Business Process Automation

Configuring DKIM

As mentioned in the Administration Guide, in addition to adding the proper SPF record to your email domain, you must enable DKIM (DomainKeys Identified Mail) to ensure reliable delivery of your mail via Oracle Cloud Infrastructure. Technically speaking, DKIM lets a receiving mail server cryptographically verify that a message was signed on behalf of a domain: the sender signs selected headers and the body, and the receiver checks that signature against a public key published in DNS. The signing domain identity is independent of other email identities, such as the Email's From Address.

DKIM requires creating a key pair for use by your approved sender: the private key signs outgoing mail, and the public key is published in DNS so that recipients can verify your email signature.

Enabling DKIM

There are several steps to enabling DKIM:

Register the Domain Name with the Mail Delivery Service

Go to the Mail Domains page and add your domain name. Provide a custom DKIM Selector Prefix if needed. It may take a few minutes to create the DKIM keys and for the new domain record to fully propagate back to the Mail Domains screen.

See Mail Domains for details on this step.

Select a DKIM Selector Prefix

When you register your domain with Mail Delivery, up to two DKIM keys are created for it (see Support for Automatic Key Rotation below). These keys are associated with DKIM selectors of the form:

otmgtm-<prefix>-yyyyMMdd-<index>

By default, the prefix is simply the full domain name (e.g. example.com). To better manage keys across an organization with multiple Oracle Transportation Management accounts, you can override this to be some identifier of your organization as a whole.

Enter the DKIM Selector Prefix on the Mail Domains page by clicking the Add button and entering a DKIM Selector Prefix.

Create a CNAME Record

Create a CNAME record in your DNS domain for each DKIM record created for the domain. Signed mail sent from Oracle Transportation Management carries the active DKIM selector in its DKIM-Signature header. A receiving mail server uses that selector to look up the DKIM record under your domain, where your CNAME points to an Oracle DNS record holding the public key. In this way, your DNS records never hold the public key itself, and Oracle can replace the key without a change on your side.

To view the CNAME details for DKIM records, select the DKIM button on the Mail Domains page. This brings up a list of DKIM selectors with corresponding CNAME Subdomain and CNAME Value information. For each, add a CNAME record whose name matches the CNAME Subdomain for the DKIM and whose target hostname matches the CNAME Value. Note the copy link allows these values to be copied to the clipboard for accurate cut and paste; a single mistyped character in either value makes the selector unresolvable.

It may take up to 24 hours for your DNS changes to propagate. Once they have, DKIM can be validated using the Validate button on the Mail Domains page. You can also use an external tool such as dmarcanalyzer.

See DKIM Entries for details on this step.

Note:  Adding a CNAME record in your DNS domain requires contacting parties within your organization responsible for maintaining your organization’s domain name records.

Legacy TXT DKIM Support

It’s strongly recommended you use CNAME records to register DKIM keys with your DNS. This allows Oracle to manage and protect public keys. You can, however, use the legacy support of DKIM via TXT records. For this, add a TXT record at the subdomain rather than a CNAME record. The subdomain should match the CNAME Subdomain shown on the DKIM list; the record text can be copied from the TXT Value. Because your zone then holds the key value itself, it must be updated by hand whenever the key changes.

Support for Automatic Key Rotation

The Mail Delivery service plans to support automatic DKIM key rotation in the near future. This better protects outgoing email by periodically replacing the signing key pair, and with it the public key stored in the Oracle DNS. To prepare for this feature, you need to add two DKIM records for each registered domain: one active and one inactive, both with registered CNAME records in your company’s DNS.

At periodic intervals, Mail Delivery will determine that keys should be rotated. Rotation will:

  • Set the inactive DKIM to active and the active DKIM to inactive.
  • Wait 24 hours so that all mail en route, signed with the previously active key, can be delivered and verified while that key is still published.
  • Assign a new public/private key pair to the now inactive DKIM.

This will be transparent to your organization.
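The following is an added example, not Oracle Transportation Management or Mail Delivery code, covering both the Create a CNAME Record step and the two-selector layout that key rotation relies on. It models what a receiving mail server does: build the `<selector>._domainkey.<domain>` query name, follow the CNAME in your zone to the TXT record that holds the key, and check that the record is a usable DKIM1 RSA key. Everything it consults is constructed stand-in data: the zone dictionary, the selector date and index, the Oracle-side hostname (`dkim.oracle.example.`) and the RSA key (a DER structure with a made-up modulus, not a real key). To check a live domain, replace `resolve_txt` with real DNS queries.

```python
"""Offline check that each DKIM selector of a mail domain resolves, through the
CNAME in the customer's zone, to a valid DKIM public-key TXT record.
Added example, not Oracle Transportation Management / Mail Delivery code. The
zone, selector date/index, Oracle-side hostname and RSA key are constructed."""
import base64
import re

RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption

def der(tag, body):
    """Encode one DER TLV; only used to build the constructed sample key."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def der_read(buf, pos=0):
    """Decode one DER TLV at pos -> (tag, value, position after it)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def sample_spki(bits=2048):
    """Constructed SubjectPublicKeyInfo. The modulus is NOT a real RSA key
    (not a product of primes); only the DER structure matters for this check."""
    n_bytes = b"\x00" + ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")
    rsa_pub = der(0x30, der(0x02, n_bytes) + der(0x02, b"\x01\x00\x01"))  # n, e=65537
    alg_id = der(0x30, der(0x06, RSA_OID) + der(0x05, b""))
    return der(0x30, alg_id + der(0x03, b"\x00" + rsa_pub))

DOMAIN = "example.com"
# otmgtm-<prefix>-yyyyMMdd-<index> with the default prefix; date and index are made up.
SELECTORS = ["otmgtm-example.com-20240101-1", "otmgtm-example.com-20240101-2"]
ORACLE_ZONE = "dkim.oracle.example."            # hypothetical Oracle-managed zone
PUBKEY_B64 = base64.b64encode(sample_spki()).decode()
# Stand-in for DNS: name -> (type, value). The customer zone holds only CNAMEs;
# the TXT records carrying the key live in the Oracle-managed zone.
ZONE = {}
for _sel in SELECTORS:
    ZONE[f"{_sel}._domainkey.{DOMAIN}."] = ("CNAME", f"{_sel}._domainkey.{ORACLE_ZONE}")
    ZONE[f"{_sel}._domainkey.{ORACLE_ZONE}"] = ("TXT", f"v=DKIM1; k=rsa; p={PUBKEY_B64}")

def resolve_txt(name, zone, max_hops=8):
    """Follow CNAMEs until a TXT record; returns (txt, chain of names visited).
    Swap in real DNS queries (e.g. dnspython) to check a live domain."""
    chain = [name]
    for _ in range(max_hops):
        rtype, value = zone.get(name, (None, None))
        if rtype == "TXT":
            return value, chain
        if rtype != "CNAME":
            raise LookupError(f"no CNAME or TXT record at {name}")
        name = value
        chain.append(name)
    raise LookupError("CNAME chain too long")

def parse_dkim_record(txt):
    """tag=value pairs of a DKIM record; folding whitespace inside p= is dropped."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = (s.strip() for s in part.split("=", 1))
            tags[k] = re.sub(r"\s+", "", v) if k == "p" else v
    return tags

def rsa_modulus_bits(spki):
    """Modulus size of a DER SubjectPublicKeyInfo; rejects non-RSA keys."""
    _, body, _ = der_read(spki)                 # SubjectPublicKeyInfo
    _, alg_id, pos = der_read(body)             # AlgorithmIdentifier
    if der_read(alg_id)[1] != RSA_OID:
        raise ValueError("not an rsaEncryption key")
    _, bit_string, _ = der_read(body, pos)      # BIT STRING; byte 0 = unused bits
    _, rsa_pub, _ = der_read(bit_string[1:])    # RSAPublicKey SEQUENCE
    return int.from_bytes(der_read(rsa_pub)[1], "big").bit_length()

def check_selector(selector, domain=DOMAIN, zone=ZONE):
    """What a receiving MTA would conclude for one selector: it queries
    <selector>._domainkey.<domain> (RFC 6376) and validates the published key."""
    txt, chain = resolve_txt(f"{selector}._domainkey.{domain}.", zone)
    tags = parse_dkim_record(txt)
    if tags.get("v", "DKIM1") != "DKIM1" or tags.get("k", "rsa") != "rsa":
        raise ValueError(f"unsupported record: v={tags.get('v')} k={tags.get('k')}")
    if not tags.get("p"):                       # empty p= means the key is revoked
        return {"status": "revoked", "chain": chain}
    bits = rsa_modulus_bits(base64.b64decode(tags["p"]))
    return {"status": "ok" if bits >= 1024 else "weak", "bits": bits, "chain": chain}

def check_domain(domain=DOMAIN, selectors=SELECTORS, zone=ZONE):
    """Both selectors of the two-DKIM model must pass, or a rotation will break mail."""
    out = {}
    for sel in selectors:
        try:
            out[sel] = check_selector(sel, domain, zone)
        except (LookupError, ValueError) as exc:
            out[sel] = {"status": "error", "reason": str(exc)}
    return out
```

Running `check_domain()` against the constructed zone reports both selectors as `ok` with a 2048-bit key and a two-name chain (your CNAME, then the Oracle TXT record). Removing the second CNAME from the zone reproduces the failure mode of the migration section: the first selector still validates, the second reports `error`, and after a rotation makes it active every outgoing message would fail verification. A TXT record placed directly at the selector name (the legacy layout) is found on the first hop, and an empty `p=` is reported as `revoked`, which is how a retired key looks to receivers.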

To avoid Mail Validation failures for 23C customers migrating to 24A, this functionality is tied to the SUPPORT DKIM ROTATION optional feature. When opted out, only one DKIM record is generated per Mail Domain and automatic rotation is not supported. When opted in, two DKIM records are generated and automatic rotation is supported.

Mail Domain Migration

If you have only one DKIM, you may want to migrate to the two-DKIM model to support DKIM rotation. To do so, opt into the SUPPORT DKIM ROTATION optional feature. From that point, your Mail Validations will fail until you have added the second DKIM to each domain and added its CNAME record to that domain's DNS. Use the Mail Domain Migration to automatically add the second DKIM to each domain. The DNS additions then need to be done domain by domain.
