awsdocs / amazon-ses-developer-guide

The open source version of the Amazon Simple Email Service (Amazon SES) Developer Guide. You can submit feedback & requests for changes by submitting issues in this repo or by making proposed changes & submitting a pull request.

License: Other


amazon-ses-developer-guide's Issues

BYODKIM documentation does not specify PKCS#1 which breaks on OpenSSL 3.0 or later

Nowhere in this documentation does it mention that BYODKIM requires a PKCS#1 formatted private key.

I've just lost a day fighting with this because OpenSSL after 3.0 (which was released in 2021) generates PKCS#8 RSA keys by default.

The SES console silently accepts them (because we are forced to strip off the header and footer and reformat the key material without whitespace -- which is also dumb) and happily creates the sending identity which then NEVER VALIDATES.

It would be very helpful if this guide could mention that users of OpenSSL from 3.0 onwards need to provide the -traditional flag when generating the key to get a PKCS#1 private key

For example:

$ openssl genrsa -f4 -traditional -out private-key.pem 2048
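
Once the PEM header and footer are stripped, as the issue describes, the two formats can only be told apart from the DER structure: after the version INTEGER, PKCS#1 continues with the modulus INTEGER and PKCS#8 with an AlgorithmIdentifier SEQUENCE. A pre-upload check along those lines (added example, not from the issue author or the AWS guide; the sample inputs are constructed, truncated DER prefixes, not real keys):

```python
import base64

# DER bytes (tag, length, value) of the rsaEncryption OID 1.2.840.113549.1.1.1
RSA_OID = bytes.fromhex("06092a864886f70d010101")

# Constructed, truncated DER prefixes (structure only, no key material),
# base64-encoded without PEM armor, as the key would be pasted.
SAMPLE_PKCS1 = base64.b64encode(
    bytes.fromhex("308204a40201000282010100c1")).decode()
SAMPLE_PKCS8 = base64.b64encode(
    bytes.fromhex("308204be020100300d06092a864886f70d0101010500048204a8")).decode()

def _tlv(der, pos):
    """Return (tag, value_start, value_length) of the DER element at pos."""
    tag, length = der[pos], der[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(der[pos:pos + n], "big")
        pos += n
    return tag, pos, length

def private_key_format(b64_body):
    """Classify an armor-less base64 RSA private key: 'PKCS#1', 'PKCS#8' or 'unknown'."""
    der = base64.b64decode("".join(b64_body.split()))
    try:
        tag, pos, _ = _tlv(der, 0)          # outer SEQUENCE
        if tag != 0x30:
            return "unknown"
        tag, pos, length = _tlv(der, pos)   # version INTEGER
        if tag != 0x02:
            return "unknown"
        tag, pos, _ = _tlv(der, pos + length)
    except IndexError:
        return "unknown"
    if tag == 0x02:                         # modulus INTEGER follows: RSAPrivateKey
        return "PKCS#1"
    if tag == 0x30 and der[pos:pos + len(RSA_OID)] == RSA_OID:
        return "PKCS#8"                     # AlgorithmIdentifier follows: PrivateKeyInfo
    return "unknown"

if __name__ == "__main__":
    for name, body in (("sample 1", SAMPLE_PKCS1), ("sample 2", SAMPLE_PKCS8)):
        print(name, "->", private_key_format(body))
```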

Unable to send and receive email with attachment when called from AWS Lambda

Below code is not showing any error when run, but it is still not sending/receiving email with attachment:

import email
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
from email import header
from email.mime.application import MIMEApplication

from botocore.exceptions import ClientError  # raised by boto3 clients on API errors

def email_from_S3(self, S3, senderFile):
    print('Sending Email...')
    Sender = '[email protected]'
    Recipient = '[email protected]'
    Attachment = 'C:/Users/mittas1/Downloads/' + senderFile
    # Download the object from S3 to the local path before attaching it
    S3.s3_client.download_file(S3.bucket, 'output/' + senderFile, Attachment)
    # Build a multipart message: one text part plus the file attachment
    msg = MIMEMultipart()
    msg['Subject'] = 'CRD_Extract'
    msg['From'] = Sender
    msg['To'] = Recipient
    textpart = MIMEText('The output file was downloaded from S3')
    msg.attach(textpart)
    att = MIMEApplication(open(Attachment, 'rb').read())
    att.add_header('Content-Disposition', 'attachment', filename=Attachment)
    msg.attach(att)
    try:
        response = S3.ses_client.send_raw_email(
            Source=Sender,
            Destinations=[Recipient],
            RawMessage={"Data": msg.as_string()}
        )
    except ClientError as e:
        print(e.response['Error']['Message'])
    else:
        print("Email sent! Message ID:", response['MessageId'])

Confusing describe-configuration-set command example

It seems the example aws ses describe-configuration-set --configuration-set-name ConfigSet --region us-west-2 command at https://docs.aws.amazon.com/ses/latest/DeveloperGuide/monitoring-sender-reputation-pausing-configuration-set.html#monitoring-sender-reputation-pausing-configuration-set-part-4 doesn't return ReputationOptions for a configuration set, which is potentially confusing.

Likely it should be replaced with aws ses describe-configuration-set --configuration-set-name ConfigSet --configuration-set-attribute-names reputationOptions --region us-west-2

Seemingly incorrect description of IAM policy behavior

In the documentation page on sending authorization policies, the policy evaluation behavior is described as follows:

Each statement includes the core information about a single permission. If a policy includes multiple statements, Amazon SES applies a logical OR across the statements at evaluation time. Similarly, if an identity has multiple policies attached to it, Amazon SES applies a logical OR across the policies at evaluation time.

This doesn't seem correct based on IAM behavior elsewhere and a couple of experiments I ran, and could lead to user confusion. In general, in IAM, statements aren't simply ORed together because Deny statements win over any Allow statements, so the more correct way to describe the overall behavior of a policy is to OR the allows together AND NOT any of the deny statements, or something like this. It seems simpler to refer people back to the central IAM evaluation behavior documentation, however, than to try to explain it again.

More confusing for me was the "logical OR across the policies at evaluation time", which suggested that the policies were considered in isolation and the evaluation results ORed together. The distinction would be if I had an identity policy containing only a matching Allow, and another containing only a matching Deny, would the two interfere with one another? Logically ORing the two policy evaluations means the Allow would grant me access, but "stacking" the policies (as is more common in the IAM world), I'd be thwarted by the Deny. I experimented a bit and the stacking behavior seems to be what actually happens, so it's not really a logical OR across the policies.

Can this page be clarified a bit?
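
The two readings discussed in this issue, side by side in a toy evaluator (added example, not AWS code and not from the issue author). Matching is simplified to exact strings, and the principal ARN and both policies are constructed placeholders.

```python
DELEGATE = "arn:aws:iam::111122223333:user/delegate"  # placeholder principal

# Constructed identity policies mirroring the issue's scenario:
# one holds only a matching Allow, the other only a matching Deny.
ALLOW_ONLY = {"Statement": [
    {"Effect": "Allow", "Principal": DELEGATE, "Action": "ses:SendEmail"}]}
DENY_ONLY = {"Statement": [
    {"Effect": "Deny", "Principal": DELEGATE, "Action": "ses:SendEmail"}]}

def _matches(stmt, principal, action):
    # Simplification: exact string comparison, no wildcards or conditions.
    return stmt["Principal"] == principal and stmt["Action"] == action

def evaluate(statements, principal, action):
    """IAM-style decision: explicit Deny wins, else any Allow, else implicit deny."""
    effects = {s["Effect"] for s in statements if _matches(s, principal, action)}
    if "Deny" in effects:
        return "Deny"
    return "Allow" if "Allow" in effects else "ImplicitDeny"

def or_across_policies(policies, principal, action):
    """Each policy judged in isolation, results ORed (the literal reading)."""
    return any(evaluate(p["Statement"], principal, action) == "Allow"
               for p in policies)

def stacked(policies, principal, action):
    """All statements of all policies pooled, then judged once."""
    pooled = [s for p in policies for s in p["Statement"]]
    return evaluate(pooled, principal, action) == "Allow"

if __name__ == "__main__":
    both = [ALLOW_ONLY, DENY_ONLY]
    print("OR across policies:", or_across_policies(both, DELEGATE, "ses:SendEmail"))
    print("stacked:           ", stacked(both, DELEGATE, "ses:SendEmail"))
```

The two functions disagree only when an Allow and a Deny live in different policies, which is the case the issue author tested and reports as behaving like `stacked`.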

Add an example for using delegate sender with the SMTP gateway

Hello,

Related AWS case id : 5339866351

I pulled my hair for a long time after seeing this part of the doc : https://github.com/awsdocs/amazon-ses-developer-guide/blob/723822f311b6f310763e290a2d8c5e7d863cc9c0/doc-source/sending-authorization-delegate-sender-tasks-email.md#using-the-amazon-ses-smtp-interface

(note that this is the only hit for "X-SES-SOURCE-ARN" in the complete documentation).

It would be great to have an example on the example page so this detail doesn't get overlooked: https://docs.aws.amazon.com/ses/latest/DeveloperGuide/sending-authorization-policy-examples.html

I also did the PR #7 to clear up how important this thing is ...

Thanks

Syntax error on Python script?

I'm trying to use the Python script on the guide page and running into a syntax error:

$ python3 ./smtp_creds.py wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY us-east-1
  File "./smtp_creds.py", line 39
    raise ValueError(f"The {region} Region doesn't have an SMTP endpoint.")
                                                                         ^
SyntaxError: invalid syntax

Confusing description of domain/email identity policy behavior

In this documentation page, there's the following snippet:

Policies attached to email address identities override policies attached to the corresponding domain identities. For example, say that you have verified example.com and [email protected]. If you create a policy for example.com that disallows a delegate sender, and you create a policy for [email protected] that allows that delegate sender, the delegate sender will be able to send from [email protected] if they specify the ARN of [email protected] in the request to send the email.

The use of the word override there was confusing to me, because it makes it sound like the email identity policy wins over the corresponding domain identity policy. But if I have this scenario:

  1. Domain identity policy for example.com allows ses:SendEmail
  2. Email identity policy for [email protected] has an explicit Deny for any calls to ses:SendEmail

Now, if someone invokes SendEmail with a SourceArn of identity/example.com with a sender of [email protected], only the domain identity policy seems to apply, because that's the policy attached to the SourceArn specified.

In many ways, that makes sense, and has less "non-local" behavior than the behavior implied by the documentation today. It seems more correct and succinct to say that the policies attached to the SourceArn specified are the only ones that will apply, so if you specify the domain ARN, you get the domain's identity policies. If you specify the email's ARN, you get the email's identity policies. And there's no (as far as I've been able to observe) interaction between the two.

Have I misunderstood the behavior?

Maximum sending rate exceeded

Hi, I am using AWS SES for emails, but when I sent 200 emails it sent only 90 emails and the remaining emails were not sent. It shows this error:

exception 'Aws\Ses\Exception\SesException' with message 'Error executing "SendEmail" on "https://email.us-east-1.amazonaws.com"; AWS HTTP error: Client error: POST https://email.us-east-1.amazonaws.com resulted in a 400 Bad Request response:
Sender
Throttling< (truncated...)
Throttling (client): Maximum sending rate exceeded. -
Sender
Throttling
Maximum sending rate exceeded.
8f23e6e6-b4f2-4572-b426-343b370cb32c

Improve SNS Lambda event example

The Sample Incoming Email Event doesn't make any mention of the fact that with events provided by the SNS action, the Message attribute will contain JSON-encoded data (i.e., a string). In fact, the way it presents the example event and example message, it looks like the message will be an object.

I realize this is true of all SNS event messages, but it would be helpful if the docs explicitly stated that the Message attribute were a string of JSON that needs to be decoded.

"Warning" reputation metric status not documented

On the guide pages Using reputation metrics and Reputation metrics messages, several status values are listed for the Bounce and Complaint rate sections, but one of my metrics pages displays "Warning" for the complaint rate, a value which is not on the documented list.

While I'm not confused about what "Warning" is telling me, it'd be nice to see the documentation in sync with the values possible in the current dashboard code. I'm not sure if "Warning" replaced "Almost healed" or "Under review," for instance. Thanks in advance for considering this!

Using custom verification email templates > missing information about the positioning of the verification link

On Q10:

The following text is automatically added to the end of every custom verification email and cannot be removed:

*If you did not request to verify this email address, please disregard this message. If you have any concerns, please forward this message to the following email address along with your questions or comments. *

The email address link in this text refers to [email protected], an inbox that is actively monitored by the Amazon SES team.

It is not described how to set the position of the verification link, which is movable after Q10 and also added to the end of every custom verification email.

Missing instructions on how to create a distribution from scratch.

"If you use Amazon CloudFront as your CDN, complete the following procedures:

On the CloudFront Distributions page, choose the distribution that corresponds with your CDN.

On the Behaviors tab, choose the default behavior, and then choose Edit.

For Cache Based on Selected Request Headers, choose All.

For Query String Forwarding and Caching, choose Forward all, cache based on all.

"

What should be the origin?
Tried creating a new S3 bucket to use as origin, but the "For Cache Based on Selected Request Headers, choose All." step can't be applied to buckets with S3 origin.

This is the document:
https://github.com/awsdocs/amazon-ses-developer-guide/blob/master/doc-source/configure-custom-open-click-domains.md

Seemingly incorrect description of SES Bounce rate in documentation

I believe there's a small issue in the documentation, would definitely like feedback.

URI:
https://docs.aws.amazon.com/ses/latest/DeveloperGuide/monitor-sending-activity.html
shows Console SES "calculated rate" for "Bounce and complaint rates"
though Amazon CloudWatch console shows "count only" for "bounces, complaints"

The CloudWatch should be "calculated rate" for bounces and complaints, as described in this other page:
https://docs.aws.amazon.com/ses/latest/DeveloperGuide/reputationdashboard-cloudwatch-alarm.html

Seemingly incorrect example of an authorization policy condition check

In this page, the following snippet of IAM is recommended:

"Condition": {
    "StringLike": {
      "ses:FromAddress": "invoicing+.*@example.com"
    }
}

Which is described in text as specifying "that the delegate sender can only send from a "From" address that starts with invoicing and ends with example.com".

Unless StringLike behaves very differently on SES policies than elsewhere, it seems like the correct translation of that description wouldn't include the +. characters, so it's a bit unclear.
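
What the quoted pattern matches under IAM's StringLike rules, where only `*` and `?` are wildcards and every other character, including `+` and `.`, is literal (added example, not AWS code and not from the issue author). `invoicing*@example.com` is a hypothetical pattern for the described intent, and the addresses are constructed.

```python
import re

def string_like(pattern, value):
    """IAM StringLike: case-sensitive; '*' matches any run of characters,
    '?' matches exactly one; everything else is literal (no regex syntax)."""
    regex = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch)
        for ch in pattern
    )
    return re.fullmatch(regex, value, flags=re.DOTALL) is not None

DOC_PATTERN = "invoicing+.*@example.com"    # pattern quoted in the issue
INTENT_PATTERN = "invoicing*@example.com"   # hypothetical: starts with invoicing, ends with example.com

# Constructed From addresses.
ADDRESSES = [
    "invoicing@example.com",
    "invoicing+1234@example.com",
    "invoicing+.1234@example.com",
    "Invoicing+.1234@example.com",
    "invoicing+.1234@example.org",
]

def compare(addresses=ADDRESSES):
    """Map each address to (matches DOC_PATTERN, matches INTENT_PATTERN)."""
    return {a: (string_like(DOC_PATTERN, a), string_like(INTENT_PATTERN, a))
            for a in addresses}

if __name__ == "__main__":
    for addr, (doc, intent) in compare().items():
        print(f"{addr:32} doc={doc!s:5} intent={intent}")
```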
