Skip to Content

Using SAP Business ByDesign you have the possibility to send business e-mails from ByD in context of multiple business scenarios or triggered from administrative tasks. The most popular examples are customer invoices or order confirmations send to customers using e-mail as output channel.

In such scenarios the receiving mail exchange server may check the incoming e-mail and apply some scoring. Junk e-mails (spam) and phishing e-mails often use forged sender e-mail addresses.
E-mail validation using SPF (Sender Policy Framework) is often used as anti-spam technique to verify if the sending host is authorized by the domain owner to send e-mails using the domain as author/sender.

 

Let’s consider an e-mail example first:

Assume the company “Almika Inc.” is located on the ByD tenant with host name “my123456.sapbydesign.com” and sends a customer invoice using e-mail to the account “Kate Jacob“.

Then the incoming e-mail at Kate Jacob’s e-mail server may look as following:

Sending server IP: SAP uses Cyren eXpurgate as e-mail security gateway and hence the sending server IP points to a Cyren eXpurgate server (see as well note 2073170)
Envelope-from: dsn@my123456.mail.sapbydesign.com
From:

invoicing@almica.com 

Originator field “From” according RFC5322, configured in the ByD output channel selection); SPF measure for better scoring, authorizing the envelope-from and sending server IPs to send e-mails for this RFC5322.From

To:

jacob@example-customer.de 

Destination address field “To” according RFC5322, entered in the ByD customer invoice document or picked from the ByD account master data)

 

Using SPF measures, Kate Jacob or her e-mail recipient provider may check the incoming e-mail

  1. if the sending server IP is permitted to send e-mails with envelope-from domain mail.sapbydesign.com,
  2. or for better scoring against spam, if the sending server IP and the envelope-from domain mail.sapbydesign.com are authorized to send e-mails with From-address invoicing@almica.com.

 

How to create SPF records?

Per default SAP does not create SPF DNS records (aka. SPF-RR) to register the Cyren sender domain and IP range as permitted sending hosts for the technical envelope-from domain myXXXXXX.mail.sapbydesign.com used by ByD tenants.

This may lead on receiver side to the e-mail SPF status like for example: “received-spf: None (protection.outlook.com: my123456.mail.sapbydesign.com does not designate permitted sender hosts)“.

The domain “*. mail.sapbydesign.com” is managed by SAP and hence SAP can create SPF records in the SAP external facing DNS to authorize Cyren sending servers to send e-mails with the tenant-specific envelope-from domain “myXXXXXX.mail.sapbydesign.com”.

The domain used in the originator field “From” is managed by the SAP customer or some e-mail service provider and hence the SAP customer has to take care creating the SPF records. However, SAP can help you to create the SPF records by providing the sending server IPs and envelope-from domains.

Please follow the following process to create SPF records for your ByD tenant:

SPF records to verify sending server IP vs. envelope-from:

  1. Create a ByD incident with the request to create SPF records for your productive tenant. Provide your tenant hostname and refer to this blog post in the incident details.
  2. SAP creates SPF records

SPF records to verify RFC5322.from vs. envelope-from and sending server IPs:

  1. Create a ByD incident with the request to provide the envelope-from domain and sending server IPs used for outgoing e-mails send by ByD for the purpose of creating SPF records. Provide your tenant hostname and refer to this blog post in the incident details.
  2. SAP provides the envelope-from domain and sending server IPs used for sending e-mails by your ByD tenant via the ByD incident.
  3. Create the SPF records according your company policies.
To report this post you need to login first.

3 Comments

You must be Logged on to comment or reply to a post.

  1. Renaud Wanschoor

    Hi Knut,

    I have two questions:

    • Do you know if we can make DMARC work with only SPF activated ? I don’t manage to do that. On our domain there is a DMARC policy and all mails fall in spam. In received mail i have spf:passed, dkim:none, dmarc:fail. SAP support told us dkim is not supported, but on dmarc.org website they say it is possible to do dmarc with only spf.

     

    • Do we need to include the envelope from domain in a “a:” mechanism or in a “include:” mechanism in our own domain SPF record ?

    Little disclaimer, we are on cloud for Customer, but i understood the technical Platform is the same (crm.ondemand.com instead of sapbydesign.com and emails are coming from expurgate as well)

    Thanks !

    Regards

    Renaud

    (0) 
    1. Knut Heusermann Post author

      Hi Renaud,

      could you please submit your topic as question to the community with primary tag “SAP Hybris Cloud for Customer” to reach a broader community incl. C4C infrastructure experts? You are welcome to refer to this blog.

      Thanks, Knut

      (0) 

Leave a Reply