Skip to Content
Technical Articles
Author's profile photo Venkata Subbarayudu Panguluri

DKIM Enablement for Sender Domains – ByD

Background

In SAP Business ByDesign you can use e-mail as communication channel in various scenarios communicating with your employees and business partners, and SAP Business ByDesign allows you to configure sender e-mail addresses.

These sender e-mail addresses are subject to authentication checks of modern e-mail infrastructures using security measures such as Domain Keys Identified Mail (DKIM).

As part of our ongoing efforts to incorporate e-mail security and to pre-empt any e-mail spoofing attempts as well as to ensure e-mail delivery in line with commonly used security standards, we are making it mandatory for you – our customers – to enable DKIM on your sender e-mail domains.

Please request to enable DKIM for your e-mail sender domains, please find below more information and procedure:

  1. How to request DKIM key for your e-mail sender domain address?

Please create an incident to SAP Business ByDesign Support providing the below mentioned details.

Subject: Request to enable DKIM for ByD Business E-Mails

Content of the Incident:

  • Sender domain address details that is used from your tenant to relay Business e-mails. (Example: test.com, abc.uk for scenarios like Tickets, customer invoice, order confirmation, etc.)

Note 1 – In case if you have multiple domains, please provide the complete list. (Including Sub-Domains if any)

Note 2 – A common DKIM key is generated if there are multiple domains.

Note 3 – It is now Mandatory and best practice to not use the domains that are NOT signed with DKIM key for relaying e-mails from your ByD tenant. E-mails will be not be delivered if DKIM is not enabled. (In other words, it is recommended to DKIM sign all sender domains used by a ByD tenant rather than part of the domains)

Note 4 – The DKIM key that will be generated and provided to you is meant for ALL your environments. (Test + Production) (i.e.: the key is independent of your ByD tenant)

  1. Overview of the Execution steps for enabling DKIM Key

The Service Request takes approximately 2 weeks of time for enabling and implementing

  • First we should get the domain details as mentioned in Note 1. (mentioned above)
  • DKIM key will be generated from our side (with Key Size – 1024 Bit) for the domains provided.
  • Public Key and Selector details will be shared to customer.
  • Customer must create a DKIM TXT record in their DNS Servers.

NOTE: In case if you have multiple domains, please mention all the domain names, and only one key is provided by default for all the domains. Maintain the same DKIM key for all the domains.

  • Check if the key is maintained correctly through external tools by providing the “Domain” and “Selector” details.
    Example: https://dkimcore.org/tools/keycheck.html
  • Once the key is correctly maintained, send the incident back to SAP for activating the key.
  • SAP will activate the key for the mentioned domains and will close the incident.
  1. How to check DKIM key for a sender domain once DKIM TXT record is updated in your DNS Servers?

Please use any external tool like https://dkimcore.org/tools/keycheck.html → Provide the “Selector” and “Domain” details → click on button “Check”, You should be seeing a record similar to below (This is a valid DKIM record):

 

FAQ’s

  1. What is DKIM and Advantages of enabling DKIM key for Business Mails?

DKIM (Domain Keys Identified Mail) is an e-mail authentication technique that allows the receiver to
check that an email was indeed send and authorized by the owner of that domain. This is done by
giving the email a digital signature. This DKIM signature is a header that is added to the message and is secured with encryption.

  • Implementing DKIM will improve email deliverability
  • Prevents from E-mail spoofing
  • Makes mails trustworthy
  1. More details about e-mail Authentication (SPF, DKIM)

The solution includes support for validating and performing email authentication with SPF (Sender policy framework) and DKIM (Domain key signing). While SPF is a DNS txt record which publishes trusted outbound IP for the given domain, DKIM requires to sign each message with a proper key that matches the sending domain within the message body. The Email service  allows to configure DKIM keys and profiles to perform that action for all customers whereas DKIM profiles are being used.

  1. How to check if e-mail messages sent from SAP Business ByDesign Tenant is DKIM signed, and for which domain is it DKIM signed?

Check the mail headers: “header.i”, “header.s”, “header.from” of the received E-Mail, in the section “Authentication-Results”: In this section we should see the domain and selector details of the DKIM key.

  1. Can customer choose their own selector while requesting a DKIM key?

A standard and unique selector is provided for each customers domain(s) so it is not possible to deliver the DKIM keys with custom selectors that are requested by Customers

  1. Is DKIM Key enabled by default for your sender domain during the migration to new E-Mail infra (CISCO)?

No, an explicit request has to be created for DKIM key creation for your sender domains which are used for relaying Business Mails from your SAP Business ByDesign tenant

  1. Is the same DKIM key valid for both test environment and production environment?

Yes, the same key is valid for both the environments Production and Test.

  1. How SAP is handling private keys so that they are protected and not misused? And what is the plan if key is compromised

The secrets are stored in the email service without the ability to retrieve them.

If a private key is compromised, then SAP will inform the customer and generate a new DKIM key and update the customer (same process as mentioned above in the overview of execution steps).

8. If the e-mails are sent with DoNotReply@myxxxxxx.mail.sapbydesign.com address that is registered in the Default Sender Address, should you still request DKIM

No, not needed. DKIM should be requested for all the domains that you own and are used to send e-mails from BYD application

Conclusion:

We hope that this article provides clarity on how to get your sender domains DKIM enabled, which is more reliable and secure.

Assigned Tags

      18 Comments
      You must be Logged on to comment or reply to a post.
      Author's profile photo Genevieve Arseneault
      Genevieve Arseneault

      Hello,

      I have two questions regarding the activation of DKIM:

      1) If a customer is currently in a test system do we need to order DKIM from the test system so that it is ready when the customer goes live?

      2) If the emails are sent with the DoNotReply@myxxxxxx.mail.sapbydesign.com address that is registered in the Default Sender Address. Should we request DKIM for the domain myxxxxxx.mail.sapbydesign.com?

      Best regards,

      Geneviève

      Author's profile photo Venkata Subbarayudu Panguluri
      Venkata Subbarayudu Panguluri
      Blog Post Author

      Hello - Thank you, please find my response inline

      1) If a customer is currently in a test system do we need to order DKIM from the test system so that it is ready when the customer goes live?

      [Response] - Yes please. If your domains are ready, please go-ahead and request for DKIM. As outlined in Note 4 of section 1 of the blog: DKIM key that will be generated and provided to you is meant for ALL your environments (Test + Production)

      2) If the emails are sent with the DoNotReply@myxxxxxx.mail.sapbydesign.com address that is registered in the Default Sender Address. Should we request DKIM for the domain myxxxxxx.mail.sapbydesign.com?

      [Response] - No action required, if the domain is not owned by you. So, no need to request DKIM for mail.sapbydesign.com. You should be able to use it without any action from your end

      Regards,

      Subbu

      Author's profile photo Marco Trautmann
      Marco Trautmann

      How can I check that SAP correctly activated DKIM? I understand that we must ensure this before end of March?

      Is it recommend to also activate DKIM for test systems? I would appriciate that for test systems, this would not be required.

      Author's profile photo Venkata Subbarayudu Panguluri
      Venkata Subbarayudu Panguluri
      Blog Post Author

      Hello - Thank you.

      How can I check that SAP correctly activated DKIM?

      [Response] After activating DKIM from our end, we will attach the screenshot (You can request in the ticket if that's not provided from us)

      I am sorry to say that this is application for All environments (Test + Prod)

       

      Regards,

      Subbu

      Author's profile photo Oliver Varoß
      Oliver Varoß

      What happens, if we do NOT request to enable DKIM? We don't use DKIM for our normal E-Mail system we use spf. So it is no option for us to enable DKIM for SAP.

      Author's profile photo Venkata Subbarayudu Panguluri
      Venkata Subbarayudu Panguluri
      Blog Post Author

      Hello,

      Outbound e-mails sent from SAP Business ByDesign using sender e-mail domains that are not DKIM signed can no longer be delivered to e-mail recipients.

      Author's profile photo Abolfazl Avazeh
      Abolfazl Avazeh

      Hello,

      if customer doesn't use sending email function from ByDesign, is there any impact to skipping this setting?

       

      Thank you,

      Avazeh

      Author's profile photo Venkata Subbarayudu Panguluri
      Venkata Subbarayudu Panguluri
      Blog Post Author

      Hello,

      No action required if e-mail functionality is not used

      Thank you,

      Subbu

      Author's profile photo Abolfazl Avazeh
      Abolfazl Avazeh

      Thanks for your reply.

      I have 2 more questions:

      1. We are using office 365. If we set the DKIM key generated by SAP side in our DNS server, is there any impact on our other daily emails that are not sent from ByDesign?
        On the other hand, Does it cause encrypting all emails from the target DNS server? or only Emails from ByDesign are targets?
      2. If in the future, we set another DKIM key for other purposes in the same DNS server, is it possible? Can we set several DKIM keys in the same DNS Server?

      Best Regards,

      Avazeh

      Author's profile photo Venkata Subbarayudu Panguluri
      Venkata Subbarayudu Panguluri
      Blog Post Author

      Hello,

      [Updated]

      1. There will be no impact to other e-mails that are not sent from SAP ByD. DKIM check will be done only for the e-mails sent from SAP ByD. Regarding encryption: DKIM just signs (takes email body and signs it with a key), domain verification will be done by DKIM
      2. I would request you to please reach out to your Network team who maintain your DNS. They would be the best colleagues to confirm as i do not have any knowledge on how your DNS is setup and the settings maintained. However one clue: We should be able to maintain multiple keys for same domain as each key can have a unique selector (I mean - Yes, its possible)

      Regards,

      Subbu

      Author's profile photo Paul Kalina
      Paul Kalina

      Hi Abolfazl,

       

      The selection of the DKIM key is done using the DKIM selector which is send in the email header. The selector identifies the specific DKIM public key that exists in the DNS.

      so for example:

      your domain is: companyabc.com.au

      selector is: byd-busi-my123456-companybac.com.au

      The key and the selector is provided by the SAP support team but you need to add it to your public DNS.

       

      Regards

      Paul

       

      Author's profile photo Esmeralda Gonzalez
      Esmeralda Gonzalez

      Buen día

       

      Tengo 2 preguntas

      1. Nosotros no usamos el servidor de correo dentro de sap, pero si recibo correos informativos directamente de sap desde estas cuentas a mi correo electronico. Si no solicitamos habilitar el DKIM dejare de recibirlos?

      byd_partner_engagement_office@mailsap.com
      byd_customer_engagement_office@sap.com
      sapcloudsupport@alerts.ondemand.com
      notification-service@sap.com

      2. Tenemos desarrollos e interfaces, como por ejemplo el pack de timbrado; para estos dominios se debe solicitar el DKIM?

       

      Author's profile photo Venkata Subbarayudu Panguluri
      Venkata Subbarayudu Panguluri
      Blog Post Author

      Hello - If I understood your question right, you would like to check if you will still receive notifications from SAP if you do not enable DKIM:

      [Response] Yes, you will still receive notifications from SAP

      You should enable DKIM for the domains you own, no action required if you do not use any of your domains as sender domain from SAP ByD application

       

      Regards,

      Subbu

      Author's profile photo Pierre Braun
      Pierre Braun

      Hello,

      we have already done DKIM enablement in 2021.

      Now we need to enable additional e-mail domains.

      Can we have these additional domains added to the already excisting key?

       

      Kind regards,

      Pierre

      Author's profile photo Venkata Subbarayudu Panguluri
      Venkata Subbarayudu Panguluri
      Blog Post Author

      Hello - Yes please

      As you did earlier, please raise a ticket with additional domains (Please mention the DKIM public key and selector you used in your DNS for reference)

      Regards,

      Subbu

      Author's profile photo Dietmar Miller
      Dietmar Miller

      Hello,

      could you please de-activate the reminder for customers which already have DKIM enabled?

      Kind regards,

      Dietmar

      Author's profile photo Venkata Subbarayudu Panguluri
      Venkata Subbarayudu Panguluri
      Blog Post Author

      Hello - We are sending out reminders with a remark that customers who have already finished with DKIM configurations should ignore the reminder notification. We understand that it is an irritant to keep getting this e-mail even though you have finished with your DKIM configurations. Please bear with us for some more time, because at present, it is not possible to segregate the notification for customers who have already finished DKIM configurations and those who have not. We completely understand that this is an irritation and please rest assured that we will stop these notifications within some time

      Regards,

      Subbu

      Author's profile photo Patrick Klingenmaier
      Patrick Klingenmaier

      Hello Dietmar,

      My name is Patrick and we are facing also the DKIM-Topic in our C4C-Project. Are you able to have a short call for that topic. I wantet to talk with someone who implementeted this feature already. My Mail-Adress is: patrick.klingenmaier@mapal.com

      Thanks in advance

      Best regards,

      Patrick