The Integration blog covers the latest in product updates, best practices, customer stories, and more.
-
Integration
September 3, 2020
An Advanced Guide to OIC Notification via Emails
Introduction:
- Do you know how SMTP servers detect spoofs or detect the forging of the visible sender?
- Do you know how SMTP servers detect sender is legitimate?
This blog is an answer to the above questions.
With the migration of customers from OIC Generation 1 to Generation 2, we have changed the underlying stack that sends email from Cloud Notification Service (CNS) to OCI Email Service. With this, the SPF and DKIM configuration previously done will not be valid anymore and these need to be reconfigured to increase the deliverability.
Using your own from address for Gen2
If you are willing to use your own "from" address like no-reply@oraclecloud.com. You have to follow the below 2 steps.
- You have to register the from address in Settings->Notification Screen.
- You have to configure SPF and DKIM on the sender domain i.e oraclecloud.com. More information on SPF and DKIM is below.
A simple yet effective way to validate emails, avoid spoofing, and reduce fraud attacks is configuring SPF and DKIM. Depending on email infra security, you may need to configure SPF and DKIM. More details are below.
SPF
SPF is an acronym for “Sender Policy Framework”. SPF is a DNS TXT record that specifies which IP addresses and/or servers are allowed to send email “from” that particular domain. A domain administrator publishes the policy defining mail servers that are authorized to send email from that domain.
when an email is received the inbound SMTP server then compares the IP address of the mail sender with the authorized IP addresses defined in the SPF record.
An example of SPF record for oraclecloud.com is like below
v=spf1 include:spf_s.oracle.com include:spf_r.oracle.com include:spf_c.oraclecloud.com include:stspg-customer.com ~all
Where
- v=spf1 is the version
- include:spf_s.oracle.com is one of the domain which is authorized to use the from address.
- all -- The “all” tag basically tells the receiving server how it should handle all messages sent from a domain if it sees a domain in the header that’s not listed in the SPF record. There are a few options below, and these options are dictated by the character that precedes the “all” tag.
|
Options |
Description |
|
-all (dash all) |
This is a hard fail. This means that servers that aren’t listed in the SPF record aren’t authorized to send an email for the domain, so the email should be rejected by the receiving server. |
|
~all (tilde all) |
This is a soft fail. Basically, that means that the server isn’t listed in the SPF record, but it should not be flat out rejected by the receiving server. Instead, the message will be marked as possible spam. |
|
+all (plus all) |
NOT RECOMMENDED. This tag essentially means any domain listed is authorized to send email, even if it’s not listed in the SPF record. |
The SPF value to be added is given below and depends on the email region which is being connected to.
| Region | SPF Value |
|---|---|
| Americas | v=spf1 include:rp.oracleemaildelivery.com ~all |
| Asia Pacific | v=spf1 include:ap.rp.oracleemaildelivery.com ~all |
| Europe | v=spf1 include:eu.rp.oracleemaildelivery.com ~all |
| All Commercial regions | v=spf1 include:rp.oracleemaildelivery.com include:ap.rp.oracleemaildelivery.com include:eu.rp.oracleemaildelivery.com ~all |
| United Kingdom Government Cloud |
v=spf1 include:rp.oraclegovemaildelivery.uk ~all |
DKIM
DKIM (Domain Keys Identified Mail) is an email authentication technique that allows the receiver to check that an email was indeed sent and authorized by the owner of that domain.
DKIM works by adding a digital signature to the headers of an email message by sending/Outbound SMTP server. This signature can then be validated by the receiving/Inbound SMTP server against a public cryptographic key that is located in the from address domain's DNS record.
To configure DKIM keys for Oracle Integration Generation 2 instances, Customers should raise a Service Request in My Oracle Support. Include the following details:
- selector name
- key size
- from address that will be used to send emails
Oracle provides customer with the details to add the CNAME DNS record for the sender's domain. The instructions to add the DNS record depend on the domain provider. The CNAME contains the location of the public key.
For example, for a selector name of me-yyz-20200502, a sending domain of mail.example.com, and an email region code of yyz, the CNAME looks like this:
me-yyz-20200502._domainkey.mail.example.com IN CNAME me-yyz-20200502.mail.example.com.dkim.yyz1.oracleemaildelivery.com
Once the DNS is updated, Customer should update the service request, and Oracle will activate the DKIM settings for your domain.
User Interface Improvements to detect SPF Configuration
Below screen shots shows few changes that have be done to help customers detect whether SPF is configured for the from address domain. If the SPF is not configured, the SPF value which is to be added to DNS record is also provided in the same screen.
Also the customer can also track whether the DKIM is configured for the from address using the below screen.
Note: The UI will be available in future releases and is subjected to change.
Below screen shows the value of the SPF record to be configured in the DNS record.
Note: The UI is available in future releases and is subjected to change.
Default From Address
-
Avoid using no-reply@oracle.com as from address, also avoid using the oracle domain.
- The default from address has be changed from "no-reply@oracle.com" to "no-reply@mail.integration.<region>.ocp.oraclecloud.com".
- Customers should change the from address in their integrations from no-reply@oracle.com to "no-reply@mail.integration.<region>.ocp.oraclecloud.com", region attribute will be provided by OIC.
Suppression List
- "To" addresses are added to suppression list based on a lot of reasons.
- As of now recipient addresses with hard bounce, soft bounce and a large number of emails are some of the reasons for adding "To" address to a suppression list.
- If DKIM and SPF are not configured for the from address domain, the likelihood of having a bounce, or messages being silently dropped by the receiving infrastructure is higher.
- As of now, the suppression list cannot be viewed in the OIC and customers should raise an SR ticket for removing the emails from the suppression list.