Configure Email Security

To ensure that spam filters don't block the email notifications sent by Oracle Fusion Cloud Applications on behalf of your company, the following internet standards are used to verify that incoming email notifications originate from a trusted source:

  • Sender Policy Framework (SPF): Specifies the servers that can send email for a domain.

  • DomainKeys Identified Mail (DKIM): Verifies that message content is authentic and not changed.

  • Domain-based Message Authentication, Reporting, and Conformance (DMARC): Specifies how receiving mail servers handle suspicious emails that claim to come from your domain.

If you need to change the default From Address on email originating from Fusion Applications (for example, podname@workflow.mail.xyz.oraclecloud.com) to your company-specific From Address, you must set up SPF and DKIM.

To use DKIM, your pods must be in Oracle Fusion Cloud Infrastructure (OCI) so that they can use the Oracle Fusion Cloud Notification Structure (CNS), which supports the DKIM and DMARC functionality required for your company-specific From Address.

Set Up Sender Policy Framework (SPF)

If you send an email from Oracle Applications Cloud and want the email to use your domain, you must set up Sender Policy Framework (SPF).

Setting up the framework ensures that your domain is protected and your messages are delivered correctly. By updating the SPF record, you authorize the Oracle email servers to send emails on behalf of your domain. When a recipient's mail server receives your email, it checks the SPF record of your domain to determine whether the email comes from an authorized server. Your message is delivered only after this validation.

To set up SPF, do these tasks:

  • Have your IT Administrator update your SPF record with this statement:

    include:spf_c.oraclecloud.com

  • Validate your SPF record by using an SPF record checker tool. For example, you can use the SPF Surveyor tool to check your domain.

    To use the SPF Surveyor tool, do these tasks:

    1. Go to https://dmarcian.com/spf-survey/.

    2. Enter the domain you are using for the email, such as oracle.com.

    3. Click Survey domain.

      A message is displayed indicating the validation results.
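
As a local complement to an online checker, the following added example (not Oracle's code) audits the TXT strings returned for a domain for the mistakes that commonly follow this kind of SPF update: a second v=spf1 record, the include placed after "all", and a permissive "+all". The function names and the sample records are assumptions made for this illustration.

```python
import re

ORACLE_INCLUDE = "include:spf_c.oraclecloud.com"  # statement given on this page
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # RFC 7208, 4.6.4


def term_name(term):
    """Return a term's mechanism or modifier name without qualifier or argument."""
    return re.split(r"[:/=]", term.lstrip("+-~?"), maxsplit=1)[0]


def check_spf(txt_records):
    """Audit a domain's TXT strings; return a list of findings (empty means OK)."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return ["no SPF record found"]
    if len(spf) > 1:
        return ["multiple SPF records: receivers return permerror"]
    terms = spf[0].lower().split()[1:]
    names = [term_name(t) for t in terms]
    findings = []
    # Mechanisms are evaluated left to right and "all" always matches,
    # so anything placed after it is never reached.
    reachable = terms[: names.index("all")] if "all" in names else terms
    if ORACLE_INCLUDE not in [t.lstrip("+") for t in terms]:
        findings.append("missing " + ORACLE_INCLUDE)
    elif ORACLE_INCLUDE not in [t.lstrip("+") for t in reachable]:
        findings.append("Oracle include is placed after 'all' and is ignored")
    if "all" in names and terms[names.index("all")] in ("all", "+all"):
        findings.append("'+all' authorizes every server on the internet")
    if "all" not in names and "redirect" not in names:
        findings.append("no terminating 'all': unmatched senders get 'neutral'")
    # Counts top-level terms only; lookups inside nested includes add more.
    lookups = sum(1 for n in names if n in LOOKUP_TERMS)
    if lookups > 10:
        findings.append("more than 10 DNS-querying terms: permerror")
    return findings


# Constructed sample records for a hypothetical domain (not real DNS data).
GOOD = ["v=spf1 ip4:192.0.2.0/24 include:spf_c.oraclecloud.com -all"]
APPENDED = ["v=spf1 ip4:192.0.2.0/24 -all include:spf_c.oraclecloud.com"]
DUPLICATE = GOOD + ["v=spf1 include:spf_c.oraclecloud.com ~all"]

if __name__ == "__main__":
    for name, recs in [("good", GOOD), ("appended", APPENDED), ("duplicate", DUPLICATE)]:
        print(name, check_spf(recs) or "OK")
```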

Set Up DomainKeys Identified Mail (DKIM)

Use DomainKeys Identified Mail (DKIM) to verify the authenticity of email messages sent from Oracle Fusion Cloud Applications.

DKIM is a cryptographic signature-based method to authenticate email senders. With DKIM, email senders generate public and private key pairs. The public key is published to DNS records, and the matching private keys are stored in a sender's outbound email servers.

When emails are sent, the private keys generate message-specific signatures that are embedded in the email headers. ISPs that authenticate using DKIM look up the public key in the public DNS record. ISPs can then verify that the signature in the email header was generated by the matching private key. This method ensures that an authorized sender actually sent the message, and that the message headers and content were not altered during transit.

Enabling DKIM is a manual process. You must perform this task for each individual Fusion Applications environment for which you want to use DKIM. For example, if you have five Fusion Applications environments, then you must perform this task five times.

  1. Create a service request.

    See Contact My Oracle Support.

    Use the CSI number you received in the Welcome email when logging service requests. This number identifies your organization, product information and service level agreement with Oracle Support.

  2. Include the following information in the service request.
    • Name of your Fusion Applications environment
    • From email address
    • Key size (1024 or 2048)

    Also mention Doc ID 2702234.1 (DKIM Support for Fusion Applications on OCI) in the service request.

  3. Optional: Specify a DNS selector in the service request.

    The default generated DNS selector uses this format: <env-name>-<region-code>-<date>

    For example: mycompany-iad-20210127

    A DNS selector can contain only letters, digits, periods ("."), and dashes ("-").

  4. Submit the service request.

    Oracle Support responds to your service request with a DKIM-enabled DNS record.

  5. Add the CNAME DNS record to your domain configuration and then update the service request.

    It takes up to 24 hours for Oracle to detect your latest DNS configuration and to begin signing emails using DKIM.

  6. When prompted by the support engineer, verify that the signed email messages are delivered successfully, and then update the support request.

    Oracle Support changes the From email address in your Fusion Applications environment to the new DKIM-enabled address.
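
Before specifying a custom selector in step 3, you can check it locally. The following added example (not Oracle's code) applies the character rule stated above together with standard DNS label rules, splits the default selector format into its parts, and builds the name under which receivers look up the key. It assumes the date part is YYYYMMDD as in the example above and the RFC 6376 `<selector>._domainkey.<domain>` convention; the record you actually publish is the one Oracle Support returns, and example.com is a placeholder domain.

```python
import re
from datetime import datetime

ALLOWED = re.compile(r"[A-Za-z0-9.-]+")  # character rule stated on this page
DNS_LABEL = re.compile(r"[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?")


def selector_problems(selector):
    """Return the reasons a selector is unusable (empty list means it is fine)."""
    if not ALLOWED.fullmatch(selector):
        return ["only letters, digits, periods and dashes are allowed"]
    # The selector is published in DNS, so each dot-separated part must also
    # be a valid label: 1-63 characters, not starting or ending with a dash.
    return ["invalid DNS label %r" % part
            for part in selector.split(".") if not DNS_LABEL.fullmatch(part)]


def parse_default_selector(selector):
    """Split <env-name>-<region-code>-<date>; return None if it does not fit.

    Assumes the date is YYYYMMDD, as in the page's example. The environment
    name may itself contain dashes, so the split is taken from the right.
    """
    parts = selector.rsplit("-", 2)
    if len(parts) != 3 or not all(parts):
        return None
    env, region, date = parts
    if not re.fullmatch(r"\d{8}", date):
        return None
    try:
        parsed = datetime.strptime(date, "%Y%m%d").date()
    except ValueError:  # for example, 20210230
        return None
    return {"env": env, "region": region, "date": parsed.isoformat()}


def dkim_record_name(selector, domain):
    """DNS name where receivers look up the key (RFC 6376 convention)."""
    problems = selector_problems(selector)
    if problems:
        raise ValueError("; ".join(problems))
    name = "%s._domainkey.%s" % (selector, domain.rstrip("."))
    if len(name) > 253:
        raise ValueError("DNS name exceeds 253 characters")
    return name


if __name__ == "__main__":
    print(parse_default_selector("mycompany-iad-20210127"))
    print(dkim_record_name("mycompany-iad-20210127", "example.com"))
```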

Set Up Domain-Based Message Authentication, Reporting, and Conformance (DMARC)

Domain-based Message Authentication, Reporting, and Conformance (DMARC) standardizes how email receivers perform email authentication using both of the well-known SPF and DKIM mechanisms.

It's highly recommended to configure DMARC so that you have better control over the verification of emails originating from your domain. You can check the DMARC configuration of your domain using a third-party service.

For more information on DMARC, see the DMARC specification or other publicly available documentation on the topic.