SAP Knowledge Base Article - Public

2688533 - DKIM or SPF | SAP SuccessFactors Email Security

Symptom

  • What is DKIM?
  • What is SPF?
  • How to request/enable DKIM or SPF implementation?

Environment

SAP SuccessFactors HXM Suite

Resolution

All e-mail notifications delivered from the SuccessFactors hosted solution are encrypted in transit over Sendmail/TLS. SuccessFactors uses Cisco IronPort e-mail appliances for encrypted e-mail distribution.

What is DKIM?

DKIM stands for DomainKeys Identified Mail.

  • It allows senders to associate a domain name with an e-mail message, so that the message's authenticity can be validated. In effect, a unique digital signature is created for each customer and included in the e-mail header, so that SF e-mail notifications can be validated by the customer's network.

  • The IronPort mail clusters support both the old DomainKeys method and the newer DKIM method of signing. This needs to be configured on a per-domain basis on our IronPorts. We generate a private key and provide the customer with the DKIM public key values and string, which the customer needs to add to their public DNS records.

  • Keep in mind that DKIM signing is not a replacement for actual e-mail signing. DKIM only ensures that the e-mail was really sent on behalf of a domain.

What is SPF?

SPF stands for Sender Policy Framework. From KBA 2292695:

  • It is an e-mail validation system designed to prevent e-mail spam by detecting e-mail spoofing, a common vulnerability, by verifying sender IP addresses. SPF allows Customer administrators to specify which hosts are allowed to send mail from a given domain by creating a specific SPF record (or TXT record) in the Domain Name System (DNS). Mail exchangers use the DNS to check that mail from a given domain is being sent by a host sanctioned by that domain's administrators.

  • Adopting SPF verification on Customer mail servers will ensure that emails are being sent only from SuccessFactors.
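
An added example (not SAP's code and not part of the original article): a Python sketch a mail administrator could use to sanity-check the two kinds of DNS TXT records described above, the SPF record and the DKIM public key record, after publishing them. The record contents, the `spf.mailhost.example` include target and the assumption that the hosted sender is authorized through an `include:` mechanism are constructed for illustration; the real values come from SAP Cloud Support and the referenced KBAs.

```python
import base64

DNS_LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists")  # RFC 7208: max 10 lookups

def check_spf(txt_records, sender_include):
    """Return problems in a domain's TXT records for authorizing sender_include."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:  # a second v=spf1 record makes SPF evaluation fail (permerror)
        return [f"expected exactly one v=spf1 record, found {len(spf)}"]
    mechs = [t.lower() for t in spf[0].split()[1:]]
    problems = []
    if f"include:{sender_include.lower()}" not in [m.lstrip("+") for m in mechs]:
        problems.append("hosted sender is not authorized")
    if any(m.lstrip("+") == "all" for m in mechs):
        problems.append("+all authorizes every host")
    names = [m.lstrip("+-~?").split(":")[0].split("/")[0] for m in mechs]
    # Counts this record's own terms only; nested includes add further lookups.
    lookups = sum(n in DNS_LOOKUP_TERMS or n.startswith("redirect=") for n in names)
    if lookups > 10:
        problems.append("more than 10 DNS-querying terms")
    return problems

def check_dkim_key(txt):
    """Return problems in a DKIM key record (RFC 6376 'tag=value; ...' list)."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = "".join(value.split())  # drop folding whitespace
    problems = []
    p = tags.get("p")
    if p is None:
        problems.append("missing p= tag")
    elif p == "":
        problems.append("empty p= means the key is revoked")
    else:
        try:
            base64.b64decode(p, validate=True)
        except ValueError:  # typical result of a truncated or mis-pasted key string
            problems.append("p= is not valid base64")
    return problems

# Constructed sample records (placeholders, not real SAP or customer values).
INCLUDE = "spf.mailhost.example"
GOOD_SPF = f"v=spf1 mx include:{INCLUDE} -all"
SAMPLE_KEY = base64.b64encode(b"constructed placeholder, not a real key").decode()
GOOD_DKIM = f"v=DKIM1; k=rsa; p={SAMPLE_KEY}"
if __name__ == "__main__":
    print(check_spf([GOOD_SPF], INCLUDE), check_dkim_key(GOOD_DKIM[:-3]))
```

An empty list means no problem was found by these checks; it does not replace sending a test notification and inspecting the receiving server's SPF and DKIM results.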

How to request/enable DKIM or SPF implementation?

SPF is enabled by default; contact your internal mail administrator to enable the SPF record (see KBA 2087468).
For DKIM, please reach out to the SAP Cloud Support team (under component LOD-SF-PLT-SEC) and provide the following information:

  • Company ID;
  • Datacenter;
  • Your mail domain details;
    • (Provide a full list of the email domains used by users - there may be more than one).
      e.g. @testcompany.com and @testcompany.org.

Can SuccessFactors mail notifications integrate externally with a customer, e.g. can you relay mail through a customer's mail servers?

Yes, this is possible. We can forward outgoing emails to the customer's own SMTP server(s). We only need:

  • the condition (recipient domain);
  • the customer's SMTP server's IP and port;
  • SMTP auth user and password if needed. 

 

Note: DKIM or SPF enablement is done at the data center level. This means that separate requests are only needed for instances using different domains, or for the same domain on an instance hosted in a different data center. Also, the operations team checks the domain before adding it to SPF/DKIM, to ensure that it belongs to the respective customer and that the domain of one customer cannot be used by another customer.

See Also

Request DKIM Key for Sender Domains

Keywords

DKIM, SPF, DMARC, e-mail security, mail domain, DNS, domain key identified mail, sender policy framework, enable DKIM, relay mail, mail server, external server, notification, KBA, LOD-SF-PLT-NOT, Email Notifications, LOD-SF-PLT-SEC, Security Reports, How To

Product

SAP SuccessFactors HXM Suite all versions