SAP Knowledge Base Article - Public

2688533 - DKIM and SPF | SAP SuccessFactors Email Security

Symptom

  • What is DKIM?
  • What is SPF?
  • How to request/enable DKIM and SPF implementation?

Environment

SAP SuccessFactors HXM Suite

Resolution

All e-mail notifications delivered from the SuccessFactors hosted solution would be securely encrypted over Sendmail\TLS. SuccessFactors uses Cisco IronPort e-mail appliances for encrypted e-mail distribution.

What is DKIM?

DKIM stands for Domain Key Identified Mail

  • It allows senders to associate a domain name with an e-mail message, thus allowing validation for its authenticity. Basically, it would be like creating a unique digital signature that is included on the e-mail header for each customer so that SF e-mail notifications can be validated by the customer’s network.

  • The IronPort mail clusters support both the old Domain Keys method and the newer DKIM method of signing.  This would need to be configured on a per domain basis on our IronPorts.  We would generate a private key and we would provide the customer the DKIM public key values & string that would need to add to their public DNS records.

  • Keep in mind that DKIM signing is not a replacement for actual e-mail signing though.  DKIM only ensures that the e-mail was really sent on behalf of a domain.

What is SPF?

SPF stands for Sender Policy Framework. From KBA 2292695:

  • It is an e-mail validation system designed to prevent e-mail spam by detecting e-mail spoofing, a common vulnerability, by verifying sender IP addresses. SPF allows Customer administrators to specify which hosts are allowed to send mail from a given domain by creating a specific SPF record (or TXT record) in the Domain Name System (DNS). Mail exchangers use the DNS to check that mail from a given domain is being sent by a host sanctioned by that domain's administrators.

  • Adopting SPF verification on Customer mail servers will ensure that emails are being sent only from SuccessFactors.

How to request/enable DKIM and SPF implementation?

Please reach out to SAP Cloud Support team (under component LOD-SF-PLT-SEC) with the following information provided:

  • Company ID;
  • Datacenter;
  • Your mail domain details;
    • (Provide a full list of the email domains used by users - there may be more than one).
      e.g. @testcompany.com and @testcompany.org.

SuccessFactors mail notifications can integrate externally with a customer, e.g. can you relay mail through a customers’  mail servers?

Yes this is possible. We can forward outgoig emails to customer's own SMTP server(s). We only need:

  • the condition (recipient domain);
  • the customer's SMTP server's IP and port;
  • SMTP auth user and password if needed. 

 

 

Note: The DKIM and SPF enablement is done in the instance level. It is means that is needed separated requests for each instance.

See Also

Request DKIM Key for Sender Domains

Keywords

DKIM, SPF, DMARC, e-mail security, mail domain, DNS, domain key identified mail, sender policy framework, enable DKIM, relay mail, mail s erver, external server, notification , KBA , LOD-SF-PLT-NOT , Email Notifications , LOD-SF-PLT-SEC , Security & Permissions , How To

Product

SAP SuccessFactors HXM Suite all versions