AWS News Blog

New – Sending Authorization for the Amazon Simple Email Service

The Amazon Simple Email Service (SES) makes it easy for you to send email with minimum setup and maximum scalability. SES focuses on deliverability (see my blog post, Introducing the Amazon Simple Email Service, to learn more about this) so that the messages you send have a high probability of arriving in the intended inboxes rather than heading straight for the spam folder!

Today we are making SES even more useful by giving you the ability to grant “send” permission to other AWS accounts or IAM users. This allows you to loan out an identity (an email address or domain that you have verified) while retaining control over the identity. You can monitor SES usage (delivery, bounce, and complaint notifications) and fine-tune permissions at any time.

You can use this feature in many different ways. A new post (Announcing Sending Authorization) on the Amazon Simple Email Service Blog contains a pair of examples:

  • You run email marketing campaigns for an online retailer that is already using SES. They give you permission to send marketing emails under their domain name and authorize you as a sender. You don’t have to verify the domain under your AWS account. Both parties receive bounce and complaint notifications independently.
  • Your organization uses multiple AWS accounts spread across a variety of divisions and/or departments. You can verify the common identity once, relative to a single AWS account, and then grant permission for the other accounts to use it.

As you can see in the full blog post, you start by creating a sending authorization policy that authorizes another account or IAM user to make use of the SendEmail and/or SendRawEmail functions. This policy can also restrict usage based on the email address of the sender by adding a condition that checks the ses:FromAddress property.

The Policy Generator in the SES Console can be used to create the necessary policy with a couple of clicks. Here’s how you would use it to set up a policy that allows AWS account 123456789012 to send from domain example.com using email address marketing@example.com:
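
The policy described above, written out as an added example (not taken from the original post or from the Policy Generator's output), together with a small audit that flags statements missing a specific principal or the ses:FromAddress condition. The identity owner's account 111122223333, the us-east-1 region, the Sid, and the helper names make_policy and audit are assumptions.

```python
import json

# 123456789012, example.com and marketing@example.com are the post's values.
# Assumed placeholders: the identity owner's account 111122223333, region us-east-1.
IDENTITY_ARN = "arn:aws:ses:us-east-1:111122223333:identity/example.com"
SEND_ACTIONS = {"ses:SendEmail", "ses:SendRawEmail"}


def make_policy(principal, from_address=None):
    """Build a sending authorization policy for IDENTITY_ARN (hypothetical helper)."""
    statement = {
        "Sid": "AuthorizeSender",
        "Effect": "Allow",
        "Principal": {"AWS": principal},
        "Action": sorted(SEND_ACTIONS),
        "Resource": IDENTITY_ARN,
    }
    if from_address:
        statement["Condition"] = {"StringEquals": {"ses:FromAddress": from_address}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def as_list(value):
    return value if isinstance(value, list) else [value]


def audit(policy):
    """Return findings for Allow statements that grant more than a scoped send."""
    findings = []
    for st in as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", "<no Sid>")
        principal = st.get("Principal")
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        if "*" in as_list(aws):
            findings.append(f"{sid}: every AWS principal is authorized")
        extra = [a for a in as_list(st.get("Action", [])) if a not in SEND_ACTIONS]
        if extra:
            findings.append(f"{sid}: actions beyond SendEmail/SendRawEmail: {extra}")
        # Condition keys are compared case-insensitively.
        keys = {k.lower() for op in st.get("Condition", {}).values() for k in op}
        if "ses:fromaddress" not in keys:
            findings.append(f"{sid}: no ses:FromAddress condition")
    return findings


# The policy the post describes, and a constructed loose variant for contrast.
SCOPED = make_policy("arn:aws:iam::123456789012:root", "marketing@example.com")
LOOSE = make_policy("*")

if __name__ == "__main__":
    print(json.dumps(SCOPED, indent=2))
    print(audit(SCOPED), audit(LOOSE))
```

Running the audit over every identity's attached policies during a periodic review shows which delegations are not pinned to a sender address.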

To send an email on your behalf, the sender would pass the ARN of example.com in the call to the SES function or in an email header (see the SES Developer Guide for more information).

To learn more, read Announcing Sending Authorization on the Amazon SES Blog.

Jeff;