Sending emails for the identity owner for Amazon SES sending authorization - Amazon Simple Email Service

Sending emails for the identity owner for Amazon SES sending authorization

As a delegate sender, you send emails the same way that other Amazon SES senders do, except that you provide the Amazon Resource Name (ARN) of the identity that the identity owner has authorized you to use. When you call Amazon SES to send the email, Amazon SES checks to see if the identity that you specified has a policy that authorizes you to send for it.

There are different ways that you can specify the identity's ARN when you send an email. The method that you use depends on whether you send the email by using the Amazon SES API operations or the Amazon SES SMTP interface.

Important

To successfully send an email, you have to connect to the Amazon SES endpoint in the AWS Region that the identity owner verified the identity in.

Additionally, the AWS accounts of both the identity owner and the delegate sender have to be removed from the sandbox before either account can send email to non-verified addresses. For more information, see Request production access (Moving out of the Amazon SES sandbox).

Using the Amazon SES API

As with any Amazon SES email sender, if you access Amazon SES through the Amazon SES API (either directly through HTTPS or indirectly through an AWS SDK), you can choose between one of three email-sending actions: SendEmail, SendTemplatedEmail, and SendRawEmail. The Amazon Simple Email Service API Reference describes the details of these APIs, but we provide an overview of the sending authorization parameters here.

SendRawEmail

If you want to use SendRawEmail so that you can control the format of your emails, you can specify the delegated authorized identity in one of two ways:

  • Pass optional parameters to the SendRawEmail API. The required parameters are described in the following table:

    Parameter

    Description

    SourceArn

    The ARN of the identity that is associated with the sending authorization policy that permits you to send for the email address specified in the Source parameter of SendRawEmail.

    Note

    If you only specify the SourceArn, Amazon SES sets the "From" address and the "Return Path" addresses to the identity that you specified in SourceArn.

    FromArn

    The ARN of the identity that is associated with the sending authorization policy that permits you to specify a particular "From" address in the header of the raw email.

    ReturnPathArn

    The ARN of the identity that is associated with the sending authorization policy that permits you to use the email address specified in the ReturnPath parameter of SendRawEmail.

  • Include X-headers in the email. X-headers are custom headers that you can use in addition to standard email headers (such as the From, Reply-To, or Subject headers). Amazon SES recognizes three X-headers that you can use to specify sending authorization parameters:

    Important

    Do not include these X-headers in the DKIM signature, because they are removed by Amazon SES before sending the email.

    X-Header

    Description

    X-SES-SOURCE-ARN

    Corresponds to the SourceArn.

    X-SES-FROM-ARN

    Corresponds to the FromArn.

    X-SES-RETURN-PATH-ARN

    Corresponds to the ReturnPathArn.

    Amazon SES removes all X-headers from the email before sending it. If you include multiple instances of an X-header, Amazon SES uses only the first instance.

    The following example shows an email that includes sending authorization X-headers:

    X-SES-SOURCE-ARN: arn:aws:ses:us-east-1:123456789012:identity/example.com X-SES-FROM-ARN: arn:aws:ses:us-east-1:123456789012:identity/example.com X-SES-RETURN-PATH-ARN: arn:aws:ses:us-east-1:123456789012:identity/example.com From: sender@example.com To: recipient@example.com Return-Path: feedback@example.com Subject: subject Content-Type: multipart/alternative; boundary="----=_boundary" ------=_boundary Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit body ------=_boundary Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: 7bit body ------=_boundary--

SendEmail and SendTemplatedEmail

If you use the SendEmail or SendTemplatedEmail operation, you can specify the delegated authorized identity by passing in the optional parameters below. You can't use the X-header method when you use the SendEmail or SendTemplatedEmail operation.

Parameter

Description

SourceArn

The ARN of the identity that is associated with the sending authorization policy that permits you to send for the email address specified in the Source parameter of either SendEmail or SendTemplatedEmail.

ReturnPathArn

The ARN of the identity that is associated with the sending authorization policy that permits you to use the email address specified in the ReturnPath parameter of either SendEmail or SendTemplatedEmail.

The following example shows how to send an email that includes the SourceArn and ReturnPathArn attributes using either the SendEmail or SendTemplatedEmail operation and the SDK for Python.

import boto3 from botocore.exceptions import ClientError # Create a new SES resource and specify a region. client = boto3.client('ses',region_name="us-east-1") # Try to send the email. try: #Provide the contents of the email. response = client.send_email( Destination={ 'ToAddresses': [ 'recipient@example.com', ], }, Message={ 'Body': { 'Html': { 'Charset': 'UTF-8', 'Data': 'This email was sent with Amazon SES.', }, }, 'Subject': { 'Charset': 'UTF-8', 'Data': 'Amazon SES Test', }, }, SourceArn='arn:aws:ses:us-east-1:123456789012:identity/example.com', ReturnPathArn='arn:aws:ses:us-east-1:123456789012:identity/example.com', Source='sender@example.com', ReturnPath='feedback@example.com' ) # Display an error if something goes wrong. except ClientError as e: print(e.response['Error']['Message']) else: print("Email sent! Message ID:"), print(response['ResponseMetadata']['RequestId'])

Using the Amazon SES SMTP interface

When you use the Amazon SES SMTP interface for delegate sending, you have to include the X-SES-SOURCE-ARN, X-SES-FROM-ARN, and X-SES-RETURN-PATH-ARN headers in your message. Pass these headers after you issue the DATA command in the SMTP conversation.