2688533 - DKIM or SPF | SAP SuccessFactors Email Security

• What is DKIM?
• What is SPF?
• How to request/enable DKIM or SPF implementation?

SAP SuccessFactors HXM Suite

All e-mail notifications delivered from the SuccessFactors hosted solution would be securely encrypted over Sendmail\TLS. SuccessFactors uses Cisco IronPort e-mail appliances for encrypted e-mail distribution.

What is DKIM?

DKIM stands for Domain Key Identified Mail

• It allows senders to associate a domain name with an e-mail message, thus allowing validation for its authenticity. Basically, it would be like creating a unique digital signature that is included on the e-mail header for each customer so that SF e-mail notifications can be validated by the customer’s network.
  
  
• The IronPort mail clusters support both the old Domain Keys method and the newer DKIM method of signing.  This would need to be configured on a per domain basis on our IronPorts.  We would generate a private key and we would provide the customer the DKIM public key values & string that would need to add to their public DNS records.
  
  
• Keep in mind that DKIM signing is not a replacement for actual e-mail signing though.  DKIM only ensures that the e-mail was really sent on behalf of a domain.

What is SPF?

SPF stands for Sender Policy Framework. From KBA 2292695:

• It is an e-mail validation system designed to prevent e-mail spam by detecting e-mail spoofing, a common vulnerability, by verifying sender IP addresses. SPF allows Customer administrators to specify which hosts are allowed to send mail from a given domain by creating a specific SPF record (or TXT record) in the Domain Name System (DNS). Mail exchangers use the DNS to check that mail from a given domain is being sent by a host sanctioned by that domain's administrators.
  
  
• Adopting SPF verification on Customer mail servers will ensure that emails are being sent only from SuccessFactors.

How to request/enable DKIM or SPF implementation?

SPF is enabled by default & you can contact your internal mail administrator to enable SPF record (See KBA 2087468).
For DKIM, Please reach out to SAP Cloud Support team (under component LOD-SF-PLT-SEC) with the following information provided:

• Company ID;
• Datacenter;
• Your mail domain details;
• (Provide a full list of the email domains used by users - there may be more than one).
  e.g. @testcompany.com and @testcompany.org.

SuccessFactors mail notifications can integrate externally with a customer, e.g. can you relay mail through a customers’  mail servers?

Yes this is possible. We can forward outgoig emails to customer's own SMTP server(s). We only need:

• the condition (recipient domain);
• the customer's SMTP server's IP and port;
• SMTP auth user and password if needed. 

Note: The DKIM or SPF enablement is done on a data center level. This means that separate requests would only be needed for instances using different domains or same domain on an instance which is hosted on a different data center. Also,  the domain is checked by the operations team before being added to SPF/DKIM, to ensure that it is from the respective customer and that the domain of one customer cannot be used by another customer.

Request DKIM Key for Sender Domains

DKIM, SPF, DMARC, e-mail security, mail domain, DNS, domain key identified mail, sender policy framework, enable DKIM, relay mail, mail s erver, external server, notification , KBA , LOD-SF-PLT-NOT , Email Notifications , LOD-SF-PLT-SEC , Security Reports , How To