Domain Management

Available in Classic and VPC

Cloud Outbound Mailer allows you to register, manage, and share domains with other users. By registering a domain and authenticating it with Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM), you can verify your sender credentials and prevent unauthorized users from sending emails from your domain.

Domain management interface

To access the Domain management menu, navigate to i_menu > Services > Application Services > Cloud Outbound Mailer > Domain management in the NAVER Cloud Platform console.

The domain management interface includes the following components:

cloudoutboundmailer-use-domain_screen_ko

Component	Description
① Menu name	Current menu name.
② Basic features	Features displayed when entering the Domain management menu for the first time: [Register domain]: Register a domain (see Register domain). [Learn more about the product]: Go to the Cloud Outbound Mailer overview page. [Refresh]: Reload the domain list.
③ Post-creation features	Features displayed after a domain list is generated: [Delete]: Delete the selected domain (see Delete domain). [Check project key]: Check the project key value for a domain sharing request (see Request domain sharing).
④ List of domains	View the list of registered domains and their details.

View domain

To view domain details:

In the NAVER Cloud Platform console, navigate to > Services > Application Services > Cloud Outbound Mailer.
Click the Domain management menu.
Click a domain from the domain list to view its details.
- Domain authentication token
  - Authentication token: Click [View] to check the authentication token value generated during domain registration.
  - Authentication date and time: Date and time when the domain's DNS ownership was authenticated.
    - The [Authenticate] button appears if the status is unauthenticated. Click [Authenticate] after registering the authentication token value in the domain DNS TXT record.
- SPF/DKIM authentication
  - SPF record: Check the signature value for SPF authentication and change its usage status.
    - [View]: View the SPF signature value.
    - [Enable]/[Disable]: Toggle the SPF authentication usage status.
  - Authentication date and time: Date and time the SPF signature value was authenticated.
    - The [Authenticate] button appears if the status is unauthenticated. Click [Authenticate] after entering the SPF signature value in the domain DNS TXT record.
  - DKIM: Check the signature value for DKIM authentication and change its usage status
    - [View]: View the DKIM signature value.
    - [Enable]/[Disable]: Toggle the DKIM authentication usage status.
  - Authentication date and time: Date and time the DKIM signature value was authenticated.
    - The [Authenticate] button appears if the status is unauthenticated. Click [Authenticate] after entering the DKIM signature value in the domain DNS TXT record.
- Domain sharing
  - Project key: List of account project keys received from the domain sharing requester.
    - Enter the project key value in the input field and click [Add] to share the domain.
  - Registration date: Date and time the project key value was registered.

Register domain

Domain registration involves adding a TXT record to the domain's DNS to authenticate ownership. To register a domain:

In the NAVER Cloud Platform console, navigate to > Services > Application Services > Cloud Outbound Mailer.
Click the Domain management menu.
Click [Register domain].
When the domain registration popup window appears, enter the domain address in Enter domain and click [Generate authentication token].
When the token value appears in Authentication token, click [Copy].
- You can check the generated authentication token value again from the domain list.
- Click [Generate authentication token] again to generate a new authentication token value.
Click [Register].
Visit your domain provider's website and register the copied authentication token in the DNS TXT record.
Return to the Domain management menu in the NAVER Cloud Platform console and click the domain from the domain list.
Click [Authenticate] for Authentication date and time under Domain authentication token.
- It may take some time for DNS changes to be applied.
- When authentication is successful, the authentication date and time are displayed.
- If authentication fails, the DNS lookup and verification failed, so check the DNS TXT record.

Caution

Domains such as naver.com, navercorp.com, and ncloud.com cannot be used, and message delivery may be blocked.

Domain security

You can apply authentication for the security of your registered domain. The types of authentication you can apply are as follows:

Sender Policy Framework (SPF) authentication: Verifies whether the mail sender information matches the mail server information registered in the DNS to check for sender spoofing.
DomainKeys Identified Mail (DKIM) authentication: Adds a digital signature to the mail header to verify whether the mail has been forged or altered.
Domain-based Message Authentication, Reporting, and Conformance (DMARC) authentication: You can set how to handle outgoing emails from domains that fail SPF and DKIM authentication. It works with SPF and DKIM to authenticate mail senders.

Caution

If all 3 authentication processes—SPF, DKIM, and DMARC—are not completed for specific domains among the recipient email addresses, email delivery to those domains may fail.

SPF authentication

Once domain registration is successfully completed, you can add SPF authentication. To add SPF authentication:

In the NAVER Cloud Platform console, navigate to > Services > Application Services > Cloud Outbound Mailer.
Click the Domain management menu.
From the domain list, select the domain to add SPF authentication.
In SPF/DKIM authentication, click [View] under SPF record and copy the SPF signature value.
Visit your domain provider's website and register the SPF signature value as a DNS TXT record.
Caution
Cautions for SPF record registration are as follows:
- There must be only one SPF record.
- If an SPF record is already registered, add include:email.ncloud.com to the existing record as shown in the examples below.
- Example: example.com txt = "v=spf1 ip4:192.168.0.1 include:spf.example.com include:email.ncloud.com ~all"
Return to the Domain management menu in the NAVER Cloud Platform console and click the domain from the domain list.
In SPF/DKIM authentication, click [Authenticate] under SPF record.
- When authentication is successful, the authentication date and time are displayed.
- If authentication fails, the DNS lookup and verification failed, so check the DNS TXT record.
Click [Enable] under SPF record.
- The SPF authentication status changes to Enabled, and the [Enable] button switches to [Disable].
Caution

If SPF authentication is enabled and you click [Disable] to change it to the Disabled status, it may affect the authentication of emails being delivered.
Send a test email using the domain to verify that the settings have been applied.
- Enter the domain in the sender's email address when sending the email.
- After you send the email, open the email in your inbox to check the SPF authentication information.
  - NAVER Mail: Click > Show original at the top of the email. In the show original popup window that appears, check the Authentication-Results header.
  - Gmail: Click > Show original at the top of the email. In the show original page that appears, check the SPF entry.
  - For other email services, contact the provider for instructions on how to check SPF.

DKIM authentication

Once domain registration is successfully completed, you can add DKIM authentication. To add DKIM authentication:

In the NAVER Cloud Platform console, navigate to > Services > Application Services > Cloud Outbound Mailer.
Click the Domain management menu.
From the domain list, select the domain to add DKIM authentication.
In SPF/DKIM authentication, click [View] under DKIM and copy the DKIM signature value.
Visit your domain provider's website and register the DKIM signature value as a DNS TXT record.
- Cloud Outbound Mailer provides selector values for each environment and region. Check the selector displayed on the console.
  Note
  Selectors by environment and Region are as follows: For domains registered before November 7, 2024, the selector is mailer.
  - Private environment
    
    Korea Region: ncpcompubkr
    
    Japan Region: ncpcompubjpn
    
    Singapore Region: ncpcompubsgn
  - Financial environment: ncpcomfin
  - Public environment: ncpcomgov
- The DKIM signature value must be registered in the following format:
```
<selector>._domainkey.<domain> IN TXT "<DKIM signature value>"
```
- Registration examples by environment and region:
```
Private environment - Korea Region: ncpcompubkr._domainkey.domain.com
Private environment - Japan Region: ncpcompubjpn._domainkey.domain.com
Private environment - Singapore Region: ncpcompubsgn._domainkey.domain.com
Financial environment: ncpcomfin._domainkey.domain.com
Public environment: ncpcomgov._domainkey.domain.com
```
- When registering the DKIM signature value, ensure you check and configure the following:
  Caution
  Cautions for the length of TXT records are as follows:
  - Cloud Outbound Mailer supports only 2,048-bit DKIM signatures for enhanced security.
  - The DKIM signature value (public key) of Cloud Outbound Mailer is 392 characters long, exceeding the standard DNS TXT record limit of 255 characters. Therefore, you must split the syntax using double quotes and enter it across multiple lines.
  - For Global DNS, TXT records exceeding 255 characters are automatically wrapped, allowing you to register the signature value as is. For more information, see Global DNS.
  - Contact your domain service provider to check for support and instructions on how to split and register TXT records exceeding 255 characters.
- Refer to the following command examples to verify that the DKIM signature value is properly registered and retrieved:
```
nslookup -q=txt ncpcompubkr._domainkey.domain.com
```
- It must be displayed in a multi-line format consisting of 2 string blocks for successful authentication:
```
ncpcompubkr._domainkey.domain.com text =
"v=DKIM1;k=rsa;p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA25Dh71cXQ243vpAdU86jFbn14U8+VlWz28m6C7XVs/XLu80mDBksJOYiIpqU+je5XjdPA0AwCHRg+gtiJhoAlVI4mgQQnL7oV7f3IFlFeraHKxukSeVo1q082AeMymv2LHqU967F+P3yggyOSv4T6n29BrG5ODB9V/lnu8Py6ONUaWLX8nLOqJ5EZ"
"9f5PPyFIa11u9KIG49+pM6Gp2Wd/F/EYsWGyaGtxZ4gg67D5CLzcqh63M0DwUNJX+qPVdojv33veexQcJw1N+vpa4gQ7U963Zf3kcEaMhcXb3KqXyYLh2CIT3D1c3PUbfWwMlPfL5ADhFLvD342r4skPTUmKQIDAQAB"
```
Return to the Domain management menu in the NAVER Cloud Platform console and click the domain from the domain list.
In SPF/DKIM authentication, click [Authenticate] under DKIM.
- When authentication is successful, the authentication date and time are displayed.
- If authentication fails, the DNS lookup and verification failed, so check the DNS TXT record.
Click [Enable] under DKIM.
- The DKIM authentication status changes to Enabled, and the [Enable] button switches to [Disable].
Caution

If DKIM authentication is enabled and you click [Disable] to change it to the Disabled status, it may affect the authentication of emails being delivered.
Send a test email using the domain to verify that the settings have been applied.
- Enter the domain in the sender's email address when sending the email.
- After you send the email, open the email in your inbox to check the DKIM authentication information.
  - NAVER Mail: Click > Show original at the top of the email. In the show original popup window that appears, check the Authentication-Results header.
  - Gmail: Click > Show original at the top of the email. In the show original page that appears, check the DKIM entry.
  - For other email services, contact the provider for instructions on how to check DKIM.

Look up DNS records

To look up DNS records:

# Look up TXT records
$ nslookup -q=txt ncpcompubkr._domainkey.example.com
$ nslookup -q=txt example.com

To check the records from the console:

Access the Cloud Outbound Mailer console.
Click the Domain management menu.
Verify the DKIM authentication status for the domain.
After authentication is complete, ensure that the [Enable] button is activated.

Caution

After authentication is complete, clicking [Enable] for activation changes the button to [Disable] and displays the "Enabled" status.

DMARC authentication

Once domain registration is successfully completed, you can add DMARC authentication. To add DMARC authentication:

Note

As DMARC authentication works based on SPF and DKIM authentication, it is recommended that you proceed with SPF and DKIM authentication as well as DMARC authentication.

Visit your domain provider's website and register the DMARC signature value as a DNS TXT record.

For the DMARC record name, _dmarc must be entered before the domain.
Example: _dmarc.domain.com
The DMARC record value is structured as follows:
Example: v=DMARC1; p=none; aspf=r; adkim=r; rua=mailto:report@example.com

Each item is organized as follows:

Item	Value and description	Required
v	Indicates the version. Enter as `DMARC1`.	Required
p	How the receiving server handles emails that fail DMARC authentication: `none`: Deliver the email without taking any action. `quarantine`: Deliver the email to the spam folder. `reject`: Reject the delivery and bounce the email back to the sender.	Required
sp	Policy for emails sent from subdomains: `none`: Deliver the email without taking any action. `quarantine`: Deliver the email to the spam folder. `reject`: Reject the delivery and bounce the email back to the sender.	Optional
aspf	String matching settings for SPF signatures and mail information: `s`: Strict match. `r` (default): Relaxed match (allows subdomains).	Optional
adkim	String matching settings for DKIM signatures and mail information: `s`: Strict match. `r` (default): Relaxed match (allows subdomains).	Optional
rua	Email address to receive DMARC processing reports for the domain. Enter `mailto:` before the email address. Multiple email addresses can be specified by separating them with commas (,).	Optional

Note

For more information about DMARC records, see RFC 7489 document.

In the NAVER Cloud Platform console, navigate to > Services > Application Services > Cloud Outbound Mailer.
Click the Domain management menu.
Select a domain to proceed with DMARC authentication from the domain list.
In DMARC authentication, click [Authenticate] under DMARC.
- When authentication is successful, the authentication date and time are displayed.
- If authentication fails, the DNS lookup and verification failed, so check the DNS TXT record.
Send a test email using the domain to verify that the settings have been applied.
- Enter the domain in the sender's email address when sending the email.
- After you send the email, open the email in your inbox to check the DMARC authentication information.
  - NAVER Mail: Click > Show original at the top of the email. In the show original popup window that appears, check the Authentication-Results header.
  - Gmail: Click > Show original at the top of the email. In the show original page that appears, check the DMARC entry.
  - For other email services, contact the provider for instructions on how to check DMARC.

Domain sharing

You can share or unshare an authenticated domain so that other users can use it. Domain sharing is performed in a way that the requester requests sharing and the domain owner approves it.

Request domain sharing (domain sharing requester)

To request domain sharing from a domain owner as a requester:

In the NAVER Cloud Platform console, navigate to > Services > Application Services > Cloud Outbound Mailer.
Click the Domain management menu.
Click [Check project key].
When the view project key popup window appears, click [Copy] and forward the project key to the domain owner.
- The domain owner must register the project key to complete domain sharing.
- When domain sharing is completed, the shared domain is automatically added to the domain list.

Note

Users who have been shared a domain do not have permissions to set up and enable/disable SPF/DKIM authentication for that domain. If the domain owner disables SPF/DKIM, authentication will also be disabled for shared users.

Approve domain sharing (domain owner)

To approve domain sharing as a domain owner:

In the NAVER Cloud Platform console, navigate to > Services > Application Services > Cloud Outbound Mailer.
Click the Domain management menu.
Click the domain you want to share from the domain list.
Enter the project key value received from the domain sharing requester in the project key input field in the details component, and then click [Add].
- The project key is added to the list, and domain sharing is completed.
- The domain is automatically added to the requester's domain list.

Unshare domain

Only the domain owner can unshare a domain. To unshare a domain:

In the NAVER Cloud Platform console, navigate to > Services > Application Services > Cloud Outbound Mailer.
Click the Domain management menu.
Click the domain you want to unshare from the domain list.
In the Domain sharing list, find the project key of the account to unshare and click [Delete].
- Accounts using that project key will no longer be able to use the domain.

Delete domain

To delete a registered domain:

Note

Deleting a domain may affect emails currently being delivered.
If you re-register a domain after deletion, you must perform the authentication and security process again as authentication tokens and SPF/DKIM signature values change even for the same domain.

In the NAVER Cloud Platform console, navigate to > Services > Application Services > Cloud Outbound Mailer.
Click the Domain management menu.
Select the domain to delete from the domain list and click [Delete].
When the delete domain popup window appears, click [Delete].