Symptom
- What is DKIM?
- What is SPF?
- How to request/enable DKIM or SPF implementation?
Environment
SAP SuccessFactors HCM Suite
Resolution
All e-mail notifications delivered from the SuccessFactors-hosted solution are encrypted in transit over Sendmail/TLS. SuccessFactors uses Cisco IronPort e-mail appliances for encrypted e-mail distribution.
What is DKIM (DomainKeys Identified Mail)?
- It allows a sender to associate a domain name with an e-mail message so that the receiver can validate its authenticity. In practice it is a digital signature, unique to each customer, that is added to the header of every e-mail, so that SF e-mail notifications can be validated by the customer's network.
- IronPort mail clusters support both the older DomainKeys method and the newer DKIM method of signing. This must be configured on a per-domain basis on our IronPorts: we generate a private key and provide the customer with the DKIM public key value and the TXT record string that must be added to their public DNS records.
- Keep in mind that DKIM signing is not a replacement for actual e-mail signing, though. DKIM only ensures that the e-mail was really sent on behalf of a domain.
What is SPF (Sender Policy Framework)?
- It is an e-mail validation system designed to prevent spam by detecting e-mail spoofing (a common attack) through verification of the sending host's IP address. SPF allows customer administrators to specify which hosts are allowed to send mail for a given domain by publishing an SPF record (a TXT record) in the Domain Name System (DNS). Receiving mail exchangers use DNS to check that mail claiming to come from a given domain is being sent by a host sanctioned by that domain's administrators.
- Adopting SPF verification on customer mail servers ensures that e-mails claiming to come from SuccessFactors are accepted only when they were actually sent from SuccessFactors' sanctioned hosts.
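The SPF check described above, as an added example that is not part of the original KBA: a small evaluator that reads a v=spf1 TXT record from a constructed, in-memory DNS table (the domain names, IP ranges and include target are placeholders, not SuccessFactors' real records) and decides whether a given sender IP is authorized. It implements the general first-match algorithm of which the text gives one instance: the ip4/ip6, a, include and all mechanisms with their + - ~ ? qualifiers; mx, exists and macros are deliberately left out.

```python
import ipaddress

# Constructed DNS data for the example: name -> TXT strings / A addresses.
# Placeholder domains and documentation IP ranges, not real records.
ZONE_TXT = {
    "testcompany.com": [
        "v=spf1 ip4:203.0.113.0/24 include:_spf.mailrelay.example -all",
    ],
    "_spf.mailrelay.example": [
        "v=spf1 ip4:198.51.100.10 ip4:198.51.100.11 a:outbound.mailrelay.example ~all",
    ],
    "nospf.example": ["some unrelated TXT record"],
}
ZONE_A = {
    "outbound.mailrelay.example": ["198.51.100.20"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain):
    """Return the domain's single v=spf1 TXT record, or None when there is
    none (or more than one, which receivers treat as no usable policy)."""
    records = [r for r in ZONE_TXT.get(domain.lower(), [])
               if r.lower().split()[:1] == ["v=spf1"]]
    return records[0] if len(records) == 1 else None


def check_spf(sender_ip, domain, depth=0):
    """Evaluate the SPF policy of `domain` for a connecting `sender_ip`.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    Mechanisms are tested left to right; the first match decides, using its
    qualifier (+ - ~ ?). Supported: ip4, ip6, a, include, all."""
    if depth > 10:                       # RFC 7208 caps DNS-querying terms
        return "permerror"
    record = lookup_spf(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:      # skip the v=spf1 version token
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            # `in` is False when the address family differs, so an IPv6
            # sender never matches an ip4 mechanism and vice versa
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = str(ip) in ZONE_A.get((arg or domain).lower(), [])
        elif name == "include":
            # include: matches only when the referenced policy passes;
            # a missing or broken referenced policy is a permanent error
            inner = check_spf(sender_ip, arg, depth + 1)
            if inner in ("none", "permerror"):
                return "permerror"
            matched = inner == "pass"
        else:
            return "permerror"           # mx, exists, macros: not implemented here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                     # nothing matched and no explicit "all"


if __name__ == "__main__":
    for ip in ("203.0.113.45", "198.51.100.11", "198.51.100.20", "192.0.2.1"):
        print(ip, "->", check_spf(ip, "testcompany.com"))
```

The customer-side record delegates to the relay operator's record through include:, which is how a customer normally authorizes a hosted sender without copying its IP list; a -all at the end of the customer's record is what makes spoofed mail from any other host fail.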
How to request/enable DKIM or SPF implementation?
SPF is enabled by default. You can contact your internal mail administrator to enable SPF records. (See KBA 2087468.)
For DKIM, please reach out to the SAP Cloud Support team (under component LOD-SF-PLT-NOT) and provide the following information:
- Company ID;
- Datacenter;
- Your mail domain details - provide a full list of the email domains used by users (there may be more than one), e.g., @testcompany.com and @testcompany.org.
- Confirmation that all the key requirements described below in this KBA are met (such as an existing DNS "A" record).
Relay mail through a customer's mail servers:
SuccessFactors mail notifications can integrate externally with a customer. We can forward outgoing emails to a customer's own SMTP server(s). We only need:
- the condition (recipient domain);
- the customer's SMTP server's IP and port;
- SMTP authentication user and password, if needed (please use the Customer Remote Logon Depot to share credentials).
Customers can also request Support to update the password when using the SMTP relay method. The SAP Operations team will be engaged to proceed.
Notes:
- Mail Relay and DKIM or SPF enablement is done at the data center level. This means that separate requests are only needed for instances that use different domains, or for the same domain on an instance hosted in a different data center. Before a domain is added to SPF/DKIM, the Operations team checks that it belongs to the requesting customer, so that one customer's domain cannot be used by another customer.
- A customer can only have one Mail Relay at a time. It can be changed, but the existing relay must be deleted first before the new one is added. Customer approval is required for this.
- Only basic authentication is supported. If other authentication methods are enabled on the SMTP server (e.g. OAuth), make sure they do not take precedence over basic username/password authentication.
- After a DKIM key is added, it can take up to 48 hours for DKIM authentication to start working.
Email Sending Requirements and Guidelines
It's important to understand that the rules we follow are not arbitrary; they are the established guidelines of the mail service used by everyone on the internet. These rules are in place to maintain the integrity of email communications and prevent spam.
Here are the key requirements for sending emails through our service:
- Existing DNS "A" Record: Your domain must have a valid DNS "A" record in place.
- SPF Record: You need to have an SPF record configured for your domain. This record lists all the IP addresses authorized to send emails on behalf of your domain.
- MX Record: An MX record is mandatory per SAP standards for sending e-mail to recipients.
These are the only options available. If these prerequisites are not met, e-mails sent from your mail server may be flagged as spam. SAP Support cannot assist with the configuration of the above three settings on your domain or mail server; please contact your IT team.
Even if you install a DKIM key, it will not resolve the issue if the requirements outlined above are not met. DKIM verifies that an e-mail has not been tampered with since the moment it was signed, and so protects the integrity of the e-mail's content in transit. However, while DKIM can detect tampering, the recipient's mail server may still apply additional rules or checks to the e-mail.
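An added example (not from the KBA or from SAP) that checks the three prerequisites listed above for a sending domain, and, because the paragraph above turns to DKIM, also confirms that a DKIM public key is actually published at selector._domainkey.domain. It runs against a constructed DNS table; the domain names, addresses, selector names and the key value are placeholders.

```python
import base64
import binascii

# Constructed DNS data for the example, keyed by (name, record type).
# Domains, addresses and the key value are placeholders, not real records.
PLACEHOLDER_KEY = base64.b64encode(b"placeholder bytes, not a real RSA public key").decode()

ZONE = {
    ("testcompany.com", "A"): ["203.0.113.10"],
    ("testcompany.com", "MX"): ["10 mail.testcompany.com."],
    ("testcompany.com", "TXT"): ["v=spf1 ip4:203.0.113.0/24 -all"],
    ("sf._domainkey.testcompany.com", "TXT"): [f"v=DKIM1; k=rsa; p={PLACEHOLDER_KEY}"],
    ("revoked._domainkey.testcompany.com", "TXT"): ["v=DKIM1; k=rsa; p="],  # empty p= means revoked
    ("partial.example", "A"): ["203.0.113.11"],
    ("partial.example", "TXT"): ["v=spf1 -all", "v=spf1 +all"],           # two SPF records
}


def lookup(name, rtype):
    """Return the records of the given type for a name (case-insensitive, trailing dot ignored)."""
    return ZONE.get((name.lower().rstrip("."), rtype), [])


def check_sending_prerequisites(domain):
    """Check the three DNS prerequisites the KBA lists for a sending domain.

    Returns (ok, missing), where `missing` names each requirement that failed."""
    missing = []
    if not lookup(domain, "A"):
        missing.append("A")
    if not lookup(domain, "MX"):
        missing.append("MX")
    spf = [r for r in lookup(domain, "TXT") if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        missing.append("SPF")
    elif len(spf) > 1:
        # RFC 7208: more than one v=spf1 record is a permanent error at the receiver,
        # so the domain effectively has no usable SPF policy
        missing.append("SPF (multiple v=spf1 records)")
    return (not missing, missing)


def parse_dkim_record(selector, domain):
    """Fetch <selector>._domainkey.<domain> and split it into tag=value pairs.

    Returns a dict, or None unless exactly one TXT record is present."""
    records = lookup(f"{selector}._domainkey.{domain}", "TXT")
    if len(records) != 1:
        return None
    tags = {}
    for part in records[0].split(";"):
        key, sep, value = part.partition("=")   # split on the first '=' only; base64 may contain '='
        if sep:
            tags[key.strip()] = value.strip()
    return tags


def dkim_key_published(selector, domain):
    """True when a DKIM1 record with a non-empty, valid base64 public key is published.

    An empty p= tag means the key was revoked, so signatures made with it will not verify."""
    tags = parse_dkim_record(selector, domain)
    if tags is None or tags.get("v", "DKIM1") != "DKIM1" or not tags.get("p"):
        return False
    try:
        base64.b64decode(tags["p"], validate=True)
    except (binascii.Error, ValueError):
        return False
    return True


if __name__ == "__main__":
    for d in ("testcompany.com", "partial.example", "absent.example"):
        print(d, check_sending_prerequisites(d))
    print("sf key published:", dkim_key_published("sf", "testcompany.com"))
    print("revoked key published:", dkim_key_published("revoked", "testcompany.com"))
```

The second domain in the table shows the failure mode the KBA warns about: an A record is present but the MX record is missing and two v=spf1 records exist, so adding a DKIM key would not make mail from it deliverable.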
If you find it challenging to adhere to these rules or prefer not to follow them, we recommend considering alternative options. One such option is mail relaying. With mail relaying, you can send your emails directly to recipients without going through our system. This way, you have more control over the email process, but it also means any issues or rule violations become solely your responsibility, sparing other customers from potential disruptions.
Anti-virus technology
SuccessFactors has an Email Security Gateway that manages and filters all inbound and outbound e-mail traffic to protect organizations from e-mail-borne threats and data leaks. It lets organizations encrypt messages and leverage the cloud to spool e-mail if mail servers become unavailable.
Is it possible to use the same key on different data centers?
Yes, it is possible to use the same key on different data centers, for example DC33 and DC57.
Is it possible to route SuccessFactors emails to a Microsoft Graph API/Microsoft Exchange account?
This is not currently possible. The services described above are the only means of authentication provided at this time.
See Also
Keywords
DKIM, SPF, SMTP, DMARC, relay server, e-mail security, mail domain, DNS, domain key identified mail, sender policy framework, enable DKIM, relay mail, mail server, external server, notification, microsoft, exchange, graph, API, KBA, LOD-SF-PLT-NOT, Email Notifications, LOD-SF-PLT-SEC, Security Reports, How To