AWS SES Email Configuration for Authentik

In this short tutorial, we’ll configure an Authentik instance to use AWS SES for email delivery. This will enable Authentik to send emails for notifications, flows, and other system events.

0. Prerequisites

1. Create an Identity in SES

  1. Go to the AWS SES Console.
  2. Navigate to Configuration > Identities.
  3. Click “Create identity” and choose one of the following:
    • Domain: to send emails from any address under your domain (recommended).
    • Email address: to verify and use a single email address (e.g., no-reply@yourdomain.com).
  4. For this tutorial, we’ll select Email address and verify it to confirm ownership.

2. Create SMTP Credentials

  1. In the AWS SES Console, navigate to SMTP Settings.
  2. Click “Create SMTP credentials”.
  3. You’ll be redirected to the IAM service to create a new user with SMTP permissions. This user will be used to send emails via SES.
  4. After creating the user:
    • Download or copy the IAM username, SMTP username, and SMTP password.
    • ⚠️ Note: These are not the same as your AWS access keys.

Tip: You can create multiple SMTP credential sets—each tied to a different IAM user—and reuse them across different applications as needed.

3. Configure Environment Variables in Authentik

Update your .env file with the following AWS SES SMTP settings:

# SMTP Config for AWS SES
AUTHENTIK_EMAIL__HOST=email-smtp.ca-central-1.amazonaws.com
AUTHENTIK_EMAIL__PORT=587
AUTHENTIK_EMAIL__USERNAME=YOUR_SES_SMTP_USERNAME
AUTHENTIK_EMAIL__PASSWORD=YOUR_SES_SMTP_PASSWORD
AUTHENTIK_EMAIL__USE_TLS=true
AUTHENTIK_EMAIL__USE_SSL=false
AUTHENTIK_EMAIL__FROM=no-reply@yourdomain.com

Note: The value for AUTHENTIK_EMAIL__FROM must match the email address you verified in Step 1.
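
Before restarting, the settings above can be linted for the mistakes that matter most here: a TLS mode that does not fit the port, template placeholders left in place, and an .env file that other local users can read. This is an added example, not part of Authentik, AWS tooling, or the original tutorial. The helper name check_ses_env is hypothetical, and the port pairing assumes SES's STARTTLS on 587 and implicit TLS on 465.

```shell
#!/bin/sh
# Added example: lint the SES SMTP block of an Authentik .env file.
# check_ses_env is a hypothetical helper, not part of Authentik or AWS tooling.
check_ses_env() {
    file=$1
    problems=0
    # Last assignment wins; values are assumed unquoted, as in the page's sample.
    get() { sed -n "s/^AUTHENTIK_EMAIL__$1=//p" "$file" | tail -n 1; }
    fail() { echo "FAIL: $1"; problems=$((problems + 1)); }

    host=$(get HOST); port=$(get PORT); from=$(get FROM)
    user=$(get USERNAME); pass=$(get PASSWORD)
    tls=$(get USE_TLS | tr 'A-Z' 'a-z'); ssl=$(get USE_SSL | tr 'A-Z' 'a-z')

    # Endpoint form used on this page: email-smtp.<region>.amazonaws.com
    case $host in
        email-smtp.*.amazonaws.com) ;;
        *) fail "HOST '$host' is not of the form email-smtp.<region>.amazonaws.com" ;;
    esac

    # Exactly one TLS mode should be on: with neither, the SMTP password
    # crosses the network in cleartext; with both, the settings contradict.
    case "$tls/$ssl" in
        true/false) [ "$port" != 465 ] || fail "port 465 is implicit TLS: set USE_SSL, not USE_TLS" ;;
        false/true) [ "$port" != 587 ] || fail "port 587 is STARTTLS: set USE_TLS, not USE_SSL" ;;
        true/true)  fail "USE_TLS and USE_SSL are both true" ;;
        *)          fail "neither USE_TLS nor USE_SSL is true" ;;
    esac

    # Catch the template values being deployed unchanged.
    case $user in ''|YOUR_*) fail "USERNAME is empty or still a placeholder" ;; esac
    case $pass in ''|YOUR_*) fail "PASSWORD is empty or still a placeholder" ;; esac
    case $from in *@*.*) ;; *) fail "FROM '$from' is not an email address" ;; esac

    # The file holds the SMTP password: no read access for group or others.
    if [ -n "$(find "$file" -prune \( -perm -040 -o -perm -004 \))" ]; then
        fail "$file is readable by group or others; chmod 600 it"
    fi
    return "$problems"
}

# Run against a file when one is given: sh check.sh .env
if [ "$#" -gt 0 ]; then check_ses_env "$1"; fi
```

The function's exit status is the number of failed checks, so 0 means the file passed.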

4. Apply Config Changes

Restart the Authentik services to apply the updated environment variables:

docker compose down
docker compose up -d

This will restart both the server and worker containers with the new configuration.

5. Test the Email Configuration

To verify that the email settings are working, run the following command inside the worker container:

ak test_email no-reply@yourdomain.com