Send your first transactional email with BYOC mode


There is a particular kind of developer frustration that comes from needing to send a single password reset email and ending up three hours deep into AWS documentation. Transactional email should be simple. This post gets you from zero to a working send using SendFleet's BYOC (Bring Your Own Credentials) mode - your own AWS SES account, your domain, your sending reputation.

What is BYOC and why does it matter?

Most email APIs route your mail through their own infrastructure. That means your sending reputation lives in a shared pool with thousands of other senders. One bad actor spamming on the same IP range and your deliverability suffers for it. BYOC flips this: SendFleet acts purely as a routing layer, temporarily assuming a role in your AWS account to dispatch email directly through your SES. The email content never touches SendFleet's database. Your reputation is yours alone.

There are three things you need before you start:

  • An AWS account with SES approved for production access (out of sandbox mode)
  • A domain you control so you can add DNS records
  • Permission to create IAM roles in your AWS account

Step 1: Create a SendFleet account

Register at sendfleet.net/register. Email verification is required before you can send anything. The Starter plan is free with 50 BYOC emails per month and no credit card required. If you need more volume you can upgrade to the paid BYOC plan at $9/month with no SendFleet-imposed cap.

Step 2: Create an IAM role in AWS

This is the step most people overthink. Open your AWS console, navigate to IAM, then Roles, then Create role. Choose "Custom trust policy" when prompted.

Do not write the trust policy yourself. Go to your SendFleet account settings under the BYOC section and copy the trust policy shown there. It already contains your unique ExternalId — a 48-character random value that prevents anyone else from assuming your role through SendFleet's infrastructure. This protects against what is known as the confused deputy problem (more on that in next week's post).

The trust policy will look roughly like this:

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": { "AWS": "arn:aws:iam::SENDFLEET_ACCOUNT:root" },
    "Action": "sts:AssumeRole",
    "Condition": {
      "StringEquals": {
        "sts:ExternalId": "YOUR_UNIQUE_EXTERNAL_ID_HERE"
      }
    }
  }]
}

After setting the trust policy, attach the required SES permissions listed in your SendFleet settings. These cover sending email and verifying domain identities. The role name must be exactly SendFleet-BYOC-Role; it is case-sensitive.
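Before saving the role, you can check that the pasted trust policy really pins every AssumeRole grant to your ExternalId. The script below is an added example, not SendFleet's code; the function name is hypothetical and the sample policy reuses the placeholders from the policy shown above.

```python
import json

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit_trust_policy(policy_text, expected_external_id):
    """Return findings for a role trust policy; an empty list means it passed."""
    findings = []
    statements = _as_list(json.loads(policy_text).get("Statement", []))
    for n, stmt in enumerate(statements):
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if stmt.get("Effect") != "Allow" or not ({"sts:assumerole", "sts:*", "*"} & actions):
            continue  # only statements that grant AssumeRole matter here
        principal = stmt.get("Principal", {})
        aws = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        if "*" in aws:
            findings.append(f"statement {n}: wildcard principal")
        # IAM condition keys are case-insensitive, so normalise them before lookup.
        string_equals = {
            key.lower(): _as_list(value)
            for key, value in stmt.get("Condition", {}).get("StringEquals", {}).items()
        }
        ids = string_equals.get("sts:externalid")
        if ids is None:
            findings.append(f"statement {n}: AssumeRole allowed without sts:ExternalId")
        elif ids != [expected_external_id]:
            findings.append(f"statement {n}: sts:ExternalId does not match the expected value")
    return findings

# Constructed sample: the policy from this post, placeholders left in place.
PINNED = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::SENDFLEET_ACCOUNT:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "YOUR_UNIQUE_EXTERNAL_ID_HERE"}},
    }],
})

# Constructed counter-example: same policy with the Condition block removed.
_unpinned = json.loads(PINNED)
del _unpinned["Statement"][0]["Condition"]
UNPINNED = json.dumps(_unpinned)

if __name__ == "__main__":
    print(audit_trust_policy(PINNED, "YOUR_UNIQUE_EXTERNAL_ID_HERE"))
    print(audit_trust_policy(UNPINNED, "YOUR_UNIQUE_EXTERNAL_ID_HERE"))
```

An empty list for the first policy and a finding for the second is the expected result; a role whose policy produces any finding should not be connected.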

Step 3: Connect the role to SendFleet

In your SendFleet dashboard, go to Settings. Paste your IAM Role ARN — it looks like this:

arn:aws:iam::123456789012:role/SendFleet-BYOC-Role

Select the AWS region where your SES account operates. Click Validate and save. SendFleet will attempt to assume the role and verify that your SES account is out of sandbox mode. If the validation fails, double-check that the trust policy ExternalId matches exactly what SendFleet shows in settings.

Step 4: Add and verify a sending domain

Go to Dashboard, then Domains, then Add BYOC domain. Enter your root domain - for example acme.com, not mail.acme.com.

SendFleet uses your assumed IAM role to register the domain identity in your SES account and return the DNS records you need to add. You will see five record types in the dashboard:

  • Domain ownership TXT record (required)
  • Three DKIM CNAME records (all three required)
  • SPF TXT record (recommended, not required to send)
  • MAIL FROM subdomain MX and SPF records (recommended)
  • DMARC TXT record (recommended)

Add the TXT ownership record to your DNS. Once it propagates — usually five to fifteen minutes but sometimes up to an hour — click Verify ownership in the dashboard. Then add all three DKIM CNAMEs and click Verify DKIM. DKIM verification is the gate: you cannot send until it passes.

Step 5: Generate an API key

Go to Dashboard, then API Keys, then New key. Name it something clear like "Production" or "Development". The full secret key is shown exactly once. Copy it immediately and store it in your environment variables or a secrets manager. If you lose it there is no recovery: revoke the lost key and generate a new one.

Step 6: Send your first email

With your domain verified and API key in hand, you can send your first email with a single curl call:

curl -X POST https://sendfleet.net/api/send/ \
  -H "X-API-Key: YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "to": "RECIPIENT_EMAIL_ADDRESS",
    "from_email": "SENDER_ADDRESS_ON_YOUR_VERIFIED_DOMAIN",
    "from_name": "Acme",
    "subject": "Welcome aboard",
    "message": "Thanks for signing up!"
  }'

A 200 OK response means your email has been accepted and queued. Delivery is asynchronous - SendFleet validates the request, places it in the SQS queue, and a background worker dispatches it to your SES account. The response includes a message_id you can use for tracking and a mode field confirming byoc.

{
  "success": true,
  "message": "Email queued for delivery via your SES account.",
  "message_id": "1a2b3c4d-5e6f-7890-abcd-ef1234567890",
  "mode": "byoc"
}
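The same call from application code, as an added example rather than SendFleet's own client: the key is read from the environment as Step 5 advises, and the reply is checked for success and for mode byoc before the message_id is trusted. The SENDFLEET_API_KEY variable name and the function names are assumptions; the endpoint, header and response fields are the ones shown above.

```python
import json
import os
import urllib.request

SEND_URL = "https://sendfleet.net/api/send/"  # endpoint from the curl call above

def build_send_request(payload, environ=os.environ):
    """Build the POST request, taking the key from the environment, not the source."""
    api_key = environ.get("SENDFLEET_API_KEY", "")  # variable name is an assumption
    if not api_key:
        raise RuntimeError("SENDFLEET_API_KEY is not set; refusing to send")
    return urllib.request.Request(
        SEND_URL,
        data=json.dumps(payload).encode("utf-8"),
        headers={"X-API-Key": api_key, "Content-Type": "application/json"},
        method="POST",
    )

def check_send_response(body):
    """Return the message_id if the send was queued through BYOC, else raise."""
    reply = json.loads(body)
    if reply.get("success") is not True:
        raise RuntimeError(f"send rejected: {reply.get('message')}")
    if reply.get("mode") != "byoc":
        # Mail that did not go through your own SES account is not what you configured.
        raise RuntimeError(f"unexpected mode: {reply.get('mode')!r}")
    return reply["message_id"]

def send(payload):
    """Perform the network call and return the message_id for tracking."""
    with urllib.request.urlopen(build_send_request(payload), timeout=10) as resp:
        return check_send_response(resp.read())

# Response body copied from this post, used to exercise the check offline.
SAMPLE_RESPONSE = json.dumps({
    "success": True,
    "message": "Email queued for delivery via your SES account.",
    "message_id": "1a2b3c4d-5e6f-7890-abcd-ef1234567890",
    "mode": "byoc",
})

if __name__ == "__main__":
    print(check_send_response(SAMPLE_RESPONSE))
```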

What comes next?

If you see warnings in the response about missing SPF or DMARC records, those are non-blocking but worth addressing. They improve deliverability and help mailbox providers trust your domain over time. We will cover the full DNS setup — SPF, DKIM, DMARC, and MAIL FROM — in detail in the June 11 post.
