Configuring DKIM

Learn how to configure Domain Keys Identified Mail (DKIM) to verify that an email is sent and authorized by the owner of the sender's domain.

DKIM is set up within DNS records to verify digital signing of emails.


This procedure doesn't apply to OCI Classic services such as Fusion Apps, Cloud Notification Services, and classic IDCS. As these services don't use OCI Email Delivery, DKIM support for these services requires opening a support ticket to the service that generates the email. Note that if you set up a DKIM key for an OCI Classic service and a DKIM key for OCI Email Delivery in the same email domain, each of these keys must have a different selector. When opening a support ticket, mention the service that's generating the email so the support team can route your ticket correctly.

This procedure also doesn't apply to Oracle Integration Cloud Generation 2 (OIC) or Oracle Transportation and Global Trade Management (OTMGTM) services. Each of these services requires its own service-specific DKIM key that must have a different selector from other DKIM keys in your email domain. For the procedure for OIC, see Configure Email Authentication Settings for SPF and DKIM. For the procedure for OTMGTM, see Configure DKIM.

When opening a support ticket, mention the specific service (OIC or OTMGTM) so the support team can route your ticket correctly.

Using the Console

  1. Open the navigation menu and click Developer Services. Under Application Integration, click Email Delivery. Under Email Delivery, click Email Domains.
  2. Click the name of the email domain where you want to configure DKIM.
  3. Click Add DKIM.
  4. In the DKIM Selector field, enter a selector to be used for this particular DKIM key. All selectors need to be globally unique for your domain.

    We suggest using a regional indicator (region key or region identifier) and date part as part of the selector, such as 'prefix-region-YYYYMMDD'. For example, oracle-ap-sydney-1-20220331. The date is useful for future key rotation. The DKIM selector can contain only up to 63 lowercase alphanumeric characters (a-z, 0-9) with dashes, and needs to start with a lowercase letter.

    For more information about regional keys and region identifiers, see Regions and Availability Domains.

  5. Click Generate DKIM Record to generate the DKIM record. The system generates a CNAME record and value that can be used in your DNS set up for your email domain.
  6. Copy the CNAME record and CNAME value for your DNS set up.

    To add DNS records, the domain must be registered and available on the public Internet. DNS records must be added using the domain's registered DNS provider, which is the DNS system that the domain's nameservers point to.
  7. Click Done.

    Email Delivery supports a maximum of two DKIM keys per email domain, however, only one DKIM record will be used for signing for your domain at a time. We recommend that you rotate keys every six months.

  8. To verify SPF and DKIM are configured, go to the Email Domain Details page and use the SPF and DKIM verification feature to confirm your DNS is configured correctly. For more information, see Configuration of DKIM within OCI Email Delivery.