Knut Heusermann

E-Mail Validation using SPF for SAP Business ByDesign

With SAP Business ByDesign (ByD) you can send business e-mails in the context of multiple business scenarios or triggered by administrative tasks. The most popular examples are customer invoices or order confirmations sent to customers using e-mail as the output channel.

In such scenarios the receiving mail exchange server may check the incoming e-mail and apply some scoring. Junk e-mails (spam) and phishing e-mails often use forged sender e-mail addresses.
E-mail validation using SPF (Sender Policy Framework) is often used as an anti-spam technique to verify whether the sending host is authorized by the domain owner to send e-mails using the domain as author/sender.


SAP Business ByDesign moved to a new e-mail infrastructure in 2022. You can find all details in the blog post:



Let’s consider an e-mail example first:

Assume the company “Almika Inc.” is located on the ByD tenant with host name “” and sends a customer invoice by e-mail to the account “Kate Jacob”.

Then the incoming e-mail at Kate Jacob’s e-mail server may look as follows:

Sending server IP: SAP uses Cyren eXpurgate as its e-mail security gateway and hence the sending server IP points to a Cyren eXpurgate server.

Originator field “From” according to RFC5322 (configured in the ByD output channel selection); SPF measure for better scoring: authorizing the envelope-from and sending server IPs to send e-mails for this RFC5322.From.

Destination address field “To” according to RFC5322 (entered in the ByD customer invoice document or picked from the ByD account master data).


Using SPF measures, Kate Jacob or her receiving e-mail provider may check for the incoming e-mail

  1. whether the sending server IP is permitted to send e-mails with the envelope-from domain,
  2. or, for better scoring against spam, whether the sending server IP is authorized to send e-mails with the From address.


How to create SPF records?

By default SAP does not create SPF DNS records (aka SPF-RR) to register the Cyren sender domain and IP range as permitted sending hosts for the technical envelope-from domain used by ByD tenants.

On the receiver side this may lead to an e-mail SPF status such as: “received-spf: None ( does not designate permitted sender hosts)”.

The domain “*.” is managed by SAP and hence SAP can create SPF records in the SAP external facing DNS to authorize Cyren sending servers to send e-mails with the tenant-specific envelope-from domain “”.

The domain used in the originator field “From” is managed by the SAP customer or some e-mail service provider, and hence the SAP customer is responsible for creating the SPF records. However, SAP can help you to create the SPF records by providing the sending server IPs and envelope-from domains.

Please use the following process to create SPF records for your ByD tenant:

SPF records to verify sending server IP vs. envelope-from:

  1. Create a ByD incident with the request to create SPF records for your productive tenant. Provide your tenant hostname and refer to this blog post in the incident details.
  2. SAP creates the SPF records.

SPF records to verify RFC5322.From vs. sending server IPs:

  1. Create a ByD incident with the request to provide the envelope-from domain and sending server IPs used for outgoing e-mails sent by ByD for the purpose of creating SPF records. Provide your tenant hostname and refer to this blog post in the incident details.
  2. SAP provides the envelope-from domain and sending server IPs used for sending e-mails by your ByD tenant via the ByD incident.
  3. Create the SPF records according to your company policies.
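
The two receiver-side checks and the effect of the records created in this process, as an added example (not code from SAP or from the original post): a small evaluator for the `ip4`, `ip6`, `include` and `all` mechanisms of RFC 7208, run against constructed TXT records. All domains and IP ranges are placeholders; the real envelope-from domain and sending server IPs are the ones SAP provides via the incident.

```python
import ipaddress

# Constructed DNS TXT data: placeholder domains and RFC 5737 ranges,
# not SAP's or Cyren's real values (those are provided via the ByD incident).
TXT = {
    # envelope-from domain of the tenant (record created by SAP)
    "tenant.byd.example": "v=spf1 ip4:192.0.2.0/24 -all",
    # RFC5322.From domain whose owner authorized the envelope-from domain
    "almika.example": "v=spf1 ip4:198.51.100.0/24 include:tenant.byd.example -all",
    # RFC5322.From domain that only lists its own mail servers
    "legacy.example": "v=spf1 ip4:198.51.100.0/24 -all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(domain, ip, depth=0):
    """Evaluate ip4, ip6, include and all (a subset of RFC 7208) for one IP."""
    record = TXT.get(domain.lower())
    if record is None or record.split()[:1] != ["v=spf1"]:
        return "none"       # no SPF record published for this domain
    if depth > 10:
        return "permerror"  # guard against include loops
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            matched = addr in ipaddress.ip_network(value, strict=False)
        elif name == "include":
            inner = check_spf(value, ip, depth + 1)
            if inner in ("none", "permerror"):
                return "permerror"
            matched = inner == "pass"
        else:
            raise NotImplementedError(f"mechanism not covered here: {term}")
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"        # no mechanism matched and no "all" term

def check_message(sending_ip, envelope_from_domain, from_domain):
    """Run both checks from the list above for one incoming e-mail."""
    return {"envelope-from": check_spf(envelope_from_domain, sending_ip),
            "from": check_spf(from_domain, sending_ip)}
```

With the constructed gateway IP `192.0.2.25`, both checks pass for `almika.example`, while `legacy.example` yields `fail` on the From check and a domain without any record yields `none`, the status quoted earlier in this post.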

      Manuel Peschke

      Thanks Knut! Very helpful tutorial!


      Renaud Wanschoor

      Hi Knut,

      I have two questions:

      • Do you know if we can make DMARC work with only SPF activated? I don't manage to do that. On our domain there is a DMARC policy and all mails fall in spam. In received mail I have spf:passed, dkim:none, dmarc:fail. SAP support told us DKIM is not supported, but on the website they say it is possible to do DMARC with only SPF.


      • Do we need to include the envelope-from domain in an "a:" mechanism or in an "include:" mechanism in our own domain SPF record?

      Little disclaimer, we are on Cloud for Customer, but I understood the technical platform is the same ( instead of and emails are coming from expurgate as well)

      Thanks !



      Knut Heusermann
      Blog Post Author

      Hi Renaud,

      could you please submit your topic as question to the community with primary tag "SAP Hybris Cloud for Customer" to reach a broader community incl. C4C infrastructure experts? You are welcome to refer to this blog.

      Thanks, Knut

      Musa Podile

      Hi guys

      I'm not receiving service requests that were created from Outlook in ByD anymore, what could be the problem?

      Knut Heusermann
      Blog Post Author

      Hi Musa,

      as your question is not related to the subject of this blog post, I would suggest that you either submit an SAP community question or a ByD incident.


      Hendrik Neumann

      Hi Knut,

      thank you for this helpful stuff!