Menu
Amazon Simple Email Service
Developer Guide (API Version 2010-12-01)

Sending Emails for the Identity Owner for Amazon SES Sending Authorization

As a delegate sender, you send emails the same way that other Amazon SES senders do, except that you provide the ARN of the identity that the identity owner has authorized you to use. When you call Amazon SES to send the email, Amazon SES checks to see if the identity that you specified has a policy that authorizes you to send for it.

There are different ways that you can specify the identity's ARN when you send an email. The method that you can use depends on whether you send the email by using the Amazon SES API (SendEmail or SendRawEmail) or the Amazon SES SMTP interface.

Important

To successfully send an email on behalf of an identity owner's identity, you must connect to the Amazon SES endpoint of the AWS region in which the identity is verified. The sending authorization policy that grants you permission must be attached to the identity in that region.

Using the Amazon SES API

As with any Amazon SES email sender, if you access Amazon SES through the Amazon SES API (either directly through HTTPS or indirectly through an AWS SDK), you can choose between one of two email-sending actions: SendEmail and SendRawEmail. The Amazon Simple Email Service API Reference describes the details of these APIs, but we provide an overview of the sending authorization parameters here.

SendRawEmail

If you want to use SendRawEmail so that you can control the format of your emails, you can specify the cross-account identity in one of two ways:

  • Pass optional parameters to the SendRawEmail API— These parameters are as follows:

    Parameter

    Description

    SourceArn

    The ARN of the identity that is associated with the sending authorization policy that permits you to send for the email address specified in the Source parameter of SendRawEmail.

    Note

    For the most common use case, we recommend that you specify the SourceArn and do not specify either the FromArn or ReturnPathArn. If you only specify the SourceArn, Amazon SES will simply set the "From" address and the "Return Path" addresses to the identity specified in SourceArn.

    FromArn

    The ARN of the identity that is associated with the sending authorization policy that permits you to specify a particular "From" address in the header of the raw email.

    ReturnPathArn

    The ARN of the identity that is associated with the sending authorization policy that permits you to use the email address specified in the ReturnPath parameter of SendRawEmail.

  • Include X-headers in the email— X-headers are custom headers that you can use in addition to standard email headers. Amazon SES has three X-headers that you can use to specify sending authorization parameters. If you include multiple instances of any of the X-headers, Amazon SES will use the first instance. In all cases, Amazon SES removes all X-headers from the email before sending it. The following table shows you the three X-headers that you can use with Amazon SES for sending authorization.

    Important

    Do not include these X-headers in the DKIM signature, because they are removed by Amazon SES before sending the email.

    X-Header

    Description

    X-SES-SOURCE-ARN

    Corresponds to the SourceArn.

    X-SES-FROM-ARN

    Corresponds to the FromArn.

    X-SES-RETURN-PATH-ARN

    Corresponds to the ReturnPathArn.

    The following example shows an email that includes sending authorization X-headers:

    Copy
    X-SES-SOURCE-ARN: arn:aws:ses:us-west-2:123456789012:identity/example.com X-SES-FROM-ARN: arn:aws:ses:us-west-2:123456789012:identity/example.com X-SES-RETURN-PATH-ARN: arn:aws:ses:us-west-2:123456789012:identity/example.com From: sender@example.com To: recipient@example.com Return-Path: feedback@example.com Subject: subject Content-Type: multipart/alternative; boundary="----=_boundary" ------=_boundary Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit body ------=_boundary Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: 7bit body ------=_boundary--

SendEmail

If you want to use SendEmail so that Amazon SES formats your emails for you, you can specify the cross-account identity by passing in the optional parameters below. You cannot use the X-header method because when you use SendEmail, Amazon SES assembles the message for you.

Parameter

Description

SourceArn

The ARN of the identity that is associated with the sending authorization policy that permits you to send for the email address specified in the Source parameter of SendRawEmail.

ReturnPathArn

The ARN of the identity that is associated with the sending authorization policy that permits you to use the email address specified in the ReturnPath parameter of SendRawEmail.

Using the Amazon SES SMTP interface

If you are using the Amazon SES SMTP interface for cross-account sending, the only method you can use is to include the X-headers as SendRawEmail described earlier.