Bring Your Own Keys (BYOK)

Connect your own AWS account for full infrastructure control. One-click IAM role setup with AES-256 encrypted credential storage.

How it works

1. Choose BYOK mode

Select BYOK during onboarding or switch from Managed mode in settings. You'll connect your own AWS account.

2. Connect credentials

Use one-click IAM role assumption (recommended) or provide access keys. Credentials are encrypted with AES-256-GCM before storage.

3. Verify domains in your SES

Add your sending domains. Transmit creates the identities in your AWS SES account, so you own the reputation.

4. Send through your infrastructure

All emails route through your AWS account. You pay AWS directly for SES usage (~$0.10/1K emails) plus Transmit's platform fee.

Capabilities

IAM Role Assumption

No long-lived credentials needed. Transmit assumes a role in your account using STS. Revoke access instantly by deleting the role.

AES-256-GCM Encryption

If you use access keys, they're encrypted with AES-256-GCM before storage. Keys are decrypted only when needed for sending.

AWS-Direct Pricing

Pay AWS directly for SES (~$0.10/1K emails). No markup on sending costs. Transmit charges only for platform features.

Full Visibility

Access your own CloudWatch metrics, SES console, and AWS billing. Debug deliverability issues with full AWS tooling.

IAM Role Trust Policy

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "xmit_org_abc123"
        }
      }
    }
  ]
}
```

Transmit assumes this role to send on your behalf. The ExternalId prevents confused deputy attacks. Revoke access anytime by deleting the role.
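Before creating the role, you can check that a trust policy really pins both the principal account and the ExternalId. The following is an added example, not Transmit's code: `audit_trust_policy` and `weakened_copies` are hypothetical helper names, and the account ID and ExternalId are the sample values from the policy above.

```python
import copy
import json

# The trust policy shown above, embedded so the check runs offline.
PAGE_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{
   "Effect": "Allow",
   "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
   "Action": "sts:AssumeRole",
   "Condition": {"StringEquals": {"sts:ExternalId": "xmit_org_abc123"}}}]}
""")

def _as_list(value):
    """IAM accepts a single value or a list in most fields; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def audit_trust_policy(policy, expected_account, expected_external_id):
    """Return findings for statements that allow sts:AssumeRole too broadly."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        if stmt.get("Effect") != "Allow" or not {"sts:assumerole", "sts:*", "*"} & set(actions):
            continue
        principal = stmt.get("Principal")
        arns = _as_list(principal.get("AWS")) if isinstance(principal, dict) else [principal]
        for arn in arns:
            # Accept the bare account ID or any ARN inside the expected account.
            if arn != expected_account and not str(arn).startswith(f"arn:aws:iam::{expected_account}:"):
                findings.append(f"statement {i}: unexpected principal {arn!r}")
        if not arns:
            findings.append(f"statement {i}: no AWS principal named")
        # Condition key names are case-insensitive; require an exact StringEquals pin.
        equals = {k.lower(): v for k, v in stmt.get("Condition", {}).get("StringEquals", {}).items()}
        if _as_list(equals.get("sts:externalid")) != [expected_external_id]:
            findings.append(f"statement {i}: sts:ExternalId not pinned to the expected value")
    return findings

def weakened_copies(policy):
    """Constructed variants: one drops the condition, one opens the principal."""
    no_condition, any_principal = copy.deepcopy(policy), copy.deepcopy(policy)
    del no_condition["Statement"][0]["Condition"]
    any_principal["Statement"][0]["Principal"] = {"AWS": "*"}
    return no_condition, any_principal

if __name__ == "__main__":
    for p in (PAGE_POLICY, *weakened_copies(PAGE_POLICY)):
        print(audit_trust_policy(p, "123456789012", "xmit_org_abc123") or "ok")
```

The check is deliberately strict: any operator other than an exact `StringEquals` match on the ExternalId is reported, so review such findings by hand.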

Frequently Asked Questions

What is BYOK mode?
BYOK (Bring Your Own Keys) lets you connect your own AWS account to Transmit. You get full infrastructure control (your SES account, your reputation, your CloudWatch metrics) while Transmit provides the dashboard, API, and features like warmup and analytics.
Should I use IAM roles or access keys?
IAM roles are recommended. They use temporary credentials via STS (refreshed every 50 minutes), require no stored secrets, and can be revoked instantly. Access keys work but are long-lived credentials that require secure storage.
How are my credentials protected?
Access keys are encrypted with AES-256-GCM using a key derived from your organization ID. The encryption happens before database storage. IAM roles don't store credentials at all; they use STS for temporary tokens.
What AWS permissions does Transmit need?
SES permissions for sending email and managing identities, SNS for delivery notifications, S3 for inbound email storage, and CloudWatch for metrics. We provide a minimal IAM policy that grants only what's needed.
Can I switch between Managed and BYOK mode?
Yes, but it requires re-verifying your domains in the new mode. Managed mode uses Transmit's SES infrastructure; BYOK uses yours. Switching modes changes where your domain identities live.
Get started in minutes

Start sending with Transmit

Set up in minutes. Volume-based pricing starts at $2/month.