Host Your Own Business Email Using Amazon Workmail

nurulramadhona

Nurul Ramadhona

Posted on March 25, 2023


This post continues the previous one, where I explained how important email is and why we chose Workmail as our email service. Here we get started on setting up email hosting with Amazon Workmail. I'll do all the steps using the AWS CLI, so make sure you have installed it and configured your credentials.

Are you comfortable with the Console? Please go ahead with it, no pressure at all :)

When I created this series, Amazon Workmail was only available in 3 regions. In this case, I randomly chose N. Virginia (us-east-1), and you can choose which one you wanna use.

Workmail Region

More about Amazon Workmail, click here!

So, what are we gonna do?

  1. Create Organization

  2. Create User

  3. Register Domain

  4. Update Default Domain

  5. Create User Alias

  6. Send & Receive Email

  7. Update Mailbox Quota

  8. Create Group

  9. Associate User To The Group

  10. Setup Email On Mobile Email Client App

I think those 10 steps are enough for us to get started with Amazon Workmail!

1. Create Organization

Here we start with the free domain provided, which is awsapps.com. Decide on an alias first; AWS then does the rest of the email hosting setup, such as domain verification and providing the webmail client link.

For example, I use dhona as an alias, so AWS will verify dhona.awsapps.com and use dhona.awsapps.com/mail to access the webmail client.

$ aws workmail create-organization --alias dhona --region us-east-1
OrganizationId: m-fb75a642ab0f4745b33b54f729f6af01
$ aws workmail describe-organization --organization-id m-fb75a642ab0f4745b33b54f729f6af01 --region us-east-1
ARN: arn:aws:workmail:us-east-1:0123456789:organization/m-fb75a642ab0f4745b33b54f729f6af01
Alias: dhona
CompletedDate: '2023-03-23T18:20:03.872000+07:00'
DefaultMailDomain: dhona.awsapps.com
DirectoryId: d-9067aebc88
DirectoryType: IdentityPoolDirectory
OrganizationId: m-fb75a642ab0f4745b33b54f729f6af01
State: Active

Note*: please save the organization-id, as we will use it in all of the following configurations.

2. Create Users

When we create a user, we don't need to choose a domain right away. At this point it is just a user, not yet an email user, and its state is still DISABLED.

$ aws workmail create-user --organization-id m-fb75a642ab0f4745b33b54f729f6af01 --name dhona --display-name "Nurul Ramadhona" --password "$password" --region us-east-1
UserId: 510f7b96-800d-47e2-a869-c3c47af4e9ea
$ aws workmail describe-user --user-id 510f7b96-800d-47e2-a869-c3c47af4e9ea --organization-id m-fb75a642ab0f4745b33b54f729f6af01 --region us-east-1
DisplayName: Nurul Ramadhona
Name: dhona
State: DISABLED
UserId: 510f7b96-800d-47e2-a869-c3c47af4e9ea
UserRole: USER

To enable the user, we will need to choose a "temporary" primary email address. Why is it temporary? Because we can change it anytime we want (I'll tell you more about it in the fifth step). By doing this, you will create an email address for that user.

$ aws workmail register-to-work-mail --organization-id m-fb75a642ab0f4745b33b54f729f6af01 --entity-id 510f7b96-800d-47e2-a869-c3c47af4e9ea --email dhona@dhona.awsapps.com --region us-east-1
$ aws workmail describe-user --user-id 510f7b96-800d-47e2-a869-c3c47af4e9ea --organization-id m-fb75a642ab0f4745b33b54f729f6af01 --region us-east-1
DisplayName: Nurul Ramadhona
Email: dhona@dhona.awsapps.com
EnabledDate: '2023-03-23T19:00:40.432000+07:00'
Name: dhona
State: ENABLED
UserId: 510f7b96-800d-47e2-a869-c3c47af4e9ea
UserRole: USER

Note*: entity-id is the ID of either a user or a group. Adjust it depending on whether you're managing a user or a group. Don't get confused!

Right after the user is enabled, we can log in to the webmail client and start sending/receiving emails.

Workmail Login

Workmail Webmail

3. Register Domain To The Organization

Within an organization, we can use more than one domain. Besides the free alias dhona.awsapps.com, here I'll add my external domain dhona.xyz (you can skip this step if you don't have one and jump to the sixth step). We can use a domain from Amazon Route53 or an external domain.

$ aws workmail register-mail-domain --organization-id m-fb75a642ab0f4745b33b54f729f6af01 --domain-name dhona.xyz --region us-east-1

When we use a custom domain, we should add some required DNS records generated by Workmail. Each record has its own purpose.

$ aws workmail get-mail-domain --organization-id m-fb75a642ab0f4745b33b54f729f6af01 --domain-name dhona.xyz --region us-east-1
DkimVerificationStatus: PENDING
IsDefault: false
IsTestDomain: false
OwnershipVerificationStatus: PENDING
Records:
(the required DNS records will be shown here)

  • Mail Exchange (MX): tells senders where the mail server for the domain is located.

For example: Value: 10 inbound-smtp.us-east-1.amazonaws.com.

It gives the mail server's address as a domain name, along with the priority, which is 10. The domain name can resolve to more than one IP address in case we have multiple servers. Anyway, if the domain is already in use somewhere (you already host your email service on that domain), I suggest you wait till the migration process is done.

  • Sender Policy Framework (SPF): used to list all addresses that are allowed to send email using the domain.

For example: Value: v=spf1 include:amazonses.com ~all

It means all emails that don't come from amazonses.com should be marked as insecure or spam.

  • DomainKeys Identified Mail (DKIM): lets the receiver verify that an email was cryptographically signed with the domain's key. The record's hostname is marked with ._domainkey.

For example: Value: abcdefghijklmnopqrstuvwxyz.dkim.amazonses.com.

  • Domain-based Message Authentication, Reporting and Conformance (DMARC): used to decide what action to take if authentication fails. This is an additional record on top of SPF and DKIM.

For example: Value: v=DMARC1;p=quarantine;pct=100;fo=1

It means the receiver should quarantine all emails that don't pass the authentication checks and generate a report to the sender when the emails fail to deliver.

Those 3 things are part of email security. You can learn more about them and customize them as you need. In this case, I'll follow what Workmail has generated for me. Once the DNS records are set properly, the domain will be successfully verified and ready to be used.
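The SPF and DMARC values above can be linted offline before they are published. The script below is an added example, not part of the original post or of Workmail's tooling; the function names are hypothetical and the two record strings are the sample values quoted above.

```shell
# Added example: offline lint of the SPF and DMARC sample values from this post.

SPF_RECORD='v=spf1 include:amazonses.com ~all'
DMARC_RECORD='v=DMARC1;p=quarantine;pct=100;fo=1'

# Print the value of one DMARC tag (p, pct, rua, ...); prints nothing if absent.
dmarc_tag() {
  printf '%s\n' "$1" | tr ';' '\n' | tr -d ' \t' |
    awk -v tag="$2" 'index($0, tag "=") == 1 { print substr($0, length(tag) + 2); exit }'
}

# Map the record's "all" mechanism to its SPF result name.
spf_all_result() {
  case " $1 " in
    *" -all "*)           echo fail ;;
    *" ~all "*)           echo softfail ;;
    *" ?all "*)           echo neutral ;;
    *" +all "*|*" all "*) echo pass ;;
    *)                    echo none ;;
  esac
}

# Print one finding per line for an SPF/DMARC pair; no output means no findings.
audit_mail_auth() {
  local spf="$1" dmarc="$2" policy
  case " $spf " in
    *" include:amazonses.com "*) ;;
    *) echo "SPF: amazonses.com is not an authorized sender" ;;
  esac
  case $(spf_all_result "$spf") in
    fail) ;;
    softfail) echo "SPF: ~all is softfail, other senders are flagged rather than failed" ;;
    *) echo "SPF: no restrictive all mechanism" ;;
  esac
  policy=$(dmarc_tag "$dmarc" p)
  case "$policy" in
    quarantine|reject) ;;
    *) echo "DMARC: p=${policy:-missing} takes no action on failures" ;;
  esac
  if [ -z "$(dmarc_tag "$dmarc" rua)" ]; then
    echo "DMARC: no rua tag, aggregate reports are not sent anywhere"
  fi
  if [ -n "$(dmarc_tag "$dmarc" fo)" ] && [ -z "$(dmarc_tag "$dmarc" ruf)" ]; then
    echo "DMARC: fo is ignored because no ruf address is set"
  fi
}

audit_mail_auth "$SPF_RECORD" "$DMARC_RECORD"
```

For the sample values it prints three findings: the SPF softfail, the missing rua tag, and the fo tag that RFC 7489 tells receivers to ignore when no ruf address is present.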

4. Update Default Domain

Since now we have two domains, we are free to choose which one will be used as the default domain.

$ aws workmail update-default-mail-domain --organization-id m-fb75a642ab0f4745b33b54f729f6af01 --domain-name dhona.xyz --region us-east-1
$ aws workmail describe-organization --organization-id m-fb75a642ab0f4745b33b54f729f6af01 --region us-east-1
ARN: arn:aws:workmail:us-east-1:0123456789:organization/m-fb75a642ab0f4745b33b54f729f6af01
Alias: dhona
CompletedDate: '2023-03-23T18:20:03.872000+07:00'
DefaultMailDomain: dhona.xyz
DirectoryId: d-9067aebc88
DirectoryType: IdentityPoolDirectory
OrganizationId: m-fb75a642ab0f4745b33b54f729f6af01
State: Active
$ aws workmail list-mail-domains --organization-id m-fb75a642ab0f4745b33b54f729f6af01 --region us-east-1
MailDomains:
- DefaultDomain: false
  DomainName: dhona.awsapps.com
- DefaultDomain: true
  DomainName: dhona.xyz

5. Create User Alias

The alias in this section is different from the alias of the organization. When we create a user, the user can have multiple email addresses using different domains registered on Workmail. One acts as the primary email address and the rest as aliases. It's a good choice if you have more than one domain but you want to use the same username. All emails sent to an alias will be directed to and received by the primary email address.

$ aws workmail create-alias --entity-id 510f7b96-800d-47e2-a869-c3c47af4e9ea --alias dhona@dhona.xyz --organization-id m-fb75a642ab0f4745b33b54f729f6af01 --region us-east-1

As I said above, we can change our primary email address anytime we want. So I'll make dhona@dhona.xyz the primary email address of the user named dhona.

$ aws workmail update-primary-email-address --organization-id m-fb75a642ab0f4745b33b54f729f6af01 --entity-id 510f7b96-800d-47e2-a869-c3c47af4e9ea --email dhona@dhona.xyz --region us-east-1
$ aws workmail list-users --organization-id m-fb75a642ab0f4745b33b54f729f6af01 --region us-east-1
Users:
- DisplayName: Nurul Ramadhona
  Email: dhona@dhona.xyz
  EnabledDate: '2023-03-23T19:00:40.432000+07:00'
  Id: 510f7b96-800d-47e2-a869-c3c47af4e9ea
  Name: dhona
  State: ENABLED
  UserRole: USER

6. Send & Receive Email

For testing the email, we will create one more user and we will see if it works along with SPF, DKIM and DMARC checks.

$ aws workmail create-user --organization-id m-fb75a642ab0f4745b33b54f729f6af01 --name nurul --display-name "Nurul Ramadhona" --password "$password" --region us-east-1
UserId: 4b1d1dd0-4c9a-451a-83de-4145063999f0
$ aws workmail register-to-work-mail --organization-id m-fb75a642ab0f4745b33b54f729f6af01 --entity-id 4b1d1dd0-4c9a-451a-83de-4145063999f0 --email nurul@dhona.xyz --region us-east-1
$ aws workmail describe-user --user-id 4b1d1dd0-4c9a-451a-83de-4145063999f0 --organization-id m-fb75a642ab0f4745b33b54f729f6af01 --region us-east-1
DisplayName: Nurul Ramadhona
Email: nurul@dhona.xyz
EnabledDate: '2023-03-23T20:03:58.821000+07:00'
Name: nurul
State: ENABLED
UserId: 4b1d1dd0-4c9a-451a-83de-4145063999f0
UserRole: USER

Here is the result:

Workmail SPF DKIM DMARC

It's a test email within the same domain, and it passed all authentication checks.

7. Update Mailbox Quota

With Workmail, we are free to customize the quota of each mailbox. By default, each user gets 50GB and we are allowed to increase or decrease as we need.

$ aws workmail get-mailbox-details --organization-id m-fb75a642ab0f4745b33b54f729f6af01 --user-id 4b1d1dd0-4c9a-451a-83de-4145063999f0 --region us-east-1
MailboxQuota: 51200
MailboxSize: 0.010987281799316406
$ aws workmail update-mailbox-quota --organization-id m-fb75a642ab0f4745b33b54f729f6af01 --user-id 4b1d1dd0-4c9a-451a-83de-4145063999f0 --mailbox-quota 12800 --region us-east-1
$ aws workmail get-mailbox-details --organization-id m-fb75a642ab0f4745b33b54f729f6af01 --user-id 4b1d1dd0-4c9a-451a-83de-4145063999f0 --region us-east-1
MailboxQuota: 12800
MailboxSize: 0.02144145965576172

8. Create Group

A group is always a best practice for managing users. Let's say we have a company that consists of many departments such as HR, Marketing, Developers, etc. It will be easier to spread information to all members of each department so no one misses any updates.

$ aws workmail create-group --name developers --organization-id m-fb75a642ab0f4745b33b54f729f6af01 --region us-east-1
GroupId: bcefb7d0-1f5a-45e4-8ef4-853a74823e86
$ aws workmail register-to-work-mail --organization-id m-fb75a642ab0f4745b33b54f729f6af01 --entity-id bcefb7d0-1f5a-45e4-8ef4-853a74823e86 --email developers@dhona.xyz --region us-east-1
$ aws workmail list-groups --organization-id m-fb75a642ab0f4745b33b54f729f6af01 --region us-east-1
Groups:
- Email: developers@dhona.xyz
  EnabledDate: '2023-03-23T20:40:45.076000+07:00'
  Id: bcefb7d0-1f5a-45e4-8ef4-853a74823e86
  Name: developers
  State: ENABLED

9. Associate User To The Group

Now, we will add some users to the Developers group and use developers@dhona.xyz as the email address (it must not already be used by another group or user).

$ aws workmail associate-member-to-group --organization-id m-fb75a642ab0f4745b33b54f729f6af01 --group-id bcefb7d0-1f5a-45e4-8ef4-853a74823e86 --member-id 3815a14e-e0d1-4d31-b998-bb290589191c --region us-east-1
$ aws workmail associate-member-to-group --organization-id m-fb75a642ab0f4745b33b54f729f6af01 --group-id bcefb7d0-1f5a-45e4-8ef4-853a74823e86 --member-id 510f7b96-800d-47e2-a869-c3c47af4e9ea --region us-east-1
$ aws workmail list-group-members --organization-id m-fb75a642ab0f4745b33b54f729f6af01 --group-id bcefb7d0-1f5a-45e4-8ef4-853a74823e86 --region us-east-1
Members:
- EnabledDate: '2023-03-23T18:37:51.155000+07:00'
  Id: 3815a14e-e0d1-4d31-b998-bb290589191c
  Name: admin
  State: ENABLED
  Type: USER
- EnabledDate: '2023-03-23T19:00:40.432000+07:00'
  Id: 510f7b96-800d-47e2-a869-c3c47af4e9ea
  Name: dhona
  State: ENABLED
  Type: USER

I'll log in as one of the members.

Workmail Send Email To Group

Workmail Receive Email From Group

10. Setup Email On Mobile Email Client App

The webmail client provided by Workmail is not the only email client we can use. As with other email services, we can set up our email on mobile too by using the Microsoft Exchange option. Here is how it goes:

Workmail Mobile Setup

Workmail on Mobile

Access to the email also brings other features such as Calendar into our mobile app and we can use it as well as the email itself. Here's an example of how I create a reminder on the Calendar from the webmail client and mobile. Both will be synchronized automatically.

  • Create Reminder from Webmail Client

Workmail Calendar

Workmail Calendar 2

  • Create Reminder from Mobile

Workmail Calendar 3

Workmail Calendar 4

What's next?

We've reached the end of this post, but it's not the end of this series. So please keep this setup in place because we will use it again in the next post.
