Amazon SES authentication credentials invalid

Amazon SES returns 535 when SMTP credentials are wrong or from a different Region. Generate SES SMTP credentials in the console for the exact Region.

Updated Jul 1, 2026

The short answer

Amazon SES returns "535 Authentication Credentials Invalid" when the username and password your client presents over the SES SMTP interface aren't valid SES SMTP credentials. The usual cause is using raw AWS/IAM access keys instead of generated SES SMTP credentials, or using credentials from a different AWS Region. Fix it by generating SMTP credentials in the SES console for the exact Region you're connecting to.

Amazon SES rejects your SMTP login with 535 Authentication Credentials Invalid when the username and password your mail client presents are not valid SES SMTP credentials for the Region you're connecting to. Per the AWS SMTP response-code table, this code specifically means the application "didn't provide the correct SMTP credentials to Amazon SES" — and AWS explicitly notes that your SMTP credentials aren't the same as your AWS credentials.

What causes "535 Authentication Credentials Invalid" in Amazon SES?

Four causes account for almost every occurrence:

  1. Using raw AWS/IAM keys instead of SES SMTP credentials. The SES SMTP interface does not accept your AWS access key ID and secret access key directly. The SMTP password is derived from a secret access key via an HMAC-SHA256 signing algorithm — it is not the secret key itself.
  2. Wrong Region. SES SMTP credentials are unique to each AWS Region. Credentials generated in us-east-1 will fail against email-smtp.eu-west-1.amazonaws.com. (Credentials created before January 10, 2019 worked across all Regions; anything newer is Region-scoped — see the AWS re:Post troubleshooting article.)
  3. Typos or stray whitespace in the username or password — a trailing space or truncated paste is enough to fail.
  4. Encoding/secret mishandling. The SMTP username and password must be Base64-encoded during the AUTH LOGIN exchange (most clients do this automatically). Note SES SMTP credentials also cannot be derived from temporary security credentials (STS/role session tokens).

Distinguish 535 from its look-alikes

SES returns several similar codes — match yours exactly, because the fix differs:

  • 535 Authentication Credentials Invalid — credentials are wrong (this page).
  • 530 Authentication required — your client connected but never attempted SMTP AUTH. Enable authentication in your client.
  • 454 Temporary authentication failure — a transient SES-side validation issue; retry with backoff.
  • 535 Account not subscribed to SES — the AWS account owning the credentials isn't signed up for SES.
  • 554 Access denied: User ... is not authorized to perform ses:SendRawEmail — credentials authenticated fine, but the IAM/sending-authorization policy lacks send permission.

How do I fix "535 Authentication Credentials Invalid"?

1. Generate fresh SES SMTP credentials in the correct Region. In the SES console, confirm the Region selector matches your SMTP endpoint host (e.g. email-smtp.us-west-2.amazonaws.comus-west-2). Choose SMTP settings → Create SMTP Credentials, create the IAM user, then Show the SMTP password and Download .csv — you cannot view it again after closing the dialog. (Source: Obtaining Amazon SES SMTP credentials.)

2. Use the SMTP username/password verbatim. The SMTP username (e.g. AKIAIOSFODNN7EXAMPLE) and the generated SMTP password are what go into your SMTP config — not your IAM secret access key. Paste both with no surrounding spaces.

3. If you must derive a password from an existing IAM key, use the official AWS algorithm rather than passing the secret directly. The SMTP username is the access key ID; the password is computed as:

import hmac, hashlib, base64
def calculate_key(secret_access_key, region):
DATE, SERVICE, MESSAGE, TERMINAL, VERSION = "11111111", "ses", "SendRawEmail", "aws4_request", 0x04
def sign(key, msg): return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()
sig = sign(("AWS4" + secret_access_key).encode("utf-8"), DATE)
for part in (region, SERVICE, TERMINAL, MESSAGE):
sig = sign(sig, part)
return base64.b64encode(bytes([VERSION]) + sig).decode("utf-8")

The region you pass must be the same Region you connect to. Don't use temporary credentials — SES rejects SMTP passwords derived from them.

4. Verify connectivity and ports. Connect to your Region's endpoint on port 587 (STARTTLS) or 465 (TLS Wrapper); ports 25 or 2587 also support STARTTLS and 2465 also supports TLS Wrapper, which AWS recommends trying if your network blocks the standard ports. Authentication must occur over TLS.

5. Re-test. You can also re-confirm credentials under SES console → SMTP settings. If you rotated keys, delete the old IAM SMTP user and create a new one rather than editing in place.

With Courier

Courier's Amazon SES provider integration does not use the SMTP interface at all — it authenticates against the AWS SES API directly, using either an AWS Access Key ID / Secret Access Key pair or an IAM Role ARN (cross-account trust) in the SES provider configuration. Because of that, a bare 535 Authentication Credentials Invalid — which is specific to SES's SMTP endpoint — isn't an error Courier's SES provider will surface. If you're seeing an authentication failure from Courier's SES integration, it will show up as an AWS API/IAM authorization error instead: double-check that the Access Key ID/Secret Access Key or Role ARN entered in the Courier SES provider is current, unrevoked, and scoped to the Region you're sending from.

References

Authoritative sources

DOCS

Amazon SES SMTP issues — SMTP response codes (AWS docs)

DOCS

Obtaining Amazon SES SMTP credentials (AWS docs)

DOCS

Troubleshoot Authentication credentials invalid error in SES (AWS re:Post)

DOCS

Connecting to an Amazon SES SMTP endpoint (AWS docs)

FAQ

Common questions

Because the SES SMTP interface doesn't accept raw AWS access keys. The SMTP password is derived from your secret access key via an HMAC-SHA256 algorithm and is Region-specific. Generate dedicated SES SMTP credentials in the SES console (SMTP settings → Create SMTP Credentials) for the exact Region your endpoint uses, or convert the secret key using AWS's documented algorithm.

No. SES SMTP credentials are unique to each AWS Region. If you send from more than one Region you must generate a separate set for each. Only credentials created before January 10, 2019 work across all Regions; anything newer will return 535 if used against a different Region's endpoint.

535 Authentication Credentials Invalid means your client attempted SMTP AUTH but the username/password were wrong. 530 Authentication required means your client never attempted to authenticate at all — you need to enable SMTP authentication in your mail client or library.

Keep going

Related Amazon SES errors

530

Amazon SES 530 authentication required

554

Amazon SES 554 Message: Rejected Email Address is not Verified

is not authorized to perform ses sendemail

535

SMTP Error 535

SMTP server authentication error

View all errors →

One API, every provider

Stop debugging raw provider errors

Courier connects to your email, SMS, and push providers, handles retries and failover, and surfaces delivery errors in plain language.

Start building freeRead the docs

Reply-code definitions per RFC 4954 (SMTP AUTH). Last reviewed Jul 1, 2026. Courier is not affiliated with third-party providers; error behavior may vary by implementation.

Multichannel Notifications Platform for SaaS

Products

Platform

Integrations

Customers

Blog

API Status

Subprocessors

© 2026 Courier. All rights reserved.