Nurul Ramadhona
Posted on March 25, 2023
This post continues the previous one, where I explained how important email is and why we chose Workmail as our email service. Here we will get started on setting up email hosting with Amazon Workmail. I'll do all the steps using the AWS CLI, so make sure you have installed it and configured your credentials.
Are you comfortable with the Console? Please go ahead with it, no pressure at all :)
When I created this series, Amazon Workmail was only available in 3 regions. In this case, I randomly chose N. Virginia (us-east-1) and you can choose whichever one you wanna use.
So, what are we gonna do?
Create Organization
Create User
Register Domain
Update Default Domain
Create User Alias
Send & Receive Email
Update Mailbox Quota
Create Group
Associate User To The Group
Setup Email On Mobile Email Client App
I think those 10 steps are enough for us to get started with Amazon Workmail!
1. Create Organization
Here we will start with the free domain provided, which is awsapps.com. So please decide on the alias first, then AWS will do the rest to set up your email hosting, such as domain verification, along with the webmail client link provided.
For example, I use dhona as an alias, so AWS will verify dhona.awsapps.com and use dhona.awsapps.com/mail to access the webmail client.
$ aws workmail create-organization --alias dhona --region us-east-1
OrganizationId: m-fb75a642ab0f4745b33b54f729f6af01
$ aws workmail describe-organization --organization-id m-fb75a642ab0f4745b33b54f729f6af01 --region us-east-1
ARN: arn:aws:workmail:us-east-1:0123456789:organization/m-fb75a642ab0f4745b33b54f729f6af01
Alias: dhona
CompletedDate: '2023-03-23T18:20:03.872000+07:00'
DefaultMailDomain: dhona.awsapps.com
DirectoryId: d-9067aebc88
DirectoryType: IdentityPoolDirectory
OrganizationId: m-fb75a642ab0f4745b33b54f729f6af01
State: Active
Note*: please save the organization-id as we always use it for the next configurations.
2. Create Users
When we create a user, we don't need to choose the domain right away. At this point it is just a user, not yet an email user, and its state is still disabled.
$ aws workmail create-user --organization-id m-fb75a642ab0f4745b33b54f729f6af01 --name dhona --display-name "Nurul Ramadhona" --password "$password" --region us-east-1
UserId: 510f7b96-800d-47e2-a869-c3c47af4e9ea
$ aws workmail describe-user --user-id 510f7b96-800d-47e2-a869-c3c47af4e9ea --organization-id m-fb75a642ab0f4745b33b54f729f6af01 --region us-east-1
DisplayName: Nurul Ramadhona
Name: dhona
State: DISABLED
UserId: 510f7b96-800d-47e2-a869-c3c47af4e9ea
UserRole: USER
To enable the user, we will need to choose a "temporary" primary email address. Why is it temporary? Because we can change it anytime we want (I'll tell you more about it in the fifth step). By doing this, you will create an email address for that user.
$ aws workmail register-to-work-mail --organization-id m-fb75a642ab0f4745b33b54f729f6af01 --entity-id 510f7b96-800d-47e2-a869-c3c47af4e9ea --email dhona@dhona.awsapps.com --region us-east-1
$ aws workmail describe-user --user-id 510f7b96-800d-47e2-a869-c3c47af4e9ea --organization-id m-fb75a642ab0f4745b33b54f729f6af01 --region us-east-1
DisplayName: Nurul Ramadhona
Email: dhona@dhona.awsapps.com
EnabledDate: '2023-03-23T19:00:40.432000+07:00'
Name: dhona
State: ENABLED
UserId: 510f7b96-800d-47e2-a869-c3c47af4e9ea
UserRole: USER
Note*: entity-id is the ID of either a user or a group. Please adjust it depending on whether you're managing a user or a group. Don't get confused!
Right after the user is enabled, we can log in to the webmail client and start sending/receiving emails.
3. Register Domain To The Organization
Within an organization, we can use more than one domain. Since we got the free alias dhona.awsapps.com, here I'll add my external domain dhona.xyz (you can skip this step if you don't have one and jump to the sixth step). We can use a domain either from Amazon Route53 or from an external registrar.
$ aws workmail register-mail-domain --organization-id m-fb75a642ab0f4745b33b54f729f6af01 --domain-name dhona.xyz --region us-east-1
When we use a custom domain, we should add some required DNS records generated by Workmail. Each record has its own purpose.
$ aws workmail get-mail-domain --organization-id m-fb75a642ab0f4745b33b54f729f6af01 --domain-name dhona.xyz --region us-east-1
DkimVerificationStatus: PENDING
IsDefault: false
IsTestDomain: false
OwnershipVerificationStatus: PENDING
Records:
(the required DNS records will be shown here)
- Mail Exchange (MX): tells senders where the mail server for the domain is located.
For example: Value: 10 inbound-smtp.us-east-1.amazonaws.com.
It gives the mail server's host name along with its priority, which is 10. The host name can resolve to more than one IP address in case we have multiple servers. Anyway, if the domain is already in use somewhere (you already host your email service on that domain), I suggest you wait until the migration process is done.
- Sender Policy Framework (SPF): used to list all addresses that are allowed to send email using the domain.
For example: Value: v=spf1 include:amazonses.com ~all
It means all emails that don't come from amazonses.com should be marked as insecure or spam.
- DomainKeys Identified Mail (DKIM): used by the receiver to verify the cryptographic signature on an email against a public key published in DNS. The hostname is marked with ._domainkey.
For example: Value: abcdefghijklmnopqrstuvwxyz.dkim.amazonses.com.
- Domain-based Message Authentication, Reporting and Conformance (DMARC): tells the receiver what action to take if authentication fails. It is an additional record that builds on SPF and DKIM.
For example: Value: v=DMARC1;p=quarantine;pct=100;fo=1
It means the receiver should quarantine all emails that don't pass the authentication checks and generate a report to the sender when the emails fail to deliver.
Those 3 things are parts of email security. You can get to know more about them and you can also make them custom as you need. In this case, I'll follow what Workmail has generated for me. If we already set the DNS records properly, the domain will be successfully verified and ready to be used.
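As an added example (not part of the original post), the script below lints SPF and DMARC values like the ones Workmail generated above and prints one finding per weak setting. The function names are hypothetical, and the two input strings are the sample values from this page; in practice they would be read from DNS.

```shell
#!/bin/sh
# Added example: lint SPF and DMARC TXT values like the ones shown in step 3.
# Function names are hypothetical. In practice the strings come from DNS, e.g.
#   dig +short TXT dhona.xyz    and    dig +short TXT _dmarc.dhona.xyz

# Print the first "all" term with its qualifier (-all ~all ?all +all), or "none".
spf_all() (
    set -f                                  # "?all" must not be glob-expanded
    result=none
    for term in $(printf '%s' "$1" | tr 'A-Z' 'a-z'); do
        case "$term" in
            all|+all)  result=+all;  break ;;   # bare "all" defaults to "+"
            [-~?]all)  result=$term; break ;;
        esac
    done
    echo "$result"
)

# Print the value of one tag ($2) from a DMARC record ($1); empty if absent.
dmarc_tag() {
    printf '%s\n' "$1" | tr ';' '\n' |
        sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" |
        sed 's/[[:space:]]*$//' | head -n 1
}

# Print one finding per line; print nothing when both records are strict.
lint_mail_auth() {
    case "$(spf_all "$1")" in
        -all) ;;
        "~all") echo "SPF: ~all is a softfail; unlisted senders are only marked" ;;
        *) echo "SPF: no effective restriction on unlisted senders" ;;
    esac
    case "$(dmarc_tag "$2" p)" in
        reject|quarantine) ;;
        none) echo "DMARC: p=none only monitors; failing mail is delivered" ;;
        *) echo "DMARC: missing or invalid p= tag" ;;
    esac
    pct=$(dmarc_tag "$2" pct)
    [ -z "$pct" ] || [ "$pct" = 100 ] ||
        echo "DMARC: pct=$pct applies the policy to only part of failing mail"
    [ -n "$(dmarc_tag "$2" rua)$(dmarc_tag "$2" ruf)" ] ||
        echo "DMARC: no rua/ruf address, so no reports are sent and fo= is ignored"
}

# Sample values copied from this page.
lint_mail_auth "v=spf1 include:amazonses.com ~all" \
               "v=DMARC1;p=quarantine;pct=100;fo=1"
```

For the page's values it reports the SPF softfail and the missing report address; adding a rua=mailto: tag to the DMARC record clears the second finding.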
4. Update Default Domain
Since now we have two domains, we are free to choose which one will be used as the default domain.
$ aws workmail update-default-mail-domain --organization-id m-fb75a642ab0f4745b33b54f729f6af01 --domain-name dhona.xyz --region us-east-1
$ aws workmail describe-organization --organization-id m-fb75a642ab0f4745b33b54f729f6af01 --region us-east-1
ARN: arn:aws:workmail:us-east-1:0123456789:organization/m-fb75a642ab0f4745b33b54f729f6af01
Alias: dhona
CompletedDate: '2023-03-23T18:20:03.872000+07:00'
DefaultMailDomain: dhona.xyz
DirectoryId: d-9067aebc88
DirectoryType: IdentityPoolDirectory
OrganizationId: m-fb75a642ab0f4745b33b54f729f6af01
State: Active
$ aws workmail list-mail-domains --organization-id m-fb75a642ab0f4745b33b54f729f6af01 --region us-east-1
MailDomains:
- DefaultDomain: false
  DomainName: dhona.awsapps.com
- DefaultDomain: true
  DomainName: dhona.xyz
5. Create User Alias
The alias in this section is different from the alias of the organization. When we create a user, the user can have multiple email addresses using different domains registered on Workmail. One acts as the primary email address and the rest as aliases. It's a good choice if you have more than one domain but you want to use the same username. All emails sent to an alias will be directed to and received by the primary email address.
$ aws workmail create-alias --entity-id 510f7b96-800d-47e2-a869-c3c47af4e9ea --alias dhona@dhona.xyz --organization-id m-fb75a642ab0f4745b33b54f729f6af01 --region us-east-1
As I said above, we can change our primary email address anytime we want. So I'll make dhona@dhona.xyz the primary email of the user named dhona.
$ aws workmail update-primary-email-address --organization-id m-fb75a642ab0f4745b33b54f729f6af01 --entity-id 510f7b96-800d-47e2-a869-c3c47af4e9ea --email dhona@dhona.xyz --region us-east-1
$ aws workmail list-users --organization-id m-fb75a642ab0f4745b33b54f729f6af01 --region us-east-1
Users:
- DisplayName: Nurul Ramadhona
  Email: dhona@dhona.xyz
  EnabledDate: '2023-03-23T19:00:40.432000+07:00'
  Id: 510f7b96-800d-47e2-a869-c3c47af4e9ea
  Name: dhona
  State: ENABLED
  UserRole: USER
6. Send & Receive Email
For testing the email, we will create one more user and we will see if it works along with SPF, DKIM and DMARC checks.
$ aws workmail create-user --organization-id m-fb75a642ab0f4745b33b54f729f6af01 --name nurul --display-name "Nurul Ramadhona" --password "$password" --region us-east-1
UserId: 4b1d1dd0-4c9a-451a-83de-4145063999f0
$ aws workmail register-to-work-mail --organization-id m-fb75a642ab0f4745b33b54f729f6af01 --entity-id 4b1d1dd0-4c9a-451a-83de-4145063999f0 --email nurul@dhona.xyz --region us-east-1
$ aws workmail describe-user --user-id 4b1d1dd0-4c9a-451a-83de-4145063999f0 --organization-id m-fb75a642ab0f4745b33b54f729f6af01 --region us-east-1
DisplayName: Nurul Ramadhona
Email: nurul@dhona.xyz
EnabledDate: '2023-03-23T20:03:58.821000+07:00'
Name: nurul
State: ENABLED
UserId: 4b1d1dd0-4c9a-451a-83de-4145063999f0
UserRole: USER
Here is the result:
It's a test email within the same domain, passed all authentication.
7. Update Mailbox Quota
With Workmail, we are free to customize the quota of each mailbox. By default, each user gets 50GB and we are allowed to increase or decrease as we need.
$ aws workmail get-mailbox-details --organization-id m-fb75a642ab0f4745b33b54f729f6af01 --user-id 4b1d1dd0-4c9a-451a-83de-4145063999f0 --region us-east-1
MailboxQuota: 51200
MailboxSize: 0.010987281799316406
$ aws workmail update-mailbox-quota --organization-id m-fb75a642ab0f4745b33b54f729f6af01 --user-id 4b1d1dd0-4c9a-451a-83de-4145063999f0 --mailbox-quota 12800 --region us-east-1
$ aws workmail get-mailbox-details --organization-id m-fb75a642ab0f4745b33b54f729f6af01 --user-id 4b1d1dd0-4c9a-451a-83de-4145063999f0 --region us-east-1
MailboxQuota: 12800
MailboxSize: 0.02144145965576172
8. Create Group
A group is always a best practice for managing users. Let's say we have a company that consists of many departments such as HR, Marketing, Developers, etc. A group makes it easier to spread information to all members of each department, so no one misses any updates.
$ aws workmail create-group --name developers --organization-id m-fb75a642ab0f4745b33b54f729f6af01 --region us-east-1
GroupId: bcefb7d0-1f5a-45e4-8ef4-853a74823e86
$ aws workmail register-to-work-mail --organization-id m-fb75a642ab0f4745b33b54f729f6af01 --entity-id bcefb7d0-1f5a-45e4-8ef4-853a74823e86 --email developers@dhona.xyz --region us-east-1
$ aws workmail list-groups --organization-id m-fb75a642ab0f4745b33b54f729f6af01 --region us-east-1
Groups:
- Email: developers@dhona.xyz
  EnabledDate: '2023-03-23T20:40:45.076000+07:00'
  Id: bcefb7d0-1f5a-45e4-8ef4-853a74823e86
  Name: developers
  State: ENABLED
9. Associate User To The Group
Now, we will add some users to the Developers group and use developers@dhona.xyz as the email address (it should not already be used by other groups/users).
$ aws workmail associate-member-to-group --organization-id m-fb75a642ab0f4745b33b54f729f6af01 --group-id bcefb7d0-1f5a-45e4-8ef4-853a74823e86 --member-id 3815a14e-e0d1-4d31-b998-bb290589191c --region us-east-1
$ aws workmail associate-member-to-group --organization-id m-fb75a642ab0f4745b33b54f729f6af01 --group-id bcefb7d0-1f5a-45e4-8ef4-853a74823e86 --member-id 510f7b96-800d-47e2-a869-c3c47af4e9ea --region us-east-1
$ aws workmail list-group-members --organization-id m-fb75a642ab0f4745b33b54f729f6af01 --group-id bcefb7d0-1f5a-45e4-8ef4-853a74823e86 --region us-east-1
Members:
- EnabledDate: '2023-03-23T18:37:51.155000+07:00'
  Id: 3815a14e-e0d1-4d31-b998-bb290589191c
  Name: admin
  State: ENABLED
  Type: USER
- EnabledDate: '2023-03-23T19:00:40.432000+07:00'
  Id: 510f7b96-800d-47e2-a869-c3c47af4e9ea
  Name: dhona
  State: ENABLED
  Type: USER
I'll log in to one of the members.
10. Setup Email On Mobile Email Client App
The webmail client provided by Workmail is not the only email client we can use. As with other email services, we can set up our email on mobile too by using the Microsoft Exchange option. Here is how it goes:
Access to the email also brings other features such as Calendar into our mobile app and we can use it as well as the email itself. Here's an example of how I create a reminder on the Calendar from the webmail client and mobile. Both will be synchronized automatically.
- Create Reminder from Webmail Client
- Create Reminder from Mobile
What's next?
We have reached the end of this post, but it's not the end of this series. So please keep this state because we will use it again in the next post.