diff --git a/sample.env b/sample.env
index 78761beac..d8694b5c1 100644
--- a/sample.env
+++ b/sample.env
@@ -1,5 +1,47 @@
+# STEPS TO SET UP
+# 
+# 1. Pull down AWS creds from cloud.gov using `cf env`, then update AWS section
+#   
+# 2. Uncomment either the Docker setup or the direct setup
+#
+# 3. Comment out the other setup
+# 
+# 4. Replace `NOTIFY_EMAIL_DOMAIN` with the domain your emails will come from (i.e. the "origination email" in your SES project)
+#
+# 5. Replace `SECRET_KEY` and `DANGEROUS_SALT` with high-entropy secret values
+#
+
 # ## REBUILD THE DEVCONTAINER WHEN YOU MODIFY .ENV ###
 
+#############################################################
+
+# AWS
+AWS_REGION=us-west-2
+AWS_ACCESS_KEY_ID="don't write secrets to the sample file"
+AWS_SECRET_ACCESS_KEY="don't write secrets to the sample file"
+AWS_PINPOINT_REGION=us-west-2
+AWS_US_TOLL_FREE_NUMBER=+18446120782
+
+#############################################################
+
+# Local Docker setup, all overwritten in cloud.gov
+ADMIN_BASE_URL=http://admin:6012
+API_HOST_NAME=http://dev:6011
+REDIS_URL=redis://redis:6380
+REDIS_ENABLED=1
+SQLALCHEMY_DATABASE_URI=postgresql://postgres:chummy@db:5432/notification_api
+SQLALCHEMY_DATABASE_TEST_URI=postgresql://postgres:chummy@db:5432/test_notification_api
+
+# Local direct setup, all overwritten in cloud.gov
+# ADMIN_BASE_URL=http://localhost:6012
+# API_HOST_NAME=http://localhost:6011
+# REDIS_URL=redis://localhost:6379
+# REDIS_ENABLED=1
+# SQLALCHEMY_DATABASE_URI=postgresql://localhost:5432/notification_api
+# SQLALCHEMY_DATABASE_TEST_URI=postgresql://localhost:5432/test_notification_api
+
+#############################################################
+
 # Debug
 DEBUG=True
 ANTIVIRUS_ENABLED=0
@@ -10,10 +52,7 @@ NOTIFY_APP_NAME=api
 NOTIFY_EMAIL_DOMAIN=dispostable.com
 NOTIFY_LOG_PATH=/workspace/logs/app.log
 
-# secrets that internal apps, such as the admin app or document download, must use to authenticate with the API
-ADMIN_CLIENT_ID=notify-admin
-ADMIN_CLIENT_SECRET=dev-notify-secret-key
-GOVUK_ALERTS_CLIENT_ID=govuk-alerts
+#############################################################
 
 # Flask
 FLASK_APP=application.py
@@ -22,28 +61,7 @@ WERKZEUG_DEBUG_PIN=off
 SECRET_KEY=dev-notify-secret-key
 DANGEROUS_SALT=dev-notify-salt
 
-# URL of admin app, this is overriden on cloudfoundry
-ADMIN_BASE_URL=http://admin:6012
-
-# URL of api app, this is overriden on cloudfoundry
-API_HOST_NAME=http://dev:6011
-
-# URL of redis instance, this is overriden on cloudfoundry
-REDIS_URL=redis://redis:6380
-REDIS_ENABLED=1
-
-# DB connection string for local docker, overriden on remote with vcap env vars
-SQLALCHEMY_DATABASE_URI=postgresql://postgres:chummy@db:5432/notification_api
-
-# For testing in local docker
-SQLALCHEMY_DATABASE_TEST_URI=postgresql://postgres:chummy@db:5432/test_notification_api
-
-# DB connection string for local non-docker connection
-# SQLALCHEMY_DATABASE_URI=postgresql://user:password@localhost:5432/notification_api
-
-# AWS
-AWS_REGION=us-west-2
-AWS_ACCESS_KEY_ID="don't write secrets to the sample file"
-AWS_SECRET_ACCESS_KEY="don't write secrets to the sample file"
-AWS_PINPOINT_REGION=us-west-2
-AWS_US_TOLL_FREE_NUMBER=+18446120782
+# secrets that internal apps, such as the admin app or document download, must use to authenticate with the API
+ADMIN_CLIENT_ID=notify-admin
+ADMIN_CLIENT_SECRET=dev-notify-secret-key
+GOVUK_ALERTS_CLIENT_ID=govuk-alerts