Sending policy examples - Amazon Simple Email Service

Sending policy examples

Sending authorization enables you to specify the fine-grained conditions under which you allow delegate senders to send on your behalf.

Conditions specific to sending authorization

A condition is any restriction about the permission in the statement. The part of the statement that specifies the conditions can be the most detailed of all the parts. A key is the specific characteristic that's the basis for access restriction, such as the date and time of the request.

You use both conditions and keys together to express the restriction. For example, if you want to restrict the delegate sender from making requests to Amazon SES on your behalf after July 30, 2019, you use the condition called DateLessThan. You use the key called aws:CurrentTime and set it to the value 2019-07-30T00:00:00Z.

You can use any of the AWS-wide keys listed at Available Keys in the IAM User Guide, or you can use one of the following keys specific to SES that are useful in sending authorization policies:

Condition key



Restricts the recipient addresses, which include the To:, "CC", and "BCC" addresses.


Restricts the "From" address.


Restricts the contents of the string that is used as the "From" display name (sometimes called "friendly from"). For example, the display name of "John Doe <>" is John Doe.


Restricts the "Return Path" address, which is the address where bounce and complaints can be sent to you by email feedback forwarding. For information about email feedback forwarding, see Receiving Amazon SES notifications through email.

You can use the StringEquals and StringLike conditions with Amazon SES keys. These conditions are for case-sensitive string matching. For StringLike, the values can include a multi-character match wildcard (*) or a single-character match wildcard (?) anywhere in the string. For example, the following condition specifies that the delegate sender can only send from a "From" address that starts with invoicing and ends with

"Condition": { "StringLike": { "ses:FromAddress": "invoicing*" } }

You can also use the StringNotLike condition to prevent delegate senders from sending email from certain email addresses. For example, you can disallow sending from, and also similar addresses such as "admin",, or, by including the following condition in your policy statement:

"Condition": { "StringNotLike": { "ses:FromAddress": "*admin*" } }

For more information about how to specify conditions, see IAM JSON Policy Elements: Condition in the IAM User Guide.

Specifying the delegate sender

The principal, which is the entity to which you are granting permission, can be an AWS account, an AWS Identity and Access Management (IAM) user, or an AWS service.

The following example shows a simple policy that allows AWS ID 123456789012 to send email from the verified identity (which is owned by AWS account 888888888888). The Condition statement in this policy only allows the delegate (that is, AWS ID 123456789012) to send email from the address marketing+.*, where * is any string that the sender wants to add after marketing+..

{ "Id":"SampleAuthorizationPolicy", "Version":"2012-10-17", "Statement":[ { "Sid":"AuthorizeMarketer", "Effect":"Allow", "Resource":"arn:aws:ses:us-east-1:888888888888:identity/", "Principal":{ "AWS":[ "123456789012" ] }, "Action":[ "ses:SendEmail", "ses:SendRawEmail" ], "Condition":{ "StringLike":{ "ses:FromAddress":"marketing+.*" } } } ] }

The following example policy grants permission to two IAM users to send from identity IAM users are specified by their Amazon Resource Name (ARN).

{ "Id":"ExampleAuthorizationPolicy", "Version":"2012-10-17", "Statement":[ { "Sid":"AuthorizeIAMUser", "Effect":"Allow", "Resource":"arn:aws:ses:us-east-1:888888888888:identity/", "Principal":{ "AWS":[ "arn:aws:iam::111122223333:user/John", "arn:aws:iam::444455556666:user/Jane" ] }, "Action":[ "ses:SendEmail", "ses:SendRawEmail" ] } ] }

The following example policy grants permission to Amazon Cognito to send from identity

{ "Id":"ExampleAuthorizationPolicy", "Version":"2012-10-17", "Statement":[ { "Sid":"AuthorizeService", "Effect":"Allow", "Resource":"arn:aws:ses:us-east-1:888888888888:identity/", "Principal":{ "Service":[ "" ] }, "Action":[ "ses:SendEmail", "ses:SendRawEmail" ], "Condition": { "StringEquals": { "aws:SourceAccount": "888888888888", "aws:SourceArn": "arn:aws:cognito-idp:us-east-1:888888888888:userpool/your-user-pool-id-goes-here" } } } ] }

The following example policy grants permission to all accounts within an AWS Organization to send from identity The AWS Organization is specified using the PrincipalOrgID global condition key.

{ "Id":"ExampleAuthorizationPolicy", "Version":"2012-10-17", "Statement":[ { "Sid":"AuthorizeOrg", "Effect":"Allow", "Resource":"arn:aws:ses:us-east-1:888888888888:identity/", "Principal":"*", "Action":[ "ses:SendEmail", "ses:SendRawEmail" ], "Condition":{ "StringEquals":{ "aws:PrincipalOrgID":"o-xxxxxxxxxxx" } } } ] }

Restricting the "From" address

If you use a verified domain, you may want to create a policy that allows only the delegate sender to send from a specified email address. To restrict the "From" address, you set a condition on the key called ses:FromAddress. The following policy enables AWS account ID 123456789012 to send from the identity, but only from the email address

{ "Id":"ExamplePolicy", "Version":"2012-10-17", "Statement":[ { "Sid":"AuthorizeFromAddress", "Effect":"Allow", "Resource":"arn:aws:ses:us-east-1:888888888888:identity/", "Principal":{ "AWS":[ "123456789012" ] }, "Action":[ "ses:SendEmail", "ses:SendRawEmail" ], "Condition":{ "StringEquals":{ "ses:FromAddress":"" } } } ] }

Restricting the time at which the delegate can send email

You can also configure your sender authorization policy so that a delegate sender can send email only at a certain time of day, or within a certain date range. For example, if you plan to send an email campaign during the month of September 2021, you can use the following policy to restrict the delegate's ability to send email to that month only.

{ "Id":"ExamplePolicy", "Version":"2012-10-17", "Statement":[ { "Sid":"ControlTimePeriod", "Effect":"Allow", "Resource":"arn:aws:ses:us-east-1:888888888888:identity/", "Principal":{ "AWS":[ "123456789012" ] }, "Action":[ "ses:SendEmail", "ses:SendRawEmail" ], "Condition":{ "DateGreaterThan":{ "aws:CurrentTime":"2021-08-31T12:00Z" }, "DateLessThan":{ "aws:CurrentTime":"2021-10-01T12:00Z" } } } ] }

Restricting the email sending action

There are two actions that senders can use to send an email with Amazon SES: SendEmail and SendRawEmail, depending on how much control the sender wants over the format of the email. Sending authorization policies enable you to restrict the delegate sender to one of those two actions. However, many identity owners leave the details of the email sending calls up to the delegate sender by enabling both actions in their policies.


If you want to enable the delegate sender to access Amazon SES through the SMTP interface, you must choose SendRawEmail at a minimum.

If your use case is such that you want to restrict the action, you can do so by including only one of the actions in your sending authorization policy. The following example shows you how to restrict the action to SendRawEmail.

{ "Id":"ExamplePolicy", "Version":"2012-10-17", "Statement":[ { "Sid":"ControlAction", "Effect":"Allow", "Resource":"arn:aws:ses:us-east-1:888888888888:identity/", "Principal":{ "AWS":[ "123456789012" ] }, "Action":[ "ses:SendRawEmail" ] } ] }

Restricting the display name of the email sender

Some email clients display the "friendly" name of the email sender (if the email header provides it), rather than the actual "From" address. For example, the display name of "John Doe <>" is John Doe. For instance, you might send emails from, but you prefer that recipients see that the email is from Marketing rather than from The following policy enables AWS account ID 123456789012 to send from identity, but only if the display name of the "From" address includes Marketing.

{ "Id":"ExamplePolicy", "Version":"2012-10-17", "Statement":[ { "Sid":"AuthorizeFromAddress", "Effect":"Allow", "Resource":"arn:aws:ses:us-east-1:888888888888:identity/", "Principal":{ "AWS":[ "123456789012" ] }, "Action":[ "ses:SendEmail", "ses:SendRawEmail" ], "Condition":{ "StringLike":{ "ses:FromDisplayName":"Marketing" } } } ] }

Using multiple statements

Your sending authorization policy can include multiple statements. The following example policy has two statements. The first statement authorizes two AWS accounts to send from as long as the "From" address and the feedback address both use the domain The second statement authorizes an IAM user to send email from as long as the recipient's email address is under the domain.

{ "Version":"2012-10-17", "Statement":[ { "Sid":"AuthorizeAWS", "Effect":"Allow", "Resource":"arn:aws:ses:us-east-1:999999999999:identity/", "Principal":{ "AWS":[ "111111111111", "222222222222" ] }, "Action":[ "ses:SendEmail", "ses:SendRawEmail" ], "Condition":{ "StringLike":{ "ses:FromAddress":"*", "ses:FeedbackAddress":"*" } } }, { "Sid":"AuthorizeInternal", "Effect":"Allow", "Resource":"arn:aws:ses:us-east-1:999999999999:identity/", "Principal":{ "AWS":"arn:aws:iam::333333333333:user/Jane" }, "Action":[ "ses:SendEmail", "ses:SendRawEmail" ], "Condition":{ "ForAllValues:StringLike":{ "ses:Recipients":"*" } } } ] }