NHSDigital · chrisbloe · Mar 19, 2026
@@ -38,8 +38,7 @@ def lambda_handler(event, context):
     BODY_HTML = _construct_email_body(BODY_TEXT, transfer_report_meta_data)
     SUBJECT = _construct_email_subject(transfer_report_meta_data)
 
-    SENDER = secret_manager.get_secret(os.environ["EMAIL_REPORT_SENDER_EMAIL_PARAM_NAME"])
-    SENDER_KEY = secret_manager.get_secret(os.environ["EMAIL_REPORT_SENDER_EMAIL_KEY_PARAM_NAME"])
+    SENDER = os.environ["EMAIL_REPORT_SENDER"]
     RECIPIENT = secret_manager.get_secret(os.environ["EMAIL_REPORT_RECIPIENT_EMAIL_PARAM_NAME"])
     RECIPIENT_INTERNAL = secret_manager.get_secret(os.environ["EMAIL_REPORT_RECIPIENT_INTERNAL_EMAIL_PARAM_NAME"])
 

@@ -16,10 +16,9 @@ resource "aws_lambda_function" "email_report_lambda" {
 
   environment {
     variables = {
-      EMAIL_REPORT_SENDER_EMAIL_PARAM_NAME             = var.email_report_sender_email_param_name,
+      EMAIL_REPORT_SENDER                              = local.from_email
       EMAIL_REPORT_RECIPIENT_EMAIL_PARAM_NAME          = var.email_report_recipient_email_param_name
       EMAIL_REPORT_RECIPIENT_INTERNAL_EMAIL_PARAM_NAME = var.email_report_recipient_internal_email_param_name
-      EMAIL_REPORT_SENDER_EMAIL_KEY_PARAM_NAME         = var.email_report_sender_email_key_param_name
     }
   }
 }

@@ -62,10 +62,8 @@ data "aws_iam_policy_document" "email_report_lambda_ssm_access" {
     ]
 
     resources = [
-      "arn:aws:ssm:${data.aws_region.current.region}:${data.aws_caller_identity.current.account_id}:parameter${var.email_report_sender_email_param_name}",
       "arn:aws:ssm:${data.aws_region.current.region}:${data.aws_caller_identity.current.account_id}:parameter${var.email_report_recipient_email_param_name}",
       "arn:aws:ssm:${data.aws_region.current.region}:${data.aws_caller_identity.current.account_id}:parameter${var.email_report_recipient_internal_email_param_name}",
-      "arn:aws:ssm:${data.aws_region.current.region}:${data.aws_caller_identity.current.account_id}:parameter${var.email_report_sender_email_key_param_name}",
     ]
   }
 }
@@ -115,10 +113,6 @@ resource "aws_iam_policy" "email_report_lambda_send_raw_email" {
   policy = data.aws_iam_policy_document.email_report_send_raw_email.json
 }
 
-data "aws_ssm_parameter" "email_report_sender_email" {
-  name = var.email_report_sender_email_param_name
-}
-
 data "aws_iam_policy_document" "email_report_send_raw_email" {
   statement {
     sid = "SendEmailWithAttachment"
@@ -128,7 +122,7 @@ data "aws_iam_policy_document" "email_report_send_raw_email" {
     ]
 
     resources = [
-      "arn:aws:ses:${data.aws_region.current.region}:${data.aws_caller_identity.current.account_id}:identity/${data.aws_ssm_parameter.email_report_sender_email.value}",
+      "arn:aws:ses:${data.aws_region.current.region}:${data.aws_caller_identity.current.account_id}:identity/${local.from_email}",
     ]
   }
 }

@@ -1,20 +1,12 @@
 locals {
   ses_domain = "mail.${var.hosted_zone_name}"
+  from_email = "gp2gp-reports@${aws_ses_domain_identity.gp2gp_inbox.domain}"
 }
 
 data "aws_ssm_parameter" "asid_lookup_address_prefix" {
   name = var.asid_lookup_inbox_prefix_param_name
 }
 
-resource "aws_ses_email_identity" "gp2gp_inbox_sender_address" {
-  email = data.aws_ssm_parameter.email_report_sender_email.value
-}
-
-moved {
-  from = aws_ses_email_identity.email_report
-  to   = aws_ses_email_identity.gp2gp_inbox_sender_address
-}
-
 resource "aws_ses_domain_identity" "gp2gp_inbox" {
   domain = local.ses_domain
 }
@@ -71,7 +63,34 @@ resource "aws_route53_record" "gp2gp_inbox_dmarc" {
   type    = "TXT"
   ttl     = 300
 
+  records = ["v=DMARC1; p=none; adkim=s; aspf=s"]
+}
+
+resource "aws_ses_domain_mail_from" "sending" {
+  domain           = aws_ses_domain_identity.ndr_ses.domain
+  mail_from_domain = "mail.${aws_ses_domain_identity.ndr_ses.domain}"
+
+  behavior_on_mx_failure = "UseDefaultValue"
+}
+
+resource "aws_route53_record" "ses_mail_from_mx" {
+  zone_id = data.aws_route53_zone.gp_registrations.zone_id
+  name    = "mail.${aws_ses_domain_identity.ndr_ses.domain}"
+  type    = "MX"
+  ttl     = 600
+
   records = [
-    "v=DMARC1; p=none;"
+    "10 feedback-smtp.eu-west-2.amazonses.com"
   ]
-}
+}
+
+resource "aws_route53_record" "ses_mail_from_spf" {
+  zone_id = data.aws_route53_zone.gp_registrations.zone_id
+  name    = "mail.${aws_ses_domain_identity.ndr_ses.domain}"
+  type    = "TXT"
+  ttl     = 600
+
+  records = [
+    "v=spf1 include:amazonses.com -all"
+  ]
+}
@@ -41,16 +41,6 @@ variable "log_alerts_technical_failures_above_threshold_rate_param_name" {
   description = "SSM parameter containing the technical failure rate threshold percentage"
 }
 
-variable "email_report_sender_email_param_name" {
-  type        = string
-  description = "SSM parameter containing the sender email address for emailing reports"
-}
-
-variable "email_report_sender_email_key_param_name" {
-  type        = string
-  description = "SSM parameter containing the sender email key for SMTP auth"
-}
-
 variable "email_report_recipient_email_param_name" {
   type        = string
   description = "SSM parameter containing the recipient email address for emailing reports"
@@ -138,4 +128,4 @@ variable "log_alerts_slack_channel_id_param_name" {
 variable "log_alerts_slack_bot_token_param_name" {
   type        = string
   description = "SSM parameter containing the slack bot token needed to send message to slack channels"
-}
+}
@@ -3,10 +3,8 @@ reports_generator_bucket_param_name                                  = "/registr
 log_group_param_name                                                 = "/registrations/dev/data-pipeline/cloudwatch-log-group-name"
 asid_lookup_inbox_prefix_param_name                                  = "/registrations/dev/user-input/asid-lookup-inbox-prefix"
 log_alerts_technical_failures_above_threshold_rate_param_name        = "/registrations/dev/user-input/log-alerts-technical-failures-above-threshold-rate"
-email_report_sender_email_param_name                                 = "/registrations/dev/user-input/email-report-sender-email"
 email_report_recipient_email_param_name                              = "/registrations/dev/user-input/email-report-recipient-email"
 email_report_recipient_internal_email_param_name                     = "/registrations/dev/user-input/email-report-recipient-internal-email"
-email_report_sender_email_key_param_name                             = "/registrations/dev/user-input/email-report-sender-email-key"
 log_alerts_technical_failures_webhook_url_param_name                 = "/registrations/dev/user-input/log-alerts-technical-failures-webhook-url"
 log_alerts_technical_failures_above_threshold_webhook_url_param_name = "/registrations/dev/user-input/log-alerts-technical-failures-above-threshold-webhook-url"
 log_alerts_general_webhook_url_param_name                            = "/registrations/dev/user-input/log-alerts-general-webhook-url"

@@ -3,10 +3,8 @@ reports_generator_bucket_param_name                                  = "/registr
 log_group_param_name                                                 = "/registrations/prod/data-pipeline/cloudwatch-log-group-name"
 asid_lookup_inbox_prefix_param_name                                  = "/registrations/prod/user-input/asid-lookup-inbox-prefix"
 log_alerts_technical_failures_above_threshold_rate_param_name        = "/registrations/prod/user-input/log-alerts-technical-failures-above-threshold-rate"
-email_report_sender_email_param_name                                 = "/registrations/prod/user-input/email-report-sender-email"
 email_report_recipient_email_param_name                              = "/registrations/prod/user-input/email-report-recipient-email"
 email_report_recipient_internal_email_param_name                     = "/registrations/prod/user-input/email-report-recipient-internal-email"
-email_report_sender_email_key_param_name                             = "/registrations/prod/user-input/email-report-sender-email-key"
 log_alerts_technical_failures_webhook_url_param_name                 = "/registrations/prod/user-input/log-alerts-technical-failures-webhook-url"
 log_alerts_technical_failures_above_threshold_webhook_url_param_name = "/registrations/prod/user-input/log-alerts-technical-failures-above-threshold-webhook-url"
 log_alerts_general_webhook_url_param_name                            = "/registrations/prod/user-input/log-alerts-general-webhook-url"