DKIM Enablement for Sender Domains – ByD
In SAP Business ByDesign you can use e-mail as communication channel in various scenarios communicating with your employees and business partners, and SAP Business ByDesign allows you to configure sender e-mail addresses.
These sender e-mail addresses are subject to authentication checks of modern e-mail infrastructures using security measures such as Domain Keys Identified Mail (DKIM).
As part of our ongoing efforts to incorporate e-mail security and to pre-empt any e-mail spoofing attempts as well as to ensure e-mail delivery in line with commonly used security standards, we are making it mandatory for you – our customers – to enable DKIM on your sender e-mail domains.
Please request to enable DKIM for your e-mail sender domains, please find below more information and procedure:
- How to request DKIM key for your e-mail sender domain address?
Please create an incident to SAP Business ByDesign Support providing the below mentioned details.
Subject: Request to enable DKIM for ByD Business e-Mails / Bulk e-mails
Content of the Incident:
- Sender domain address details that is used from your tenant to relay Business e-mails / Bulk e-mails. (Example: test.com, abc.uk for scenarios like Tickets, customer invoice, order confirmation, etc.)
Note 1 – In case if you have multiple domains, please provide the complete list. (Including Sub-Domains if any)
Note 2 – A common DKIM key is generated if there are multiple domains.
Note 3 – It is now Mandatory and best practice to not use the domains that are NOT signed with DKIM key for relaying e-mails from your ByD tenant. E-mails will be not be delivered if DKIM is not enabled. (In other words, it is recommended to DKIM sign all sender domains used by a ByD tenant rather than part of the domains)
Note 4 – The DKIM key that will be generated and provided to you is meant for ALL your environments. (Test + Production) (i.e.: the key is independent of your ByD tenant)
- Overview of the Execution steps for enabling DKIM Key
The Service Request takes approximately 2 weeks of time for enabling and implementing
- First we should get the domain details as mentioned in Note 1. (mentioned above)
- DKIM key will be generated from our side (with Key Size – 2048 Bit) for the domains provided.
- Public Key and Selector details will be shared to customer.
- Customer must create a DKIM TXT record in their DNS Servers.
NOTE: In case if you have multiple domains, please mention all the domain names, and only one key is provided by default for all the domains. Maintain the same DKIM key for all the domains.
- Check if the key is maintained correctly through external tools by providing the “Domain” and “Selector” details.
- Once the key is correctly maintained, send the incident back to SAP for activating the key. (Though the key is maintained correctly in your DNS, if the ticket is not sent back to SAP – the process is not complete and DKIM is not enabled)
- SAP will activate the key for the mentioned domains and will close the incident.
- How to check DKIM key for a sender domain once DKIM TXT record is updated in your DNS Servers?
Please use any external tool like https://dkimcore.org/tools/keycheck.html → Provide the “Selector” and “Domain” details → click on button “Check”, You should be seeing a record similar to below (This is a valid DKIM record):
- What is DKIM and Advantages of enabling DKIM key for Business e-mails / Bulk e-mails?
DKIM (Domain Keys Identified Mail) is an e-mail authentication technique that allows the receiver to
check that an email was indeed send and authorized by the owner of that domain. This is done by
giving the email a digital signature. This DKIM signature is a header that is added to the message and is secured with encryption.
- Implementing DKIM will improve email deliverability
- Prevents from E-mail spoofing
- Makes mails trustworthy
- More details about e-mail Authentication (SPF, DKIM)
The solution includes support for validating and performing email authentication with SPF (Sender policy framework) and DKIM (Domain key signing). While SPF is a DNS txt record which publishes trusted outbound IP for the given domain, DKIM requires to sign each message with a proper key that matches the sending domain within the message body. The Email service allows to configure DKIM keys and profiles to perform that action for all customers whereas DKIM profiles are being used.
- How to check if e-mail messages sent from SAP Business ByDesign Tenant is DKIM signed, and for which domain is it DKIM signed?
Check the mail headers: “header.i”, “header.s”, “header.from” of the received E-Mail, in the section “Authentication-Results”: In this section we should see the domain and selector details of the DKIM key.
- Can customer choose their own selector while requesting a DKIM key?
A standard and unique selector is provided for each customers domain(s) so it is not possible to deliver the DKIM keys with custom selectors that are requested by Customers
- Is DKIM Key enabled by default for your sender domain during the migration to new E-Mail infra?
No, an explicit request has to be created for DKIM key creation for your sender domains which are used for relaying Business e-mails / Bulk e-mails from your SAP Business ByDesign tenant
- Is the same DKIM key valid for both test environment and production environment?
Yes, the same key is valid for both the environments Production and Test.
- How SAP is handling private keys so that they are protected and not misused? And what is the plan if key is compromised
The secrets are stored in the email service without the ability to retrieve them.
If a private key is compromised, then SAP will inform the customer and generate a new DKIM key and update the customer (same process as mentioned above in the overview of execution steps).
8. If the e-mails are sent with DoNotReply@myxxxxxx.mail.sapbydesign.com address that is registered in the Default Sender Address, should you still request DKIM
No, not needed. DKIM should be requested for all the domains that you own and are used to send e-mails from BYD application
We hope that this article provides clarity on how to get your sender domains DKIM enabled, which is more reliable and secure.