Symptom
- Email notifications are not being received
- Emails are being blocked. How can this be remedied?
- Emails generated by the SuccessFactors application are not delivered to users of the application.
- This KB article provides information on possible causes and solutions regarding how to make sure emails are delivered to end users.
Environment
SAP SuccessFactors HXM Suite
Cause
- The client's email servers detected email originated at a server other than one of their known internal servers and is blocking SuccessFactors emails.
- The client has a limitation as to how many emails that can be sent within a time period, also known as Bombing, E-mail bomb, and Mass Mail.
- The client uses a 3rd-party email provider that could be blocking traffic at a deeper level.
Resolution
- 1️⃣ - Allowlist SUCCESSFACTORS MAIL SERVERS
- SuccessFactors IP addresses need to be allowed into the customer network.
- Modify firewall/spam filters at the customer end to grant access to emails coming from SuccessFactors email relay IP addresses.
- Please find below a list of email server IP addresses.
- 2️⃣ - SPOOFING - MASQUERADING ISSUES
- Even if SuccessFactors servers are allow-listed, the customer may have an additional layer of security to prevent spoofing. Briefly, spoofing is the act of the SuccessFactors system sending an email to a person, say a notification to the manager saying a form is due. In the FROM address it says the email is from 'me@mycompany.com'. However, the recipient company 'knows' that the email did NOT originate FROM @mycompany.com (remember it is actually originated from @successfactors.com), so it blocks it, believing the message is spam, someone pretending to be 'me@mycompany.com'.
- This issue can be resolved by implementing Sender Policy Framework (SPF) or Domain Key Identified Mail (DKIM) as described below.
- 3️⃣ - SINGLE SENDER:
- The default system FROM address is always system@successfactors.com or system@successfactors.eu (depending on which Data Center the email originated from). However, if your business requires all emails to be sent from another email address, you may be using Single Sender or other module-specific sender settings to achieve this.
- If this is the case, your email server may think these emails are now spoofing emails as the FROM address domain will differ from the actual email originating domain.
- This issue can be resolved by implementing Sender Policy Framework (SPF) or Domain Key Identified Mail (DKIM) as described below.
- 4️⃣ - Do we support SENDER POLICY FRAMEWORK (SPF)?
- Consider adopting DNS SPF recording. SPF is an email validation system designed to prevent email spam by detecting email spoofing, a common vulnerability, by verifying sender IP addresses.
- SPF allows administrators to specify which hosts are allowed to send mail from a given domain by creating a specific SPF record (or TXT record) in the Domain Name System (DNS).
- Mail exchangers use the DNS to check that mail from a given domain is being sent by a host sanctioned by that domain's administrators.
- Adopting SPF verification on mail servers will ensure that emails are being sent from SuccessFactors.
- For more information, please view http://en.wikipedia.org/wiki/Sender_Policy_Framework
Example: A customer's mail administrator needs to add the proper SuccessFactors SPF entry to their sender domain's DNS SPF record with the 'include' parameter:
v=spf1 include:_spf-dc2.successfactors.com ~all (this example is DC2 SPF)
Note:We should add the specific SPF depending on the Data Center. Please find below a list of DC SPF entries.
- 5️⃣ Do we support Domain Keys or Domain Key Identified Mail (DKIM)?
- Yes, our email security filters support DKIM signing.
- This would need to be configured on a per domain basis.
- Please see KBA 2688533 - SAP SuccessFactors Email Security - DKIM and SPF.
***IMPORTANT NOTES***
- For customers who are using the single sender configuration or custom sender domains like @customerdomain.com, it is mandatory for them to update their SPF record with our email server IPs. All our mail server IP addresses and domains can be found in the See Also section of this KBA. All of our SPF records are also provided in the See Also section of this KBA.
- Customers who are using the third-party spam solutions (like Proof Point, Mimecast, Office 365 protections, etc...) need to update the respective exclusion or allow listing options list based on IP address or domain allow-listing and update the “Rate limit exclusion” section with our public IPs. All our mail server IP addresses and domains can be found in the See Also section of this KBA. **Please note we do not have visibility on these third-party spam filters, so we do not have technical steps to share on this. Kindly reach out to the technical support of these solutions for any assistance with the same.
See Also
- Point #1: - Email server IP addresses are available in the following KBA-> 2089448 - Successfactors Datacenter Name, Location, Production Login URL, Production Domain Name, External mail Server details and External mail Server IPs.
- Point #2: - 💡 As of 2H 2023 you can now monitor the delivery of email notifications using Stories in People Analytics. For more details see KBA -> 3387145 - Reporting on the delivery of System Email Notifications
- Point #3: - SuccessFactors DC SPF entries:
- ⚠️Do not use Big SPF entries (such as '_spf-sfdc.successfactors.com') including all Data Centers as it will cause an error due to too many records.
- ⚠️ Please use one or more of these 'include' mechanisms depending on the Data Center.
Data Center
|
SPF to add to the Customer's DNS
|
DC2/DC57 |
DC57: include:_spf-dc57.sapsf.eu Please use the above DC57 SPF record. While you can have both DC2 and DC57 there is no need to use both, it is recommened to use the DC57 SPF record which can be used on it's own. If you previously added the SPF record for this DC using the old DC2 record below - you should replace that with the above DC57 record. DC2: include:_spf-dc2.successfactors.com |
DC4/DC68 | include:_spf-dc4.sapsf.com |
DC8/DC70 | include:_spf-dc8.sapsf.com |
DC10/DC66 | include:_spf-dc10.sapsf.com |
DC11 | include:_spf-dc11.sapsf.com |
DC12/DC33 |
DC33: include:_spf-dc33.sapsf.eu Please use the above DC33 SPF record. While you can have both DC12 and DC33 there is no need to use both, it is recommened to use the DC33 SPF record which can be used on it's own. If you previously added the SPF record for this DC using the old DC12 record below - you should replace that with the above DC33 record. DC12: include:_spf-dc12.successfactors.com |
DC13 | n/a (decommissioned) |
DC15/DC30 | include:_spf-dc15.sapsf.cn |
DC16 | n/a (decommissioned) |
DC17/DC60 | include:_spf-dc17.sapsf.com |
DC18 | n/a (decommissioned) |
DC19/DC62 | include:_spf-dc19.sapsf.com |
DC22 | include:_spf-dc22.sapsf.com |
DC23 | include:_spf-dc23.sapsf.com |
DC25 | include:_spf-dc25.sapsf.com |
DC26 | include:_spf-dc26.sapsf.eu |
DC41 | include:_spf-dc41.sapsf.com |
DC43 | include:_spf-dc43.sapsf.com |
DC44/DC52 | include:_spf-dc44.sapsf.com |
DC47 | include:_spf-dc47.sapsf.com |
DC48 | include:_spf-dc48.sapsf.com |
DC49 | include:_spf-dc49.sapsf.com |
DC50 | include:_spf-dc50.sapsf.com |
DC51 | include:_spf-dc51.sapsf.com |
DC54 | include:_spf-dc54.sapsf.eu |
DC55 | include:_spf-dc55.sapsf.eu |
DC56 | include:_spf-dc56.sapsf.eu |
DC61 | include:_spf-dc61.sapsf.com |
DC74 | include: _spf-dc74.sapsf.eu |
DC95 | include:_spf-dc95.sapsf.com |
Keywords
sf success factors, LMS, RCM, PLT, PM, 360, goal, performance, recruiting, platform, BizX, bizx, SPF, Sender Policy Framework, DKIM, Domain Key Identified Mail, DMARC, authentication, security, spam, e-mail, exchange, smtp, firewall, fire wall, DNS, domain, single sender, recipient, bounced, block, fail, reporting on SuccessFactors email notifications and delivery , KBA , sf email notifications , LOD-SF-PLT-NOT , Email Notifications , LOD-SF-GM-EML , Emails, Notifications & Alerts , LOD-SF-LMS-NOT , Notifications , LOD-SF-MTR-EML , Emails and Notifications , LOD-SF-RCM-EML , Recruiting Emails and Notifications , Problem