Oracle Cloud Infrastructure Documentation

Managing DKIM

Manage email domains with Domain Keys Identified Mail (DKIM).

DKIM is an authentication framework that allows verification of the source and contents of messages by Mail Transfer Agents (MTAs). With DKIM, a signer can cryptographically sign an email message for a domain, claiming responsibility for its authenticity. The recipient verifies the signature by querying the signing domain for the public key to confirm that the signature was created with the matching private key.

DKIM-Signature is an email header field that contains all the signature and key-fetching data. This header value contains tags with specific details about the email message, such as the signing domain where the verifier can find the public key ("d") and the specific header fields as of signing ("h"). These tags protect the integrity of the email message, proving that it's from a legitimate source and that the signed contents haven't been tampered with. Thus, DKIM can protect a domain from being spoofed for the proliferation of spam or in a phishing attempt.

The following is an example of a DKIM-Signature:
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; s=prod-fra-20191115;
 d=fra1.rp.oracleemaildelivery.com;
 h=Date:To:From:Subject:Message-Id:MIME-Version:Sender;
 bh=Rskt6Q/nZKmxgXkWUYP6cCBSDJhtkVT0PSrUEVGVgp4=;
 b=Waqhf3halToZeAlJzo4FwhQ3ypTfU/Ngo75g9nHEz8zMvumoyQq+GaynJVxLksvKtVpWyhOmiiFW
   YNO08pO/u6P7w2hrWKVK3J5PbeYjRTrtAUEHGX6LYBII82fUgMwgL8doAlWS/OLbL9gF8Leo2dB3
   LMKiP+BhWApLdZQfyzCl5rnKyXpyLmlKNMeeVrHJirY2Tgv56s2UT5pncNAh91/0LL7dd9z/UhgU
   ET+pGnmdTRxt626+ecNxPRpAeoI+ym+Bgt1iaNJKNUE8aq04Iuf/mpSbjwlLitR7PrGfHOLEAKe9
   FjBJTNvrUu1iauMAwZb3OTVPUvq4wrN8XK7h+g==

One DKIM key can be active for your email domain at a time. You can set up DKIM keys in the Console and denote one record to be the active DKIM key to sign your emails with.

For more information about DKIM, see:

Using the API

For information about using the API and signing requests, see REST API documentation and Security Credentials. For information about SDKs, see SDKs and the CLI.
Note

This procedure doesn't apply to OCI Classic services such as Fusion Apps, Cloud Notification Services, and classic IDCS. As these services don't use OCI Email Delivery, DKIM support for these services requires opening a support ticket to the service that generates the email. Note that if you set up a DKIM key for an OCI Classic service and a DKIM key for OCI Email Delivery in the same email domain, each of these keys must have a different selector. When opening a support ticket, mention the service that's generating the email so the support team can route your ticket correctly.
Note

This procedure also doesn't apply to Oracle Integration Cloud Generation 2 (OIC) or Oracle Transportation and Global Trade Management (OTMGTM) services. Each of these services requires its own service-specific DKIM key that must have a different selector from other DKIM keys in your email domain. For the procedure for OIC, see Configure Email Authentication Settings for SPF and DKIM. For the procedure for OTMGTM, see Configure DKIM.

When opening a support ticket, mention the specific service (OIC or OTMGTM) so the support team can route your ticket correctly.

Use the following operations to manage email domains: