
An Advanced Guide to OIC Notification via Emails


  • Do you know how SMTP servers detect spoofing, that is, forging of the visible sender?
  • Do you know how SMTP servers determine that a sender is legitimate?

This blog is an answer to the above questions.

With the migration of customers from OIC Generation 1 to Generation 2, we have changed the underlying stack that sends email from Cloud Notification Service (CNS) to OCI Email Service. As a result, any SPF and DKIM configuration done previously is no longer valid, and both need to be reconfigured to increase deliverability.

Using your own from address for Gen2

If you want to use your own "from" address, such as no-reply@oraclecloud.com, you have to follow the two steps below.

  • Register the from address in the Settings->Notification screen.
  • Configure SPF and DKIM on the sender domain, i.e. oraclecloud.com. More information on SPF and DKIM is below.

A simple yet effective way to validate emails, avoid spoofing, and reduce fraud attacks is to configure SPF and DKIM. Depending on the security of your email infrastructure, you may need to configure both. More details are below.


SPF is an acronym for “Sender Policy Framework”. SPF is a DNS TXT record that specifies which IP addresses and/or servers are allowed to send email “from” that particular domain. A domain administrator publishes the policy defining mail servers that are authorized to send email from that domain.

When an email is received, the inbound SMTP server compares the IP address of the mail sender with the authorized IP addresses defined in the SPF record.

An example of an SPF record for oraclecloud.com is shown below:

v=spf1 include:spf_s.oracle.com include:spf_r.oracle.com include:spf_c.oraclecloud.com include:stspg-customer.com ~all


  • v=spf1 is the version
  • include:spf_s.oracle.com names one of the domains that is authorized to use the from address.
  • all -- The “all” tag basically tells the receiving server how it should handle all messages sent from a domain if it sees a domain in the header that’s not listed in the SPF record. There are a few options below, and these options are dictated by the character that precedes the “all” tag. 




-all (dash all)

  This is a hard fail. This means that servers that aren’t listed in the SPF record aren’t authorized to send an email for the domain, so the email should be rejected by the receiving server.


~all (tilde all)

  This is a soft fail. Basically, that means that the server isn’t listed in the SPF record, but it should not be flat out rejected by the receiving server. Instead, the message will be marked as possible spam.


+all (plus all)

  NOT RECOMMENDED. This tag essentially means any server is authorized to send email for the domain, even if it’s not listed in the SPF record.


The SPF value to be added is given below and depends on the email region being connected to.

  Region                            SPF Value
  Americas                          v=spf1 include:rp.oracleemaildelivery.com ~all
  Asia Pacific                      v=spf1 include:ap.rp.oracleemaildelivery.com ~all
  Europe                            v=spf1 include:eu.rp.oracleemaildelivery.com ~all
  All Commercial regions            v=spf1 include:rp.oracleemaildelivery.com include:ap.rp.oracleemaildelivery.com include:eu.rp.oracleemaildelivery.com ~all
  United Kingdom Government Cloud   v=spf1 include:rp.oraclegovemaildelivery.uk ~all
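
A domain may publish only one SPF record, so when the sender domain already has one, the Oracle include from the table has to be merged into it rather than published as a second TXT record. The Python sketch below is an added example, not Oracle code: it audits a domain's TXT strings for the region's include and the "all" qualifier and builds the merged record. The region keys and the sample records are constructed for illustration.

```python
# Added example (not Oracle code). Region keys are labels chosen for this sketch;
# the include targets come from the region table above.
REGION_INCLUDES = {
    "americas": ["rp.oracleemaildelivery.com"],
    "asia-pacific": ["ap.rp.oracleemaildelivery.com"],
    "europe": ["eu.rp.oracleemaildelivery.com"],
    "uk-gov": ["rp.oraclegovemaildelivery.uk"],
}

def spf_records(txt_records):
    """Keep only the TXT strings that are SPF policies (first term v=spf1)."""
    return [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]

def all_index(terms):
    """Position of the 'all' term (with or without qualifier), or None."""
    return next((i for i, t in enumerate(terms)
                 if t.lstrip("+-~?").lower() == "all"), None)

def missing_includes(terms, region):
    present = {t.lower() for t in terms}
    return [f"include:{d}" for d in REGION_INCLUDES[region]
            if f"include:{d}" not in present]

def audit(txt_records, region):
    """Return a list of problems with the domain's published SPF policy."""
    found = spf_records(txt_records)
    if not found:
        return ["no SPF record published"]
    if len(found) > 1:  # RFC 7208: more than one record is a permerror
        return ["multiple v=spf1 records published"]
    terms = found[0].split()
    issues = ["missing " + inc for inc in missing_includes(terms, region)]
    i = all_index(terms)
    if i is None:
        issues.append("no 'all' term")
    elif terms[i][0] not in "-~?":  # bare 'all' defaults to '+'
        issues.append("+all authorizes every sender")
    return issues

def merge(record, region):
    """Add the region's include(s) to an existing record, before its 'all' term."""
    terms = record.split()
    i = all_index(terms)
    i = len(terms) if i is None else i
    return " ".join(terms[:i] + missing_includes(terms, region) + terms[i:])

# Constructed sample: a domain that already authorizes another mail provider.
EXISTING = ["site-verification=constructed", "v=spf1 include:_spf.example.net -all"]
MERGED = merge(EXISTING[1], "europe")
```

The merged record keeps the domain's existing "all" qualifier; the audit only inspects the top-level record and does not resolve the included domains.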


DKIM (DomainKeys Identified Mail) is an email authentication technique that allows the receiver to check that an email was indeed sent and authorized by the owner of that domain.

DKIM works by having the sending (outbound) SMTP server add a digital signature to the headers of an email message. The receiving (inbound) SMTP server can then validate this signature against a public cryptographic key that is located in the DNS record of the from address domain.

To configure DKIM keys for Oracle Integration Generation 2 instances, customers should raise a Service Request in My Oracle Support. Include the following details:

  • selector name
  • key size
  • from address that will be used to send emails

Oracle provides the customer with the details needed to add the CNAME DNS record for the sender's domain. The instructions to add the DNS record depend on the domain provider. The CNAME contains the location of the public key.

For example, for a selector name of me-yyz-20200502, a sending domain of mail.example.com, and an email region code of yyz, the CNAME looks like this:

me-yyz-20200502._domainkey.mail.example.com IN CNAME me-yyz-20200502.mail.example.com.dkim.yyz1.oracleemaildelivery.com

Once the DNS is updated, the customer should update the service request, and Oracle will activate the DKIM settings for the domain.


User Interface Improvements to detect SPF Configuration

The screenshots below show a few changes that have been made to help customers detect whether SPF is configured for the from address domain. If SPF is not configured, the SPF value to be added to the DNS record is also provided on the same screen.

The customer can also track whether DKIM is configured for the from address using the screen below.

Note: The UI will be available in future releases and is subject to change.

The screen below shows the value of the SPF record to be configured in the DNS record.

Note: The UI is available in future releases and is subject to change.

Default From Address


Suppression List

  • "To" addresses are added to the suppression list for a number of reasons.
  • As of now, hard bounces, soft bounces, and a large number of emails to a recipient address are some of the reasons for adding a "To" address to the suppression list.
  • If DKIM and SPF are not configured for the from address domain, the likelihood of a bounce, or of messages being silently dropped by the receiving infrastructure, is higher.
  • As of now, the suppression list cannot be viewed in OIC, and customers should raise an SR ticket to have email addresses removed from the suppression list.

