Managing Approved Senders

An approved sender must be set up for all “From:” addresses sending mail through Oracle Cloud Infrastructure, or mail is rejected. An approved sender is associated with a compartment and only exists in the region where the approved sender was configured. That is, if you create an approved sender in the US West (Phoenix) region, you cannot send email through the US East (Ashburn) region with that sender.

Use of multiple addresses in the email From header is discouraged. If you use multiple addresses, it increases the possibility that your mail is placed in a spam folder or discarded (because of DMARC From alignment rules). The performance of your emails is reduced because all addresses have to be authorized as approved senders. A best practice for the SMTP envelope From address is to match the header From address when you submit mail to Email Delivery. If you use mismatched addresses, it reduces the performance of your emails because both addresses need to be authorized as approved senders. Certain future platform features will not be available if you use mismatched addresses.

The approved senders that you add must use a domain name that you own and control. The following sending domains cannot be used to create approved senders:

  • @oracle.com - This sending domain name is reserved for Oracle employee and corporate system use.
  • @*.oraclevcn.com - This domain name is reserved for private use within an Oracle Cloud Infrastructure VCN. Email sending domains must have SPF and DKIM records that can be resolved on the public internet, and oraclevcn.com is only reachable within private Oracle Cloud Infrastructure networks. Use of this sending domain results in delivery delays, failures, and a possible blocklist addition.
  • @gmail.com, @hotmail.com, @yahoo.com, and other public mailbox service providers - You cannot use a sending domain from a public mailbox service provider such as gmail, hotmail, icloud, yahoo, and so on. These providers tend to have restrictive DMARC records and will not delegate permission to third-party Email Delivery services (through SPF and DKIM records). Use of these sending domains results in delivery delays, failures, and a possible blocklist addition.

The following sending domain is problematic for use as an approved sender:

  • @oraclecloud.com - This sending domain name is reserved for Oracle Cloud system use.

Approved senders should not be created in the root compartment. If approved senders exist in the root compartment, you are required to create a policy to manage approved senders in the entire tenant. Creating approved senders in a compartment other than the root allows the policy to be specific to that compartment.

Required IAM Policy

Permissions are required for managing approved senders. For example, to manage approved senders, use the following policy:

Allow group <sender admins group> to manage email-family in tenancy

Using the email-family policy ensures that the user has the necessary access to all Email Delivery resources and not just approved senders. In addition, the user whose credentials will be used to send email from the approved sender must have the right policies. For more information, see Generate SMTP Credentials for a User.

If you're new to policies, see Getting Started with Policies and Common Policies. For more details about policies for Email Delivery, see Details for the Email Delivery Service.

Moving Approved Senders to a Different Compartment

You can move approved senders from one compartment to another. To manage approved senders and use approved senders to send mail, user groups must have an associated identity policy in the new compartment. For more information, see Managing Compartments.

Using the Console

To create an approved sender
  1. Open the navigation menu and click Developer Services. Under Application Integration, click Email Delivery. In the Resources menu, click Approved Senders. Ensure that you are in the correct compartment. Your user must be in a group with permissions to manage approved-senders in this compartment.
  2. Click Create Approved Sender within the Approved Senders view.
  3. Enter the email address you want to list as an approved sender in the Create Approved Sender dialog box.

    Tags: If you have permissions to create a resource, then you also have permissions to apply free-form tags to that resource. To apply a defined tag, you must have permissions to use the tag namespace. For more information about tagging, see Resource Tags. If you are not sure whether to apply tags, skip this option (you can apply tags later) or ask your administrator.

  4. Click Create Approved Sender. The email address is added to your Approved Senders list.
    Tip

    Approved senders are unique to tenancies. If an attempt is made to create a duplicate approved sender within a tenancy, the service will return a 409 Conflict error.
To delete an approved sender
  1. Open the navigation menu and click Developer Services. Under Application Integration, click Email Delivery. In the Resources menu, click Approved Senders.
  2. Find the approved sender you're interested in, click the Actions icon (three dots), and then click Delete.

  3. In the confirmation dialog box, click Confirm. The email address is removed from the Approved Senders list.

To move an approved sender to a different compartment
  1. Open the navigation menu and click Developer Services. Under Application Integration, click Email Delivery. In the Resources menu, click Approved Senders.
  2. In the List Scope section, select a compartment.
  3. Find the approved sender in the list, click the the Actions menu, and then click Choose New Compartment.
  4. Choose the destination compartment from the list.
  5. Click Move Approved Sender.

    For more information, see Managing Compartments.

To manage tags for an approved sender
  1. Open the navigation menu and click Developer Services. Under Application Integration, click Email Delivery. In the Resources menu, click Approved Senders.
  2. Find the approved sender you're interested in, click the Actions icon (three dots), and then click View Tags to view or edit existing tags. Or click Apply tag(s) to add new ones.

    For more information, see Resource Tags.