Authorizing senders using the Amazon SES API and the Amazon SDK for PHP Version 3 - Amazon SDK for PHP
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Authorizing senders using the Amazon SES API and the Amazon SDK for PHP Version 3

To enable another Amazon Web Services account, Amazon Identity and Access Management user, or Amazon service to send email through Amazon Simple Email Service (Amazon SES) on your behalf, you create a sending authorization policy. This is a JSON document that you attach to an identity that you own.

The policy expressly lists who you are allowing to send for that identity, and under which conditions. All senders, other than you and the entities you explicitly grant permissions to in the policy, are not allowed to send emails. An identity can have no policy, one policy, or multiple policies attached to it. You can also have one policy with multiple statements to achieve the effect of multiple policies.

For more information, see Using Sending Authorization with Amazon SES.

The following examples show how to:

All the example code for the Amazon SDK for PHP is available here on GitHub.


Before running the example code, configure your Amazon credentials, as described in Credentials. Then import the Amazon SDK for PHP, as described in Basic usage.

For more information about using Amazon SES, see the Amazon SES Developer Guide.

Create an authorized sender

To authorize another Amazon Web Services account to send emails on your behalf, use an identity policy to add or update authorization to send emails from your verified email addresses or domains. To create an identity policy, use the PutIdentityPolicy operation.


require 'vendor/autoload.php'; use Aws\Exception\AwsException; use Aws\Ses\SesClient;

Sample Code

$SesClient = new SesClient([ 'profile' => 'default', 'version' => '2010-12-01', 'region' => 'us-east-1' ]); $identity = "arn:aws:ses:us-east-1:123456789012:identity/"; $other_aws_account = "0123456789"; $policy = <<<EOT { "Id":"ExampleAuthorizationPolicy", "Version":"2012-10-17", "Statement":[ { "Sid":"AuthorizeAccount", "Effect":"Allow", "Resource":"$identity", "Principal":{ "AWS":[ "$other_aws_account" ] }, "Action":[ "SES:SendEmail", "SES:SendRawEmail" ] } ] } EOT; $name = "policyName"; try { $result = $SesClient->putIdentityPolicy([ 'Identity' => $identity, 'Policy' => $policy, 'PolicyName' => $name, ]); var_dump($result); } catch (AwsException $e) { // output error message if fails echo $e->getMessage(); echo "\n"; }

Retrieve polices for an authorized sender

Return the sending authorization policies that are associated with a specific email identity or domain identity. To get the sending authorization for a given email address or domain, use the GetIdentityPolicy operation.


require 'vendor/autoload.php'; use Aws\Exception\AwsException; use Aws\Ses\SesClient;

Sample Code

$SesClient = new SesClient([ 'profile' => 'default', 'version' => '2010-12-01', 'region' => 'us-east-1' ]); $identity = "arn:aws:ses:us-east-1:123456789012:identity/"; $policies = ["policyName"]; try { $result = $SesClient->getIdentityPolicies([ 'Identity' => $identity, 'PolicyNames' => $policies, ]); var_dump($result); } catch (AwsException $e) { // output error message if fails echo $e->getMessage(); echo "\n"; }

List authorized senders

To list the sending authorization policies that are associated with a specific email identity or domain identity in the current Amazon Region, use the ListIdentityPolicies operation.


require 'vendor/autoload.php'; use Aws\Exception\AwsException; use Aws\Ses\SesClient;

Sample Code

$SesClient = new SesClient([ 'profile' => 'default', 'version' => '2010-12-01', 'region' => 'us-east-1' ]); $identity = "arn:aws:ses:us-east-1:123456789012:identity/"; try { $result = $SesClient->listIdentityPolicies([ 'Identity' => $identity, ]); var_dump($result); } catch (AwsException $e) { // output error message if fails echo $e->getMessage(); echo "\n"; }

Revoke permission for an authorized sender

Remove sending authorization for another Amazon Web Services account to send emails with an email identity or domain identity by deleting the associated identity policy with the DeleteIdentityPolicy operation.


require 'vendor/autoload.php'; use Aws\Exception\AwsException; use Aws\Ses\SesClient;

Sample Code

$SesClient = new SesClient([ 'profile' => 'default', 'version' => '2010-12-01', 'region' => 'us-east-1' ]); $identity = "arn:aws:ses:us-east-1:123456789012:identity/"; $name = "policyName"; try { $result = $SesClient->deleteIdentityPolicy([ 'Identity' => $identity, 'PolicyName' => $name, ]); var_dump($result); } catch (AwsException $e) { // output error message if fails echo $e->getMessage(); echo "\n"; }