SAP Knowledge Base Article - Public

2087468 - Emails Blocked or Not Delivered Due to Spam Filters, Spoofing, Bombing (mass mail), IP Address Allowlists

Symptom

  • Email notifications are not being received
  • Emails are being blocked. How can this be remedied?
  • Emails generated by the SuccessFactors application are not delivered to users of the application.
  • This KB article provides information on possible causes and solutions regarding how to make sure emails are delivered to end users.

Environment

SAP SuccessFactors HXM Suite

Cause

  1. The client's email servers detected that the email originated at a server other than one of their known internal servers and are blocking SuccessFactors emails.
  2. The client has a limit on how many emails can be sent within a time period, also known as Bombing, E-mail bomb, and Mass Mail.
  3. The client uses a 3rd-party email provider that could be blocking traffic at a deeper level.

Resolution

 1️⃣ - Allowlist SUCCESSFACTORS MAIL SERVERS 

  • SuccessFactors IP addresses need to be allowed into the customer network.
  • Modify firewall/spam filters at the customer end to grant access to emails coming from SuccessFactors email relay IP addresses.
  • Please find below a list of email server IP addresses.

2️⃣ - SPOOFING - MASQUERADING ISSUES 

  • Even if SuccessFactors servers are allow-listed, the customer may have an additional layer of security to prevent spoofing. Briefly, spoofing here refers to the SuccessFactors system sending an email to a person, say a notification telling a manager that a form is due, with a FROM address of 'me@mycompany.com'. The recipient company 'knows' that the email did NOT originate from @mycompany.com (remember, it actually originated from @successfactors.com), so it blocks the message, believing it is spam from someone pretending to be 'me@mycompany.com'.
  • This issue can be resolved by implementing Sender Policy Framework (SPF) or DomainKeys Identified Mail (DKIM) as described below.

 3️⃣ - SINGLE SENDER:

  • The default system FROM address is always system@successfactors.com or system@successfactors.eu (depending on which Data Center the email originated from). However, if your business requires all emails to be sent from another email address, you may be using Single Sender or other module-specific sender settings to achieve this.
  • If this is the case, your email server may think these emails are now spoofing emails as the FROM address domain will differ from the actual email originating domain. 
  • This issue can be resolved by implementing Sender Policy Framework (SPF) or DomainKeys Identified Mail (DKIM) as described below.

 4️⃣ - Do we support SENDER POLICY FRAMEWORK (SPF)? 

  • Consider publishing an SPF record in DNS. SPF is an email validation system designed to prevent email spam by detecting email spoofing, a common vulnerability, by verifying sender IP addresses.
  • SPF allows administrators to specify which hosts are allowed to send mail from a given domain by creating a specific SPF record (or TXT record) in the Domain Name System (DNS).
  • Mail exchangers use the DNS to check that mail from a given domain is being sent by a host sanctioned by that domain's administrators.
  • Adopting SPF verification on mail servers will ensure that emails are being sent from SuccessFactors. 
  • For more information, please view http://en.wikipedia.org/wiki/Sender_Policy_Framework

Example: A customer's mail administrator needs to add the proper SuccessFactors SPF entry to their sender domain's DNS SPF record with the 'include' parameter:

          v=spf1 include:_spf-dc2.successfactors.com ~all    (this example is DC2 SPF)

Note: Add the specific SPF entry for your Data Center. Please find below a list of DC SPF entries.
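
A check a mail administrator could run before publishing the change, as an added example that is not SAP's code: it merges the data-center include into an existing SPF record and flags the problems this KBA warns about. The function names are hypothetical, and the existing records passed to it are assumed to be the sender domain's current TXT records.

```python
# Added example, not SAP code. Include names are copied from this KBA's table
# (only three data centers shown); the function names are constructed.
DC_INCLUDES = {
    "DC2": "_spf-dc2.successfactors.com",
    "DC4": "_spf-dc4.sapsf.com",
    "DC33": "_spf-dc33.sapsf.eu",
}
# All-data-center entry the KBA says not to use.
BIG_ENTRY = "_spf-sfdc.successfactors.com"
QUALIFIERS = "+-~?"


def _includes(terms):
    """Domains named by include mechanisms, lower-cased, qualifiers ignored."""
    out = []
    for t in terms:
        t = t.lstrip(QUALIFIERS).lower()
        if t.startswith("include:"):
            out.append(t.split(":", 1)[1])
    return out


def check_spf(txt_records, data_center):
    """Return findings for a sender domain's TXT records (list of strings)."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        # Several v=spf1 records give a permanent error; none means no policy.
        return [f"expected exactly one v=spf1 record, found {len(spf)}"]
    findings = []
    included = _includes(spf[0].split()[1:])
    if BIG_ENTRY in included:
        findings.append(f"replace {BIG_ENTRY} with the per-data-center include")
    if DC_INCLUDES[data_center] not in included:
        findings.append(f"missing include:{DC_INCLUDES[data_center]}")
    return findings


def add_include(record, data_center):
    """Insert the data-center include before the 'all' mechanism (idempotent)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    wanted = DC_INCLUDES[data_center]
    if wanted in _includes(terms[1:]):
        return record
    # Terms after 'all' are never evaluated, so the include must precede it.
    pos = next((i for i, t in enumerate(terms)
                if t.lstrip(QUALIFIERS).lower() == "all"), len(terms))
    terms.insert(pos, "include:" + wanted)
    return " ".join(terms)
```

Run `add_include` on the record currently published for the sender domain, publish the result as the single SPF TXT record, then confirm `check_spf` returns an empty list for it.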

 5️⃣ - Do we support Domain Keys or DomainKeys Identified Mail (DKIM)?

  • Yes, our email security filters support DKIM signing.
  • This would need to be configured on a per domain basis.
  • Please see KBA 2688533 - SAP SuccessFactors Email Security - DKIM and SPF.

 

***IMPORTANT NOTES***

  1. For customers who are using the single sender configuration or custom sender domains like @customerdomain.com, it is mandatory for them to update their SPF record with our email server IPs. All our mail server IP addresses and domains can be found in the See Also section of this KBA. All of our SPF records are also provided in the See Also section of this KBA.
  2. Customers who use third-party spam solutions (such as Proofpoint, Mimecast, Office 365 protections, etc.) need to update the respective exclusion or allow-list options, based on IP address or domain allow-listing, and update the “Rate limit exclusion” section with our public IPs. All our mail server IP addresses and domains can be found in the See Also section of this KBA. Please note we do not have visibility into these third-party spam filters, so we do not have technical steps to share on this. Kindly reach out to the technical support of these solutions for assistance.

 

See Also

Point #1: - Email server IP addresses are available in the following KBA-> 2089448 - Successfactors Datacenter Name, Location, Production Login URL, Production Domain Name, External mail Server details and External mail Server IPs.

Point #2: - 💡 As of 2H 2023 you can now monitor the delivery of email notifications using Stories in People Analytics. For more details see KBA -> 3387145 - Reporting on the delivery of System Email Notifications

Point #3: - SuccessFactors DC SPF entries:

⚠️ Do not use the big SPF entries that include all Data Centers (such as '_spf-sfdc.successfactors.com'), as this will cause an error due to too many records.
⚠️ Please use one or more of these 'include' mechanisms depending on the Data Center.

Data Center   SPF to add to the Customer's DNS
DC2/DC57      include:_spf-dc2.successfactors.com
DC4/DC68      include:_spf-dc4.sapsf.com
DC8/DC70      include:_spf-dc8.sapsf.com
DC10/DC66     include:_spf-dc10.sapsf.com
DC11          include:_spf-dc11.sapsf.com
DC12/DC33     DC12: include:_spf-dc12.successfactors.com
              DC33: include:_spf-dc33.sapsf.eu
DC13          n/a (decommissioned)
DC15/DC30     include:_spf-dc15.sapsf.cn
DC16          n/a (decommissioned)
DC17/DC60     include:_spf-dc17.sapsf.com
DC18          n/a (decommissioned)
DC19/DC62     include:_spf-dc19.sapsf.com
DC22          include:_spf-dc22.sapsf.com
DC23          include:_spf-dc23.sapsf.com
DC25          include:_spf-dc25.sapsf.com
DC26          include:_spf-dc26.sapsf.eu
DC41          include:_spf-dc41.sapsf.com
DC43          include:_spf-dc43.sapsf.com
DC44/DC52     include:_spf-dc44.sapsf.com
DC47          include:_spf-dc47.sapsf.com
DC48          include:_spf-dc48.sapsf.com
DC49          include:_spf-dc49.sapsf.com
DC50          include:_spf-dc50.sapsf.com
DC51          include:_spf-dc51.sapsf.com
DC54          include:_spf-dc54.sapsf.eu
DC55          include:_spf-dc55.sapsf.eu
DC56          include:_spf-dc56.sapsf.eu
DC61          include:_spf-dc61.sapsf.com
DC74          include:_spf-dc74.sapsf.eu
DC95          include:_spf-dc95.sapsf.com

 

Keywords

sf success factors, LMS, RCM, PLT, PM, 360, goal, performance, recruiting, platform, BizX, bizx, SPF, Sender Policy Framework, DKIM, Domain Key Identified Mail, DMARC, authentication, security, spam, e-mail, exchange, smtp, firewall, fire wall, DNS, domain, single sender, recipient, bounced, block, fail, reporting on SuccessFactors email notifications and delivery , KBA , sf email notifications , LOD-SF-PLT-NOT , Email Notifications , LOD-SF-GM-EML , Emails, Notifications & Alerts , LOD-SF-LMS-NOT , Notifications , LOD-SF-MTR-EML , Emails and Notifications , LOD-SF-RCM-EML , Recruiting Emails and Notifications , How To

Product

SAP SuccessFactors Compensation all versions ; SAP SuccessFactors HCM all versions ; SAP SuccessFactors Learning all versions ; SAP SuccessFactors Performance & Goals all versions ; SAP SuccessFactors Recruiting all versions