SAP is going to change the e-mail infrastructure used for business e-mails sent from SAP Business ByDesign (ByD). The new e-mail infrastructure supports Domain Keys Identified Mail (DKIM), which allows you to digitally sign your business e-mails.
What are the upcoming changes?
With transition to the new e-mail infrastructure, the sending server IP used to deliver e-mails sent from ByD will change.
What remains unchanged?
All other e-mail properties remain unchanged. This applies specifically to
- Envelope-from (for example firstname.lastname@example.org)
- Sender e-mail address (e-mail from-header) taken from your business configuration or master data settings in ByD (for example email@example.com)
Note: These changes are not relevant for bulk e-mails in context of marketing campaigns sent from ByD, which already supports DKIM functionality.
What does this mean for you?
- SAP takes care to create SPF records for your ByD tenants.
- In case you set IP whitelisting for receiving E-Mails in your Infrastructure or SPF records that you created in your own DNS or in case if you have any throttling on your E-Mail server based on IP address, then you need to take action. Please refer to FAQ section below
- For enabling DKIM for your sender Domain, Please refer to FAQ section below
There are two types of E-mail scenarios in Business ByDesign:
Business E-Mails: E-mail messages sent through Tickets, customer invoice, order confirmation, etc. are all referred to business e-mail scenarios
- Here E-mails are relayed from ByD (SAP Network) – Business Mail Service Provider – Recipients.
- Business E-Mails are enabled with SPF policy only and based on request
- Business E-Mails are sent through these IP address/range – 220.127.116.11/32 ip4:18.104.22.168/32
- SPF record for the business mails are updated on the technical from/Mail From/Envelope-From address, which is always dsn@myXXXXXX.mail.sapbydesign.com or dsn@myXXXXXX.mail.sapbyd.cn
Bulk/Mass E-Mails: E-mail messages sent through Marketing/Campaign are referred as Bulk/Mass E-Mail
- Bulk E-mails are relayed from ByD (SAP Network) – Bulk Mail Service Provider – Recipients
- Bulk E-Mails are enabled with DKIM policy
- Bulk E-Mails are sent through this IP address/range – 22.214.171.124/32, 126.96.36.199/23, 188.8.131.52/27, 184.108.40.206/23, 220.127.116.11/22
- DKIM key is enabled for a customer sender domain and tenant based on request
Note – There are different service providers for business mail and for bulk mail.
Business E-Mails – E-mail messages sent through Ticket, customer invoice, order confirmation, etc. are all referred to business e-mail scenarios
- Business E-Mails are relayed from ByD (SAP Network) – CISCO Mail device (SAP Network) – Recipients
- Business E-Mails will be enabled with SPF policy by default
- Business E-Mails are sent through these IP range/address – 18.104.22.168/30, 22.214.171.124/30, 126.96.36.199/31,188.8.131.52/31
- SPF record for the business mails are updated on the technical from/Mail From/Envelop-From address, which is always
- dsn@myXXXXXX.mail.sapbydesign.com or dsn@myXXXXXX.mail.sapbyd.cn
- Example: SPF record for domain: myXXXXXX.mail.sapbydesign.com or myXXXXXX.mail.sapbyd.cn would look like: “v=spf1 include:_spf.cmail.ondemand.com ~all“
- Business E-Mails are sent with DKIM key signed – This is done based on “Explicit Request“, how to request DKIM key for your sender domains that are used in ByD sending Business E-Mails is mentioned below
Example: DKIM record for sender domain looks like:
Bulk/Mass E-Mails – The bulk E-Mail scenario remains the same for now.
- How to request DKIM key for your E-Mail sender domain address?
Please create an incident to SAP Business ByDesign Support providing the below mentioned details
Subject: Request to enable DKIM for ByD Business E-Mails
Content of the Incident:
- Sender Domain address details that is used from your tenant to relay Business Mails (Example: test.com, abc.uk for scenarios like Tickets, customer invoice, order confirmation, etc.)
NOTE 1 – In case if you have multiple domains, please provide the complete list (Including Sub-Domains if any)
NOTE 2 – A common DKIM key is generated if there are multiple domains
NOTE 3 – It is recommended and best practice to not use the domains that are not signed with DKIM key for relaying mails from your ByD tenant, as there are possibilities they might be classified as SPAM by some recipient servers (In other words, it is recommended to DKIM sign all sender domains used by a ByD tenant rather than part of the domains)
NOTE 4 – The DKIM key that will be generated and provided to you is meant for ALL your environments (Test + Production) (i.e.: the key is independent of your ByD tenant)
- Overview of the Execution steps for enabling DKIM Key
The Service Request takes approximately 2 weeks of time for enabling and implementing
- Once we get the domain details as mentioned in FAQ’s section point 1
- DKIM key will be generated from our side (with Key Size – 1024 Bit)
- Public Key and Selector details will be shared to customer
- Customer must create a DKIM TXT record in their DNS Servers
NOTE: In case if you have multiple domains, please mention all the domains name, and only one key is provided by default for all the domains. Maintain the same DKIM key for all the domains.
- Check if the key is maintained correctly through external tools by providing the “Domain” and “Selector” details
- Once the key is correctly maintained, send the incident back to SAP for activating the key.
- SAP will activate the key for the mentioned domains and will close the incident.
- What is DKIM and Advantages of enabling DKIM key for Business Mails?
DKIM (Domain Keys Identified Mail) is an e-mail authentication technique that allows the receiver to
check that an email was indeed send and authorized by the owner of that domain. This is done by
giving the email a digital signature. This DKIM signature is a header that is added to the message and is secured with encryption.
- Implementing DKIM will improve email deliverability
- Prevents from E-mail spoofing
- Makes mails trustworthy
- What is SPF and Advantages of enabling SPF record for Business Mails?
The Sender Policy Framework (SPF) is an email-authentication technique which is used to prevent spammers from sending messages on behalf of your domain. The SPF record is checked on “Envelope-From/Mail-From/Technical Sender” address
- By enabling this it is determined which e-mail servers are authorized to relay an e-mail.
- How to check SPF record?
Use any External Tool like https://mxtoolbox.com/SuperTool.aspx → Provide the domain as myXXXXXX.mail.sapbydesign.com or myXXXXXX.mail.sapbyd.cn
- How to check DKIM key for a sender domain once DKIM TXT record is updated in your DNS Servers?
External Tool like https://dkimcore.org/tools/keycheck.html → Provide the “Selector” and “Domain” details → click on button “Check”, You should be seeing a record similar to below
- SPF and DKIM policies are checked on which domains for Outbound Mail Scenario?
These checks are done at recipient Mail Server, in general mails sent from SAP Business ByDesign application have headers similar to the following:
SPF Check is done on – “Envelop-From” address
DKIM Check is done on – “From Address”
Recipient Address: <Independent details>
Subject: <Independent details>
- Can the “Envelop-From” address be overwritten to the same as “From Address”
NO, this is not possible and not supported in the solution
From Address: <>@abc.com
Envelope-From Address: <>@abc.com
- Can the customer point their ByD tenant to their own Mail infrastructure?
NO, this is not possible and not supported in SAP Business ByDesign.
- In case of special request or any queries which are not covered above
Please create an incident to SAP Business ByDesign Support
- What is the size limit of an Outbound and Inbound E-mail sent/received at SAP Business ByDesign application?
Mail size can be maximum of 25MB (Including attachments)
- How to check if e-mail messages sent from SAP Business ByDesign Tenant is DKIM signed, and for which domain is it DKIM signed?
Check the mail headers: “header.i”, “header.s”, “header.from” of the received E-Mail, in the section “Authentication-Results”: In this section we should see the domain and selector details of the DKIM key.
- Whether mail is relayed securely from our mail relay server(CISCO)
Yes, the E-Mail is relayed securely with TLSv1.2 protocol by default, and incase if the target/recipient mail infra doesn’t support TLSv1.2 protocol a fall back protocol is used.
NOTE: It is currently recommended to ensure that your mail servers support TLSv1.2 protocol because in future TLSv1.1 and TLSv1.0 will be disabled by our E-Mail servers for both Outbound and Inbound Mails.
- What are the attachment types that are “NOT Allowed” at our CISCO mail server?
E-mails containing one of the following file types currently fall into the category “dangerous attachment”:
ade, adp, app, asp, bas, bat, bhx, cab, ceo, chm, cmd, com, cpl, crt, csr, der, exe, fxp, hlp, hta, inf, ins, isp, its, js, jse, lnk, mad, maf, mag, mam, mar, mas, mat, mde, mim, msc, msi, msp, mst, ole, pcd, pif, reg, scr, sct, shb, shs, vb, vbe, vbmacros, vbs, vsw, wmd, wmz, ws, wsc, wsf, wsh, xxe, docm, xlsm
This also applies if attachments with these extensions are found in the following (password-protected) archives:
arj, cab, jar, lha, rar, tar, zip, gz
- Can customer choose their own selector while requesting a DKIM key?
A standard and unique selector is provided for each customers domain(s) so it is not possible to deliver the DKIM keys with custom selectors that are requested by Customers
- In case if you have any throttling on your E-Mail server based on IP address (Like – How many E-mails can be sent in a period?) or any white listing was done based on old IP address, what are the actions that should be taken?
You should white list following IP addresses at your side: 184.108.40.206/30, 220.127.116.11/30, 18.104.22.168/31,22.214.171.124/31
- What is the IP address through which E-Mails are sent from your ByD tenant?
Following are the IP address through which your E-Mails will be sent from your ByD tenant: 126.96.36.199/30, 188.8.131.52/30, 184.108.40.206/31,220.127.116.11/31
- Is DKIM Key enabled by default for your sender domain during the migration to new E-Mail infra (CISCO)?
No, an explicit request has to be created for DKIM key creation for your sender domains which are used for relaying Business Mails from your SAP Business ByDesign tenant
- Is the same DKIM key valid for both test environment and production environment?
Yes, the same key is valid for both the environments Production and Test.
- E–mails sent with this domain “donotreply@myXXXXXX.mail.sapbydesign.com” / “donotreply@myXXXXXX.mail.sapbyd.cn” are signed with DKIM key?
No, E-mails sent with this domain are not signed with DKIM key.
- In case if you have added the Old IP address in the SPF record of your domains (example: abc.com), is there any need to adapt it with the new IP address
Yes, please add new IP address given below
Old IP address for sending Business Mails: ip4:18.104.22.168/32 ip4:22.214.171.124/32
New IP address for sending Business Mails: include:_spf.cmail.ondemand.com
- Will, there be any change to “Inbound Mail” route?
The “Inbound Business Mail” path is NOT part of this change. Separate communication will be sent for the change to “Inbound business mail” path
23. What is the schedule to switch the systems to New E-Mail host?
Detailed Change scheduled was already communicated via E-mail, below is the plan:
|Data Center||Test Systems||Production Systems|
|Sydney||4th Oct 2019 18:00 to 22:00 UTC||26th Oct 2019 15:00 to 19:00 UTC|
|Shanghai||4th Oct 2019 18:00 to 22:00 UTC||26th Oct 2019 15:00 to 19:00 UTC|
|St. Leon Rot AND FRANKFURT||5th Oct 2019 00:00 to 04:00 UTC||26th Oct 2019 22:00 UTC to 27th Oct 2019 02:00 UTC|
|New Town Square||5th Oct 2019 07:00 to 11:00 UTC||27th Oct 2019 04:00 to 08:00 UTC|
- What if customer doesn’t want DKIM enabled for their sender domain and doesn’t have any IP white listing/throttling/SPF record updated with old sap address?
Outbound Business Mails will still be sent out from your ByD tenant even after the above mentioned timelines, and customer doesn’t have to take any action
25. Are there any Exception domains for which DKIM key cannot be created from our side?
DKIM key cannot be created for following Domains: gmail.com, yahoo.com, Hotmail.com, outlook.com, sap.com
We hope that this article provides clarity on migration of ByD customers to the new E-mail infrastructure, which is more reliable and secure.