Copy link

Set the email server and sender

Profit can generate and sent email messages. The email application (installed on your own PC) is not used within this context. In Profit you record various settings, including the email server to be used.


Guidelines for emailing in relation to AFAS Online

Recommendations to successfully sending email messages through Profit.

Email addresses of those addressed

  • Ensure you have an email address file that is up-to-date and correct in Profit.

    If a large number of email messages are sent to invalid addresses from AFAS Online, this may lead to the AFAS Online mail server getting a bad reputation. The AFAS Online mail servers may even be blocked because these invalid addresses are identified as being spam. Invalid/refused email messages therefore not only have an impact on the environment, but also on other AFAS Online environments. In addition, it is also important from customer centricity that customer data is correct.

  • Examine refused email messages regularly and rectify incorrect addresses.

Your email address:

  • Use an existing sender for email.

    Send the emails from Profit on behalf of a valid domain (the section behind the @). You usually use a sender of the organisation for this such as It is important that you are the owner of this email address/domain. If this is not the case, the first step is to register a domain name. We cannot support you in this. You must arrange this outside Profit.

    An email address sender that does not exist is often rejected by the receiving party because it is deemed spam. A 'No-reply' address is a non-existing sender. If you want to use a no-reply address, at least ensure that the domain where the email comes from is valid.

    An additional disadvantage of a no-reply address is that, as the name already infers, you cannot receive replies to the messages. This means that you will not see which emails have arrived at the addressed parties. This means that you are missing out on the opportunity of rectifying incorrect email addresses.

  • Use a valid, existing domain

    Valid means that a relationship can be demonstrated between the domain and the sending server. The mail server of the receiving party compares the domain of the email address using the sending AFAS Online mail server. If they do not seem to be related, this is referred to as 'sender spoofing'. The receiving mail server will not accept the email in this case. You can prevent this by changing the SPF record.

Where in Profit do I configure the sender of an email message?

In Profit, you can configure a sender for emails that you send from Profit at three levels.

  1. In the properties of the environment (General / Environment / Management / Properties Email tab).
  2. In the administration properties (General / Administration / Management / Properties Issue tab).
  3. Deviating sender per message template (General / Management / Message / Message template).

Profit looks from the bottom to the top within this context. This means that, if a deviating email address has not been configured in the message template, the sender of the administration will be used. Has a sender not been specified in the properties of the administration? Profit will then check the email address in the environment's properties. When manually sending a report from the Report generator, a message template is not used. Here, therefore the sender from the administration is used for this.

For sending payslips and other HRM-related messages, you can configure a sender in the employer's properties.

For alerts, AFAS Pocket activation mail, etc., we look at the email address that has been specified in the properties of the environment in the Sender automatic email field unless a sender has been specified in the message template.

Configure the AFAS Online mail server

You will be using the AFAS mail server. You must authorise the AFAS mail server to email on behalf of the sender's domain name. Next, you record the settings in Profit.

Profit will log all sent email messages including the return information of the recipient (such as a bounce status and a mailbox that cannot be reached). Use this function to actively monitor outgoing email and thus improve the communication.

Step 1: Authorise via the SPF record

You can authorise the AFAS Online mail server by adding the AFAS mail server to the SPF record of your own domain. You inform the receiving party with this that an email message that arrives through the AFAS Online server with you as the sender, is known to you. If you do not configure an SPF record, outgoing emails will not be correctly delivered and they will be blocked.

Please note:

If you change the DNS of your domain name, it may lead to your website and email no longer being accessible. We recommend only to make changes yourself if you are experience in administrating the DNS. Contact your system administrator regarding this.

The principle of the explanation below is:

You ask your system administrator or your web hosting partner to create or change an SPF record.

  • Example of an existing SPF record


    The SPF record looks as follows:

    Domain name | Type | Record txt v=spf1 mx ip4: ~all

  • Example of the same SPF record with authorisation for AFAS


    After the change, the SPF record will look as follows: txt v=spf1 mx ip4: ~all

You therefore only need to add the following:

Have you added to the SPF record of your own? Carry out the steps below to configure the outgoing mail server in Profit.

Below, you will see the instructions of the three largest hosting providers of the Netherlands:

Step 2: Configuring the mail server in Profit:

  1. Go to: General / Environment / Management / Properties.
  2. Go to the tab: E-mail.
  3. Select AFAS Online in the Mail server type field.

    You only need to Automatic e-mail sender enter.

  4. Enter that address in Automatic e-mail sender that will be specified in the automatically sent emails. Enter here a general email address of the organisation, for example, (use your own email address and not this example).


  • Also add another different sender email address for each administration. This will prevent error messages from being sent.
  • You can, moreover, add a deviating sender email address through the message templates for each component in the order route than used for the E-mail and Output actions.
Configure your own mail server (incl. Gmail and Office 365)

This is the default procedure for configuring the outgoing mail server.

Configuring the mail server and recipient in the environment:

  1. Go to: General / Environment / Management / Properties.
  2. Go to the tab E-mail.

    Own mail server


    Office 365

  3. Port and ‘Enforce secure communication’.

    What you enter here will depend on the settings and options of your mail server. If you have doubts, check the documentation of the mail server (service) or contact its administrator. The most secure configuration (and therefore the option recommended by AFAS) is to use port 465 in combination with the ‘Enforce secure communication’ option.

    • Allowed ports: 465, 587 and 25.

      Only port 587 is allowed in relation to Office 365 and Gmail.

    • If 'Enforce secure communication' has been activated, a correctly configured mail server will be enforced. The server name must therefore match the CN (or one of the alternative names) in the certificate. The certificate must be valid and must originate from a trusted publisher. (A self-signed certificate is therefore invalid.) For port 465, an 'Implicit SSL/TLS' connection is started with this configuration. For port 25 or 587, a connection is started with StartTLS.
    • If 'Enforce secure communication' has been deactivated, an attempt will be made to set up a secure connection. Correct certificate data is not enforced within this context. Security risks are linked to this method: a 'man in the middle' attack is therefore, for example, possible. If the server has not configured an SSL certificate, communication will take place in plain text. This applies to ports 465, 587 and 25.
    • Profit uses TLS 1.2 for the communication with the mail server. Or, if it is not available, TLS 1.1 or TLS 1.0.
  4. Select the Password verification required field if this verification is required on the mail server. Also enter the general username and password. The username and password: the user who you enter must have rights in relation to the mail server to email outside the domain. If you use your own mail server on AFAS Online, we recommend that you always work with a username/password and/or IP filter on your mail server to ensure that others cannot send email (such as spam) through your mail server.
  5. Allow list if required on the mail server the IP range or the IP address Profit offers emails to your mail server through this IP address. If you do not do this, this IP address by be added to a deny list. This will mean, for example, that your email will no longer arrive at the recipient.
  6. Enter that address in Automatic e-mail sender that will be specified in the automatically sent emails. Enter here a general email address of the organisation, for example, (use your own email address and not this example).


Error message: MailKit.Net.Smtp.SmtpCommandException: 5.7.64 Relay Access Denied ATTR36.


Emails from Profit are not being sent. Sometimes, the email with the invitation sent to employees for the Pocket App is sent, but invoices/reminders, etc. not.


The required IP addresses are not specified in your own allow list.


Domain Key Identified Mail (DKIM) as an extra security tier for sending emails

If you use the mail server of AFAS Online, in addition to the SPF record, you have an additional option to secure your email flow: DKIM. This means that the emails that you send from Profit (on behalf of the mail server of AFAS Online), will be provided with a DKIM signature. This signature contains the sender (domain) of your organisation.

You can request this via the AFAS customer portal. Go through the steps below after which AFAS will send you a username and password. By entering the username and password in a Profit environment at the mail server, DKIM signature will be applied from this environment for the domain for which you request this.

Please note:

The SPF record must be configured for the email address/domain name that is used in relation to this request.

You can enter the same username and password in several Profit environments to apply DKIM signature on behalf of that domain from several environments. This process consists of two steps, that is, the request through the customer portal and the definition of the settings in the Profit environment. You can read how to add an extra domain below, for example, when you are operational in a different country.

Step 1: Request via the customer portal

  1. Log on to the AFAS customer portal as the Administrator.
  2. On the customer portal, to Mijn gegevens / Abonnementen / Mijn abonnement.
  3. Click the subscription of your Profit environment.

    If, for example, the Profit environment is called O98765AA, the subscription is 98765.

  4. Click: Create DKIM request.
  5. Enter the domain that you want to use in the DKIM domain field.

    It is important that the correct domain name is entered in the DKIM domain field. Enter here the domain for which you want to use DKIM. The domain is part of the e-mail address.


    Your email address is

    We only need the section that comes after @, therefore

  6. First create two CNAME records in the DNS or your domain. This refers to the two records below where must be replaced with your domain.
    • must be created as CNAME with a reference to
    • must be created as CNAME with a reference to

    AFAS recommends a TTL (Time to live) of 1 hour for both CNAME records. Your system administrator can create the CNAME records for you in the DNS.

    It is allowed to already make the request with AFAS before the CNAME records are created. In this case, the request will be rejected with the option to have the request reassessed. It is also mandatory that you already have the AFAS Online SPF record configured before making this request.

Step 2: Settings in the Profit environment

  1. You will receive a username and password through the request. Configure these as follows in Profit:
    1. Open the environment.
    2. Go to: General / Environment / Management / Properties.
    3. Go to the tab E-mail.
    4. Select Apply DKIM in relation to outgoing emails and enter the email address and password.
  2. The figure below includes example data. Enter your own data.

After the configuration, your emails will be sent after applying DKIM encryption.

DKIM request for an extra domain

Image you once requested and this domain works how you like it. You recently opened a site in Belgium and now want that the emails on behalf of are DKIM signed. In this case, you must restart the request and enter The same checks are carried out. Only the steps in Settings in Profit are no longer necessary. AFAS will indicate that you already have a username and password in the request and that you do not again have to define them somewhere. When the request has been completed, the email messages that you send on behalf of will also be signed with DKIM.

Configure the checking policy for recipients on the sender's domain (DMARC)

You can use DMARC. In relation to DMARC, you can specify with a registration (DMARC record) on the domain from where you send emails how you want recipients to handle specific checks (such as DKIM and SPF) for emails that are sent (or seem to be sent) from your domain. This will help to limit spam or emails that are not really sent on behalf of your organisation.

Since DMARC is a setting on your domain, this is something that you can configure yourself as an organisation. This is not a setting that you need to request from AFAS and AFAS does not offer support with regard to this. Contact the administrator of your domain or mail servers. If you send your outgoing email through the AFAS mail server; read how you can configure SPF and DKIM above.

For more Information, please refer to

SendGrid (sending large quantities of email)

SendGrid is a party who specialises in sending (large quantities) of emails. In addition, they offer all types of tools to analyse your email flow.

Please note:

AFAS does not offer support with regard to the configuration of SendGrid; contact SendGrid yourself with regard to this.

Configure SendGrid:

  1. Register on the page.
  2. Create an SMTP Relay by using the next page.

  3. Copy the created API key and keep it on your PC. You need it for the configurations in Profit.
  4. Leave the SendGrid page open.

Configure Profit:

  1. Open the environment.
  2. Go to: General / Environment / Management / Properties.
  3. Go to the tab E-mail.
  4. Select SMTP in the Mail server type field.
  5. Server for outgoing mail:
  6. Port for outgoing mail: 465
  7. Select Enforce secure communication and SMTP server requires verification.
  8. Username: apikey
  9. Password: the previously copied API key.

  10. Go to the SendGrid page and click Verify integration.
  11. Go to Profit and send an email with the Test button.

The recipients of email that you send through SendGrid will see ‘via’ in the received email.

If you do not want this, apply ‘domain authentication’ in the configuration within your DNS and SendGrid. The message will disappear from emails that are subsequently sent. This will have a positive impact on your reputation as a sending party.

Exchange Online via Azure AD Connect

You can send outgoing email from Profit by using Exchange Online through Azure AD Connect. You can also import e-invoices by using Azure AD Connect; see the separate description.

The configuration consists of the following steps:

  1. Create application in Azure AD
  2. Configure Profit
  3. Check senders/user in Azure AD

Step 1: Create application in Azure AD

You create an application in Azure AD that has the correct rights.

  1. Go to and sign on as the administrator.
  2. Click Azure Active Directory.
  3. Click App registrations.
  4. Click New registration.
  5. Give the new registration a logical name such as Profit email.
  6. Click Register.

  7. Click API permissions.
  8. Click Add a permission.
  9. Click Microsoft Graph.
  10. Click Application permissions.
  11. Select Mail.ReadWrite and Mail.Send permissions.
  12. Click Add permissions.

    To send using Profit emails, at least the Mail.ReadWrite and Mail.Send permissions must have been allocated to the registration. The other permissions may, if required, be deleted

  13. Click Grant admin consent for ….

  14. Click Certificates & secrets.
  15. Click New client secret.
  16. Give the new secret a logical name and specify how long the secret will apply.
  17. Click Add.
  18. You will now see the secret in the view. Save it in, for example, a password safe. Once you exit this screen, you will no longer be able to see the secret. If you cannot remember the secret anymore, a new one must be created. You will need it later on when configuring Profit in the Application secret field.

  19. Click Overview
  20. You will see the Application (client) ID and Directory (tenant) ID values. You will need it later when configuring Profit for the Application ID and Directory ID fields.

Step 2: Configure Profit

  1. Open the environment.
  2. Go to: General / Environment / Management / Properties.
  3. Go to the tab E-mail.
  4. Select Exchange Azure AD at Mail server type.
  5. Enter the Directory ID, Application ID and Application secret values (based on the configuration of the Azure AD App in step 1).
  6. Enter an email address that is known in Azure AD in the Sender automatic email field (see also step 3)

Step 3: Check senders/user in Azure AD

In Profit, emails can be sent at different times by different senders. Emailing via Exchange Azure AD will only be successful if the used sender is a user in Azure AD. To create an Azure AD user, go to Users in the Azure AD administrator's environment (step 1) and select New user.

Directly to

  1. Configure report e-mailing
  2. Change/add reports
  3. Authorise the e-mail configuration
  4. Environment e-mail settings
  5. Set up a message template
  6. Configure e-invoicing
  7. Configure sales contacts for e-mailing and printing
  8. Configure purchase contacts for e-mailing and printing
  9. Allow the e-mailing of credit invoices using the Output wizard
  10. Translate supply report PDF file name
  11. Issue a report by e-mail



Work area