This blog is an answer to the above questions.
With the migration of customers from OIC Generation 1 to Generation 2, we have changed the underlying stack that sends email from Cloud Notification Service (CNS) to OCI Email Service. As a result, the SPF and DKIM configuration done previously is no longer valid and must be redone to improve deliverability.
If you want to use your own "from" address, such as no-reply@oraclecloud.com, you have to follow the two steps below.
A simple yet effective way to validate emails, avoid spoofing, and reduce fraud attacks is to configure SPF and DKIM. Depending on your email infrastructure's security requirements, you may need to configure both. More details are below.
SPF is an acronym for “Sender Policy Framework”. SPF is a DNS TXT record that specifies which IP addresses and/or servers are allowed to send email “from” that particular domain. A domain administrator publishes the policy defining mail servers that are authorized to send email from that domain.
When an email is received, the inbound SMTP server compares the IP address of the mail sender with the authorized IP addresses defined in the SPF record.
An example SPF record for oraclecloud.com looks like this:
v=spf1 include:spf_s.oracle.com include:spf_r.oracle.com include:spf_c.oraclecloud.com include:stspg-customer.com ~all
Where:
Options | Description |
---|---|
-all (dash all) | This is a hard fail. Servers that aren't listed in the SPF record aren't authorized to send email for the domain, so the email should be rejected by the receiving server. |
~all (tilde all) | This is a soft fail. The server isn't listed in the SPF record, but the message should not be rejected outright by the receiving server. Instead, the message will be marked as possible spam. |
+all (plus all) | NOT RECOMMENDED. This tag essentially means any server is authorized to send email for the domain, even if it's not listed in the SPF record. |
The SPF value to be added is given below and depends on the email region which is being connected to.
Region | SPF Value |
---|---|
Americas | v=spf1 include:rp.oracleemaildelivery.com ~all |
Asia Pacific | v=spf1 include:ap.rp.oracleemaildelivery.com ~all |
Europe | v=spf1 include:eu.rp.oracleemaildelivery.com ~all |
All Commercial regions | v=spf1 include:rp.oracleemaildelivery.com include:ap.rp.oracleemaildelivery.com include:eu.rp.oracleemaildelivery.com ~all |
United Kingdom Government Cloud | v=spf1 include:rp.oraclegovemaildelivery.uk ~all |
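As an added example (not Oracle's code), the following Python sketch checks a sender domain's TXT records against the region table above and flags the common mistake of publishing a second SPF record instead of merging the Oracle include into the existing one. The region keys, the function name `check_spf`, and the sample records are assumptions made for the illustration.

```python
# Added example: offline check of a sender domain's TXT records against the
# region table above. Region keys and sample records are constructed.
REQUIRED_INCLUDE = {  # include targets copied from the region table
    "americas": "rp.oracleemaildelivery.com",
    "asia-pacific": "ap.rp.oracleemaildelivery.com",
    "europe": "eu.rp.oracleemaildelivery.com",
    "uk-gov": "rp.oraclegovemaildelivery.uk",
}

def check_spf(txt_records, region):
    """Return a list of findings; an empty list means no problem was found."""
    spf = [r.strip().lower() for r in txt_records
           if r.strip().lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return ["no SPF record published"]
    if len(spf) > 1:
        # RFC 7208 treats more than one v=spf1 record as a permanent error,
        # so the Oracle include has to be merged into the existing record.
        return ["multiple SPF records: merge them into one"]
    terms = spf[0].split()[1:]
    wanted = "include:" + REQUIRED_INCLUDE[region]
    all_pos = next((i for i, t in enumerate(terms)
                    if t.lstrip("+-~?") == "all"), None)
    findings = []
    if wanted not in terms:
        findings.append("missing " + wanted)
    elif all_pos is not None and terms.index(wanted) > all_pos:
        # Mechanisms are evaluated left to right and "all" always matches.
        findings.append(wanted + " comes after 'all' and is never evaluated")
    if all_pos is None:
        findings.append("record has no 'all' mechanism")
    elif terms[all_pos] in ("all", "+all"):
        findings.append("+all authorizes any server to send for the domain")
    return findings

# Constructed sample TXT record sets (example.com is a placeholder domain).
MERGED = ["v=spf1 include:_spf.example.com include:eu.rp.oracleemaildelivery.com ~all"]
SPLIT = ["v=spf1 include:_spf.example.com ~all",
         "v=spf1 include:eu.rp.oracleemaildelivery.com ~all"]
WRONG_REGION = ["site-verification=constructed",
                "v=spf1 include:rp.oracleemaildelivery.com ~all"]

if __name__ == "__main__":
    for name, records in [("merged", MERGED), ("split", SPLIT),
                          ("wrong region", WRONG_REGION)]:
        print(name, "->", check_spf(records, "europe") or "ok")
```

In practice the `txt_records` list would come from a DNS TXT lookup on the "from" address domain.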
DKIM (DomainKeys Identified Mail) is an email authentication technique that allows the receiver to check that an email was indeed sent and authorized by the owner of that domain.
DKIM works by having the sending (outbound) SMTP server add a digital signature to the headers of an email message. The receiving (inbound) SMTP server can then validate this signature against a public cryptographic key that is located in the DNS record of the from address domain.
To configure DKIM keys for Oracle Integration Generation 2 instances, customers should raise a Service Request in My Oracle Support. Include the following details:
Oracle provides the customer with the details needed to add the CNAME DNS record for the sender's domain. The instructions for adding the DNS record depend on the domain provider. The CNAME contains the location of the public key.
For example, for a selector name of me-yyz-20200502, a sending domain of mail.example.com, and an email region code of yyz, the CNAME looks like this:
me-yyz-20200502._domainkey.mail.example.com IN CNAME me-yyz-20200502.mail.example.com.dkim.yyz1.oracleemaildelivery.com
Once the DNS is updated, the customer should update the service request, and Oracle will activate the DKIM settings for the domain.
The screenshots below show a few changes that have been made to help customers detect whether SPF is configured for the from address domain. If SPF is not configured, the SPF value to be added to the DNS record is also provided on the same screen.
The customer can also track whether DKIM is configured for the from address using the screen below.
Note: The UI will be available in future releases and is subject to change.
The screen below shows the value of the SPF record to be configured in the DNS record.
Note: The UI will be available in future releases and is subject to change.
Avoid using no-reply@oracle.com as the from address, and avoid using the oracle domain.