Symptom
- What is DKIM?
- What is SPF?
- How to request/enable DKIM or SPF implementation?
Environment
SAP SuccessFactors HXM Suite
Resolution
All e-mail notifications delivered from the SuccessFactors hosted solution are securely encrypted over Sendmail/TLS. SuccessFactors uses Cisco IronPort e-mail appliances for encrypted e-mail distribution.
What is DKIM?
DKIM stands for DomainKeys Identified Mail.
- It allows senders to associate a domain name with an e-mail message, so that the recipient can validate the message's authenticity. In effect, a unique digital signature for each customer is included in the e-mail header so that SF e-mail notifications can be validated by the customer’s network.
- The IronPort mail clusters support both the old DomainKeys method and the newer DKIM method of signing. This needs to be configured on a per-domain basis on our IronPorts. We generate a private key and provide the customer with the DKIM public key values and string that they need to add to their public DNS records.
- Keep in mind that DKIM signing is not a replacement for actual e-mail signing though. DKIM only ensures that the e-mail was really sent on behalf of a domain.
What is SPF?
SPF stands for Sender Policy Framework. From KBA 2292695:
- It is an e-mail validation system designed to prevent e-mail spam by detecting e-mail spoofing, a common vulnerability, by verifying sender IP addresses. SPF allows Customer administrators to specify which hosts are allowed to send mail from a given domain by creating a specific SPF record (or TXT record) in the Domain Name System (DNS). Mail exchangers use the DNS to check that mail from a given domain is being sent by a host sanctioned by that domain's administrators.
- Adopting SPF verification on Customer mail servers will ensure that emails are being sent only from SuccessFactors.
How to request/enable DKIM or SPF implementation?
SPF is enabled by default, and you can contact your internal mail administrator to enable the SPF record (see KBA 2087468).
For DKIM, please reach out to the SAP Cloud Support team (under component LOD-SF-PLT-SEC) with the following information provided:
- Company ID;
- Datacenter;
- Your mail domain details;
- (Provide a full list of the email domains used by users - there may be more than one).
e.g. @testcompany.com and @testcompany.org.
Can SuccessFactors mail notifications integrate externally with a customer, e.g. can you relay mail through a customer's mail servers?
Yes, this is possible. We can forward outgoing e-mails to the customer's own SMTP server(s). We only need:
- the condition (recipient domain);
- the customer's SMTP server's IP and port;
- SMTP auth user and password if needed.
Note: DKIM or SPF enablement is done at the data center level. This means that separate requests are only needed for instances using different domains, or for the same domain on an instance hosted in a different data center. Also, the domain is checked by the operations team before being added to SPF/DKIM, to ensure that it belongs to the respective customer and that the domain of one customer cannot be used by another customer.
Keywords
DKIM, SPF, DMARC, e-mail security, mail domain, DNS, domain key identified mail, sender policy framework, enable DKIM, relay mail, mail server, external server, notification, KBA, LOD-SF-PLT-NOT, Email Notifications, LOD-SF-PLT-SEC, Security Reports, How To