An EC2 box cannot send email on its own — AWS blocks outbound port 25 and the IP has no reputation, so messages vanish or land in spam. Everything transactional (the contact form, WordPress notifications) has to hand off to a real service. We use Amazon SES.
SES is the service; SMTP is the protocol
A common misconception is that SES replaces SMTP. It doesn’t — SES exposes an SMTP endpoint, and Trellis already ships msmtp as WordPress’s mail transport. So wp_mail() just relays to SES over SMTP, no plugin required.
DKIM alignment carries DMARC — no MX needed
We verified the domain with three DKIM CNAMEs. Because SES signs with d=rootstest.de, DKIM aligns with the From header and DMARC passes on DKIM alone. That means no custom MAIL FROM subdomain and, crucially, no MX record to collide with whatever the domain might use for real mail later.
The envelope-sender gotcha
Our first tests landed in spam. The header From was correct, but the envelope (Return-Path) was a gmail.com address relayed through SES — a textbook spoofing signal. Aligning the envelope to wordpress@rootstest.de fixed it, and the next message went straight to the inbox.
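As an added example (not code from the post), here is a small Python model of the receiver-side identifier-alignment checks the last two sections rely on: DMARC passing on an aligned DKIM signature alone, and the envelope mismatch caused by a gmail.com Return-Path. The domains are the post's; the SPF outcomes are assumptions, and the organizational-domain rule is simplified to the last two labels rather than the Public Suffix List.

```python
"""Minimal DMARC identifier-alignment evaluator (RFC 7489 semantics).

Inputs are what a receiver has after SPF and DKIM verification: the
RFC5322.From domain, the d= domain of a verified DKIM signature (if any),
and the envelope MAIL FROM (Return-Path) domain with its SPF result.
"""
from dataclasses import dataclass
from typing import Optional


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels.
    Assumption: real receivers consult the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str = "relaxed") -> bool:
    """Relaxed alignment matches organizational domains; strict requires equality."""
    if mode == "strict":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


@dataclass
class AuthResult:
    from_domain: str                  # domain in the header From
    dkim_domain: Optional[str]        # d= of a verified signature, or None
    mail_from_domain: str             # envelope sender (Return-Path) domain
    spf_pass: bool                    # SPF result for mail_from_domain


def dmarc_verdict(r: AuthResult, mode: str = "relaxed") -> dict:
    dkim_aligned = r.dkim_domain is not None and aligned(r.from_domain, r.dkim_domain, mode)
    spf_aligned = r.spf_pass and aligned(r.from_domain, r.mail_from_domain, mode)
    return {
        "dkim_aligned": dkim_aligned,
        "spf_aligned": spf_aligned,
        # DMARC needs only one aligned, passing identifier.
        "dmarc_pass": dkim_aligned or spf_aligned,
        # Header/envelope divergence is the spoofing signal filters score on,
        # even when DMARC itself passes.
        "envelope_mismatch": not aligned(r.from_domain, r.mail_from_domain, mode),
    }


# Constructed scenarios mirroring the post's first test and the fix.
# SPF outcomes are assumed: SES is not in gmail.com's SPF; after the fix the
# sending domain is assumed to authorize SES.
FIRST_TEST = AuthResult("rootstest.de", "rootstest.de", "gmail.com", spf_pass=False)
FIXED = AuthResult("rootstest.de", "rootstest.de", "rootstest.de", spf_pass=True)
UNSIGNED = AuthResult("rootstest.de", None, "gmail.com", spf_pass=False)

if __name__ == "__main__":
    for name, r in [("first test", FIRST_TEST), ("fixed", FIXED), ("unsigned", UNSIGNED)]:
        print(f"{name:10s} {dmarc_verdict(r)}")
```

The first scenario passes DMARC through DKIM alone yet still carries a mismatched envelope, which is exactly the combination that reached the spam folder; only the third scenario, with no aligned signature, fails DMARC outright.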
Clean auth, no MX
DKIM and DMARC aligned, envelope and header both on the sending domain, and zero new MX records.