AWS SES Dedicated IP Allowlist for Email Deliverability
Overview
To meet FRM compliance requirements, Okta will be gradually migrating the primary email provider for the default Okta domain (noreply@okta.com) from SendGrid to FedRAMP-authorized AWS SES for FRM cells. During this time, customers will see a gradual increase in the proportion of their outgoing emails routed via AWS SES.
Email delivery issues can occur when customer email security infrastructure or allowlists are not configured with the correct outbound sending IP addresses.
Our service uses AWS SES dedicated sending IP addresses for emails. Some email security platforms, including Mimecast, may temporarily defer or throttle emails from cloud email providers due to reputation-based filtering, greylisting, or connection throttling policies.
Adding Okta’s SES dedicated sending IP addresses and associated sending domains to your organization’s allowlist can help improve email deliverability and reduce delayed email delivery.
Applies To
- Okta Identity Engine (OIE)
- Okta Classic Engine
- Administration
- Security
- IP Address
- Firewall
- Email Notification
- Allowlist
Solution
Allowlist SES Dedicated Sending IP Addresses:
Add the following dedicated SES outbound IP addresses to the infrastructure allowlist to ensure successful delivery of Okta emails:
- 24.110.95.110
- 24.110.95.109
- 24.110.95.108
Review Mimecast Policies (If Applicable)
For organizations using Mimecast, review the following configurations:
- Permit sender policies
- Trusted sender configuration
- Greylisting policies
- Connection throttling policies
Additional Information
AWS documents that recipient email systems may temporarily defer messages through greylisting or throttling mechanisms. In these situations, Amazon SES automatically retries message delivery.
Allowlisting trusted SES dedicated IP addresses can help reduce these delays and improve overall email delivery reliability.
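The following is an added example, not Okta's or AWS's code. It checks whether an exported allowlist covers the three dedicated IP addresses listed under Solution, and counts temporary (4xx) SMTP replies given to those addresses in mail gateway logs. The allowlist entries, the log lines and the log line format are constructed assumptions; adjust the regular expression to your gateway's actual log format.

```python
import ipaddress
import re

# Dedicated SES sending IPs listed in this article.
OKTA_SES_IPS = ["24.110.95.110", "24.110.95.109", "24.110.95.108"]

def missing_from_allowlist(allowlist_entries):
    """Return the article's IPs not covered by any entry (single IP or CIDR)."""
    networks = [ipaddress.ip_network(entry.strip(), strict=False)
                for entry in allowlist_entries if entry.strip()]
    return [ip for ip in OKTA_SES_IPS
            if not any(ipaddress.ip_address(ip) in net for net in networks)]

# Assumed log shape: client IP in square brackets, then the SMTP reply code.
LOG_RE = re.compile(r"\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]: (?P<code>[245]\d\d) ")

def temporary_deferrals(log_lines):
    """Count 4xx (temporary failure) replies sent to each of the article's IPs."""
    counts = {ip: 0 for ip in OKTA_SES_IPS}
    for line in log_lines:
        match = LOG_RE.search(line)
        if match and match.group("ip") in counts and match.group("code").startswith("4"):
            counts[match.group("ip")] += 1
    return counts

# Constructed sample data: not a real allowlist export and not real logs.
SAMPLE_ALLOWLIST = ["24.110.95.110/32", "24.110.95.108", "192.0.2.0/24"]
SAMPLE_LOG = [
    "May 01 10:00:01 mx1 smtpd[101]: reject: RCPT from host[24.110.95.110]: 451 4.7.1 Greylisted, try again later",
    "May 01 10:00:09 mx1 smtpd[102]: reject: RCPT from host[24.110.95.110]: 421 4.7.0 Too many connections",
    "May 01 10:01:30 mx1 smtpd[103]: reject: RCPT from host[24.110.95.109]: 450 4.2.0 Greylisted",
    "May 01 10:02:00 mx1 smtpd[104]: accept: RCPT from host[24.110.95.108]: 250 2.0.0 Ok",
    "May 01 10:02:05 mx1 smtpd[105]: reject: RCPT from host[198.51.100.7]: 451 4.7.1 Greylisted",
]

if __name__ == "__main__":
    print("Not covered by allowlist:", missing_from_allowlist(SAMPLE_ALLOWLIST))
    for ip, count in temporary_deferrals(SAMPLE_LOG).items():
        print(f"{ip}: {count} temporary deferral(s)")
```

An address that appears in the first result, or that keeps a non-zero deferral count after the allowlist change, points to an entry or policy that still needs review.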
