SAP Knowledge Base Article - Public

2688533 - SAP SuccessFactors Email Security - DKIM and SPF


  • What is DKIM?
  • What is SPF?
  • How to request/enable DKIM and SPF implementation?


SAP SuccessFactors HCM Suite


All e-mail notifications delivered from the SuccessFactors hosted solution would be securely encrypted over Sendmail\TLS. SuccessFactors uses Cisco IronPort e-mail appliances for encrypted e-mail distribution.

What is DKIM?

DKIM stands for Domain Key Identified Mail

  • It allows senders to associate a domain name with an e-mail message, thus allowing validation for its authenticity. Basically, it would be like creating a unique digital signature that is included on the e-mail header for each customer so that SF e-mail notifications can be validated by the customer’s network.

  • The IronPort mail clusters support both the old Domain Keys method and the newer DKIM method of signing.  This would need to be configured on a per domain basis on our IronPorts.  We would generate a private key and we would provide the customer the DKIM public key values & string that would need to add to their public DNS records.

  • Keep in mind that DKIM signing is not a replacement for actual e-mail signing though.  DKIM only ensures that the e-mail was really sent on behalf of a domain.

What is SPF?

SPF stands for Sender Policy Framework. From KBA 2292695:

  • It is an e-mail validation system designed to prevent e-mail spam by detecting e-mail spoofing, a common vulnerability, by verifying sender IP addresses. SPF allows Customer administrators to specify which hosts are allowed to send mail from a given domain by creating a specific SPF record (or TXT record) in the Domain Name System (DNS). Mail exchangers use the DNS to check that mail from a given domain is being sent by a host sanctioned by that domain's administrators.

  • Adopting SPF verification on Customer mail servers will ensure that emails are being sent only from SuccessFactors.

How to request/enable DKIM and SPF implementation?

Please reach out to SAP Cloud Support team (under component LOD-SF-PLT-SEC) with the following information provided:

  • Company ID:
  • Datacenter:
  • Your mail domain details: 
    (Provide a full list of the email domains used by users - there may be more than one).
    e.g. and


DKIM, SPF, DMARC, e-mail security, mail domain, DNS, domain key identified mail, sender policy framework, enable DKIM , KBA , LOD-SF-PLT-NOT , Email Notifications , LOD-SF-PLT-SEC , Security & Permissions , How To


SAP SuccessFactors HCM Suite all versions