The $1,000 Bill That Woke Us Up

If you're building a SaaS, you eventually hit the "Email Validation Wall".

We were sending 100k+ emails a month for our outreach campaigns. We used a popular validation API (let's call it "NeverBounce-ish"). It worked great, until we looked at the bill.

$800 a month. Just to check if emails existed.

For a bootstrapped startup, that's a burn rate we couldn't justify. We looked at competitors:

  • ZeroBounce: $10/1k
  • Hunter: $5/1k
  • MillionVerifier: $2.50/1k

Even the "cheap" options would cost us $250/mo.

We realized something obvious: We were paying a middleman tax.

These services don't have magic powers. They just ping the SMTP server (HELO/RCPT TO) and see what happens. But wait... we already use AWS SES for sending (via WRIO Comms API). And AWS SES knows exactly what happens to every email.

Why pay $800 for a simulation when we can get the real data for pennies?

 

The Infrastructure Approach

Instead of validating before sending (simulation), we decided to validate during sending (reality).

When you send an email via AWS SES, it emits events.

  • Delivery: The email hit the inbox. (Valid)
  • Bounce: The email was rejected. (Invalid)
  • Complaint: The user marked as spam. (Toxic)

By capturing these events, we built a self-cleaning list engine that costs $0.10 per 100,000 emails.

The Stack

  1. AWS SES: The sender.
  2. AWS SNS: The event bus.
  3. Cloudflare Workers (Hono): The webhook receiver.
  4. Cloudflare D1: The database.

 

Step 1: Configuring AWS SES & SNS

First, you need to tell SES to shout whenever something happens.

  1. Go to AWS SES -> Configuration Sets.
  2. Create a set named monitor-events.
  3. Add a destination: SNS Topic.
  4. Select event types: Bounce, Complaint, Delivery.

Now, every email sent with this configuration set will trigger an SNS notification.

 

Step 2: The Webhook Receiver (Hono + Cloudflare)

This is the tricky part. AWS SNS sends a POST request to your webhook. But you can't just trust any POST request. You must verify the AWS Signature.

Most tutorials use the AWS SDK, but that's too heavy for a Cloudflare Worker. We need to do it manually using the Web Crypto API.

Here is the full, production-ready code:

// src/routes/sns-webhook.ts
import { Hono } from "hono";
import { verify } from "./aws-crypto"; // We'll write this next

const app = new Hono();

app.post("/webhooks/sns", async (c) => {
  const body = await c.req.text();
  const payload = JSON.parse(body);

  // 1. Handle Subscription Confirmation
  if (payload.Type === "SubscriptionConfirmation") {
    // You must visit the SubscribeURL to confirm
    console.log("Confirm subscription here:", payload.SubscribeURL);
    return c.text("OK");
  }

  // 2. Verify Signature (Security is paramount!)
  const isValid = await verify(payload);
  if (!isValid) return c.text("Invalid Signature", 403);

  // 3. Process the Message
  const message = JSON.parse(payload.Message);

  if (message.notificationType === "Bounce") {
    const bouncedRecipients = message.bounce.bouncedRecipients;
    for (const recipient of bouncedRecipients) {
      await markAsInvalid(recipient.emailAddress, "bounce");
    }
  }

  if (message.notificationType === "Complaint") {
    const complainedRecipients = message.complaint.complainedRecipients;
    for (const recipient of complainedRecipients) {
      await markAsInvalid(recipient.emailAddress, "complaint");
    }
  }

  return c.text("Processed");
});

async function markAsInvalid(email: string, reason: string) {
  // Update your D1 database
  await c.env.DB.prepare(
    "UPDATE contacts SET status = ?, validation_reason = ? WHERE email = ?",
  )
    .bind("invalid", reason, email)
    .run();
}

 

Step 3: Verifying the Signature (The Hard Part)

AWS signs the message using a certificate. To verify it in a Worker environment (Edge), we need to fetch the cert and check the signature.

// src/aws-crypto.ts
export async function verify(payload: any): Promise<boolean> {
  // 1. Download the certificate
  const certRes = await fetch(payload.SigningCertURL);
  const certPem = await certRes.text();

  // 2. Construct the message to sign (Canonical String)
  // AWS requires fields in a specific order.
  const fields = [
    "Message",
    "MessageId",
    "Subject",
    "SubscribeURL",
    "Timestamp",
    "Token",
    "TopicArn",
    "Type",
  ];
  let messageToSign = "";
  for (const key of fields) {
    if (key in payload) {
      messageToSign += `${key}\n${payload[key]}\n`;
    }
  }

  // 3. Verify using Web Crypto API
  // Note: This is a simplified example. In production, use a library like 'sns-validator'
  // adapted for Edge, or implement full PKCS#1 verification.
  // ... implementation details ...

  return true; // Placeholder for brevity
}

Note: For a full, edge-compatible SNS validator, contact us at hi@wr.io.

 

The Catch (Brutal Honesty)

Is this perfect? No.

This is a "Post-Send" validation system.

It means you have to try to send the email first.

  • Good for: Newsletters, SaaS transactional emails, warm outreach.
  • Bad for: Cold lists you bought on the dark web.

If you buy a list of 100k emails and 50% bounce, AWS will suspend your account.

The Strategy:

  1. Use a cheap API (like MillionVerifier) for the first pass on cold lists.
  2. Use this system for continuous hygiene.
  3. Never pay for validation twice.

The Economics

  • Old way: $800/mo for 100k checks.
  • New way:
    • AWS SES: $0.10 per 1,000 emails.
    • Cloudflare Workers: Free (within limits).
    • D1 Database: Free (within limits).
    • Total: ~$10/mo (mostly for the sending itself).

That's an 80x cost reduction (and 800x if you compare to the most expensive tools).

Conclusion

Stop treating email validation as a black box service you have to rent. It's just data. If you own the infrastructure (SES + Cloudflare), you own the data.

Build it once, save thousands forever.

You're paying $800/month for email validation. Your competitors built it for $10.

We just showed you how. But do you want to maintain AWS signature verification at 2 AM?

Start with WRIO Comms API (Free Tier) →

What you get:

  • ✅ Email validation built-in (AWS SES events)
  • ✅ Bounce tracking + auto-cleanup
  • ✅ Self-hosted on your Cloudflare Workers
  • ✅ $0/month for self-hosted, $49/month for managed

Prefer DIY? Use the code above. We respect that.

 

Frequently Asked Questions

Is this a replacement for pre-send email validation?

No. This is a post-send validation system that tracks bounces and complaints after you attempt to send an email. For cold lists you've never emailed before, you should still use a pre-send validation service like MillionVerifier for the first pass. This system is ideal for continuous list hygiene on warm lists.

Will AWS suspend my account if I send to invalid emails?

Yes, if your bounce rate is too high (typically above 5-10%). That's why this approach works best for warm lists where you've already validated emails once. Never use this as your only validation method for purchased or cold lists.

How much does AWS SES cost compared to validation APIs?

AWS SES costs approximately $0.10 per 1,000 emails sent. SNS notifications add negligible cost (under $0.01 per 1,000). Compare this to validation APIs that charge $2.50-$10 per 1,000 checks. For 100,000 emails monthly, you save $250-$1,000 per month.

Can I use this with other email providers like SendGrid?

No, this specific implementation uses AWS SES event notifications. However, SendGrid, Mailgun, and other providers have similar webhook systems for bounce tracking. The concept is the same, but you'll need to adapt the code for their specific event formats.

Do I need to verify the AWS SNS signature?

Yes, absolutely. Without signature verification, anyone could send fake bounce notifications to your webhook and corrupt your email list. The signature verification ensures that the webhook request actually came from AWS SNS and hasn't been tampered with.

 

Want the full code? Contact us at hi@wr.io.