

# Configuring MFA, authentication, verification and invitation messages
<a name="cognito-user-pool-settings-message-customizations"></a>

With Amazon Cognito, you can customize SMS and email authentication, verification, and user invitation messages to enhance the security and user experience of your application. You can choose between code-based and one-click link verifications for some messages. This topic discusses how you can personalize authentication and verification communications in the Amazon Cognito console. 

In the **Message templates** menu, you can customize:
+ Your email and SMS message templates for one-time password (OTP) and multi-factor authentication (MFA)
+ Your SMS and email verification messages
+ The verification type for email—code or link
  **Note**  
  Amazon Cognito uses your link-based template for the verification messages that it sends when users sign up or resend a confirmation code. Emails from attribute-update and password-reset operations use the code template.
+ Your user invitation messages
+ FROM and REPLY-TO email addresses for emails going through your user pool

**Note**  
The SMS and email verification message templates only appear if you have chosen to require phone number and email verification. Similarly, the SMS MFA message template only appears if the MFA setting is **required** or **optional**.

**Topics**
+ [Message templates](#cognito-user-pool-settings-message-templates)
+ [Customizing email and SMS MFA messages](#cognito-user-pool-settings-SMS-message-customization)
+ [Customizing email verification messages](#cognito-user-pool-settings-email-verification-message-customization)
+ [Customizing user invitation messages](#cognito-user-pool-settings-user-invitation-message-customization)
+ [Customizing your email address](#cognito-user-pool-settings-email-address-customization)
+ [Authorizing Amazon Cognito to send Amazon SES email on your behalf (from a custom FROM email address)](#cognito-user-pool-settings-ses-authorization-to-send-email)

## Message templates
<a name="cognito-user-pool-settings-message-templates"></a>

You can use message templates to insert placeholders into your messages. Amazon Cognito replaces the placeholders with the corresponding values. You can reference *Universal template placeholders* in message templates of any type, although these values won't be present in all message types.


**Universal template placeholders**  

| Description | Token | Message type |
| --- | --- | --- |
| Verification code | `{####}` | Verification, confirmation, and MFA messages |
| Temporary password | `{####}` | Forgot-password and invitation messages |
| User name | `{username}` | Invitation and advanced security messages |

One of the available automated responses with [threat protection](cognito-user-pool-settings-threat-protection.md) is to notify the user that Amazon Cognito detected potentially malicious activity. You can use advanced security template placeholders to do the following:
+ Include specific details about an event such as IP address, city, country, sign-in time, and device name. Amazon Cognito threat protection can analyze these details.
+ Verify whether a one-click link is valid.
+ Use event ID, feedback token, and user name to build your own one-click link.

**Note**  
To generate one-click links and use the `{one-click-link-valid}` and `{one-click-link-invalid}` placeholders in advanced security email templates, you must already have a domain configured for your user pool.

Threat protection adds the following placeholders that you can insert into the message templates. These placeholders apply to **Adaptive authentication messages**, notifications that Amazon Cognito sends to users whose sessions have been evaluated for a level of risk. To configure message templates with these variables, update the **Full-function** configuration of your threat protection in the Amazon Cognito console, or submit templates in a [SetRiskConfiguration](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SetRiskConfiguration.html) request.


**Advanced security template placeholders**  

| Description | Token |
| --- | --- |
| IP address | `{ip-address}` |
| City | `{city}` |
| Country | `{country}` |
| Log-in time | `{login-time}` |
| Device name | `{device-name}` |
| One-click link is valid | `{one-click-link-valid}` |
| One-click link is not valid | `{one-click-link-invalid}` |
| Event ID | `{event-id}` |
| Feedback token | `{feedback-token}` |

## Customizing email and SMS MFA messages
<a name="cognito-user-pool-settings-SMS-message-customization"></a>

To customize the SMS and email messages for [multi-factor authentication (MFA)](user-pool-settings-mfa.md), edit **MFA message** from the **Message templates** menu in the Amazon Cognito user pools console.

**Important**  
Your custom message must contain the `{####}` placeholder. This placeholder is replaced with the authentication code before the message is sent.

Amazon Cognito sets a maximum length for SMS messages, including the authentication code, of 140 UTF-8 characters.

### Customizing SMS verification messages
<a name="cognito-user-pool-settings-SMS-verification-message-customization"></a>

To customize the SMS message for phone number verification, edit the **Verification message** template from the **Message templates** menu of your user pool.

**Important**  
Your custom message must contain the `{####}` placeholder. This placeholder is replaced with the verification code before the message is sent.

The maximum length for the message, including the verification code, is 140 UTF-8 characters.

## Customizing email verification messages
<a name="cognito-user-pool-settings-email-verification-message-customization"></a>

To verify the email address of a user in your user pool with Amazon Cognito, you can send the user an email message with a link that they can select, or you can send them a code that they can enter.

To customize the email subject and message content for email address verification messages, edit the **Verification message** template in the **Message templates** menu of your user pool. You can choose a **Verification type** of **Code** or **Link** when you edit your **Verification message** template.

When you choose **Code** as the verification type, your custom message must contain the `{####}` placeholder. When you send the message, the verification code replaces this placeholder.

When you choose **Link** as the verification type, your custom message must include a placeholder in the format `{##Verify Your Email##}`. You can change the text string between the placeholder characters, for example `{##Click here##}`. A verification link titled *Verify Your Email* replaces this placeholder.

The link for an email verification message directs your user to a URL like the following example.

```
https://<your user pool domain>/confirmUser/?client_id=abcdefg12345678&user_name=emailtest&confirmation_code=123456
```

The maximum length for the message, including the verification code (if present), is 20,000 UTF-8 characters. You can use HTML tags in this message to format the contents.

## Customizing user invitation messages
<a name="cognito-user-pool-settings-user-invitation-message-customization"></a>

You can customize the user invitation message that Amazon Cognito sends to new users by SMS or email message by editing the **Invitation messages** template in the **Message templates** menu.

**Important**  
Your custom message must contain the `{username}` and `{####}` placeholders. When Amazon Cognito sends the invitation message, it replaces these placeholders with your user's user name and password.

The maximum length of an SMS message, including the verification code, is 140 UTF-8 characters. The maximum length of an email message, including the verification code, is 20,000 UTF-8 characters. You may use HTML tags in your email messages to format the contents.
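The placeholder and length rules from the MFA, verification, and invitation sections above can be checked before a template is saved. The following is an added example, not code from Amazon Cognito or this guide: `lint_template`, the template kind names, and the default substitution lengths (`code_len`, `username_len`) are assumptions, as is counting the limit in code points.

```python
import re

SMS_MAX, EMAIL_MAX = 140, 20_000          # limits stated on this page
CODE, USERNAME = "{####}", "{username}"
LINK = re.compile(r"\{##[^#{}]+##\}")     # e.g. {##Verify Your Email##}

# Placeholders each template kind must carry, per the sections above.
REQUIRED = {
    "mfa": [CODE],
    "verification_code": [CODE],
    "verification_link": [LINK],
    "invitation": [USERNAME, CODE],
}

def _present(token, body):
    return bool(token.search(body)) if isinstance(token, re.Pattern) else token in body

def lint_template(kind, channel, body, code_len=6, username_len=32):
    """Return a list of problems; an empty list means the template passes."""
    problems = []
    for token in REQUIRED[kind]:
        if not _present(token, body):
            name = "{##link text##}" if token is LINK else token
            problems.append(f"missing required placeholder {name}")
    # Length once placeholders are replaced. code_len and username_len are
    # assumed worst-case values; set them to match your user pool.
    rendered = (len(body)
                + body.count(CODE) * (code_len - len(CODE))
                + body.count(USERNAME) * (username_len - len(USERNAME)))
    limit = SMS_MAX if channel == "sms" else EMAIL_MAX
    if rendered > limit:
        problems.append(f"up to {rendered} characters after substitution; limit is {limit}")
    return problems

# Constructed sample templates (not from the page).
SAMPLES = [
    ("mfa", "sms", "Your sign-in code is {####}."),
    ("verification_link", "email", "Welcome. {##Click here##} to confirm your address."),
    ("verification_link", "email", "Welcome. Your code is {####}."),
    ("invitation", "sms", "Hi {username}, welcome to Example Corp. Your temporary password "
                          "is {####}. Sign in within 7 days at https://example.com/login."),
]

if __name__ == "__main__":
    for kind, channel, body in SAMPLES:
        print(kind, channel, lint_template(kind, channel, body) or "OK")
```

The last sample is under 140 characters as written but can exceed the SMS limit once a long user name replaces `{username}`.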

## Customizing your email address
<a name="cognito-user-pool-settings-email-address-customization"></a>

By default, Amazon Cognito sends email messages to users in your user pools from the address **no-reply@verificationemail.com**. You can choose to specify custom FROM and REPLY-TO email addresses instead of **no-reply@verificationemail.com**.

**To customize the FROM and REPLY-TO email addresses**

1. Navigate to the [Amazon Cognito console](https://console.aws.amazon.com/cognito/home), and choose **User Pools**.

1. Choose an existing user pool from the list, or [create a user pool](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-as-user-directory.html).

1. Choose the **Authentication methods** menu. Under **Email**, choose **Edit**.

1. Choose an **SES Region**.

1. Choose a **FROM email address** from the list of email addresses you have verified with Amazon SES in the **SES Region** you selected. To use an email address from a verified domain, configure email settings in the AWS Command Line Interface or the AWS API. For more information, see [Verifying email addresses and domains in Amazon SES](https://docs.aws.amazon.com/ses/latest/DeveloperGuide/verify-addresses-and-domains.html) in the *Amazon Simple Email Service Developer Guide*.

1. Choose a **Configuration set** from the list of configuration sets in your chosen **SES Region**.

1. Enter a friendly **FROM sender name** for your email messages, in the format `John Stiles <johnstiles@example.com>`.

1. To customize the REPLY-TO email address, enter a valid email address in the **REPLY-TO email address** field.

## Authorizing Amazon Cognito to send Amazon SES email on your behalf (from a custom FROM email address)
<a name="cognito-user-pool-settings-ses-authorization-to-send-email"></a>

You can configure Amazon Cognito to send email from a custom FROM email address instead of its default address. To use a custom address, you must give Amazon Cognito permission to send email messages from an Amazon SES verified identity. In most cases, you can grant permission by creating a sending authorization policy. For more information, see [Using sending authorization with Amazon SES](https://docs.aws.amazon.com/ses/latest/DeveloperGuide/sending-authorization.html) in the *Amazon Simple Email Service Developer Guide*.

When you configure a user pool to use Amazon SES for email messages, Amazon Cognito creates the `AWSServiceRoleForAmazonCognitoIdpEmailService` role in your account to grant access to Amazon SES. No sending authorization policy is needed when the `AWSServiceRoleForAmazonCognitoIdpEmailService` service-linked role is used. You only need to add a sending authorization policy when you use both the default email functionality in your user pool *and* a verified Amazon SES identity as the FROM address.

For more information about the service-linked role that Amazon Cognito creates, see [Using service-linked roles for Amazon Cognito](using-service-linked-roles.md).

The following example sending authorization policy grants Amazon Cognito a limited ability to use an Amazon SES verified identity. Amazon Cognito can only send email messages when it does so on behalf of both the user pool in the `aws:SourceArn` condition and the account in the `aws:SourceAccount` condition. For more examples, see [Amazon SES sending authorization policy examples](https://docs.aws.amazon.com/ses/latest/DeveloperGuide/sending-authorization-policy-examples.html) in the *Amazon Simple Email Service Developer Guide*.

**Note**  
In this example, the "Sid" value is an arbitrary string that uniquely identifies the statement. For more information about policy syntax, see [Amazon SES sending authorization policies](https://docs.aws.amazon.com/ses/latest/DeveloperGuide/sending-authorization-policies.html) in the *Amazon Simple Email Service Developer Guide*.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "stmnt1234567891234",
            "Effect": "Allow",
            "Principal": {
                "Service": [
                    "email.cognito-idp.amazonaws.com"
                ]
            },
            "Action": [
                "SES:SendEmail",
                "SES:SendRawEmail"
            ],
            "Resource": "arn:aws:ses:us-east-1:111122223333:identity/support@example.com",
            "Condition": {
                "StringEquals": {
                    "aws:SourceAccount": "111122223333"
                },
                "ArnLike": {
                    "aws:SourceArn": "arn:aws:cognito-idp:us-east-1:111122223333:userpool/us-east-1_EXAMPLE"
                }
            }
        }
    ]
}
```

The Amazon Cognito console adds a similar policy for you when you select an Amazon SES identity from the drop-down menu. If you use the CLI or API to configure the user pool, you must attach a policy structured like the previous example to your Amazon SES Identity.
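When you attach the policy yourself through the CLI or API, it is worth checking that both scoping conditions survived. The following is an added example, not code from Amazon Cognito or Amazon SES: `audit_sending_policy` is a hypothetical helper, and it assumes each statement should be pinned to exactly one account and one user pool ARN, as in the example policy above.

```python
COGNITO_EMAIL = "email.cognito-idp.amazonaws.com"
ALLOWED_ACTIONS = {"ses:sendemail", "ses:sendrawemail"}

def _as_list(value):
    # IAM policy elements may be a single string or a list of strings.
    return value if isinstance(value, list) else [value]

def _condition_values(statement, key):
    # Gather a condition key's values across operators; key names are case-insensitive.
    return [v for entries in statement.get("Condition", {}).values()
            for name, value in entries.items() if name.lower() == key.lower()
            for v in _as_list(value)]

def audit_sending_policy(policy, account_id, user_pool_arn):
    """Return findings for Allow statements that name the Cognito email principal."""
    findings = []
    for st in _as_list(policy.get("Statement", [])):
        principal = st.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if st.get("Effect") != "Allow" or COGNITO_EMAIL not in services:
            continue
        sid = st.get("Sid", "<no Sid>")
        extra = {a.lower() for a in _as_list(st.get("Action", []))} - ALLOWED_ACTIONS
        if extra:
            findings.append(f"{sid}: actions beyond SendEmail/SendRawEmail: {sorted(extra)}")
        if _condition_values(st, "aws:SourceAccount") != [account_id]:
            findings.append(f"{sid}: aws:SourceAccount is not pinned to {account_id}")
        arns = _condition_values(st, "aws:SourceArn")
        if arns != [user_pool_arn]:
            findings.append(f"{sid}: aws:SourceArn {arns} is missing or not the single user pool ARN")
    return findings

# Constructed sample input: the page's policy, then a weakened variant of it.
ACCOUNT = "111122223333"
POOL_ARN = "arn:aws:cognito-idp:us-east-1:111122223333:userpool/us-east-1_EXAMPLE"

def _policy(condition):
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "stmnt1234567891234", "Effect": "Allow",
        "Principal": {"Service": [COGNITO_EMAIL]},
        "Action": ["SES:SendEmail", "SES:SendRawEmail"],
        "Resource": "arn:aws:ses:us-east-1:111122223333:identity/support@example.com",
        "Condition": condition}]}

PAGE_POLICY = _policy({"StringEquals": {"aws:SourceAccount": ACCOUNT},
                       "ArnLike": {"aws:SourceArn": POOL_ARN}})
WEAK_POLICY = _policy({"ArnLike": {"aws:SourceArn": "arn:aws:cognito-idp:*:*:userpool/*"}})

if __name__ == "__main__":
    for name, pol in (("page policy", PAGE_POLICY), ("weakened policy", WEAK_POLICY)):
        print(name, audit_sending_policy(pol, ACCOUNT, POOL_ARN) or "OK")
```

The weakened variant drops `aws:SourceAccount` and wildcards `aws:SourceArn`, so the identity is no longer tied to the one user pool and account that the page's policy names.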