Oracle Cloud Infrastructure Documentation

Setting up an Email Domain with DKIM

Learn about the process to set up a sending domain with DKIM.

Here's the general process for setting up a sending domain with DKIM:

  1. Create the email domain, if it doesn't exist already: An email domain lets you set up important authentication measures for sending email, essential to ensure good email delivery reputation. See Creating Email Domain.
  2. Configure DKIM: Configure DKIM for this email domain. This is an important step to help ensure email is delivered and reaches the inbox. See Configuring DKIM.
  3. Add the DKIM record to customer's DNS setup: Provide the system generated CNAME record and value generated in step 2 to the customer's DNS administrator to publish them at the customer's DNS provider.

    To know which DNS system to use, consult the nameservers for the domain. OCI DNS (see Zones) would be used only if the domain's nameservers point to OCI. If your DNS setup resides with another provider, see their documentation for adding records to your domain. See the following documentation links for several common providers:

    The following diagram illustrates how a sender domain DNS server can be used to store the CNAME record that contains the DKIM key that points back to OCI DNS. This setup is preferred as it makes key rotation easier. However, if needed, you can request the key and directly store the key.

    This image shows a diagram that illustrates how a sender domain DNS server can be used to store the CNAME record that points back to OCI DNS.

    The following diagram illustrates how a DKIM key can be stored directly in a DNS setup.

    This image shows a diagram that illustrates how a DKIM key can be stored directly in a DNS setup.
  4. Set up approved senders: Approved senders must be set up for all "From:" addresses sending mail through Oracle Cloud Infrastructure, or mail is rejected. Setting up approved senders is essential to ensure good email delivery reputation. The DKIM key set up for the domain is automatically associated with ALL approved senders in that domain. Approved senders can use a DKIM-configured sending domain to become verified. See Managing Approved Senders for more information. Only approved senders with the exact domain including subdomain will be signed by your new key. For example, noreply@sample.com will not gain the dkim key associated with mysubdomain.sample.com.