Connected a custom email domain to a third-party ticketing system so inbound emails automatically create support tickets — with full authentication, encryption, and monitoring built in from day one.
Client: Enterprise Client
The challenge
The client needed inbound emails sent to their custom domain to automatically appear as tickets in their support platform (Zendesk). The catch: the email domain was managed separately from the ticketing system, and there was no native integration between the two.
Emails needed to be received securely, authenticated (to prevent spoofing), stored for compliance, and forwarded reliably to the ticketing platform with the correct headers so that replies would route back to the original sender. They also needed no-reply addresses to bounce cleanly rather than creating junk tickets.
On top of that, the system needed to be fully monitored. If an email failed to forward, someone needed to know immediately — not discover it days later when a customer complained about a missing response.
Architecture diagram: email flow from SES receipt to Zendesk delivery
What we built
We built a serverless email forwarding system that receives emails on the client's custom domain, stores them securely, and forwards them to Zendesk with the correct routing headers — all fully automated.
The system starts at the domain level. We configured full email authentication: DKIM signing (so recipients can verify emails genuinely came from this domain), SPF records (so mail servers know which systems are authorised to send on behalf of the domain), and DMARC policies (so spoofed emails are rejected). This means emails forwarded to Zendesk pass all authentication checks and don't end up in spam.
When an email arrives, the system first checks if it's addressed to a no-reply address. If so, it bounces immediately with a clean SMTP rejection — no Lambda function is invoked, no ticket is created, no resources are wasted.
For legitimate emails, the raw message is stored in encrypted cloud storage (for compliance and debugging), then processed through a two-stage pipeline. The first stage extracts metadata and queues the email for processing. The second stage retrieves the stored email, rewrites the headers for correct Zendesk routing (so the ticket shows the right sender and replies go to the right place), and forwards it via authenticated SMTP.
If forwarding fails due to a temporary issue (network blip, rate limiting), the system retries automatically with increasing delays. If it fails permanently (invalid recipient, rejected message), it logs the error and moves on without blocking other emails.
The entire system is monitored with 16 alarms covering Lambda errors, processing delays, queue depth, encryption issues, and unusual email volume. A composite "system health" alarm aggregates the most critical signals into a single indicator. When something goes wrong, the team gets a formatted notification explaining what happened and what to check.
CloudWatch dashboard: email forwarding system health overview
SES domain configuration: DKIM, SPF, and DMARC authentication
Technical detail
This section is for readers with a technical background who want to understand the architecture and implementation choices.
Built entirely with AWS CDK (TypeScript), deploying 9 stacks covering application logic, security, monitoring, networking, audit logging, and storage.
Email Receiving: Amazon SES receives inbound email with TLS required and spam scanning enabled. A Receipt Rule Set contains two ordered rules: (1) a no-reply bounce rule that returns SMTP 550 for no-reply/noreply addresses, and (2) a receipt rule that stores the raw email in S3 and invokes the receiver Lambda asynchronously.
Domain Authentication: Full DKIM (RSA 2048-bit), SPF (include:amazonses.com), and DMARC (quarantine policy, strict alignment) configuration. MAIL FROM domain configured for SPF pass on forwarded messages.
Processing Pipeline:
- Email Receiver Lambda — Triggered by SES. Extracts messageId, source, destination, subject, and timestamp from the SES event. Constructs an SQS message with the S3 location and forwarding configuration. Sends to SQS with retry logic (3 attempts, exponential backoff).
- Email Processor Lambda — Triggered by SQS event source mapping. Retrieves raw email from S3, parses it into a structured message object. Removes conflicting authentication headers (DKIM-Signature, ARC-*, Return-Path). Sets From to the original recipient address (for correct Zendesk mailbox routing). Sets Reply-To to the original sender (so Zendesk can identify the customer). Adds forwarding metadata headers (X-Forwarded-By, X-Forwarding-Timestamp). Sends via SES SendRawEmail API.
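The header rewrite performed by the processor Lambda, as an added illustration rather than the client's code. It assumes the Lambda is written in TypeScript like the CDK stacks, uses no mail library so it runs stand-alone, and works on a constructed sample message; `ForwardContext`, `splitMessage` and `rewriteForZendesk` are names chosen here.

```typescript
// Added example, not the client's code: rewrite the headers of a raw RFC 5322
// message as the processor Lambda described above does. No mail library is used
// so it runs stand-alone; production code would use a real MIME parser.

interface ForwardContext {
  originalRecipient: string; // address on the custom domain, becomes From
  originalSender: string;    // the customer, becomes Reply-To
  forwarderName: string;     // value for X-Forwarded-By
  now: Date;
}

// Headers dropped before forwarding: authentication headers that would conflict
// with the signature SES applies on send, Return-Path, and the From/Reply-To
// values that are replaced below.
const STRIP = /^(dkim-signature|arc-[a-z-]+|return-path|from|reply-to):/i;

// Split a raw message into unfolded header lines and body (CRLF or LF).
function splitMessage(raw: string): { headers: string[]; body: string } {
  const idx = raw.search(/\r?\n\r?\n/);
  const headerBlock = idx === -1 ? raw : raw.slice(0, idx);
  const body = idx === -1 ? "" : raw.slice(idx).replace(/^\r?\n\r?\n/, "");
  // Folded continuation lines (leading whitespace) are joined to their header.
  const headers = headerBlock.replace(/\r?\n[ \t]+/g, " ").split(/\r?\n/);
  return { headers, body };
}

function rewriteForZendesk(raw: string, ctx: ForwardContext): string {
  const { headers, body } = splitMessage(raw);
  const kept = headers.filter((h) => !STRIP.test(h));
  const added = [
    `From: ${ctx.originalRecipient}`,
    `Reply-To: ${ctx.originalSender}`,
    `X-Forwarded-By: ${ctx.forwarderName}`,
    `X-Forwarding-Timestamp: ${ctx.now.toISOString()}`,
  ];
  return [...added, ...kept].join("\r\n") + "\r\n\r\n" + body;
}

// Constructed sample inbound message (not a real capture).
const SAMPLE = [
  "Return-Path: <customer@example.net>",
  "DKIM-Signature: v=1; a=rsa-sha256; d=example.net;",
  " s=sel; h=from:to; b=AAAA",
  "ARC-Seal: i=1; a=rsa-sha256; cv=none",
  "From: Customer <customer@example.net>",
  "To: support@custom-domain.example",
  "Subject: Cannot log in",
  "",
  "Hello, I cannot log in.",
].join("\r\n");
```

Stripping the inbound DKIM-Signature matters because the rewritten From would otherwise fail signature verification at Zendesk; SES signs the message afresh under the custom domain when it is sent.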
Error Handling: Errors are categorised as transient (throttling, timeouts, connection issues — retried with exponential backoff up to 90s max delay) or permanent (invalid data, access denied — not retried, message deleted to prevent infinite loops). Failed messages move to a dead-letter queue after max receive count is exhausted.
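The transient/permanent split and the capped exponential backoff described above, as an added example that is not the client's code. The error names are an assumption modelled on AWS SDK conventions, unknown errors are treated as transient (an assumption), and the loop is written synchronously with an injectable `sleep` so it can run without a real SQS redelivery.

```typescript
// Added example, not the client's code: classify forwarding errors and apply
// exponential backoff capped at 90s, as described for the processor Lambda.
// Error names are assumed (AWS SDK style); the real set may differ.

type Outcome = { action: "retry"; delayMs: number } | { action: "drop"; reason: string };

const TRANSIENT = new Set(["Throttling", "ThrottlingException", "TooManyRequestsException",
  "TimeoutError", "ECONNRESET", "ServiceUnavailable", "RequestTimeout"]);
const PERMANENT = new Set(["AccessDenied", "AccessDeniedException", "MessageRejected",
  "InvalidParameterValue", "MalformedMessage"]);

const BASE_MS = 1000;
const MAX_DELAY_MS = 90000; // the page's 90s cap

// delay = min(base * 2^attempt, cap); attempt is zero-based.
function backoffDelay(attempt: number): number {
  return Math.min(BASE_MS * 2 ** attempt, MAX_DELAY_MS);
}

function classify(err: { name: string }, attempt: number): Outcome {
  if (PERMANENT.has(err.name)) return { action: "drop", reason: `permanent: ${err.name}` };
  if (TRANSIENT.has(err.name)) return { action: "retry", delayMs: backoffDelay(attempt) };
  // Assumption: unknown errors are retried so the DLQ, not silent loss, is the backstop.
  return { action: "retry", delayMs: backoffDelay(attempt) };
}

interface ForwardResult { ok: boolean; delays: number[]; reason?: string }

// Synchronous for the demonstration; the Lambda would await an async send.
// A permanent error drops the message at once; transient errors retry until
// maxAttempts (the SQS max receive count), after which it belongs in the DLQ.
function forwardWithRetry(send: () => void, maxAttempts: number,
  sleep: (ms: number) => void): ForwardResult {
  const delays: number[] = [];
  for (let attempt = 0; attempt < maxAttempts; attempt++) {
    try {
      send();
      return { ok: true, delays };
    } catch (e) {
      const out = classify(e as { name: string }, attempt);
      if (out.action === "drop") return { ok: false, delays, reason: out.reason };
      delays.push(out.delayMs);
      sleep(out.delayMs);
    }
  }
  return { ok: false, delays, reason: "max attempts exhausted; message goes to DLQ" };
}
```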
Network Isolation: Lambda functions run inside a VPC with no internet access. All AWS service communication flows through VPC endpoints (S3, SQS, KMS). Security groups restrict traffic to HTTPS (port 443) only.
Encryption: All data encrypted at rest with KMS customer-managed keys. Separate keys for S3 storage, SQS messages, and CloudWatch Logs. Keys rotate automatically.
Monitoring (16 alarms): Lambda errors, throttles, timeouts, and high invocation volume for both functions. SQS queue depth and message age. DLQ message detection. KMS errors, throttling, and high usage. A SystemHealthCompositeAlarm aggregates the critical signals. Custom metrics published per invocation: EmailsReceived, EmailsProcessed, EmailsForwarded, EmailsFailed, ProcessingTimeMs, S3RetrievalTimeMs, SESSendTimeMs, RetryCount.
Audit: CloudTrail captures all API calls. S3 access logging records all object-level operations on the email storage bucket.
The results
Monitoring alarms: composite health indicator and individual alerts
Interested in something similar?
Book a free 30-minute discovery call. We'll listen to what you need, tell you what's realistic, and give you a straight answer on whether we can help.