Monday, July 14, 2025

Understanding Email security and Implementing Custom Domain Emails in Oracle Fusion Cloud using SPF and DKIM configurations

By default, any email notification sent from an Oracle Fusion Cloud environment will usually have a 'From' email address of the form <your pod>.fa.sender@workflow.mail.<your data center>.cloud.oracle.com

There are several use cases where Oracle Fusion subscribers would want to modify the 'From' email address in emails that get sent from Fusion Cloud applications.

Specifically, one would normally want to change the sending address in these emails to one that reflects their organization’s identity, instead of sticking to the default Oracle managed 'From' address that may expose the use of Oracle’s cloud infrastructure to their customers and contacts.


Although this change may seem simple, it requires correct email authentication measures to avoid any possibility of phishing attacks and email spam.

Email authentication comprises a variety of measures that are designed to help recipients validate whether an email has really been sent from a particular sender. The right use of email authentication methods provides an increased level of security for both senders as well as recipients.


Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) are two common forms of authentication. By adding these to our DNS entries, we're telling the recipients that we have authorized Oracle to send emails on behalf of our company's domain.



Sender Policy Framework (SPF):


SPF makes it possible to differentiate between the justified use of emails sent from an alternate domain and spoofing for malicious purposes. SPF utilizes the Domain Name System (DNS) infrastructure to register external servers that are authorized to send email on behalf of our company's domain. Once this configuration is in place, email relay servers anywhere on the web can take an email sent with a custom From address and look up DNS to see whether the source servers are on the SPF list and therefore valid.
In short, SPF lets custom domain owners identify the servers they have approved to send emails on behalf of their domain.



DomainKeys Identified Mail (DKIM):


DKIM is used to verify the authenticity of email messages sent from Oracle Fusion cloud applications. DKIM authenticates emails through a pair of cryptographic keys. Email senders generate public and private key pairs. The public key is published to DNS records, and the matching private keys are stored in a sender's outbound email servers. The private keys generate message-specific signatures that are added to the embedded email headers. ISPs that authenticate using DKIM look up the public key in the public DNS record. This way they verify that the signature in the email header was actually generated by the matching private key. DKIM ensures that an authorized sender actually sent the message, and that the message headers and content were not altered during transit.



Process to configure SPF and DKIM in Oracle Fusion Cloud:


- Create a service request on the Oracle Support portal asking for SPF and DKIM configurations on the specific Pod of your choice. Please note that you will need to create a separate SR for each Pod in order to configure SPF and DKIM.

- Oracle will respond with SPF configuration details.

- Add a new SPF record to the domain of the from address to include the Oracle Cloud email delivery domain.

The SPF record statement is: include:spf_c.oraclecloud.com

- Validate the SPF record by using an SPF record checker tool, e.g. the SPF Surveyor tool, to authenticate our domain.

How to use the SPF Surveyor tool:

Navigate to https://dmarcian.com/spf-survey/

Here, we enter the domain we are using for the email, e.g. ourcompany.com

Click Survey domain.

A message is displayed indicating the validation results.

If there's a problem with the SPF configuration or if it has not been configured properly, we will see a message indicating the problem.






- For DKIM configuration, we need to provide the below information in the SR:


Oracle Fusion environment Pod Name

The new custom domain based 'From' email address e.g. noreply@ourcompany.com

Key size: Default is 1024. One can change this to 2048, if desired.

DNS Selector name: Oracle generates this by default but one can specify a custom value, if desired. The default generated DNS selector uses this format: <env-name>-<region-code>-<date>



- Once this information is provided, Oracle registers the DKIM and responds to the service request with a DKIM-enabled DNS record.


Sample DKIM-enabled DNS record:

"key": "ORACLEABC1._domainkey.ourcompany.com",
"type": "TXT", 
"value":"v=DKIM1;k=rsa;p=MIIGIjEQWgkdkjgwdkjbnksjbnkwjnHnEGZXcJAHDBAB"


- We need to add this DNS record to our domain configuration and then update the service request confirming the changes we've made.


- At this stage, we have to wait for some time because Oracle has a process that runs every fifteen minutes to detect the DKIM stored in the customer DNS. After this step, Oracle (CNS) will start signing the emails. It usually takes somewhere between fifteen minutes and 24 hours for the DNS information to be detected by Oracle and for the DKIM process to be successfully enabled. Once this process is completed, an Oracle support engineer will respond on the SR.


- Once Oracle support responds, we need to verify that the signed email messages are delivered successfully. Once confirmed, we update the support request with confirmation.


- At this stage, Oracle support will change the 'From' email address in your Fusion Cloud environment to the new custom domain based DKIM-enabled address, e.g. noreply@ourcompany.com


Note: These steps need to be repeated for each Pod by creating a separate SR for each Oracle Fusion Pod where the custom From email is required to be configured using SPF and DKIM.
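
The DNS records from the procedure above can be checked for common mistakes before the SR is updated. The following Python is an added example, not code from the original post or from Oracle; the function names and the sample TXT records are constructed for illustration, only top-level SPF lookup terms are counted, and the DKIM record is assumed to sit directly under the From address's domain.

```python
import base64
import re

ORACLE_INCLUDE = "include:spf_c.oraclecloud.com"  # SPF statement from this page
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # cost a DNS lookup

def check_spf(txt_records):
    """Return problems found in a domain's TXT records (empty list means OK)."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:  # none means no policy; several make receivers return permerror
        return [f"expected exactly one v=spf1 record, found {len(spf)}"]
    terms = [t.lower() for t in spf[0].split()[1:]]
    problems = []
    if ORACLE_INCLUDE not in terms:
        problems.append("missing " + ORACLE_INCLUDE)
    # Top-level terms only: lookups inside included records also count toward 10.
    lookups = sum(re.split(r"[:/=]", t.lstrip("+-~?"))[0] in LOOKUP_TERMS for t in terms)
    if lookups > 10:
        problems.append(f"{lookups} DNS-lookup terms exceed the SPF limit of 10")
    if "+all" in terms or "all" in terms:
        problems.append("'+all' authorizes every server to send as this domain")
    return problems

def check_dkim(record_name, value, from_address):
    """Return problems in a DKIM TXT record published for the custom From address."""
    problems = []
    domain = from_address.rsplit("@", 1)[-1].lower()
    selector, sep, zone = record_name.lower().partition("._domainkey.")
    # Assumption: the record lives directly under the From domain, as in the sample.
    if not (selector and sep and zone == domain):
        problems.append(f"name must be <selector>._domainkey.{domain}")
    pairs = (t.split("=", 1) for t in value.split(";") if "=" in t)
    tags = {k.strip(): v.strip() for k, v in pairs}
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v= must be DKIM1")
    p = "".join(tags.get("p", "").split())  # DNS tools may fold long keys
    try:
        if not base64.b64decode(p, validate=True):
            problems.append("p= is empty, so no usable public key is published")
    except ValueError:
        problems.append("p= is not valid base64")
    return problems

# Constructed sample records; the DKIM name and value are the page's sample record.
SAMPLE_TXT = ["v=spf1 include:spf_c.oraclecloud.com ~all", "site-verification=abc123"]
DKIM_NAME = "ORACLEABC1._domainkey.ourcompany.com"
DKIM_VALUE = "v=DKIM1;k=rsa;p=MIIGIjEQWgkdkjgwdkjbnksjbnkwjnHnEGZXcJAHDBAB"
if __name__ == "__main__":
    print("SPF :", check_spf(SAMPLE_TXT) or "OK")
    print("DKIM:", check_dkim(DKIM_NAME, DKIM_VALUE, "noreply@ourcompany.com") or "OK")
```

In practice the TXT strings would come from a DNS query against the live domain rather than from the embedded samples.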



Conclusion:

SPF and DKIM are critical components of email authentication and security in Oracle Fusion cloud. They prevent email spoofing and enhance the deliverability of enterprise emails.
These methods ensure that business communications remain trustworthy and secure. Organizations leveraging Oracle Fusion cloud and wishing to use custom domain based From email addresses need to implement SPF and DKIM to safeguard their email ecosystem and enhance overall enterprise security.

