Menu
Amazon Simple Email Service
Developer Guide

Amazon SES Sending Authorization Policy Examples

Sending authorization enables you to specify the fine-grained conditions under which you allow delegate senders to send on your behalf. The following examples show you how to write policies to control different aspects of sending:

Specifying the Delegate Sender

The principal, which is the entity to which you are granting permission, can be an AWS account, an AWS Identity and Access Management (IAM) user, or an AWS service.

The following example shows a simple policy that allows AWS ID 123456789012 to send email from the verified identity example.com (which is owned by AWS account 888888888888). The Condition statement in this policy only allows the delegate (that is, AWS ID 123456789012) to send email from the address marketing+.*@example.com, where .* is any string that the sender wants to add after marketing+.

{ "Id":"SampleAuthorizationPolicy", "Version":"2012-10-17", "Statement":[ { "Sid":"AuthorizeMarketer", "Effect":"Allow", "Resource":"arn:aws:ses:us-east-1:888888888888:identity/example.com", "Principal":{ "AWS":[ "123456789012" ] }, "Action":[ "SES:SendEmail", "SES:SendRawEmail" ], "Condition":{ "StringLike":{ "ses:FromAddress":"marketing+.*@example.com" } } } ] }

The following example policy grants permission to two IAM users to send from identity example.com. IAM users are specified by their Amazon Resource Name (ARN).

{ "Id":"ExampleAuthorizationPolicy", "Version":"2012-10-17", "Statement":[ { "Sid":"AuthorizeIAMUser", "Effect":"Allow", "Resource":"arn:aws:ses:us-east-1:888888888888:identity/example.com", "Principal":{ "AWS":[ "arn:aws:iam::111122223333:user/John", "arn:aws:iam::444455556666:user/Jane" ] }, "Action":[ "SES:SendEmail", "SES:SendRawEmail" ] } ] }

The following example policy grants permission to Amazon Cognito to send from identity example.com.

{ "Id":"ExampleAuthorizationPolicy", "Version":"2012-10-17", "Statement":[ { "Sid":"AuthorizeService", "Effect":"Allow", "Resource":"arn:aws:ses:us-east-1:888888888888:identity/example.com", "Principal":{ "Service":[ "cognito-idp.amazonaws.com" ] }, "Action":[ "SES:SendEmail", "SES:SendRawEmail" ] } ] }

Restricting the "From" Address

If you use a verified domain, you may want to create a policy that only allows the delegate sender to send from a specified email address. To restrict the "From" address, you set a condition on the key called ses:FromAddress. The following policy enables AWS account ID 123456789012 to send from the identity example.com, but only from the email address sender@example.com.

{ "Id":"ExamplePolicy", "Version":"2012-10-17", "Statement":[ { "Sid":"AuthorizeFromAddress", "Effect":"Allow", "Resource":"arn:aws:ses:us-east-1:888888888888:identity/example.com", "Principal":{ "AWS":[ "123456789012" ] }, "Action":[ "SES:SendEmail", "SES:SendRawEmail" ], "Condition":{ "StringEquals":{ "ses:FromAddress":"sender@example.com" } } } ] }

Restricting the Destination of Bounce and Complaint Feedback

If a delegate sender is sending on your behalf and you want to ensure that bounce and complaint notifications are forwarded to you by email, you need to do two things: you must enable email feedback forwarding for the identity by using the procedure in Amazon SES Notifications Through Email, and you must restrict the "Return Path" of the emails to an email address that you own by setting a condition on the ses:FeedbackAddress key.

The following sending authorization policy enables AWS account ID 123456789012 to send from the identity example.com as long as the "Return Path" of the email is set to feedback@example.com.

{ "Id":"ExamplePolicy", "Version":"2012-10-17", "Statement":[ { "Sid":"ControlReturnPath", "Effect":"Allow", "Resource":"arn:aws:ses:us-east-1:888888888888:identity/example.com", "Principal":{ "AWS":[ "123456789012" ] }, "Action":[ "SES:SendEmail", "SES:SendRawEmail" ], "Condition":{ "StringEquals":{ "ses:FeedbackAddress":"feedback@example.com" } } } ] }

Restricting the Time at which the Delegate can Send Email

You can also configure your sender authorization policy so that a delegate sender can only send email at a certain time of day, or within a certain date range. For example, if you plan to send an email campaign during the month of September 2018, you can use the following policy to limit the delegate's ability to send email to that month only.

{ "Id":"ExamplePolicy", "Version":"2012-10-17", "Statement":[ { "Sid":"ControlTimePeriod", "Effect":"Allow", "Resource":"arn:aws:ses:us-east-1:888888888888:identity/example.com", "Principal":{ "AWS":[ "123456789012" ] }, "Action":[ "SES:SendEmail", "SES:SendRawEmail" ], "Condition":{ "DateGreaterThan":{ "aws:CurrentTime":"2018-08-31T12:00Z" }, "DateLessThan":{ "aws:CurrentTime":"2018-10-01T12:00Z" } } } ] }

Restricting the Email-Sending Action

There are two actions that senders can use to send an email with Amazon SES: SendEmail and SendRawEmail, depending on how much control the sender wants over the format of the email. Sending authorization policies enable you to restrict the delegate sender to one of those two actions. However, many identity owners leave the details of the email-sending calls up to the delegate sender by enabling both actions in their policies.

Note

If you want to enable the delegate sender to access Amazon SES through the SMTP interface, you must choose SendRawEmail at a minimum.

If your use case is such that you want to restrict the action, you can do so by including only one of the actions in your sending authorization policy. The following example shows you how to restrict the action to SendRawEmail.

{ "Id":"ExamplePolicy", "Version":"2012-10-17", "Statement":[ { "Sid":"ControlAction", "Effect":"Allow", "Resource":"arn:aws:ses:us-east-1:888888888888:identity/example.com", "Principal":{ "AWS":[ "123456789012" ] }, "Action":[ "SES:SendRawEmail" ] } ] }

Restricting the Display Name of the Email Sender

Some email clients display the "friendly" name of the email sender (if the email header provides it), rather than the actual "From" address. For example, the display name of "John Doe <johndoe@example.com>" is John Doe. For instance, you might send emails from user@example.com, but you prefer that recipients see that the email is from Marketing rather than from user@example.com. The following policy enables AWS account ID 123456789012 to send from identity example.com, but only if the display name of the "From" address includes Marketing.

{ "Id":"ExamplePolicy", "Version":"2012-10-17", "Statement":[ { "Sid":"AuthorizeFromAddress", "Effect":"Allow", "Resource":"arn:aws:ses:us-east-1:888888888888:identity/example.com", "Principal":{ "AWS":[ "123456789012" ] }, "Action":[ "SES:SendEmail", "SES:SendRawEmail" ], "Condition":{ "StringLike":{ "ses:FromDisplayName":"Marketing" } } } ] }

Using Multiple Statements

Your sending authorization policy can include multiple statements. The following example policy has two statements. The first statement authorizes two AWS accounts to send from sender@example.com as long as the "From" address and the feedback address both use the domain example.com. The second statement authorizes an IAM user to send email from sender@example.com as long as the recipient's email address is under the example.com domain.

{ "Version":"2012-10-17", "Statement":[ { "Sid":"AuthorizeAWS", "Effect":"Allow", "Resource":"arn:aws:ses:us-east-1:999999999999:identity/sender@example.com", "Principal":{ "AWS":[ "111111111111", "222222222222" ] }, "Action":[ "SES:SendEmail", "SES:SendRawEmail" ], "Condition":{ "StringLike":{ "ses:FromAddress":"*@example.com", "ses:FeedbackAddress":"*@example.com" } } }, { "Sid":"AuthorizeInternal", "Effect":"Allow", "Resource":"arn:aws:ses:us-east-1:999999999999:identity/sender@example.com", "Principal":{ "AWS":"arn:aws:iam::333333333333:user/Jane" }, "Action":[ "SES:SendEmail", "SES:SendRawEmail" ], "Condition":{ "ForAllValues:StringLike":{ "ses:Recipients":"*@example.com" } } } ] }