Business Process Automation
Configuring a Custom Return Path
As mentioned in the Administration Guide, in addition to adding the proper SPF record to your email domain, and enabling DKIM support for the domain, it's necessary to enable a custom return path to monitor email delivery issues and enforce DMARC rules.
- Mailboxes bounce back undeliverable or refused mail to a bounce-back address. This bounce-back address is specified in the SMTP envelope and defaults to an internal Oracle Mail Delivery subdomain. To monitor these bounce-backs in your domain, you need to redirect them to a custom return path.
- DMARC rules monitor your domain’s response to mail security errors. Failures in SPF and DKIM checks are collected, and optional reports can be sent out daily to an email address specified in your DMARC rule. In addition, DMARC may enforce alignment, which checks whether the From address in the body of an email matches the From address in its envelope header. Enforcement of DMARC alignment rules requires a custom return path.
The use of a custom return path requires an extra CNAME record in your mail domain’s DNS. This ensures that emails routed out from Mail Delivery servers do not fail SPF checks against the custom return path.
Enabling a Custom Return Path
There are several steps to enabling a custom return path:
Register the Domain Name with the Mail Delivery Service
Go to the Mail Domains page and add your domain name. Provide a custom DKIM Selector Prefix if needed. It may take a few minutes to create DKIM keys and fully propagate the new domain record back to the Mail Domains screen.
See Mail Domains for details on this step.
Fully Enable DKIM Records
Mail Delivery requires DKIM be fully active before adding a custom return path. Follow the steps on Configuring DKIM and wait until Mail Validation on the domain confirms your DKIM records are ready for use.
Register a Custom Return Path with Mail Delivery
Go to the Mail Domains screen and click on the Return Path button to navigate to the Return Path screen for that domain. Choose a subdomain prefix for your custom return path by clicking the Add button. (Note that all return paths in Mail Delivery must be subdomains of the mail domain.) If you leave the subdomain blank, a custom return path will be added with a prefix of the form <region>sb, where <region> is an abbreviation for the region of your system installation.
Create a CNAME Record
Create a CNAME record in your DNS domain for the custom return path. Mail coming out of Oracle Mail Delivery services will fail if the mail subdomain does not have an additional SPF TXT record to allow Mail Delivery rights to send out mail on behalf of the return path. This TXT record is automatically added and maintained by Mail Delivery. The CNAME record ensures the return path subdomain maps to this TXT record for SPF.
To view the CNAME details for the custom return path, select the Return Path button on the Mail Domains page. This brings up the return path with the corresponding CNAME Subdomain and CNAME Value information. Add a CNAME record where the subdomain matches the CNAME Subdomain for the return path and the value matches the CNAME Value. Note that the copy link allows these values to be copied to the clipboard for accurate cut and paste.
It may take up to 24 hours for your DNS changes to propagate. Once they have, the return path can be validated using the Validate button on the Mail Domains page. You can also use an external tool such as dmarcanalyzer.
See Custom Return Path for details on this step.
Note: Adding a CNAME record in your DNS domain requires contacting parties within your organization responsible for maintaining your organization’s domain name records.
Enabling DMARC Alignment Checks
Proper email security requires DMARC rules along with SPF and DKIM protections. These rules determine how to report and react to failures in SPF and DKIM. They may also add checks for alignment.
Alignment is a check that ensures the From address in the mail body matches the From address in the SMTP envelope header. It provides another layer of protection against mail phishing and spoofing. There are two types of alignment:
- Strict: the From address domains in the body and envelope must exactly match.
- Relaxed: the From address domain in the body and envelope must match at the organizational level.
Any DMARC alignment checks will fail when using the default return path and Mail Delivery. This is because the envelope From address reflects the Oracle bounce-back subdomain.
This configuration is done in your DNS domain. Once you add a custom return path, relaxed DMARC alignment checks can be added to your DNS domain. Note that strict alignment checks are not allowed with Mail Delivery, though most mailboxes currently ignore strict alignment.
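The alignment behavior described above can be checked offline with the following added example, which is not Oracle code: it evaluates the envelope From (return path) domain against the body From domain under the `aspf` mode of a DMARC record. The addresses, the provider bounce domain, the `bounces` prefix and the small public-suffix set are constructed assumptions; a real check uses the full Public Suffix List.

```python
from email.utils import parseaddr

# Constructed stand-in for the Public Suffix List (assumption for this example).
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk"}

def domain_of(address):
    """Lowercased domain part of 'Name <user@host>' or 'user@host'."""
    return parseaddr(address)[1].rpartition("@")[2].lower().rstrip(".")

def organizational_domain(domain):
    """Longest listed public suffix plus the one label to its left."""
    labels = domain.split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # suffix not listed: assume a one-label suffix

def aspf_mode(dmarc_record):
    """Read the aspf tag of a DMARC TXT record; relaxed is the default."""
    tags = {}
    for part in dmarc_record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip().lower()
    return "strict" if tags.get("aspf", "r") == "s" else "relaxed"

def spf_aligned(body_from, envelope_from, dmarc_record):
    """True if the envelope From domain aligns with the body From domain."""
    body, env = domain_of(body_from), domain_of(envelope_from)
    if aspf_mode(dmarc_record) == "strict":
        return body == env
    return organizational_domain(body) == organizational_domain(env)

# Constructed sample values; none come from a real deployment.
BODY_FROM = "Billing <billing@example.com>"
DEFAULT_RETURN_PATH = "bounce@bounce.provider.example.org"  # provider-owned domain
CUSTOM_RETURN_PATH = "bounce@bounces.example.com"           # subdomain of mail domain
RELAXED = "v=DMARC1; p=quarantine; aspf=r"
STRICT = "v=DMARC1; p=quarantine; aspf=s"

if __name__ == "__main__":
    for label, rp in (("default", DEFAULT_RETURN_PATH), ("custom", CUSTOM_RETURN_PATH)):
        for record in (RELAXED, STRICT):
            print(label, aspf_mode(record), spf_aligned(BODY_FROM, rp, record))
```

Because a custom return path is always a subdomain of the mail domain, it can satisfy relaxed alignment but never an exact (strict) match with the body From domain.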