Heiko Bllr
Tera Guru

"As an end user I would like to receive email notifications from mycompanydomain.com, so that I can trust the sender and I am not confused or irritated."

While this is a nice-to-have feature in ITSM, it becomes mandatory for CSM projects or any other projects where external users are involved.

 

Easy, right? You just set the "reply_to" and "from" fields of your notifications like this, for example:

  • reply_to = "<no-reply@mycompanydomain.com>"
  • from = "Customer Support <support@mycompanydomain.com>"

...and everything works fine. It does, provided you configure your own SMTP server (Email Account, type = smtp) that sits in "mycompanydomain.com".

 

What if you decided to use ServiceNow's SMTP? Nice and easy, no additional work on your side. Cool.

This was the situation in my recent project and we were wondering why email sending (?) did not seem to work. Actually, we had the following results:

  • Some recipients did not receive anything
  • For some the emails were quarantined
  • For some they were received in the spam folder

What happened? After checking the relevant tables we were sure email sending from the platform worked. We searched the internet, ServiceNow KB and later also opened a Hi case. We realized the key to solving our problem was "Email Sender authentication".

Setting the "from" address to a different domain than the SMTP server's is email spoofing, and that's why the email was not trusted and was ignored (our "from" domain did not match the SMTP server's domain, which is "service-now.com"). This might have worked 20 years ago though...

 

Today, several mechanisms are available to solve this issue:

  • SPF (Sender Policy Framework)
  • DKIM (DomainKeys Identified Mail)
  • DMARC (Domain-based Message Authentication, Reporting and Conformance)

To make this work with ServiceNow we need to configure SPF and DKIM on the domain "mycompanydomain.com".

Take the following steps in this order (do this for your non-prod instance(s) and non-prod domain(s) first):

  • Get a DKIM selector and public key
  • Configure DKIM and also an SPF record in "mycompanydomain.com"
  • Reprovision email on your instance

This KB article describes it nicely.

Just to show you an example of what this looks like, see the screenshot below. I randomly picked one of my own emails from my private email account and found the DKIM signature in the header. Here the selector is just "mail" and the domain is "forum.blocktrainer.de". With this information, anyone can look up the public key:

[Screenshot: DKIM-Signature email header with selector "mail" and domain "forum.blocktrainer.de"]

Verifying whether the signature is valid requires some programming skills and a deep understanding of how RSA signatures work. I won't go into more detail in this article, but you can find it online.
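The lookup and the domain mismatch described above can be checked without any cryptography. The following is an added example, not code from the article or from ServiceNow: it reads the `d=` and `s=` tags from a DKIM-Signature header, builds the DNS name where the public key is published, and reports whether the signing domain matches the "from" domain. The sample messages, the selector `sel1` and the signing domain in the "before" case are constructed assumptions, and the subdomain test is a simplification of DMARC's relaxed alignment.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample headers (not from the article). "sel1" is a hypothetical
# selector; bh= and b= are placeholders, so no signature is verified here.
TEMPLATE = """\
From: Customer Support <support@mycompanydomain.com>
Reply-To: <no-reply@mycompanydomain.com>
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d={d};
 s={s}; h=from:to:subject; bh=PLACEHOLDER=; b=PLACEHOLDER==
Subject: Your case has been updated

Hello
"""
# Assumed "before" case: mail signed by the platform's domain, not ours.
BEFORE = TEMPLATE.format(d="service-now.com", s="sel1")
# "After" case: DKIM configured on mycompanydomain.com.
AFTER = TEMPLATE.format(d="mycompanydomain.com", s="sel1")

def parse_tags(value):
    """Split a DKIM tag=value list into a dict, dropping folding whitespace."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, val = part.split("=", 1)  # base64 values may contain '='
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags

def dkim_report(raw):
    """Return one dict per DKIM-Signature header found in the raw message."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    report = []
    for header in msg.get_all("DKIM-Signature", []):
        tags = parse_tags(header)
        d, s = tags.get("d", "").lower(), tags.get("s", "")
        report.append({
            "from_domain": from_domain,
            "signing_domain": d,
            # TXT record that holds the public key for this selector
            "key_dns_name": f"{s}._domainkey.{d}",
            # Simplified alignment: same domain, or "from" is a subdomain of d=
            "aligned": from_domain == d or from_domain.endswith("." + d),
        })
    return report

if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        print(label, dkim_report(raw))
```

For the header in the screenshot, the same rule gives the lookup name `mail._domainkey.forum.blocktrainer.de`.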

An SPF record will look like this (some email servers will require SPF besides DKIM):

[Screenshot: example SPF record]

 

The world works with ServiceNow!

 

Let me know if the article was helpful for you by clicking below. Thanks!

 

PS: Make sure you test email sending and receiving in non-PROD so that you have this ready and set up PRIOR to your Go Live. I can't stress this enough!
