Instructions and FAQs related to SPF cleanup
(Doc ID 2879363.1)
Last updated on JULY 01, 2022
Applies to:Oracle Fusion Application Toolkit Cloud Service - Version 11.13.22.01.0 and later
Information in this document applies to any platform.
Instructions to Update SPF Record
What to update:
Update the SPF record to include record "spf_c.oraclecloud.com”.
How to add/update SPF record:
This can vary, depending on what is used to manage your Domain Name System (DNS) . Customers who utilize OCI for DNS can set up this feature in the Console. Regardless, this process is easy, but ask your support personnel for help if it’s not clear in their documentation.
Work with support personnel to add the TXT record of include:spf_c.oraclecloud.com ~all to the DNS record of sending domain or subdomain. That inclusion tells receiving mailbox providers that email coming from sending domain or subdomain through your fusion application is authenticated.
Sending domains can use multiple SPF records because senders can use one provider for bulk email, one for support software, one for billing software, and so on. Using our example, if this is the first SPF record on that sending domain, add v=spf1 before the include. Otherwise, you don’t have to include v=spf1 for every include.
*If you wish to log a Service Request, then please state “Question on Doc Doc ID 2879363.1" in the problem summary
What is SPF?
Sender Policy Framework (SPF) is used by email receivers to detect email spoofing. Using SPF, an email receiver can check if the Internet Protocol (IP) is explicitly authorized to send for that domain. Receiving mail servers check the SPF records of sending domains to verify that the email's source IP address is authorized to send from that domain. Without SPF, a spam or phishing email can be “spoofed” to appear that the email comes from a legitimate domain. Domains that implement SPF are much more likely to block emails attempting to spoof your domain.
What is the purpose of SPF?
At a high level, SPF’s initial purpose was to stop spamming in the early days of bulk and transactional sending. While a few different varieties of spamming exist, SPF provides proof to mailbox providers that the IPs used to send the email are authorized to send an email on the sender’s behalf.
How is SPF implemented?
SPF is implemented by publishing a special TXT record to a domain's DNS records. The TXT record declares which hosts are allowed to send mail on behalf of this domain.
Why is Oracle asking the Customer to change the DNS text record?
Oracle is making an infrastructure change/improvement for Message Transfer Agent (MTA) servers used by Fusion applications, which will result in new IP addresses. Customers who have added IP addresses/subnet of the SMTP Servers to the DNS TXT record will be impacted when MTA IP addresses change. So, we request you to update sending domain's DNX TXT record to include record "spf_c.oraclecloud.com"
Can Oracle make this change for the Customer?
No, Oracle cannot make this change as the configuration is on the customer end in the DNS text record.
What if the customer's sending domain is at the 10 DNS lookups limit for SPF already?
If the customer sending domain is already at the 10 DNS lookups limit for SPF, Oracle strongly recommends using subdomains if senders use a multivendor approach. Subdomains need their own authentication for SPF, their value is independent from the main domain.
Will making this change have any impact on the customer's ability to send email?
No, but please verify that your new SPF record is set up correctly. You can verify with the Terminal command, nslookup -type=txt example.com, or through a third-party source such as https://dmarcian.com/spf-survey/
Enter your sending domain name and validate your spf record.
Can Oracle provide a new IP address to the customer?
It is best practice to use include record "spf_c.oraclecloud.com" since IP addresses can change and when that happens, we add new IP addresses to our include record i.e "spf_c.oraclecloud.com"
Is the customer required to replace the current SPF records with the new SPF record, or do they need to completely remove old records and add new records?
No action is required if customers have already added include record spf_c.oraclecloud.com to DNS TXT record. But if the customers added IP addresses/subnet of the SMTP Servers, then need to update TXT record with include record "spf_c.oraclecloud.com".
Is this the final SPF record or will there be any further changes to these to introduce new SPF records when new data centers with new domain are added?
This is intended to be the single SPF record (unless the scaling of SMTP servers meets the SPF depth limitation).
Does this change require restarts of Email Infrastructure on the customer side?
No, restart is not required. DNS changes are dynamic. However Postmasters (ISP or in-house) should be able to provide information based on their setup.
How can a customer validate if they have ever configured Oracle's SPF record that requires the new SPF record to be replaced?
Browse to https://stopemailfraud.proofpoint.com/spf/, input the customer email domain under SPF check Tab and click Check. Verify if there is spf_c.oracle.com listed under SPF RECORD FOR <CUSTOMER DOMAIN>.COM.
How can a customer validate if the emails are delivered fine after adding new SPF records. Does this require any emails to be triggered from the Fusion Cloud to check if the emails are delivered to the customer users?
Emails will have to be triggered from OPC to the customer domain to check successful email delivery. If there is an issue relating to SPF, then their Inbound mail logs would report SPF related errors (errors logged vary based on service providers).
Who can be contacted if the customer has configured the new SPF record correctly and if the emails are still not delivered?
Support can open a ticket with Server Ops Team.
How does the Oracle Support team identify the email delivery issues, if the customer reports email issues due to SPF failures (Assume a case where the customer did not configure the new SPF record and Oracle decommissioned the old SPF record)?
By mining SMTP server logs.
To view full details, sign in with your My Oracle Support account.
Don't have a My Oracle Support account? Click to get started!
In this Document