Sending Emails from SAP SuccessFactors
Candidates not receiving your emails during the Recruiting process? Or onboardees telling you they can't access their paperwork? This could be why.
To counter the growing amount of spam emails that are sent across the world, mail providers are increasingly protective of what systems are allowed to send emails. Two main protections have been built, implemented by SAP, and are used by mail providers today. These are SPF and DKIM. They are wrapped and used together via a specification called DMARC. All these tools rely on a technology that is at the heart of the internet called DNS.
DNS – Domain Name System
DNS is a way for your company to store pieces of information (DNS records) about its domain (the bit after the @ in your email addresses). When your company registers its domain (e.g. discoveryconsulting.com.au), it specifies which name servers should be used for that domain.
These domain name servers can then store lots of small pieces of information that can be read quickly by any computer connected to the internet. Information like the IP address of the server that hosts your company’s web site, or details of which servers accept emails sent to email addresses for your company’s domain.
Generally, your company will not host its own DNS servers but will rely on a DNS hosting service (like those provided by Telstra, Microsoft, etc.). Your company’s IT team is very unlikely to give you access to maintain DNS entries yourself, as almost all critical IT software in your company depends on the DNS entries being correct.
SPF – Sender Policy Framework
This is used to list the IP addresses (internet server addresses) of the systems that are allowed to send emails on behalf of a specific internet domain. The list of IP addresses (the SPF allow list) is stored as a DNS record for your company’s domain.
When a receiving mail server (e.g. Gmail) gets an email sent to it, it checks the IP address of the sender and compares it to the list of IP addresses in the SPF DNS entry for the sender’s email domain (the bit after the @). If the sender’s IP address matches one of the entries in the SPF allow list, then the mail “Passes” the SPF check.
SAP provides an SPF “include” that lists the IP addresses used by the Sydney SAP SuccessFactors data centres. By including this entry in your company’s SPF list, you enable SAP SuccessFactors to send emails on your behalf from these IP addresses.
NB: After the recent DC move, the SPF include was not updated immediately to reflect the new DC IP addresses. SAP have done this now, but customers that had added this include to their SPF records have had issues with emails not being sent.
There are some complexities and limitations with SPF. Firstly, there is a limit on the number of include entries that can be added to any domain’s SPF list. Your company may already have hit this limit. Additionally, SPF validates any email sent from the listed IP addresses, so some IT Security departments are wary of allow-listing them, as any SAP SuccessFactors customer could potentially then send validated emails from your company’s domain.
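The SPF check and the include limit described above, as an added example (not SAP's or the author's code): a small Python evaluator run against constructed DNS records. All domain names and IP addresses are placeholders, only the ip4/ip6, include and all mechanisms are handled, and the limit enforced is the RFC 7208 cap of 10 DNS-querying terms per check, which is what restricts how many includes a record can carry.

```python
import ipaddress

# Constructed TXT records standing in for DNS. Names and addresses are
# placeholders from documentation ranges, not SAP's real include or IPs.
ZONE = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.hr-vendor.example -all",
    "_spf.hr-vendor.example": "v=spf1 ip4:198.51.100.10 -all",
}
LOOKUP_LIMIT = 10  # RFC 7208: at most 10 DNS-querying terms per SPF check
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(ip, domain, zone, lookups=None):
    """Evaluate ip against domain's SPF record (ip4/ip6, include, all only)."""
    lookups = lookups if lookups is not None else [0]  # shared across includes
    record = zone.get(domain, "")
    if not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in RESULTS else "+"
        mech = term.lstrip("+-~?")
        if mech.startswith(("ip4:", "ip6:")):
            net = ipaddress.ip_network(mech[4:], strict=False)
            matched = addr.version == net.version and addr in net
        elif mech.startswith("include:"):
            lookups[0] += 1
            if lookups[0] > LOOKUP_LIMIT:
                return "permerror"  # too many lookups: the whole check errors
            inner = check_spf(ip, mech[len("include:"):], zone, lookups)
            if inner in ("none", "permerror"):
                return "permerror"
            matched = inner == "pass"  # only a pass inside the include matches
        elif mech == "all":
            matched = True
        else:
            continue  # a, mx, exists, redirect are outside this example
        if matched:
            return RESULTS[qualifier]
    return "neutral"


def too_many_includes(n):
    """Constructed zone whose example.com record chains n includes."""
    zone = {f"s{i}.example": f"v=spf1 ip4:203.0.113.{i} -all" for i in range(n)}
    zone["example.com"] = "v=spf1 " + " ".join(f"include:{d}" for d in zone) + " -all"
    return zone
```

A sender address that the vendor include does not yet list (the situation after a data centre move) evaluates to fail until the include is updated, and a record that chains more than ten includes returns permerror for addresses that are only reached past the tenth lookup.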
DKIM – DomainKeys Identified Mail
This solution is a little more modern and secure than SPF. It uses public-key cryptography to sign email messages. The public key is stored in a DNS record associated with the sender email domain. When an email provider receives an email that has been signed with a DKIM signature, it checks the DNS record of the email sender domain for a DKIM public key. It checks the signature using the public key. If the signature then matches the sender domain and email details, the email has been verified as being sent by the holder of the matching private key.
SAP provides the ability to generate DKIM keys for your SAP SuccessFactors instance and have all outbound emails signed with this key. Each DKIM key is for a specific SAP SuccessFactors instance, so there is no risk of another SAP SuccessFactors instance sending emails that would be signed with a valid DKIM for your company’s email domain.
DKIM public keys (SAP do not provide you with the private key) need to be requested from SAP and take a couple of days to be provided. There is no limit to the number of DKIM entries that a given domain can have maintained against it (unlike SPF entries).
DMARC – Domain-based Message Authentication, Reporting and Conformance
This is tooling that may or may not be implemented in your company. It allows you to specify to services that receive emails from you whether you are using SPF and DKIM and whether they should accept any emails that don’t pass SPF and DKIM checks.
It also allows those email providers to send reports back to you about any emails that are failing, with details of each email. This closes the loop to ensure that only valid email senders should be allowed and gives your company visibility over whether any emails are being rejected as spam emails.
SAP do not provide any tooling for DMARC as part of SAP SuccessFactors. This tooling would be something that your company would implement but that ties in with the SPF and DKIM setups that SAP SuccessFactors allows.
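How a receiver that follows the DMARC specification (RFC 7489) combines the SPF and DKIM results, as an added Python example that is not code from SAP or from this article. Under that specification a message passes when at least one of the two checks passes for a domain aligned with the visible From domain; the policy record, domains and scenarios below are constructed, and relaxed alignment is simplified as noted in the comments.

```python
def parse_tags(record):
    """Split a 'tag=value; tag=value' TXT record into a dict."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {tag.strip().lower(): value.strip() for tag, value in pairs}


def aligned(auth_domain, from_domain, mode):
    """Does the authenticated domain line up with the visible From domain?"""
    a, f = auth_domain.lower(), from_domain.lower()
    if mode == "s":  # strict: exact match only
        return a == f
    # Relaxed, simplified here to "equal, or one is a subdomain of the other".
    # Real receivers compare organisational domains via the Public Suffix List.
    return a == f or a.endswith("." + f) or f.endswith("." + a)


def dmarc_verdict(from_domain, spf, dkim, record):
    """spf = (result, envelope domain); dkim = (result, d= domain)."""
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return "no-policy"
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim[0] == "pass" and aligned(dkim[1], from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:  # either aligned pass is enough
        return "pass"
    return "fail:" + tags.get("p", "none")  # none, quarantine or reject


# Constructed policy record and scenarios; all domains are placeholders.
POLICY = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"
SCENARIOS = {
    "SPF fails (sending IP not in allow list), DKIM passes":
        (("fail", "example.com"), ("pass", "example.com")),
    "SPF passes for an unrelated envelope domain, no DKIM":
        (("pass", "bounces.hr-vendor.example"), ("none", "")),
    "neither passes":
        (("fail", "example.com"), ("fail", "example.com")),
}


def run_scenarios():
    """Return the DMARC verdict for each constructed scenario."""
    return {name: dmarc_verdict("example.com", spf, dkim, POLICY)
            for name, (spf, dkim) in SCENARIOS.items()}
```

The second scenario is the one to check for: an SPF pass only counts towards DMARC when the domain it passed for is aligned with the From address the recipient sees.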
Takeaways On Recent DC Move
The recent data centre move has changed the IP addresses used by SAP SuccessFactors to send emails. It is possible that the old IP addresses were listed in your company’s SPF record, but not the new ones. It is also possible that the new IP addresses have not been added to any internal IP allow lists associated with your company’s mail servers.
You may not have implemented DKIM with SAP SuccessFactors because testing with the old data centre sending emails worked, so you didn’t need to do anything. All these things may mean that after the data centre move your SAP SuccessFactors instance is not successfully sending emails to your employees, recruitment candidates and onboardees.
What To Do?
Implement SPF and DKIM. It may be that your company has hit the limits of what it can implement with SPF, but this limit does not exist with DKIM. Unless your company has a DMARC setup that fails unless both SPF and DKIM pass, it is likely that a pass from DKIM will stop emails from going into spam folders or not being delivered.
If your company uses multiple domain names, you may need to set up SPF and DKIM for all of your domains.
Questions?
That’s what we’re here for. Please get back to us and we’ll help and advise your way to a secure working system.