E-Mail Validation using SPF for SAP Business ByDesign

Using SAP Business ByDesign you have the possibility to send business e-mails from ByD in context of multiple business scenarios or triggered from administrative tasks. The most popular examples are customer invoices or order confirmations send to customers using e-mail as output channel.

In such scenarios the receiving mail exchange server may check the incoming e-mail and apply some scoring. Junk e-mails (spam) and phishing e-mails often use forged sender e-mail addresses.
E-mail validation using SPF (Sender Policy Framework) is often used as anti-spam technique to verify if the sending host is authorized by the domain owner to send e-mails using the domain as author/sender.

***

SAP Business ByDesign moved to a new e-mail infrastructure in 2022. You find all details in the blogs post:

• DKIM Enablement for Sender Domains – ByD
• Next-Generation Cloud Delivery transition – New Business ByDesign E-mail Infrastructure

***

Let’s consider an e-mail example first:

Assume the company “Almika Inc.” is located on the ByD tenant with host name “my123456.sapbydesign.com” and sends a customer invoice using e-mail to the account “Kate Jacob“.

Then the incoming e-mail at Kate Jacob’s e-mail server may look as following:

Using SPF measures, Kate Jacob or her e-mail recipient provider may check the incoming e-mail

1. if the sending server IP is permitted to send e-mails with envelope-from domain mail.sapbydesign.com,
2. or for better scoring against spam, if the sending server IP is authorized to send e-mails with From-address invoicing@almica.com.

How to create SPF records?

Per default SAP does not create SPF DNS records (aka. SPF-RR) to register the Cyren sender domain and IP range as permitted sending hosts for the technical envelope-from domain myXXXXXX.mail.sapbydesign.com used by ByD tenants.

This may lead on receiver side to the e-mail SPF status like for example: “received-spf: None (protection.outlook.com: my123456.mail.sapbydesign.com does not designate permitted sender hosts)“.

The domain “*. mail.sapbydesign.com” is managed by SAP and hence SAP can create SPF records in the SAP external facing DNS to authorize Cyren sending servers to send e-mails with the tenant-specific envelope-from domain “myXXXXXX.mail.sapbydesign.com”.

The domain used in the originator field “From” is managed by the SAP customer or some e-mail service provider and hence the SAP customer has to take care creating the SPF records. However, SAP can help you to create the SPF records by providing the sending server IPs and envelope-from domains.

Please follow the following process to create SPF records for your ByD tenant:

SPF records to verify sending server IP vs. envelope-from:

1. Create a ByD incident with the request to create SPF records for your productive tenant. Provide your tenant hostname and refer to this blog post in the incident details.
2. SAP creates SPF records

SPF records to verify RFC5322.from vs. sending server IPs:

1. Create a ByD incident with the request to provide the envelope-from domain and sending server IPs used for outgoing e-mails send by ByD for the purpose of creating SPF records. Provide your tenant hostname and refer to this blog post in the incident details.
2. SAP provides the envelope-from domain and sending server IPs used for sending e-mails by your ByD tenant via the ByD incident.
3. Create the SPF records according your company policies.