SAP Knowledge Base Article - Public

2688533 - DKIM and SPF | SAP SuccessFactors Email Security

Symptom

  • What is DKIM?
  • What is SPF?
  • How to request/enable DKIM and SPF implementation?

Environment

SAP SuccessFactors HXM Suite

Resolution

All e-mail notifications delivered from the SuccessFactors hosted solution would be securely encrypted over Sendmail\TLS. SuccessFactors uses Cisco IronPort e-mail appliances for encrypted e-mail distribution.

What is DKIM?

DKIM stands for Domain Key Identified Mail

  • It allows senders to associate a domain name with an e-mail message, thus allowing validation for its authenticity. Basically, it would be like creating a unique digital signature that is included on the e-mail header for each customer so that SF e-mail notifications can be validated by the customer’s network.

  • The IronPort mail clusters support both the old Domain Keys method and the newer DKIM method of signing.  This would need to be configured on a per domain basis on our IronPorts.  We would generate a private key and we would provide the customer the DKIM public key values & string that would need to add to their public DNS records.

  • Keep in mind that DKIM signing is not a replacement for actual e-mail signing though.  DKIM only ensures that the e-mail was really sent on behalf of a domain.

What is SPF?

SPF stands for Sender Policy Framework. From KBA 2292695:

  • It is an e-mail validation system designed to prevent e-mail spam by detecting e-mail spoofing, a common vulnerability, by verifying sender IP addresses. SPF allows Customer administrators to specify which hosts are allowed to send mail from a given domain by creating a specific SPF record (or TXT record) in the Domain Name System (DNS). Mail exchangers use the DNS to check that mail from a given domain is being sent by a host sanctioned by that domain's administrators.

  • Adopting SPF verification on Customer mail servers will ensure that emails are being sent only from SuccessFactors.

How to request/enable DKIM and SPF implementation?

Please reach out to SAP Cloud Support team (under component LOD-SF-PLT-SEC) with the following information provided:

  • Company ID;
  • Datacenter;
  • Your mail domain details;
    • (Provide a full list of the email domains used by users - there may be more than one).
      e.g. @testcompany.com and @testcompany.org.

SuccessFactors mail notifications can integrate externally with a customer, e.g. can you relay mail through a customers’  mail servers?

Yes this is possible. We can forward outgoig emails to customer's own SMTP server(s). We only need:

  • the condition (recipient domain);
  • the customer's SMTP server's IP and port;
  • SMTP auth user and password if needed. 

 

Note: The DKIM and SPF enablement is done on a data center level. This means that separate requests would only be needed for instances using different domains or same domain on an instance which is hosted on a different data center.

See Also

Request DKIM Key for Sender Domains

Keywords

DKIM, SPF, DMARC, e-mail security, mail domain, DNS, domain key identified mail, sender policy framework, enable DKIM, relay mail, mail s erver, external server, notification , KBA , LOD-SF-PLT-NOT , Email Notifications , LOD-SF-PLT-SEC , Security & Permissions , How To

Product

SAP SuccessFactors HXM Suite all versions