This guide brings you through the basic steps to migrate your Dyn Email Delivery service or Dyn Email Delivery Express service to Oracle Cloud Infrastructure (OCI)’s Email Delivery Service. The guide covers initial setup of Oracle Cloud tenancy and accounts, and configuration of email sending domains, SPF, DKIM, approved senders, and suppressions.
OCI is working on adding more features to OCI Email Delivery to match those in Dyn, for general availability in the immediate coming months. In addition to reputable email delivery, OCI currently offers other core features such as bounce and complaint collection, email authentication standards, deliverability performance including possible dedicated IP resources, detailed and summary activity reporting, and a host of other features offered through tight integration with other Oracle Cloud services.
As of this writing, we are working on features such as open and click engagement tracking, HTTPS sending, custom headers, approved (wildcard) domains, custom return path, and others. We are also working on tools to help migrate accounts with sizable approved sender and suppression lists. For more information on availability and timeline, please reach out to email@example.com.
To migrate from Dyn Email Delivery service or Dyn Email Delivery Express service to Oracle Cloud Infrastructure, follow these steps:
We recommend migrating both your Approved Senders and Suppression List. Any remaining configurations should be done fresh in Oracle Cloud.
Oracle Cloud Infrastructure requires an account (“tenancy”) be created to support setting up cloud services such as Email Delivery. In addition, since OCI utilizes a different means for authenticating web and SMTP users, these accounts must be configured fresh there. Existing Dyn credentials cannot be transferred from Dyn to OCI.
If you do not yet have an account, you can start with a free account. Oracle Cloud’s Free Tier includes a practical amount of infrastructure and services to get started, including allotment to send up to 100 emails a day to test out the service. You will have to enter a credit card, but it is not billed.
Before setting up Email Delivery, consider how best to logically separate your email configuration and activity, if needed. Dyn Email Delivery uses sub-accounts to segment email sending and reporting, and helps in controlling access. OCI uses “compartments” to do this, allowing you to organize and isolate your cloud resources such as approved senders. For more information and to create Oracle Cloud Infrastructure compartments, see Managing Compartments.
Unlike Dyn Email Delivery, Oracle Cloud Infrastructure provides a robust set of permission features that allow you to set up granular permission policies to manage access to various elements of the Email Delivery service, including sending and approved sender creation permissions. For more information, see Overview of Oracle Cloud Infrastructure Identity and Access Management. This includes the recommended use of Groups to help organize with similar access, and grant them appropriate access to manage resources.
Once you have your tenancy created, you have the option to set things up manually using the OCI web console, or you can look at scripts provided here to utilize Oracle Resource Manager and the Terraform CLI to automate setup and management.
Oracle Cloud offers a robust set of services and security control options to support even the most complex requirements. However, you can get started for reputable sending relatively quickly.
Below, we offer condensed steps for a minimal setup in OCI Email Delivery. You can also consult the Getting Started with Email Delivery guide for more detail.
A word about regions: Oracle Cloud is a region-based service, unlike Dyn Email Delivery which has a single set of global endpoints. You will want to consider which region(s) of Oracle Cloud to set up in, as each region requires its own setup. For now, you can just pick the region closest to where you are to get started.
The ideal way to think about this: where do your users reside in the world and are there restrictions within those countries as relates to where email comes from? If you have an Australian-based arm of your company, you could set up a region there and another one for U.S-based affairs, etc.
Minimum Requirements for OCI Email Delivery Configuration
SMTP credentials are added to a User within your tenancy for use in submitting emails to OCI for delivery. Credentials used to authenticate into the OCI web console are different and not used for email submission.
OCI uses Identity and Access Management (IAM) policies to help control access to cloud resource management. Email Delivery offers a single policy or more granular policies, depending on your needs. To enable all operations on all email resources for a specific user group, use the following policy:
Allow group [Your Group Name] to manage email-family in tenancy [Your Tenancy]
There are other policies you will want in place, especially when accessing logs and managing suppressions. See Creating User Permissions in the OCI Email Delivery documentation for more detail.
OCI uses Email Domains to help ensure good email delivery reputation using important, industry-standard authentication measures. For more information, see Managing Email Domains.
For each of the domains you will send email from:
DKIM (DomainKeys Identified Mail) is an important step to ensure email you send reaches the inbox and is considered reputable. It utilizes DNS records to help achieve cryptographic signing of emails, ensuring the email is seen by inbox providers as genuine.
Ideally, DKIM should be set up fresh with new signing keys especially if you are currently using less secure 1024-bit or less encryption strength; OCI Email Delivery defaults to using strong 2048-bit encryption. OCI also encourages the use of CNAME records for setting up DKIM (in contrast to the TXT record method used in Dyn), which will eventually allow for easy key rotation.
To set up fresh DKIM manually, see the guide to Setting up an Email Domain with DKIM for helpful steps, including links to documentation for several popular DNS providers. While you can attempt to send some test mail without DKIM set up, we highly recommend setting up DKIM right away to avoid delivery issues later.
SPF (Sender Policy Framework) is an important, industry-standard measure to let email inbox providers know that OCI Email Delivery is allowed to deliver emails on your behalf. Like DKIM, SPF uses DNS records. See the guide to Configuring SPF for easy steps to set up this important permission. Note that SPF is set up by region; so, using the Australia example above, you would want to use the includes for the specific regions you are sending from.
Like Dyn Email Delivery, OCI uses Approved Senders to help ensure good email delivery practices, segment sending activity and reporting, and strengthen use of other features. Each “From” address you plan to use must be added as an Approved Sender. See the guide to Creating an Approved Sender for more helpful information and steps.
Instead of adding Approved Senders manually, you can also use a host of Developer Tools and Resources including Terraform, SDKs, and the OCI CLI to programmatically add senders. This can be combined with the Dyn Email Delivery Approved Senders APIs to perform a seamless migration of all senders.
Email Suppression Lists are important to ensure good delivery reputation. You do not need to add suppressions in order to start sending but we recommend importing any existing suppression list you have, including ones from Dyn Email Delivery, to maintain your sending reputation.
You may have a large-enough suppression list that adding them one by one is simply not practical. You can use various Developer Tools and Resources in creating automation to add suppressions, and couple that with the Dyn Email Delivery Suppressions API or read from the CSV file you exported earlier.
To add an email address to the suppression list individually:
With your SMTP credentials, email domains, important authentication measures, and approved senders in place, you can start sending. See the guide to Configuring SMTP Connection for info on the region-based connection endpoints and TLS requirements, and Sending an Email for a review of the important setup pieces, and links to API and SDK documentation.
Aside from programmatic ways to send email, you can also use tools such as swaks to do very basic send tests using your new configuration.
To check the results of your sending:
data.recipient = firstname.lastname@example.org
OCI is constantly working on adding features to its services, including Email Delivery. See the OCI Email Delivery documentation for details.
The Return-Path address is located in every outbound message's header. By default, we use our own Return-Path address for all customers. We offer the ability to customize this for a few reasons:
We strongly recommend when migrating your Dyn account to OCI Email Delivery, to request this for any sending domain you are using. In OCI, we have the ability to match any sending domains with their corresponding custom Return-Path. Dyn could only achieve one per master account. Taking advantage of this feature will greatly help your domains deliverability.
Read more information and steps to get a custom Return-Path set up in OCI.
You can cancel your Dyn Email Delivery enterprise account by emailing email@example.com. Note this is not done automatically once you start sending through OCI Email Delivery. Once you are fully done with Dyn Email Delivery, let us know via that email address ASAP.
After you have fully moved over to OCI Email Delivery and are ready to cancel your Dyn Email Delivery Express service account, login to your account at account.dyn.com with your eCommerce username and password.