Looks like your initial goal with header_checks is preserving original sender and replace it with allowed sender of Amazon SES.
The problem of your approach above is the From: header become non-standard because of multiple quotes in there.
From: " "User" <user@gmail.com>" <root@example.com>
Daniel R. Tobias mentioned this issue in his article: Dan's Mail Format Site | Headers | From/To/CC/BCC
One thing that will put you at risk of having your mail program inflict nonstandard header lines on your messages is to attempt to include quotation marks within your name, like Jesse "The Body" Ventura. If inserted directly into the header, within double quotes, you'd get "Jesse "The Body" Ventura", which actually parses into two quoted strings, "Jesse " and " Ventura", with The Body sitting in the middle with uncertain purpose.
So you can rely on this nonstandard header to bypass Amazon SES checker.
One approach to solve this problem is split the two goals above in two header_checks, header_checks and smtp_header_checks. The first header_checks will preserve the original sender in another custom header (for example X-Original-From). The second one will replace the From: header.
#main.cf
header_checks = pcre:/etc/postfix/first_header_checks
smtp_header_checks = pcre:/etc/postfix/second_header_checks
#first_header_checks
/^From:(.*)/ PREPEND X-Original-From: $1
#second_header_checks
/^From:(.*)/ REPLACE From: <root@example.com>
Because of this schema, X-Original-From: header will be added in every incoming email. But replacing action will be executed on outgoing email only.
Another way is using pcre to exclude quote in the original From: header. Unfortunately, I don't have any time to test some ideas right now. Maybe later... I'll update this answer with other workaround.
The envelope sender address rewriting
The above parts is still half-journey. To pass amazon SES, you need rewrite the envelope sender address too.
With the exception of addresses containing labels (see below), you must verify each email address (or the domain of the email address) that you will use as a "From" or "Return-Path" address for your messages. Until your account is out of the Amazon SES sandbox, you must also verify the email address of every recipient except for the recipients provided by the Amazon SES mailbox simulator.
See the differences between Envelope Address vs. Message Header Address in this article.
I've explained some steps to rewrite the sender in this similar threads: AWS SES: "Email address is not verified" error with Postfix relay. Basically you need put this parameter in main.cf
sender_canonical_maps = regexp:/etc/postfix/sender_canonical
sender_canonical_classes = envelope_sender
smtpd_data_restrictions = check_sender_access pcre:/etc/postfix/sender_access
In /etc/postfix/sender_canonical, add
/.*/ mysenderaddress@example.com
In /etc/postfix/sender_access, add
/(.*)/ prepend X-Envelope-MailFrom: <$1>
The /etc/postfix/sender_access is used to preserved the original envelope sender address.
Best Answer
This is a normal setup for both transactional and marketing email, and other providers who handle such email will also have similar requirements. The point is primarily to isolate email reputation for this stream of mail from that of your domain. People will mark your email as spam despite having knowingly signed up to receive it, and you really do not want this to affect email for your domain name.