SAP Knowledge Base Article - Public

2087468 - Emails Blocked or Not Delivered Due to Spam Filters, Spoofing, Bombing (mass mail), IP Address Whitelists

Symptom

  • Email notifications are not being received
  • Emails are being blocked. How can this be remedied?
  • Emails generated by the SuccessFactors application are not delivered to users of the application.
  • This KB article provides information on possible causes and solutions regarding how to make sure emails are delivered to end users.

Environment

  • SAP SuccessFactors HCM Suite
  • SAP SuccessFactors Learning Management System
  • SAP SuccessFactors Recruiting Management

Cause

  1. The client's email servers detected email originated at a server other than one of their known internal servers and is blocking SF emails.
  2. Client has a limitation as to how many emails that can be sent within a time period, also known as Bombing, E-mail bomb, and Mass Mail.
  3. The client uses a 3rd party email provider that could be blocking traffic at a deeper level.

Resolution

WHITELIST SUCCESSFACTORS MAIL SERVERS

  • SF IP addresses need to be allowed into the customer network.
  • Modify firewall/spam filter etc at the customer end to grant access to emails coming from SuccessFactors email relay IP addresses.

SPOOFING - MASQUERADING ISSUES 

  1. Even if SF servers are white-listed, the customer may have an additional layer of security to prevent spoofing. Briefly, spoofing is the act of the SuccessFactors system sending an email to a person, say a notification to the manager saying a form is due. In the FROM address it says the email is from me@mycompany.com. However, the recipient company 'knows' that the email did NOT originate FROM @mycompany.com (remember it is actually originated from @successfactors.com) so it blocks it believing the message is spam, someone pretending to be me@mycompany.com.
  2. This issue can be resolved by implementing Single Sender as described below.

SINGLE SENDER:

  • The single sender solution is no longer used to resolve spoofing issues, as the default system FROM address changed in recent releases to always be system@successfactors.eu or system@successfactors.com (depending on which datacenter the email originated from).
  • Therefore there can be no spoofing detected on the receiving email server as the email originating domain and FROM address domains match.
  • However, if your business requires all emails to be sent from another email than system@successfactors.eu or system@successfactors.com, you may be using single sender to achieve this.
  • If this is the case, your email server may think these emails are now spoofing emails as the FROM address domain will differ from the actual email originating domain.
  • In this scenario your IT Department will have to perform additional security changes on the receiving email server end to make sure these emails are accepted and delivered to end-users, using the referenced solutions in this article.

SENDER POLICY FRAMEWORK (SPF)

  • Consider adopting DNS SPF recording. SPF is an email validation system designed to prevent email spam by detecting email spoofing, a common vulnerability, by verifying sender IP addresses.
  • SPF allows administrators to specify which hosts are allowed to send mail from a given domain by creating a specific SPF record (or TXT record) in the Domain Name System (DNS).
  • Mail exchangers use the DNS to check that mail from a given domain is being sent by a host sanctioned by that domain's administrators.
  • Adopting SPF verification on mail servers will ensure that emails are being sent from SF. 

Example: A customer's mail administrator needs to add SF outgoing IP list to their spf record with the included parameter:

v=spf1 include:_spf-sfdc.successfactors.com ~all (or successfactors.eu depending)

Note: For more information please view http://en.wikipedia.org/wiki/Sender_Policy_Framework

Do we support Domain Keys or Domain Key Identified Mail (DKIM)?

  • Yes, our email security filters support DKIM signing.
  • This would need to be configured on a per domain basis.
  • Please see KBA 2688533 - SAP SuccessFactors Email Security - DKIM and SPF

See Also

These are subject to change and would require Operations to provide IPs for temporary white-listing:

DC8 U.S. Ashburn Data Center

  • 65.221.8.13 [prodmailb8.successfactors.com]
  • 65.221.12.128 [prodmail8c.successfactors.com]
  • 65.221.12.148 [prodmail8d.successfactors.com]
  • 65.221.8.29 [ironport.notifications.plateau.com]

DC4 U.S. Arizona Data Center

  • 70.42.227.151 [prodmail4a.successfactors.com]
  • 70.42.227.152 [prodmail4b.successfactors.com]

DC2 EU Amsterdam Data Center

  • 213.52.186.141[prodmail2a.successfactors.eu]
  • 213.52.186.142 [prodmail2b.successfactors.eu]
  • 188.95.96.121 [successfactors.eu/performancemanager5]
  • Note: These must be added to ALL servers. (Primary mail server and any secondary mail servers.)

DC10 Sydney Data Center

  • 210.80.140.141 [prodmail10a.successfactors.com]
  • 210.80.140.142 [prodmail10b.successfactors.com]

DC12 EU Rot Data Center

  • 155.56.221.13 [prodmail012a.successfactors.eu]
  • 155.56.221.14 [prodmail012b.successfactors.eu]

DC15 Data Center

  • 180.153.153.112 [ mail15a.sapsf.cn ]
  • 180.153.153.113 [ mail15b.sapsf.cn ]

DC16 Data Center

  • 46.29.102.130 [prodmail16a.sapsf.eu]
  • 46.29.102.131 [prodmail16b.sapsf.eu]

DC17 Data Center

  • 157.133.48.19 [mail17a.sapsf.com]
  • 157.133.48.20 [mail17b.sapsf.com]

DC18 Data Center

  • 157.133.1.19 [mail18a.sapsf.com] 
  • 157.133.1.20 [mail18a.sapsf.com]

DC19 Data Center

  • 157.133.241.19 [mail19a.sapsf.com]
  • 157.133.241.20 [mail19b.sapsf.com]

DC22 Data Center

  • 130.214.250.241 [prodmail022a.sapsf.com]
  • 130.214.250.239 [prodmail022b.sapsf.com]

DC23 Data Center

  • 130.214.222.200 [prodmail023a.sapsf.com]
  • 130.214.222.201 [prodmail023b.sapsf.com]

DC42 Data Center

  • 40.114.119.86 [prodmail42a.sapsf.com]
  • 40.76.77.34 [prodmail42b.sapsf.com]

DC44 Data Center

  • 27.111.213.243 [prodmail44a.sapsf.com]
  • 27.111.213.244 [prodmail44b.sapsf.com]

Keywords

sf success factors, LMS, RCM, PLT, platform, BizX, biz x, SPF, e-mail, exchange, smtp, white list, firewall, fire wall , KBA , sf email notifications , whitelist , ip address , ips , LOD-SF-PLT , Platform Foundational Capabilities , LOD-SF-LMS , Learning Management System , LOD-SF-LMS-ADM , Admin Tools , LOD-SF-LMS-NOT , Notifications , LOD-SF-RCM-EML , Recruiting Emails and Notifications , How To

Product

SAP SuccessFactors HCM Suite all versions ; SAP SuccessFactors Learning all versions ; SAP SuccessFactors Recruiting all versions