Set the email server and sender

Profit can generate and sent email messages. The email application (installed on your own PC) is not used within this context. In Profit you record various settings, including the email server to be used.

Guidelines for emailing in relation to AFAS Online

Recommendations to successfully sending email messages through Profit.

Email addresses of those addressed

• Ensure you have an email address file that is up-to-date and correct in Profit.

  If a large number of email messages are sent to invalid addresses from AFAS Online, this may lead to the AFAS Online mail server getting a bad reputation. The AFAS Online mail servers may even be blocked because these invalid addresses are identified as being spam. Invalid/refused email messages therefore not only have an impact on the environment, but also on other AFAS Online environments. In addition, it is also important from customer centricity that customer data is correct.

• Examine refused email messages regularly and rectify incorrect addresses.
  

Your email address: sender@domain.nl

• Use an existing sender for email.

  Send the emails from Profit on behalf of a valid domain (the section behind the @). You usually use a sender of the organisation for this such as @enyoi.nl. It is important that you are the owner of this email address/domain. If this is not the case, the first step is to register a domain name. We cannot support you in this. You must arrange this outside Profit.

  An email address sender that does not exist is often rejected by the receiving party because it is deemed spam. A 'No-reply' address is a non-existing sender. If you want to use a no-reply address, at least ensure that the domain where the email comes from is valid.

  An additional disadvantage of a no-reply address is that, as the name already infers, you cannot receive replies to the messages. This means that you will not see which emails have arrived at the addressed parties. This means that you are missing out on the opportunity of rectifying incorrect email addresses.

• Use a valid, existing domain

  Valid means that a relationship can be demonstrated between the domain and the sending server. The mail server of the receiving party compares the domain of the email address using the sending AFAS Online mail server. If they do not seem to be related, this is referred to as 'sender spoofing'. The receiving mail server will not accept the email in this case. You can prevent this by changing the SPF record.

Where in Profit do I configure the sender of an email message?

In Profit, you can configure a sender for emails that you send from Profit at three levels.

1. In the properties of the environment (General / Environment / Management / Properties Email tab).
2. In the administration properties (General / Administration / Management / Properties Issue tab).
3. Deviating sender per message template (General / Management / Message / Message template).

Profit looks from the bottom to the top within this context. This means that, if a deviating email address has not been configured in the message template, the sender of the administration will be used. Has a sender not been specified in the properties of the administration? Profit will then check the email address in the environment's properties. When manually sending a report from the Report generator, a message template is not used. Here, therefore the sender from the administration is used for this.

For sending payslips and other HRM-related messages, you can configure a sender in the employer's properties.

For alerts, AFAS Pocket activation mail, etc., we look at the email address that has been specified in the properties of the environment in the Sender automatic email field unless a sender has been specified in the message template.

Configure the AFAS Online mail server

You will be using the AFAS mail server. You must authorise the AFAS mail server to email on behalf of the sender's domain name. Next, you record the settings in Profit.

Profit will log all sent email messages including the return information of the recipient (such as a bounce status and a mailbox that cannot be reached). Use this function to actively monitor outgoing email and thus improve the communication.

Step 1: Authorise via the SPF record

You can authorise the AFAS Online mail server by adding the AFAS mail server to the SPF record of your own domain. You inform the receiving party with this that an email message that arrives through the AFAS Online server with you as the sender, is known to you. If you do not configure an SPF record, outgoing emails will not be correctly delivered and they will be blocked.

Please note:

If you change the DNS of your domain name, it may lead to your website and email no longer being accessible. We recommend only to make changes yourself if you are experience in administrating the DNS. Contact your system administrator regarding this.

The principle of the explanation below is: yourdomain.nl.

You ask your system administrator or your web hosting partner to create or change an SPF record.

• Example of an existing SPF record

  Example:

  The SPF record looks as follows:

  Domain name | Type | Record
  yourdomain.nl txt v=spf1 mx ip4:213.76.258.8 include:spf.protection.outlook.com ~all

• Example of the same SPF record with authorisation for AFAS

  Example:

  After the change, the SPF record will look as follows:

  yourdomain.nl txt v=spf1 mx ip4:213.76.258.8 include:spf.protection.outlook.com include:spf.afas.online ~all

You therefore only need to add the following:

include:spf.afas.online

Have you added spf.afas.online to the SPF record of your own? Carry out the steps below to configure the outgoing mail server in Profit.

Below, you will see the instructions of the three largest hosting providers of the Netherlands:

• Hostnet
• GoDaddy
• YourHosting

Step 2: Configuring the mail server in Profit:

1. Go to: General / Environment / Management / Properties.
2. Go to the tab: E-mail.
3. Select AFAS Online in the Mail server type field.

   You only need to Automatic e-mail sender enter.

4. Enter that address in Automatic e-mail sender that will be specified in the automatically sent emails. Enter here a general email address of the organisation, for example, reply@enyoi.nl (use your own email address and not this example).

   

Tips:

• Also add another different sender email address for each administration. This will prevent error messages from being sent.
• You can, moreover, add a deviating sender email address through the message templates for each component in the order route than used for the E-mail and Output actions.

Configure your own mail server (incl. Gmail and Office 365)

This is the default procedure for configuring the outgoing mail server.

Configuring the mail server and recipient in the environment:

1. Go to: General / Environment / Management / Properties.
2. Go to the tab E-mail.

   Own mail server

   1. Select SMTP in the Mail server type field.
   2. Enter the mail server, for example,smtp.yourcompany.com.

      

   3. Port and ‘Enforce secure communication’.

      What you enter here will depend on the settings and options of your mail server. If you have doubts, check the documentation of the mail server (service) or contact its administrator. The most secure configuration (and therefore the option recommended by AFAS) is to use port 465 in combination with the ‘Enforce secure communication’ option.

      • Allowed ports: 465, 587 and 25.
      • If 'Enforce secure communication' has been activated, a correctly configured mail server will be enforced. The server name must therefore match the CN (or one of the alternative names) in the certificate. The certificate must be valid and must originate from a trusted publisher. (A self-signed certificate is therefore invalid.) For port 465, an 'Implicit SSL/TLS' connection is started with this configuration. For port 25 or 587, a connection is started with StartTLS.
      • If 'Enforce secure communication' has been deactivated, an attempt will be made to set up a secure connection. Correct certificate data is not enforced within this context. Security risks are linked to this method: a 'man in the middle' attack is therefore, for example, possible. If the server has not configured an SSL certificate, communication will take place in plain text. This applies to ports 465, 587 and 25.
      • Profit uses TLS 1.2 for the communication with the mail server. Or, if it is not available, TLS 1.1 or TLS 1.0.
   4. Select the Password verification required field if this verification is required on the mail server. Also enter the general username and password. The username and password: the user who you enter must have rights in relation to the mail server to email outside the domain. If you use your own mail server on AFAS Online, we recommend that you always work with a username/password and/or IP filter on your mail server to ensure that others cannot send email (such as spam) through your mail server.
   5. Allow list if required on the mail server the IP range 185.46.182.0/24 or the IP address 185.46.182.1/proxy.afas.online. Profit offers emails to your mail server through this IP address. If you do not do this, this IP address by be added to a deny list. This will mean, for example, that your email will no longer arrive at the recipient.
   6. Enter that address in Automatic e-mail sender that will be specified in the automatically sent emails. Enter here a general email address of the organisation, for example, reply@enyoi.nl (use your own email address and not this example).

   Gmail

   Points of attention:

   • If you use two-factor authentication for your Gmail account, you must configure an app password for use in Profit. We recommend transferring to two-factor authorisation if you do not use this yet. If you do not want to use two-factor authorisation, activate Less secure passwords in your Gmail account.
   • When emailing using the Gmail mail server, Gmail does not allow that you send an email on behalf of another sender than your own email address. This is the default setting. You can, however, add extra email addresses to your Gmail account (and verify them) through the Gmail website. Then you will be able to email from Profit on behalf of these senders through the Gmail mail server. For more Information, please refer to Sending emails from another address or alias.

   1. Copy the settings below. Enter your own email address, username and sender.

      

   2. Use port 587 for a Gmail account.
   3. ‘Enforce secure communication’ setting:
      • If 'Enforce secure communication' has been activated, a correctly configured mail server will be enforced. The server name must therefore match the CN (or one of the alternative names) in the certificate. The certificate must be valid and must originate from a trusted publisher. (A self-signed certificate is therefore invalid.) For port 465, an 'Implicit SSL/TLS' connection is started with this configuration. For port 25 or 587, a connection is started with StartTLS.
      • If 'Enforce secure communication' has been deactivated, an attempt will be made to set up a secure connection. Correct certificate data is not enforced within this context. Security risks are linked to this method: a 'man in the middle' attack is therefore, for example, possible. If the server has not configured an SSL certificate, communication will take place in plain text. This applies to ports 465, 587 and 25.
      • Profit uses TLS 1.2 for the communication with the mail server. Or, if it is not available, TLS 1.1 or TLS 1.0.
   4. Select the Password verification required field if this verification is required on the mail server. Also enter the general username and password. The username and password: the user who you enter must have rights in relation to the mail server to email outside the domain. If you use your own mail server on AFAS Online, we recommend that you always work with a username/password and/or IP filter on your mail server to ensure that others cannot send email (such as spam) through your mail server.
   5. Allow list if required on the mail server the IP range 185.46.182.0/24 or the IP address 185.46.182.1/proxy.afas.online. Profit offers emails to your mail server through this IP address. If you do not do this, this IP address by be added to a deny list. This will mean, for example, that your email will no longer arrive at the recipient.
   6. Enter that address in Automatic e-mail sender that will be specified in the automatically sent emails. Enter here a general email address of the organisation, for example, reply@enyoi.nl (use your own email address and not this example).

   Exchange Online via Azure AD Connect

   You can send outgoing email from Profit by using Exchange Online through Azure AD Connect. You can also import e-invoices by using Azure AD Connect; see the separate description.

   The configuration consists of the following steps:

   1. Create application in Azure AD
   2. Configure Profit
   3. Check senders/user in Azure AD

   Step 1: Create application in Azure AD

   You create an application in Azure AD that has the correct rights.

   1. Go to https://portal.azure.com and sign on as the administrator.
   2. Click Azure Active Directory.
   3. Click App registrations.
   4. Click New registration.
   5. Give the new registration a logical name such as Profit email.
   6. Click Register.

      

   7. Click API permissions.
   8. Click Add a permission.
   9. Click Microsoft Graph.
   10. Click Application permissions.
   11. Select Mail.ReadWrite and Mail.Send permissions.
   12. Click Add permissions.

       To send using Profit emails, at least the Mail.ReadWrite and Mail.Send permissions must have been allocated to the registration. The other permissions may, if required, be deleted.

       Note:

       This is a "crude" setting, as it allows Profit to mail on behalf of every user in your Azure environment. Microsoft offers a better (more fine-grained) solution for this: you can add a policy to your Azure app registration and link it to a group with a limited number of users. For more explanation, see https://learn.microsoft.com/en-us/graph/auth-limit-mailbox-access.

   13. Click Grant admin consent for ….

       

   14. Click Certificates & secrets.
   15. Click New client secret.
   16. Give the new secret a logical name and specify how long the secret will apply.
   17. Click Add.
   18. You will now see the secret in the view. Save it in, for example, a password safe. Once you exit this screen, you will no longer be able to see the secret. If you cannot remember the secret anymore, a new one must be created. You will need it later on when configuring Profit in the Application secret field.

       

   19. Click Overview
   20. You will see the Application (client) ID and Directory (tenant) ID values. You will need it later when configuring Profit for the Application ID and Directory ID fields.

       

   Step 2: Configure Profit

   1. Open the environment.
   2. Go to: General / Environment / Management / Properties.
   3. Go to the tab E-mail.
   4. Select Exchange Azure AD at Mail server type.
   5. Enter the Directory ID, Application ID and Application secret values (based on the configuration of the Azure AD App in step 1).
   6. Enter an email address that is known in Azure AD in the Sender automatic email field (see also step 3)

      

   Step 3: Check senders/user in Azure AD

   In Profit, emails can be sent at different times by different senders. Emailing via Exchange Azure AD will only be successful if the used sender is a user in Azure AD. To create an Azure AD user, go to Users in the Azure AD administrator's environment (step 1) and select New user.

   

Tips:

• You can, if required, add another different sender email address for each administration.
• You can, moreover, add a deviating sender email address through the message templates for each component in the order route than used for the E-mail and Output actions.

Error message: MailKit.Net.Smtp.SmtpCommandException: 5.7.64 Relay Access Denied ATTR36.

Problem:

Emails from Profit are not being sent. Sometimes, the email with the invitation sent to employees for the Pocket App is sent, but invoices/reminders, etc. not.

Cause:

The required IP addresses are not specified in your own allow list.

Solution:

• See the IP addresses that are specified above
• See the overview of IP addresses, URLs and ciphers

Domain Key Identified Mail (DKIM) as an extra security tier for sending emails

If you use the mail server of AFAS Online, in addition to the SPF record, you have an additional option to secure your email flow: DKIM. This means that the emails that you send from Profit (on behalf of the mail server of AFAS Online), will be provided with a DKIM signature. This signature contains the sender (domain) of your organisation.

You can request this via the AFAS customer portal. Go through the steps below after which AFAS will send you a username and password. By entering the username and password in a Profit environment at the mail server, DKIM signature will be applied from this environment for the domain for which you request this.

Please note:

Who should you contact to make DKIM changes in the domain provider's control panel? AFAS Support cannot help you with this, but you can look it up at https://lookup.icann.org/en/lookup (there are other, similar websites).

You can enter the same username and password in several Profit environments to apply DKIM signature on behalf of that domain from several environments. This process consists of two steps, that is, the request through the customer portal and the definition of the settings in the Profit environment. You can read how to add an extra domain below, for example, when you are operational in a different country.

Step 1: Request via the customer portal

1. Log on to the AFAS customer portal as the Administrator.
2. On the customer portal, to Mijn gegevens / Abonnementen / Mijn abonnement.
3. Click the subscription of your Profit environment.

   If, for example, the Profit environment is called O98765AA, the subscription is 98765.

4. Click: Create DKIM request.
5. Enter the domain that you want to use in the DKIM domain field.

   It is important that the correct domain name is entered in the DKIM domain field. Enter here the domain for which you want to use DKIM. The domain is part of the e-mail address.

   Example:

   Your email address is eva@voorbeelddomain.nl.

   We only need the section that comes after @, therefore exampledomain.nl.

6. First create two CNAME records in the DNS or your domain. This refers to the two records below where exampledomain.nl must be replaced with your domain.
   • afasonline1._domainkey.exampledomain.nl must be created as CNAME with a reference to afasonline1.domainkey.afas.online.
   • afasonline2._domainkey.exampledomain.nl must be created as CNAME with a reference to afasonline2.domainkey.afas.online.

   AFAS recommends a TTL (Time to live) of 1 hour for both CNAME records. Your system administrator can create the CNAME records for you in the DNS.

   It is allowed to already make the request with AFAS before the CNAME records are created. In this case, the request will be rejected with the option to have the request reassessed. It is also mandatory that you already have the AFAS Online SPF record configured before making this request.

Step 2: Settings in the Profit environment

1. You will receive a username and password through the request. Configure these as follows in Profit:
   1. Open the environment.
   2. Go to: General / Environment / Management / Properties.
   3. Go to the tab E-mail.
   4. Select Apply DKIM in relation to outgoing emails and enter the email address and password.
2. The figure below includes example data. Enter your own data.

   

After the configuration, your emails will be sent after applying DKIM encryption.

DKIM request for an extra domain

Image you once requested enyoi.nl and this domain works how you like it. You recently opened a site in Belgium and now want that the emails on behalf of enyoi.be are DKIM signed. In this case, you must restart the request and enter enyoi.be. The same checks are carried out. Only the steps in Settings in Profit are no longer necessary. AFAS will indicate that you already have a username and password in the request and that you do not again have to define them somewhere. When the request has been completed, the email messages that you send on behalf of enyoi.be will also be signed with DKIM.

Configure the checking policy for recipients on the sender's domain (DMARC)

You can use DMARC. In relation to DMARC, you can specify with a registration (DMARC record) on the domain from where you send emails how you want recipients to handle specific checks (such as DKIM and SPF) for emails that are sent (or seem to be sent) from your domain. This will help to limit spam or emails that are not really sent on behalf of your organisation.

Since DMARC is a setting on your domain, this is something that you can configure yourself as an organisation. This is not a setting that you need to request from AFAS and AFAS does not offer support with regard to this. Contact the administrator of your domain or mail servers. If you send your outgoing email through the AFAS mail server; read how you can configure SPF and DKIM above.

For more Information, please refer to

• https://www.dmarcanalyzer.com/nl/dmarc-2/
• https://www.sparkpost.com/resources/email-explained/dmarc-explained

SendGrid (sending large quantities of email)

SendGrid is a party who specialises in sending (large quantities) of emails. In addition, they offer all types of tools to analyse your email flow.

With SendGrid, it is recommended to choose a subscription type with a dedicated IP address. This is a more expensive subscription type, but it will prevent email from being sent through a shared IP address, which may mark your email as spam.

Please note:

AFAS does not offer support with regard to the configuration of SendGrid; contact SendGrid yourself with regard to this.

Configure SendGrid:

1. Register on the signup.sendgrid.com page.
2. Create an SMTP Relay by using the next page.

   

3. Copy the created API key and keep it on your PC. You need it for the configurations in Profit.
4. Leave the SendGrid page open.

Configure Profit:

1. Open the environment.
2. Go to: General / Environment / Management / Properties.
3. Go to the tab E-mail.
4. Select SMTP in the Mail server type field.
5. Server for outgoing mail: smtp.sendgrid.net
6. Port for outgoing mail: 465
7. Select Enforce secure communication and SMTP server requires verification.
8. Username: apikey
9. Password: the previously copied API key.

   

10. Go to the SendGrid page and click Verify integration.
11. Go to Profit and send an email with the Test button.

The recipients of email that you send through SendGrid will see ‘via sendgrid.net’ in the received email.

If you do not want this, apply ‘domain authentication’ in the configuration within your DNS and SendGrid. The message will disappear from emails that are subsequently sent. This will have a positive impact on your reputation as a sending party.