Valimail / custom RUA parser |
| MTA-STS deployment | Not provided | DNS record + HTTPS-hosted policy file |
| BIMI infrastructure | Not provided | SVG hosting + VMC procurement + DNS |
| // observability & operations | ||
| Per-sender dashboards | CloudWatch, single account view | Multi-tenant aggregation layer in Grafana |
| Real-time deliverability alerts | CloudWatch alarms, basic | PagerDuty + multi-signal alert logic |
| Throttling per receiver | Sending rate, account-level only | Custom send pacer + receiver-aware logic |
| Incident response runbooks | Not provided | Internal runbooks, on-call rotation |
| // support & escalation | ||
| Engineer-level support | AWS Premium Support tier required | Business or Enterprise AWS plan, +€100-€15k/mo |
| Deliverability expertise on call | Not provided | Hire internal deliverability engineer or consultant |
Eighteen items above. Some take a week to wire up. Some take quarters of engineering effort, particularly the reputation tooling and the suppression list infrastructure that nobody warns you about until you are already running at 5 million messages per month and the bounce rate starts mattering for real. The total accumulates to the engineer-hour cost in section 01b — that is where the 25 hours per month estimate comes from, distributed across these tasks at the cadence each one demands. We are not arguing that SES is wrong. We are arguing that SES is wrong if you do not have the team to build everything above it. For senders who have that team, SES wins. For senders who do not, the math is what we showed in the chart. None of this is hidden. It is rarely surfaced in the comparison conversation, and when we do surface it the buyer has already half-decided.
Bring the SES bill.
The honest SES comparison call is built around your actual SES usage data. Bring the last 3 months of your SES bill, your traffic profile, and your dedicated-IP configuration. We model the total cost of ownership against our infrastructure transparently — about 1 in 4 of these calls ends with us recommending you stay on SES because the maths does not justify migrating. The honest answer wins long-term customers.