Tim said AWS email forwarding was "batshit complex."
Tim was right. Here's what "simple email forwarding" requires: Route 53 for DNS, SES for receiving and sending, S3 for temporary storage, Lambda for header rewriting, IAM for permissions. Plus MX records, SPF records, DMARC records, DKIM signing, receipt rule sets, and a custom CloudFormation resource because AWS can't activate a receipt rule set natively. Five services. Fifteen resources.
CDK wraps all of it in about 150 lines of TypeScript. Claude wrote those 150 lines in one session. Deployed in 10 minutes.
Tim is reading this on the email infrastructure he said was too hard.
Tim's Way vs. CDK's Way
Tim's Way (AWS Console, manual):
- Route 53: create MX record, look up SES endpoint
- SES: verify domain, wait for DKIM, copy three CNAMEs
- Route 53 again: paste three CNAMEs
- SES: create receipt rule set, add S3 and Lambda actions
- S3: create bucket, configure policy for SES
- Lambda: create function, write forwarding code, configure IAM
- SES again: activate the receipt rule set
- Route 53 again: add SPF and DMARC records
- Test. Debug. Realize you forgot an IAM permission. Fix. Test again.
Nine steps across five console pages with at least one guaranteed "forgot an IAM permission" debugging cycle.
CDK's Way: cdk deploy. 150 lines of TypeScript. Fifteen AWS resources. Three minutes.
Why It's Still Complex (Just Hidden)
The complexity is real. CDK hides the steps, not the reasons:
Why S3 is in the middle: SES can trigger Lambda directly, but Lambda events have a 256KB limit. Emails with attachments blow past that. So SES writes the raw email to S3 (no size limit), triggers Lambda with a notification, and Lambda reads the full email from S3. Claude knew this. I didn't.
Why headers need rewriting: Forward a raw email and Gmail rejects it. The email claims to be from sender@example.com but it's coming from your SMTP server. DKIM/SPF mismatch. Lambda rewrites the From header to your domain (passing DKIM), moves the original sender to Reply-To (so replies work), and strips the original DKIM signature. Claude knew this too.
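The header rewrite described above, as an added TypeScript example (not the code Claude wrote or the deployed Lambda). It shows the parts that are easy to get wrong: folded headers, the header/body boundary, and line breaks in the configured address. The function name, addresses and sample message are constructed for illustration.

```typescript
// Added example, not the deployed Lambda. Addresses and message are constructed.
const SAMPLE = [
  "Return-Path: <alice@example.com>",
  "DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel;",
  "\tbh=CONSTRUCTED; b=CONSTRUCTED",
  "From: Alice <alice@example.com>",
  "To: tim@forward.example",
  "Subject: hello",
  "",
  "From: this line is body text, not a header",
  "",
].join("\r\n");

function rewriteForForwarding(raw: string, forwardFrom: string): string {
  // A CR or LF in the configured address would let it inject extra headers.
  if (/[\r\n]/.test(forwardFrom)) throw new Error("forwardFrom contains a line break");

  // Headers end at the first empty line; everything after it is body and is not parsed.
  const split = raw.search(/\r?\n\r?\n/);
  const head = split === -1 ? raw : raw.slice(0, split);
  const body = split === -1 ? "" : raw.slice(split);

  // Split only on line breaks NOT followed by space/tab, so a folded header
  // (DKIM-Signature almost always is) stays one unit and is dropped whole.
  const headers = head.split(/\r?\n(?![ \t])/);
  const nameOf = (h: string): string => h.slice(0, Math.max(h.indexOf(":"), 0)).trim().toLowerCase();
  const valueOf = (h: string): string =>
    h.slice(h.indexOf(":") + 1).replace(/\r?\n[ \t]+/g, " ").trim();

  // Assumption: a Reply-To chosen by the sender is kept rather than overwritten.
  const hasReplyTo = headers.some((h) => nameOf(h) === "reply-to");
  const out: string[] = [];
  let fromDone = false; // duplicate From headers are collapsed to one
  for (const h of headers) {
    const name = nameOf(h);
    if (name === "dkim-signature") continue; // signature no longer matches the rewritten From
    if (name === "from") {
      if (!fromDone) {
        out.push(`From: ${forwardFrom}`);
        if (!hasReplyTo) out.push(`Reply-To: ${valueOf(h)}`);
      }
      fromDone = true;
      continue;
    }
    out.push(h);
  }
  return out.join("\r\n") + body;
}
```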
The complexity hasn't disappeared. It's been moved into CDK. The promise of AI-assisted infrastructure: you still need to understand the architecture. You don't need to type it all out by hand.
The Takeaway
Fifteen resources. Five services. Zero console clicks. One cdk deploy. The friend who said it was too hard received his "you were wrong" email via the Lambda function that Claude deployed in the CDK stack that I built in 10 minutes.
The irony is not lost on me. It is, apparently, lost on Tim.