Restrict FROM address with AWS SES domain identities

If you are working with an application that sends email, you’ve probably come across “DKIM” which is cryptographic signing of emails to prevent impersonation of people within an organisation.

Unfortunately AWS SES only supports DKIM signing for domain identities - not single-address identities.

This means even if your application only sends email from a single address such as contact@example.com - to set up DKIM you need the entire example.com domain verified. If the SES SMTP credentials were leaked, an attacker could use them to impersonate anyone in your organisation and it would be detected as legitimate. This could have tangible financial and reputational impacts to your organisation - imagine your finance department getting an email from the CEO requesting a (fake) invoice be paid immediately.

In order to mitigate this risk you should lock down your sender IAM policy to include an list of valid email addresses that your app can send mail from.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "1",
            "Effect": "Allow",
            "Action": [
                "ses:SendRawEmail",
                "ses:SendEmail"
            ],
            "Resource": "arn:aws:ses:REGION:ACCOUNT_ID:identity/example.com",
            "Condition": {
                "ForAnyValue:StringEquals": {
                    "ses:FromAddress": [
                        "contact@example.com",
                        "noreply@example.com"
                    ]
                }
            }
        }
    ]
}

With this in place you can be sure that exposed SMTP credentials can’t be used to impersonate your colleagues.

More resources

• SES condition keys shows other fields that can be used for similar checks on recipients, return-path, and more.
• Match the client IP address making the request to lock down email operations to your infrastructure.