Menu
Amazon Simple Email Service
Developer Guide

Sending Emails for the Identity Owner for Amazon SES Sending Authorization

As a delegate sender, you send emails the same way that other Amazon SES senders do, except that you provide the ARN of the identity that the identity owner has authorized you to use. When you call Amazon SES to send the email, Amazon SES checks to see if the identity that you specified has a policy that authorizes you to send for it.

There are different ways that you can specify the identity's ARN when you send an email. The method that you can use depends on whether you send the email by using the Amazon SES API operations or the Amazon SES SMTP interface.

Important

To successfully send an email from an identity owner's identity, you must connect to the Amazon SES endpoint of the AWS Region in which the identity is verified. The sending authorization policy that grants you permission must be attached to the identity in that region.

Using the Amazon SES API

As with any Amazon SES email sender, if you access Amazon SES through the Amazon SES API (either directly through HTTPS or indirectly through an AWS SDK), you can choose between one of two email-sending actions: SendEmail and SendRawEmail. The Amazon Simple Email Service API Reference describes the details of these APIs, but we provide an overview of the sending authorization parameters here.

SendRawEmail

If you want to use SendRawEmail so that you can control the format of your emails, you can specify the cross-account identity in one of two ways:

  • Pass optional parameters to the SendRawEmail API. The required parameters are described in the following table:

    Parameter

    Description

    SourceArn

    The ARN of the identity that is associated with the sending authorization policy that permits you to send for the email address specified in the Source parameter of SendRawEmail.

    Note

    For most use cases, we recommend that you specify the SourceArn and do not specify either the FromArn or ReturnPathArn. If you only specify the SourceArn, Amazon SES sets the "From" address and the "Return Path" addresses to the identity specified in SourceArn.

    FromArn

    The ARN of the identity that is associated with the sending authorization policy that permits you to specify a particular "From" address in the header of the raw email.

    ReturnPathArn

    The ARN of the identity that is associated with the sending authorization policy that permits you to use the email address specified in the ReturnPath parameter of SendRawEmail.

  • Include X-headers in the email. X-headers are custom headers that you can use in addition to standard email headers (such as the From, Reply-To, or Subject headers). Amazon SES recognizes three X-headers that you can use to specify sending authorization parameters:

    Important

    Do not include these X-headers in the DKIM signature, because they are removed by Amazon SES before sending the email.

    X-Header

    Description

    X-SES-SOURCE-ARN

    Corresponds to the SourceArn.

    X-SES-FROM-ARN

    Corresponds to the FromArn.

    X-SES-RETURN-PATH-ARN

    Corresponds to the ReturnPathArn.

    Amazon SES removes all X-headers from the email before sending it. If you include multiple instances of an X-header, Amazon SES only uses the first instance.

    The following example shows an email that includes sending authorization X-headers:

    X-SES-SOURCE-ARN: arn:aws:ses:us-west-2:123456789012:identity/example.com X-SES-FROM-ARN: arn:aws:ses:us-west-2:123456789012:identity/example.com X-SES-RETURN-PATH-ARN: arn:aws:ses:us-west-2:123456789012:identity/example.com From: sender@example.com To: recipient@example.com Return-Path: feedback@example.com Subject: subject Content-Type: multipart/alternative; boundary="----=_boundary" ------=_boundary Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit body ------=_boundary Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: 7bit body ------=_boundary--

SendEmail

If you use the SendEmail operation, you can specify the cross-account identity by passing in the optional parameters below. You cannot use the X-header method when you use the SendEmailoperation.

Parameter

Description

SourceArn

The ARN of the identity that is associated with the sending authorization policy that permits you to send for the email address specified in the Source parameter of SendRawEmail.

ReturnPathArn

The ARN of the identity that is associated with the sending authorization policy that permits you to use the email address specified in the ReturnPath parameter of SendRawEmail.

The following example shows how to send an email that includes the SourceArn and ReturnPathArn attributes using the SendEmail operation and the SDK for Python.

import boto3 from botocore.exceptions import ClientError # Create a new SES resource and specify a region. client = boto3.client('ses',region_name="us-west-2") # Try to send the email. try: #Provide the contents of the email. response = client.send_email( Destination={ 'ToAddresses': [ 'recipient@example.com', ], }, Message={ 'Body': { 'Html': { 'Charset': 'UTF-8', 'Data': 'This email was sent with Amazon SES.', }, }, 'Subject': { 'Charset': 'UTF-8', 'Data': 'Amazon SES Test', }, }, SourceArn='arn:aws:ses:us-west-2:123456789012:identity/example.com', ReturnPathArn='arn:aws:ses:us-west-2:123456789012:identity/example.com', Source='sender@example.com', ReturnPath='feedback@example.com' ) # Display an error if something goes wrong. except ClientError as e: print(e.response['Error']['Message']) else: print("Email sent! Message ID:"), print(response['ResponseMetadata']['RequestId'])

Using the Amazon SES SMTP interface

When you use the Amazon SES SMTP interface for cross-account sending, you have to include the X-SES-SOURCE-ARN, X-SES-FROM-ARN and X-SES-RETURN-PATH-ARN headers in your message. Pass these headers after you issue the DATA command in the SMTP conversation.