OCI-GovCloud Migration: Sending Email

Objective – Send Email from Oracle APEX

Our applications send email to users. Hey, here is your new password, and you’ve got a task. Boring, routine activities. Our emails come from our own domain, a domain that we own and host the DNS for. The domain is a dot-COM address because we are not a government entity but a vendor selling software services to federal and state entities. We are not entitled to a dot-GOV address.

Our objective is to send email from Oracle APEX within OCI-GovCloud using our domain.

The Normal Way

We learned in correspondence with Oracle that they refer to GovCloud as “OC2” (likely because the sub-domain for GovCloud started oc2.cloud.oracle.com). Therefore, “OC1” is the commercial cloud service that the civilian and normal kids get to play in.

There are fine and functioning articles about this process for OCI-Commercial. This article is perfect, accurate, and functional for commercial OCI. We were successful within our “commercial” environment.

https://docs.oracle.com/en-us/iaas/Content/Email/Tasks/managing_dkim-setup_email_domain_with_dkim.htm

Required Steps

DNS Hosting

You own the domain. You host the DNS records. Your choices are numerous. But given we are migrating from AWS, obviously, we host our long-held and well-known domain at AWS on their Route 53 product. You’ll need access to the DNS host to configure new records.

DKIM Setup

The normal process for setting up involves a series of steps to prove that you own the domain and that you are therefore authorized to send email from XXX location. This requires setting up DomainKeys Identified Mail (DKIM).

Email sending is found under “Application Integration”. When stepping through, OCI-GovCloud does provide the public endpoint and SMTP port (587), and informs you that TLS is required. Excellent. Then you create an email domain (or edit the domain).

When you create your domain and save (then return to edit it), you will get a record similar to the one below.

The basic instructions have you creating 2 DNS records.

  • CNAME
  • TXT

DNS Records

CNAME

Create a CNAME with the CNAME provided and the Value. The lovely copy buttons help.

Text Record Value

The Text record value includes a key for the DKIM. When you copy this, paste it into your favorite text editor. The text value is too long for a lot of DNS entries, including AWS Route 53. I believe the maximum line length for AWS R53 is 255 characters. So, using a text editor, add a “hard quote” at the beginning, then slide to character 200 or 250 and add a hard quote, hit space, and add a “hard quote” again. Repeat until the end of the value and close it with a final hard quote. We got a lot of errors until we got this right.

"v=DKIM1;h=sha256;p=MIIBIjANBgkqxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxp6bHWQZWBaWJCoA7JwT6p05+" "6x8EqgVBg0hnBc4DXGOgn6GLBALek5exxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxy4yILb/EyRDw9aCe6jDEtind" "oiCPFFx+HsLeshwq7Z/vUtrR4Uhqa+5xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/S3nZ/6AbJg5QiLmtsf3pW2N" "CAnJqTADRbvFumwJvl43IzoYMALwPyxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxQAB"

When done well, you get a happy check mark (not shown).
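The quote-and-split step described above can be scripted and checked before pasting into Route 53. This is an added example, not code from the original post or from Oracle or AWS; the function names and the filler key are constructed for illustration, and the 255-character limit per quoted string comes from RFC 1035.

```python
import base64
import binascii
import re

MAX_STRING = 255  # RFC 1035: one quoted string inside a TXT record holds at most 255 bytes


def split_txt_value(value, chunk=200):
    """Return the value as space-separated quoted strings of at most `chunk` characters."""
    if not 1 <= chunk <= MAX_STRING:
        raise ValueError("chunk must be between 1 and 255")
    value = value.strip().strip('"')
    if '"' in value or not value.isascii():
        raise ValueError("expected one unsplit ASCII value")
    parts = [value[i:i + chunk] for i in range(0, len(value), chunk)]
    return " ".join(f'"{part}"' for part in parts)


def join_txt_value(quoted):
    """Reassemble the record the way a resolver does: concatenate the strings, no separator."""
    strings = re.findall(r'"([^"]*)"', quoted)
    if not strings or any(len(s) > MAX_STRING for s in strings):
        raise ValueError("missing quotes or a string longer than 255 characters")
    return "".join(strings)


def check_dkim_txt(quoted):
    """Return a list of problems in a split DKIM TXT value (empty list: it looks sane)."""
    try:
        record = join_txt_value(quoted)
    except ValueError as exc:
        return [str(exc)]
    tags = dict(item.strip().split("=", 1) for item in record.split(";") if "=" in item)
    problems = []
    if tags.get("v") != "DKIM1":
        problems.append("v= tag is not DKIM1")
    try:
        if not base64.b64decode(tags.get("p", ""), validate=True):
            problems.append("p= tag is empty")
    except binascii.Error:
        problems.append("p= is not valid base64 (chunk dropped or stray space)")
    return problems


# Constructed sample: 294 filler bytes stand in for a 2048-bit RSA public key.
SAMPLE = "v=DKIM1;h=sha256;p=" + base64.b64encode(bytes(range(256)) + bytes(38)).decode()

if __name__ == "__main__":
    print(split_txt_value(SAMPLE))
    print(check_dkim_txt(split_txt_value(SAMPLE)))
```

Run `check_dkim_txt` on the exact text you are about to paste; a stray space inside a quoted string or a dropped chunk shows up as a base64 error rather than as an unexplained “needs attention” status later.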

OCI-GovCloud DNS

The GovCloud DNS permits creating private DNS entries only. Therefore, we were not able to use OCI-GovCloud’s internal DNS to support DKIM. Oh well.

November 2023 Service Request with Oracle


Guided by this article:
https://docs.oracle.com/en-us/iaas/Content/Email/Tasks/configuredkim.htm
It does seem that a key issue is that we cannot get our DKIM to validate. I am uploading images from OCI and AWS to demonstrate the DNS settings. We have a CNAME in AWS Route 53 and a TXT record. Our settings show as “inactive” and “needs attention”. Further reading indicates we need to have an IAM policy.
https://docs.oracle.com/en-us/iaas/Content/Email/Tasks/managing_dkim-required_iam_policy.htm
This tells us to create a policy for our group to manage email-family in tenancy. We do have one, but we had to create it for the root, not the sub-compartment. We do not have DKIM recognized.

Opening Support Request with Oracle

November 2023

We did try all of the common features with Oracle email, including creating an access control list and sending email within APEX and from the Oracle PL/SQL command line using Oracle utilities. We got error messages such as ORA-29019: The protocol version is incorrect. We provided screenshots and specifics about our configuration.

12 DEC 2023 Response

We got the following message from the support team:


Hello Christina –

I did hear an update from the service team:


DKIM should work fine in OC2, it just needs to be set up more manually for now due to limitations in OCI DNS. (Possible good news is that they are preparing for a migration that should open up DNSSEC support and allow us to fully automate our DKIM implementation like we already have it in OC1.)

So with that, we'll close out the ticket for now. It appears that in the future it will be the same process as our Commercial region but for now it does require extra steps that may not be fully documented. If you have anything further please feel free to open a new SR to our next available engineer and you can reference this ticket. 3-34805249501

Thanks! Sorry we weren't able to fully get this functioning for you.

We’ve observed that OC2 is their code phrase for “OCI-GovCloud”. And OC1 is code for “OCI-Commercial”.

It seems that we cannot configure email for Oracle APEX until:

  1. The “more manual process” is resolved
  2. Limitations to OCI DNS are resolved
  3. And DNSSEC support is available
  4. Documentation for DKIM configuration within OCI-GovCloud is written
  5. DKIM works reliably in GovCloud

We stand by, ready and willing to help and test this for the team at Oracle. We have noticed that the GovCloud support team does not have access to the standard Oracle Service Request system. This makes communication with that team very, very remote and extraordinarily slow.

Oracle wants to close this ticket and asks us to open an identical ticket. Given it is 6 weeks old, maybe somebody’s boss is yelling about a gray-bearded ticket messing up statistics.

Posted by Christina Moore

First database application during undergrad years: 1985. First full-time work in Oracle db: 1995 at FedEx in the land of international shipping and regulatory compliance. First APEX application: 2008 with a U.S. based wholesale grocery distribution outfit (logistics, finance, and regulatory compliance). First commercial APEX application: 2012 (time tracking/invoices, grant management/finances/regulatory compliance). There seems to be a trend with finance, regulatory compliance, logistics.