3433341 - Resolving Outbound Email Blocking Issues in Service Cloud V2

• Emails sent from a custom MAIL FROM domain are being marked as spam or not delivered. 
• Users sending emails from Service Cloud V2.
• Emails go directly to SPAM or are not delivered to the end recipient.
• User may receive bounce back emails (depending on the return path).

• SAP Service Cloud Version 2 1.0
• SAP Sales Cloud Version 2 1.0

• The domain health and DNS configuration may be incorrect.
• SPF not configured or fails.
• DKIM signature missing or fails.
• DMARC not set or fails (e.g., DKIM/SPF misalignment).
• DMARC (Domain-based Message Authentication, Reporting, and Conformance) policies are configured to enforce strict email authentication measures.
• When emails are sent from Amazon SES using a custom domain, they fail to meet the DMARC policy requirements.
• The DMARC policy settings result in the blocking of emails sent from the custom domain via Amazon SES.
• Below are generally technical, configuration, or policy-based issues:
  1. Invalid Recipient Address
     • Typos in the email address.
     • Address no longer exists (SMTP 5.1.1 – "user unknown").
  2. Mailbox Full
     • The recipient’s mailbox has exceeded its quota.
  3. Blocked by Recipient Server
     • Your IP/domain is blacklisted or blocked.
     • Recipient server uses spam filters (e.g., Barracuda, Proofpoint).
  4. SPF/DKIM/DMARC Failures
     • DMARC Fail can cause bounces if policy is p=reject.
  5. Policy Restrictions
     • Sender not allowed to relay messages (SMTP 5.7.1).
     • Restrictions like SMTP 5.7.26 (unauthorized sender) or 5.7.509 (mail not permitted for policy reasons).
  6. Misconfigured DNS or Email Infrastructure
     • Incorrect Mail-From setup.
     • Missing or incorrect MX records.
  7. Attachment or Size Issues
     • File types blocked by server.
     • Email exceeds size limits.

Follow the steps below to verify and troubleshoot your custom MAIL FROM domain configuration:

1. Refer to KBA 3502829 - Outbound Email Delivery from Service Cloud going to SPAM
2. Verify DNS Configuration
   • Refer to the SAP Help Portal documentation on Support for Custom MAIL FROM Domain for instructions to configure your domain.
   • Ensure all required DNS records (such as SPF, DKIM, and DMARC) are correctly created in your DNS server. Administrative access to the domain/sub-domain is required.
   • High level steps for the DNS Administrators
     1. Log into your DNS provider's management console
        • Examples include GoDaddy, Cloudflare, AWS Route 53, etc.
     2. Identify the subdomain provided by SAP
        • You will receive a subdomain such as sapcrmemail<region>.yourdomain.com.
     3. Add the following two DNS records for that subdomain:
        • MX Record
          • Type: MX
          • Name / Host: sapcrmemail<region> (or full: sapcrmemail<region>.yourdomain.com) 
          • Priority: 10 
          • Value: feedback-smtp.<region>.amazonses.com
        • TXT Record (SPF)
          • Type: TXT
          • Name / Host: sapcrmemail<region>
          • Value: v=spf1 include:amazonses.com ~all
     4. Save the records and wait for DNS propagation
        • While it may take up to 72 hours for the Mail Transfer Agent (MTA) to verify and enable custom mail-from, it is often completed more quickly. 
        • Note:
          • In most DNS providers, adding records for a new subdomain (e.g., sapcrmemail<region>.yourdomain.example) automatically creates the subdomain as part of the record creation process. 
          • You typically do not need to explicitly create the subdomain beforehand. 
3. Verify the changes and Domain Health using Online Tools
   • Tools like MXToolbox and Google Postmaster Tools can help evaluate the health of your domain.
     • DNS Lookup Example
       1. Go to MXToolbox
       2. Select DNS Lookup
       3. Enter the MAIL FROM sub-domain, e.g., sapcrmemail<region>.yourdomain.com
       4. Click DNS Lookup
       5. The result should show the DNS hosting provider, e.g., "Your DNS hosting provider is XYZ"
     • SPF Record Check
       1. Go to MXToolbox
       2. Select DNS Lookup
       3. Enter the sub-domain, e.g., sapcrmemail<region>.yourdomain.com
       4. Click DNS Lookup
       5. Click the arrow next to DNS Lookup and select SPF Record Lookup
       6. The expected SPF record should resemble: v=spf1 include:amazonses.com -all
     • Analyze Bounce/Spam Issues. Review full MIME headers of impacted messages to check:
       • SPF, DKIM, DMARC results
       • SMTP error codes, such as:
       • 5.1.1 (recipient address rejected)
       • 5.7.1 (delivery not authorized)
       • 5.3.0 (other mailbox errors)
       • Routing information and spam score
4. If there are still issues (emails going to spam), then:
   
   1. Deactivate the channel.
   2. Reactivate the channel (the two-step verification process will be required before the channel is activated, per standard process).
   3. Perform the Mail-From steps again.
      • The system may or may not provide new MX and TXT records
      • If there the MX and TXT records are the same, then no DNS action is required
      • If the MX and TXT regenerated records are different; then your DNS Administrator must update your DNS records accordingly, within 72 hours of the Mail-From steps.

• 3576906 - Unable to Activate DKIM for SAP Sales and Service Cloud Version 2
• 3498096 - MTA Configuration and MTA Provider Configuration Not Displayed in V2 Settings
• 3502829 - Outbound Email Delivery from Service Cloud going to SPAM 

MAIL FROM, custom domain, SPF record, DKIM, DMARC, email bounce, SMTP error, email deliverability, domain health, DNS lookup, SAP CRM email , KBA , CEC-CRM-EML , Emails for SAP Sales/Service Cloud , Problem