SAP Knowledge Base Article - Public

2688533 - SAP SuccessFactors Email Security - DKIM and SPF

Symptom

  • What is DKIM?
  • What is SPF?
  • How to request DKIM and SPF implementation?

Environment

SAP SuccessFactors Platform / BizX.

Resolution

All e-mail notifications delivered from the SuccessFactors hosted solution are encrypted in transit over Sendmail\TLS. SuccessFactors uses Cisco IronPort e-mail appliances for encrypted e-mail distribution.

What is DKIM?

DKIM stands for DomainKeys Identified Mail.

  • It allows senders to associate a domain name with an e-mail message so that the message's authenticity can be validated. In practice, a unique digital signature is created for each customer and included in the e-mail header, so that SF e-mail notifications can be validated by the customer’s network.

  • The IronPort mail clusters support both the older DomainKeys method and the newer DKIM method of signing. Signing needs to be configured on a per-domain basis on our IronPorts. We generate a private key and provide the customer with the DKIM public key values and string, which the customer needs to add to their public DNS records.

  • Keep in mind that DKIM signing is not a replacement for actual e-mail signing. DKIM only ensures that the e-mail was really sent on behalf of a domain.

What is SPF?

SPF stands for Sender Policy Framework. From KBA 2292695:

  • It is an e-mail validation system designed to prevent e-mail spam by detecting e-mail spoofing, a common vulnerability, by verifying sender IP addresses. SPF allows Customer administrators to specify which hosts are allowed to send mail from a given domain by creating a specific SPF record (or TXT record) in the Domain Name System (DNS). Mail exchangers use the DNS to check that mail from a given domain is being sent by a host sanctioned by that domain's administrators.

  • Adopting SPF verification on Customer mail servers will ensure that emails are being sent only from SuccessFactors.
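
To sanity-check the two DNS records described above once they are published, the following added example (not SAP's code or tooling) validates a DKIM key record and a domain's SPF record offline from their TXT values. The key bytes, the `include:_spf.mailvendor.example` term and the function names are constructed placeholders; this page does not state the actual values SuccessFactors provides.

```python
import base64
import re

# Constructed sample values: placeholder key bytes and hypothetical names, not real records.
SAMPLE_KEY = base64.b64encode(b"constructed placeholder, not a real key").decode()
GOOD_DKIM = f"v=DKIM1; k=rsa; p={SAMPLE_KEY}"
PROVIDER_TERM = "include:_spf.mailvendor.example"  # assumed; use the term your provider gives you

def check_dkim(txt):
    """Return problems found in a DKIM key record (TXT value at <selector>._domainkey.<domain>)."""
    tags = {}
    for part in txt.split(";"):  # the record is a 'tag=value; tag=value' list
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", value)  # joined TXT chunks may carry whitespace
    problems = []
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v= must be DKIM1 when present")
    key = tags.get("p")
    if key is None:
        problems.append("missing p= (public key)")
    elif key == "":
        problems.append("empty p= means the key is revoked")
    else:
        try:
            base64.b64decode(key, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            problems.append("p= is not valid base64 (truncated or mangled on paste)")
    return problems

def check_spf(txt_records, required_term):
    """Return problems in a domain's TXT records as an SPF policy authorising required_term."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:  # zero means no policy; more than one is a permanent error for receivers
        return [f"expected exactly one v=spf1 record, found {len(spf)}"]
    terms, problems = spf[0].lower().split()[1:], []
    if required_term.lower() not in [t.lstrip("+") for t in terms]:
        problems.append(f"{required_term} missing: provider hosts are not authorised")
    alls = [t for t in terms if t.lstrip("+-~?") == "all"]
    if not alls and not any(t.startswith("redirect=") for t in terms):
        problems.append("no 'all' term: unlisted hosts get a neutral result")
    elif alls and alls[0][0] not in "-~":
        problems.append("'all' is pass or neutral: unlisted hosts are not rejected")
    return problems

if __name__ == "__main__":
    print(check_dkim(GOOD_DKIM))
    print(check_spf(["v=spf1 " + PROVIDER_TERM + " ~all"], PROVIDER_TERM))
```

The DKIM check only confirms that the record is well formed; whether the key matches the provider's signing key is shown by the DKIM result a receiving server records for a real notification.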

How to request DKIM and SPF implementation?

Please reach out to SAP Cloud Support team (under component LOD-SF-PLT-SEC) with the following information provided:

  • Company id:
  • Datacenter:
  • Your mail domain details: 

See Also

INTERNAL: Example of JIRA COSR-136530.

Keywords

DKIM, SPF, DMARC, e-mail security, mail domain, DNS, domain key identified mail, sender policy framework, KBA, LOD-SF-PLT-NOT, Email Notifications, LOD-SF-PLT-SEC, Security & Permissions, How To

Product

SAP SuccessFactors HCM Core all versions