Amazon SES Sending Authorization Policy Examples - Amazon Simple Email Service Classic

This is the user guide for Amazon SES Classic. Updates and new features are only being documented in the new Amazon SES Developer Guide, which we recommend that you use.

Amazon SES Sending Authorization Policy Examples

Sending authorization enables you to specify the fine-grained conditions under which you allow delegate senders to send on your behalf.

Specifying the Delegate Sender

The principal, which is the entity to which you are granting permission, can be an AWS account, an AWS Identity and Access Management (IAM) user, or an AWS service.

The following example shows a simple policy that allows AWS ID 123456789012 to send email from the verified identity (which is owned by AWS account 888888888888). The Condition statement in this policy only allows the delegate (that is, AWS ID 123456789012) to send email from the address marketing+.*, where .* is any string that the sender wants to add after marketing+.

{
  "Id":"SampleAuthorizationPolicy",
  "Version":"2012-10-17",
  "Statement":[
    {
      "Sid":"AuthorizeMarketer",
      "Effect":"Allow",
      "Resource":"arn:aws:ses:us-east-1:888888888888:identity/",
      "Principal":{
        "AWS":[
          "123456789012"
        ]
      },
      "Action":[
        "SES:SendEmail",
        "SES:SendRawEmail"
      ],
      "Condition":{
        "StringLike":{
          "ses:FromAddress":"marketing+.*"
        }
      }
    }
  ]
}

The following example policy grants permission to two IAM users to send from identity. IAM users are specified by their Amazon Resource Name (ARN).

{
  "Id":"ExampleAuthorizationPolicy",
  "Version":"2012-10-17",
  "Statement":[
    {
      "Sid":"AuthorizeIAMUser",
      "Effect":"Allow",
      "Resource":"arn:aws:ses:us-east-1:888888888888:identity/",
      "Principal":{
        "AWS":[
          "arn:aws:iam::111122223333:user/John",
          "arn:aws:iam::444455556666:user/Jane"
        ]
      },
      "Action":[
        "SES:SendEmail",
        "SES:SendRawEmail"
      ]
    }
  ]
}

The following example policy grants permission to Amazon Cognito to send from identity

{
  "Id":"ExampleAuthorizationPolicy",
  "Version":"2012-10-17",
  "Statement":[
    {
      "Sid":"AuthorizeService",
      "Effect":"Allow",
      "Resource":"arn:aws:ses:us-east-1:888888888888:identity/",
      "Principal":{
        "Service":[
          ""
        ]
      },
      "Action":[
        "SES:SendEmail",
        "SES:SendRawEmail"
      ],
      "Condition":{
        "StringEquals":{
          "aws:SourceAccount":"888888888888",
          "aws:SourceArn":"arn:aws:cognito-idp:us-east-1:888888888888:userpool/your-user-pool-id-goes-here"
        }
      }
    }
  ]
}

The following example policy grants permission to all accounts within an AWS Organization to send from identity. The AWS Organization is specified using the PrincipalOrgID global condition key.

{
  "Id":"ExampleAuthorizationPolicy",
  "Version":"2012-10-17",
  "Statement":[
    {
      "Sid":"AuthorizeOrg",
      "Effect":"Allow",
      "Resource":"arn:aws:ses:us-east-1:888888888888:identity/",
      "Principal":"*",
      "Action":[
        "SES:SendEmail",
        "SES:SendRawEmail"
      ],
      "Condition":{
        "StringEquals":{
          "aws:PrincipalOrgID":"o-xxxxxxxxxxx"
        }
      }
    }
  ]
}
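A check for the scoping pattern in the service-principal and organization policies above, as an added example that is not part of the AWS guide: it flags Allow statements whose wildcard or service principal is not tied to an owner by the condition keys shown on this page. The function names, the sample policy and the placeholder service principal are assumptions, and other scoping keys are not considered.

```python
# Condition keys (compared case-insensitively) that tie a broad principal to a known owner.
ORG_KEYS = {"aws:principalorgid"}
SOURCE_KEYS = {"aws:sourceaccount", "aws:sourcearn"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _pinned_keys(statement):
    """Lower-cased condition keys constrained by an exact-match operator."""
    keys = set()
    for operator, block in statement.get("Condition", {}).items():
        if operator in ("StringEquals", "ArnEquals"):
            keys.update(key.lower() for key in block)
    return keys

def lint_principals(policy):
    """Return (Sid, message) findings for Allow statements whose principal is not scoped."""
    findings = []
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        sid, principal, keys = stmt.get("Sid", "<no Sid>"), stmt.get("Principal"), _pinned_keys(stmt)
        aws = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
        if (principal == "*" or "*" in aws) and not keys & ORG_KEYS:
            findings.append((sid, "wildcard principal without aws:PrincipalOrgID"))
        if isinstance(principal, dict) and "Service" in principal and not keys & SOURCE_KEYS:
            findings.append((sid, "service principal without aws:SourceAccount or aws:SourceArn"))
    return findings

# Constructed policy: statement 1 mirrors the page's organization example, 2 and 3 are weakened.
SAMPLE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AuthorizeOrg", "Effect": "Allow", "Principal": "*",
         "Action": ["SES:SendEmail", "SES:SendRawEmail"],
         "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-xxxxxxxxxxx"}}},
        {"Sid": "OpenToAll", "Effect": "Allow", "Principal": "*",
         "Action": ["SES:SendEmail"]},
        {"Sid": "ServiceNoSource", "Effect": "Allow",
         "Principal": {"Service": ["service.example"]},  # placeholder service principal
         "Action": ["SES:SendEmail"]},
    ],
}

if __name__ == "__main__":
    for sid, message in lint_principals(SAMPLE):
        print(f"{sid}: {message}")
```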

Restricting the "From" Address

If you use a verified domain, you may want to create a policy that only allows the delegate sender to send from a specified email address. To restrict the "From" address, you set a condition on the key called ses:FromAddress. The following policy enables AWS account ID 123456789012 to send from the identity, but only from the email address

{
  "Id":"ExamplePolicy",
  "Version":"2012-10-17",
  "Statement":[
    {
      "Sid":"AuthorizeFromAddress",
      "Effect":"Allow",
      "Resource":"arn:aws:ses:us-east-1:888888888888:identity/",
      "Principal":{
        "AWS":[
          "123456789012"
        ]
      },
      "Action":[
        "SES:SendEmail",
        "SES:SendRawEmail"
      ],
      "Condition":{
        "StringEquals":{
          "ses:FromAddress":""
        }
      }
    }
  ]
}

Restricting the Time at which the Delegate can Send Email

You can also configure your sender authorization policy so that a delegate sender can only send email at a certain time of day, or within a certain date range. For example, if you plan to send an email campaign during the month of September 2018, you can use the following policy to restrict the delegate's ability to send email to that month only.

{
  "Id":"ExamplePolicy",
  "Version":"2012-10-17",
  "Statement":[
    {
      "Sid":"ControlTimePeriod",
      "Effect":"Allow",
      "Resource":"arn:aws:ses:us-east-1:888888888888:identity/",
      "Principal":{
        "AWS":[
          "123456789012"
        ]
      },
      "Action":[
        "SES:SendEmail",
        "SES:SendRawEmail"
      ],
      "Condition":{
        "DateGreaterThan":{
          "aws:CurrentTime":"2018-08-31T12:00Z"
        },
        "DateLessThan":{
          "aws:CurrentTime":"2018-10-01T12:00Z"
        }
      }
    }
  ]
}

Restricting the Email Sending Action

There are two actions that senders can use to send an email with Amazon SES: SendEmail and SendRawEmail, depending on how much control the sender wants over the format of the email. Sending authorization policies enable you to restrict the delegate sender to one of those two actions. However, many identity owners leave the details of the email sending calls up to the delegate sender by enabling both actions in their policies.


If you want to enable the delegate sender to access Amazon SES through the SMTP interface, you must choose SendRawEmail at a minimum.

If your use case is such that you want to restrict the action, you can do so by including only one of the actions in your sending authorization policy. The following example shows you how to restrict the action to SendRawEmail.

{
  "Id":"ExamplePolicy",
  "Version":"2012-10-17",
  "Statement":[
    {
      "Sid":"ControlAction",
      "Effect":"Allow",
      "Resource":"arn:aws:ses:us-east-1:888888888888:identity/",
      "Principal":{
        "AWS":[
          "123456789012"
        ]
      },
      "Action":[
        "SES:SendRawEmail"
      ]
    }
  ]
}

Restricting the Display Name of the Email Sender

Some email clients display the "friendly" name of the email sender (if the email header provides it), rather than the actual "From" address. For example, the display name of "John Doe <>" is John Doe. For instance, you might send emails from, but you prefer that recipients see that the email is from Marketing rather than from. The following policy enables AWS account ID 123456789012 to send from identity, but only if the display name of the "From" address includes Marketing.

{
  "Id":"ExamplePolicy",
  "Version":"2012-10-17",
  "Statement":[
    {
      "Sid":"AuthorizeFromAddress",
      "Effect":"Allow",
      "Resource":"arn:aws:ses:us-east-1:888888888888:identity/",
      "Principal":{
        "AWS":[
          "123456789012"
        ]
      },
      "Action":[
        "SES:SendEmail",
        "SES:SendRawEmail"
      ],
      "Condition":{
        "StringLike":{
          "ses:FromDisplayName":"Marketing"
        }
      }
    }
  ]
}

Using Multiple Statements

Your sending authorization policy can include multiple statements. The following example policy has two statements. The first statement authorizes two AWS accounts to send from as long as the "From" address and the feedback address both use the domain. The second statement authorizes an IAM user to send email from as long as the recipient's email address is under the domain.

{
  "Version":"2012-10-17",
  "Statement":[
    {
      "Sid":"AuthorizeAWS",
      "Effect":"Allow",
      "Resource":"arn:aws:ses:us-east-1:999999999999:identity/",
      "Principal":{
        "AWS":[
          "111111111111",
          "222222222222"
        ]
      },
      "Action":[
        "SES:SendEmail",
        "SES:SendRawEmail"
      ],
      "Condition":{
        "StringLike":{
          "ses:FromAddress":"*",
          "ses:FeedbackAddress":"*"
        }
      }
    },
    {
      "Sid":"AuthorizeInternal",
      "Effect":"Allow",
      "Resource":"arn:aws:ses:us-east-1:999999999999:identity/",
      "Principal":{
        "AWS":"arn:aws:iam::333333333333:user/Jane"
      },
      "Action":[
        "SES:SendEmail",
        "SES:SendRawEmail"
      ],
      "Condition":{
        "ForAllValues:StringLike":{
          "ses:Recipients":"*"
        }
      }
    }
  ]
}
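How the condition operators used in this page's policies evaluate, as an added example rather than AWS code: a small local evaluator run against constructed request contexts. Under IAM's StringLike rules only * and ? are wildcards, so the "." in marketing+.* is matched literally and a pattern with no wildcard must match the whole value. The function names and contexts are assumptions, and context keys are matched by exact name here.

```python
import re
from datetime import datetime

def _like(pattern, value):
    """IAM StringLike: case-sensitive; only * and ? are wildcards, '.' is literal."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.DOTALL) is not None

def _date(text):
    return datetime.fromisoformat(text.replace("Z", "+00:00"))

OPERATORS = {
    "StringEquals": lambda want, got: got == want,
    "StringLike": _like,
    "DateGreaterThan": lambda want, got: _date(got) > _date(want),
    "DateLessThan": lambda want, got: _date(got) < _date(want),
}

def condition_matches(condition, context):
    """True when the request context satisfies every operator/key pair (they are ANDed)."""
    for operator, block in condition.items():
        for_all = operator.startswith("ForAllValues:")
        test = OPERATORS[operator.split(":", 1)[-1]]
        for key, wanted in block.items():
            wanted = wanted if isinstance(wanted, list) else [wanted]
            got = context.get(key)
            if for_all:
                # Every value in the request must match; an empty set passes vacuously.
                ok = all(any(test(w, v) for w in wanted) for v in (got or []))
            else:
                ok = got is not None and any(test(w, got) for w in wanted)
            if not ok:
                return False
    return True

# Conditions copied from the page's policies; the request contexts are constructed samples.
FROM_COND = {"StringLike": {"ses:FromAddress": "marketing+.*"}}
NAME_COND = {"StringLike": {"ses:FromDisplayName": "Marketing"}}
TIME_COND = {"DateGreaterThan": {"aws:CurrentTime": "2018-08-31T12:00Z"},
             "DateLessThan": {"aws:CurrentTime": "2018-10-01T12:00Z"}}
# Constructed pattern: the page's recipient domain is not shown, so example.com stands in.
RCPT_COND = {"ForAllValues:StringLike": {"ses:Recipients": "*@example.com"}}

if __name__ == "__main__":
    print(condition_matches(FROM_COND, {"ses:FromAddress": "marketing+promo@example.com"}))
    print(condition_matches(NAME_COND, {"ses:FromDisplayName": "Marketing Team"}))
    print(condition_matches(TIME_COND, {"aws:CurrentTime": "2018-08-31T13:00Z"}))
    print(condition_matches(RCPT_COND, {"ses:Recipients": ["a@example.com", "b@example.net"]}))
```

The time-window case shows that the policy's bounds admit sends from noon UTC on 31 August 2018 and stop at noon UTC on 1 October 2018.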