This blog is an answer to the above questions.
With the migration of customers from OIC Generation 1 to Generation 2, the underlying stack that sends email has changed from Cloud Notification Service (CNS) to OCI Email Service. As a result, any SPF and DKIM configuration done previously is no longer valid, and both must be reconfigured to improve deliverability.
If you want to use your own "from" address (for example, no-reply@oraclecloud.com), you have to follow the two steps below.
SPF is an acronym for "Sender Policy Framework". An SPF record is a DNS TXT record that specifies which IP addresses and/or servers are allowed to send email "from" a particular domain. The domain administrator publishes the policy that defines the mail servers authorized to send email for that domain.
When an email is received, the inbound SMTP server compares the IP address of the sending server with the authorized IP addresses defined in the SPF record.
An example SPF record for oraclecloud.com is shown below:
v=spf1 include:spf_s.oracle.com include:spf_r.oracle.com include:spf_c.oraclecloud.com include:stspg-customer.com ~all
Where:

| Option | Description |
|---|---|
| -all (dash all) | This is a hard fail. Servers that are not listed in the SPF record are not authorized to send email for the domain, so the receiving server should reject the message. |
| ~all (tilde all) | This is a soft fail. A server that is not listed in the SPF record should not be rejected outright by the receiving server; instead, the message is marked as possible spam. |
| +all (plus all) | NOT RECOMMENDED. This tag means that any server is authorized to send email for the domain, even if it is not listed in the SPF record. |
The SPF value to add is given below and depends on the email region being connected to:

| Region | SPF Value |
|---|---|
| Americas | v=spf1 include:rp.oracleemaildelivery.com ~all |
| Asia Pacific | v=spf1 include:ap.rp.oracleemaildelivery.com ~all |
| Europe | v=spf1 include:eu.rp.oracleemaildelivery.com ~all |
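To make the SPF evaluation described above concrete (the `include:` chain and the difference between `-all`, `~all` and `+all`), here is a small SPF checker in the role of the inbound SMTP server. It is an added example, not Oracle's code or part of the OIC product. It replaces live DNS with a constructed TXT zone: `example.com` publishes the Americas record from the table, while the `ip4:` network behind `rp.oracleemaildelivery.com` and the `strict.example`, `open.example` and `loop.example` domains are made up for the example. Only the `ip4`, `ip6`, `include` and `all` mechanisms are implemented; anything else returns `permerror`.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups (assumption: these are not the
# real records, except that example.com uses the Americas value from the
# table above). The 192.0.2.0/24 network is documentation space (TEST-NET-1).
FAKE_DNS_TXT = {
    "rp.oracleemaildelivery.com": "v=spf1 ip4:192.0.2.0/24 ~all",   # constructed
    "example.com": "v=spf1 include:rp.oracleemaildelivery.com ~all",  # soft fail
    "strict.example": "v=spf1 include:rp.oracleemaildelivery.com -all",  # hard fail
    "open.example": "v=spf1 +all",                                   # not recommended
    "loop.example": "v=spf1 include:loop.example -all",              # self-including
}

MAX_DNS_LOOKUPS = 10  # RFC 7208 section 4.6.4: more than 10 include/redirect lookups is a permerror

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_txt(domain: str):
    """Return the SPF TXT record for a domain, or None if it has none."""
    return FAKE_DNS_TXT.get(domain.lower())


def evaluate(ip: str, domain: str, _budget=None) -> str:
    """Evaluate the SPF policy of `domain` for a connection from `ip`.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    """
    if _budget is None:
        _budget = [MAX_DNS_LOOKUPS]
    record = lookup_txt(domain)
    if record is None:
        return "none"                      # no policy published
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        return "permerror"                 # not an SPF record
    sender = ipaddress.ip_address(ip)
    for term in terms[1:]:
        qualifier = "+"                    # a mechanism without a prefix means "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]   # "all" matches everything: -all/~all/+all decide the result
        if name in ("ip4", "ip6"):
            # version mismatch (v6 sender vs ip4 network) simply does not match
            if sender in ipaddress.ip_network(value, strict=False):
                return QUALIFIERS[qualifier]
        elif name == "include":
            _budget[0] -= 1
            if _budget[0] < 0:
                return "permerror"         # lookup limit exceeded (e.g. an include loop)
            sub = evaluate(ip, value, _budget)
            if sub == "pass":
                return QUALIFIERS[qualifier]
            if sub in ("none", "permerror", "temperror"):
                return "permerror"         # included domain has no/invalid policy
            # fail/softfail/neutral inside an include: no match, keep going
        else:
            # a, mx, ptr, exists and redirect= are not implemented in this example
            return "permerror"
    return "neutral"                       # no mechanism matched and no "all" term


if __name__ == "__main__":
    for ip, domain in [("192.0.2.10", "example.com"), ("198.51.100.7", "example.com"),
                       ("198.51.100.7", "strict.example"), ("198.51.100.7", "open.example")]:
        print(f"{ip:>14} from {domain:<16} -> {evaluate(ip, domain)}")
```

Note how the same unlisted sender (198.51.100.7) gets `softfail` under `~all`, `fail` under `-all`, and `pass` under `+all`, which is why `+all` is not recommended: it authorizes every sender. The lookup budget is what turns a self-including record into `permerror` instead of an endless recursion.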
DKIM (DomainKeys Identified Mail) is an email authentication technique that allows the receiver to check that an email was indeed sent and authorized by the owner of the sending domain.
DKIM works by having the sending (outbound) SMTP server add a digital signature to the headers of the email message. The receiving (inbound) SMTP server then validates this signature against a public cryptographic key published in the DNS records of the from-address domain.
Customers should raise an SR ticket to obtain the public key, and then add that key as a TXT record in the DNS of the sender's domain.
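The following added example (not Oracle's code and not part of OIC) shows the receiver's side of the DKIM check described above, using only the Python standard library. It parses the `DKIM-Signature` header, derives the DNS name at which the public key TXT record is looked up (`<selector>._domainkey.<domain>`, which is where the key obtained via the SR ticket has to be published), and verifies the `bh=` body hash using the "simple" body canonicalization of RFC 6376. Checking the `b=` signature itself needs the RSA public key from DNS and an RSA library, so it is deliberately not done here; the `b=` value in the constructed sample is a placeholder. The domain `example.com`, the selector `oic2024` and the message text are constructed for the example.

```python
import base64
import hashlib
import re


def canonicalize_body_simple(body: bytes) -> bytes:
    """'simple' body canonicalization (RFC 6376 3.4.3): drop trailing empty
    lines and make sure the body ends in exactly one CRLF. An empty body
    canonicalizes to a single CRLF. (Assumption: bare LF is treated as CRLF
    so the example tolerates locally built test messages.)"""
    body = body.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")
    while body.endswith(b"\r\n\r\n"):
        body = body[:-2]
    if not body.endswith(b"\r\n"):
        body += b"\r\n"
    return body


def body_hash(body: bytes) -> str:
    """base64(SHA-256(canonicalized body)), the value the signer puts in bh=."""
    digest = hashlib.sha256(canonicalize_body_simple(body)).digest()
    return base64.b64encode(digest).decode()


def parse_dkim_signature(header_value: str) -> dict:
    """Split 'tag=value; tag=value' into a dict, stripping folding whitespace."""
    tags = {}
    for item in header_value.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags


def public_key_dns_name(tags: dict) -> str:
    """DNS name of the TXT record holding the signer's public key (RFC 6376 3.6.2.1)."""
    return f"{tags['s']}._domainkey.{tags['d']}"


def verify_body_hash(raw_message: bytes) -> dict:
    """Locate the DKIM-Signature header, recompute the body hash and compare it
    with bh=. Returns a small report; 'body_hash_ok' is the verdict."""
    head, _, body = raw_message.partition(b"\r\n\r\n")
    lines = []
    for line in head.decode("utf-8", "replace").split("\r\n"):
        if line[:1] in (" ", "\t") and lines:      # unfold continuation lines
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    sig = next((l.split(":", 1)[1] for l in lines
                if l.lower().startswith("dkim-signature:")), None)
    if sig is None:
        return {"status": "no DKIM-Signature header", "body_hash_ok": False}
    tags = parse_dkim_signature(sig)
    canon = tags.get("c", "simple/simple").split("/")
    body_canon = canon[1] if len(canon) == 2 else "simple"  # body part defaults to simple
    if body_canon != "simple" or tags.get("a") != "rsa-sha256":
        return {"status": "unsupported a= or c= in this example", "body_hash_ok": False}
    expected = body_hash(body)
    return {
        "status": "ok",
        "dns_name": public_key_dns_name(tags),
        "signed_headers": tags.get("h", "").split(":"),
        "body_hash_ok": expected == tags.get("bh"),
    }


SAMPLE_BODY = b"Your OIC integration run completed.\r\n"   # constructed


def build_sample_message(body: bytes) -> bytes:
    """Constructed message: bh= is computed from the body; b= is a placeholder
    because no signing key is used in this example."""
    return (
        b"DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=example.com;\r\n"
        b"\ts=oic2024; h=from:to:subject; bh=" + body_hash(body).encode() + b";\r\n"
        b"\tb=PLACEHOLDER_SIGNATURE_NOT_CHECKED_HERE\r\n"
        b"From: no-reply@example.com\r\n"
        b"To: ops@example.net\r\n"
        b"Subject: Notification\r\n"
        b"\r\n" + body
    )


if __name__ == "__main__":
    print(verify_body_hash(build_sample_message(SAMPLE_BODY)))
    tampered = build_sample_message(SAMPLE_BODY).replace(b"completed", b"FAILED")
    print(verify_body_hash(tampered))
```

The body-hash check is the cheap first stage of DKIM verification: if `bh=` does not match, the body was altered in transit (or the signer hashed a different body) and the expensive signature check is pointless. The `dns_name` field is the exact TXT record name the receiver queries, which is a useful thing to confirm with `dig` once the key from the SR ticket has been published.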
The screenshots below show a few changes made to help customers detect whether SPF is configured for the from-address domain. If SPF is not configured, the SPF value to add to the DNS record is shown on the same screen.
Customers can also track whether DKIM is configured for the from address using the screen below.
Note: The UI will be available in future releases and is subject to change.
The screen below shows the value of the SPF record to be configured in the DNS record.
Note: The UI will be available in future releases and is subject to change.
Avoid using no-reply@oracle.com as the from address, and avoid using the oracle domain in general.