Technical Articles
DKIM Enablement for Sender Domains – ByD
Background
In SAP Business ByDesign you can use e-mail as communication channel in various scenarios communicating with your employees and business partners, and SAP Business ByDesign allows you to configure sender e-mail addresses.
These sender e-mail addresses are subject to authentication checks of modern e-mail infrastructures using security measures such as Domain Keys Identified Mail (DKIM).
As part of our ongoing efforts to incorporate e-mail security and to pre-empt any e-mail spoofing attempts as well as to ensure e-mail delivery in line with commonly used security standards, we are making it mandatory for you – our customers – to enable DKIM on your sender e-mail domains.
Please request to enable DKIM for your e-mail sender domains, please find below more information and procedure:
- How to request DKIM key for your e-mail sender domain address?
Please create an incident to SAP Business ByDesign Support providing the below mentioned details.
Subject: Request to enable DKIM for ByD Business e-Mails / Bulk e-mails
Content of the Incident:
- Sender domain address details that is used from your tenant to relay Business e-mails / Bulk e-mails. (Example: test.com, abc.uk for scenarios like Tickets, customer invoice, order confirmation, etc.)
Note 1 – In case if you have multiple domains, please provide the complete list. (Including Sub-Domains if any)
Note 2 – A common DKIM key is generated if there are multiple domains.
Note 3 – It is now Mandatory and best practice to not use the domains that are NOT signed with DKIM key for relaying e-mails from your ByD tenant. E-mails will be not be delivered if DKIM is not enabled. (In other words, it is recommended to DKIM sign all sender domains used by a ByD tenant rather than part of the domains)
Note 4 – The DKIM key that will be generated and provided to you is meant for ALL your environments. (Test + Production) (i.e.: the key is independent of your ByD tenant)
- Overview of the Execution steps for enabling DKIM Key
The Service Request takes approximately 2 weeks of time for enabling and implementing
- First we should get the domain details as mentioned in Note 1. (mentioned above)
- DKIM key will be generated from our side (with Key Size – 2048 Bit) for the domains provided.
- Public Key and Selector details will be shared to customer.
- Customer must create a DKIM TXT record in their DNS Servers.
NOTE: In case if you have multiple domains, please mention all the domain names, and only one key is provided by default for all the domains. Maintain the same DKIM key for all the domains.
- Check if the key is maintained correctly through external tools by providing the “Domain” and “Selector” details.
Example: https://dkimcore.org/tools/keycheck.html - Once the key is correctly maintained, send the incident back to SAP for activating the key. (Though the key is maintained correctly in your DNS, if the ticket is not sent back to SAP – the process is not complete and DKIM is not enabled)
- SAP will activate the key for the mentioned domains and will close the incident.
- How to check DKIM key for a sender domain once DKIM TXT record is updated in your DNS Servers?
Please use any external tool like https://dkimcore.org/tools/keycheck.html → Provide the “Selector” and “Domain” details → click on button “Check”, You should be seeing a record similar to below (This is a valid DKIM record):
FAQ’s
- What is DKIM and Advantages of enabling DKIM key for Business e-mails / Bulk e-mails?
DKIM (Domain Keys Identified Mail) is an e-mail authentication technique that allows the receiver to
check that an email was indeed send and authorized by the owner of that domain. This is done by
giving the email a digital signature. This DKIM signature is a header that is added to the message and is secured with encryption.
- Implementing DKIM will improve email deliverability
- Prevents from E-mail spoofing
- Makes mails trustworthy
- More details about e-mail Authentication (SPF, DKIM)
The solution includes support for validating and performing email authentication with SPF (Sender policy framework) and DKIM (Domain key signing). While SPF is a DNS txt record which publishes trusted outbound IP for the given domain, DKIM requires to sign each message with a proper key that matches the sending domain within the message body. The Email service allows to configure DKIM keys and profiles to perform that action for all customers whereas DKIM profiles are being used.
- How to check if e-mail messages sent from SAP Business ByDesign Tenant is DKIM signed, and for which domain is it DKIM signed?
Check the mail headers: “header.i”, “header.s”, “header.from” of the received E-Mail, in the section “Authentication-Results”: In this section we should see the domain and selector details of the DKIM key.
- Can customer choose their own selector while requesting a DKIM key?
A standard and unique selector is provided for each customers domain(s) so it is not possible to deliver the DKIM keys with custom selectors that are requested by Customers
- Is DKIM Key enabled by default for your sender domain during the migration to new E-Mail infra?
No, an explicit request has to be created for DKIM key creation for your sender domains which are used for relaying Business e-mails / Bulk e-mails from your SAP Business ByDesign tenant
- Is the same DKIM key valid for both test environment and production environment?
Yes, the same key is valid for both the environments Production and Test.
- How SAP is handling private keys so that they are protected and not misused? And what is the plan if key is compromised
The secrets are stored in the email service without the ability to retrieve them.
If a private key is compromised, then SAP will inform the customer and generate a new DKIM key and update the customer (same process as mentioned above in the overview of execution steps).
8. If the e-mails are sent with DoNotReply@myxxxxxx.mail.sapbydesign.com address that is registered in the Default Sender Address, should you still request DKIM
No, not needed. DKIM should be requested for all the domains that you own and are used to send e-mails from BYD application
Conclusion:
We hope that this article provides clarity on how to get your sender domains DKIM enabled, which is more reliable and secure.
Hello,
I have two questions regarding the activation of DKIM:
1) If a customer is currently in a test system do we need to order DKIM from the test system so that it is ready when the customer goes live?
2) If the emails are sent with the DoNotReply@myxxxxxx.mail.sapbydesign.com address that is registered in the Default Sender Address. Should we request DKIM for the domain myxxxxxx.mail.sapbydesign.com?
Best regards,
Geneviève
Hello - Thank you, please find my response inline
1) If a customer is currently in a test system do we need to order DKIM from the test system so that it is ready when the customer goes live?
[Response] - Yes please. If your domains are ready, please go-ahead and request for DKIM. As outlined in Note 4 of section 1 of the blog: DKIM key that will be generated and provided to you is meant for ALL your environments (Test + Production)
2) If the emails are sent with the DoNotReply@myxxxxxx.mail.sapbydesign.com address that is registered in the Default Sender Address. Should we request DKIM for the domain myxxxxxx.mail.sapbydesign.com?
[Response] - No action required, if the domain is not owned by you. So, no need to request DKIM for mail.sapbydesign.com. You should be able to use it without any action from your end
Regards,
Subbu
How can I check that SAP correctly activated DKIM? I understand that we must ensure this before end of March?
Is it recommend to also activate DKIM for test systems? I would appriciate that for test systems, this would not be required.
Hello - Thank you.
How can I check that SAP correctly activated DKIM?
[Response] After activating DKIM from our end, we will attach the screenshot (You can request in the ticket if that's not provided from us)
I am sorry to say that this is application for All environments (Test + Prod)
Regards,
Subbu
What happens, if we do NOT request to enable DKIM? We don't use DKIM for our normal E-Mail system we use spf. So it is no option for us to enable DKIM for SAP.
Hello,
Outbound e-mails sent from SAP Business ByDesign using sender e-mail domains that are not DKIM signed can no longer be delivered to e-mail recipients.
Hello,
if customer doesn't use sending email function from ByDesign, is there any impact to skipping this setting?
Thank you,
Avazeh
Hello,
No action required if e-mail functionality is not used
Thank you,
Subbu
Thanks for your reply.
I have 2 more questions:
On the other hand, Does it cause encrypting all emails from the target DNS server? or only Emails from ByDesign are targets?
Best Regards,
Avazeh
Hello,
[Updated]
Regards,
Subbu
Hi Abolfazl,
The selection of the DKIM key is done using the DKIM selector which is send in the email header. The selector identifies the specific DKIM public key that exists in the DNS.
so for example:
your domain is: companyabc.com.au
selector is: byd-busi-my123456-companybac.com.au
The key and the selector is provided by the SAP support team but you need to add it to your public DNS.
Regards
Paul
Buen día
Tengo 2 preguntas
byd_partner_engagement_office@mailsap.com
byd_customer_engagement_office@sap.com
sapcloudsupport@alerts.ondemand.com
notification-service@sap.com
2. Tenemos desarrollos e interfaces, como por ejemplo el pack de timbrado; para estos dominios se debe solicitar el DKIM?
Hello - If I understood your question right, you would like to check if you will still receive notifications from SAP if you do not enable DKIM:
[Response] Yes, you will still receive notifications from SAP
You should enable DKIM for the domains you own, no action required if you do not use any of your domains as sender domain from SAP ByD application
Regards,
Subbu
Hello,
we have already done DKIM enablement in 2021.
Now we need to enable additional e-mail domains.
Can we have these additional domains added to the already excisting key?
Kind regards,
Pierre
Hello - Yes please
As you did earlier, please raise a ticket with additional domains (Please mention the DKIM public key and selector you used in your DNS for reference)
Regards,
Subbu
Hello,
could you please de-activate the reminder for customers which already have DKIM enabled?
Kind regards,
Dietmar
Hello - We are sending out reminders with a remark that customers who have already finished with DKIM configurations should ignore the reminder notification. We understand that it is an irritant to keep getting this e-mail even though you have finished with your DKIM configurations. Please bear with us for some more time, because at present, it is not possible to segregate the notification for customers who have already finished DKIM configurations and those who have not. We completely understand that this is an irritation and please rest assured that we will stop these notifications within some time
Regards,
Subbu
Hello Dietmar,
My name is Patrick and we are facing also the DKIM-Topic in our C4C-Project. Are you able to have a short call for that topic. I wantet to talk with someone who implementeted this feature already. My Mail-Adress is: patrick.klingenmaier@mapal.com
Thanks in advance
Best regards,
Patrick
Hi,
Is this applicable to all transactional activity that has an email functions, like Sales quote, sales order, purchase order, invoicing, quote awarding result, etc?
Thank you,
CJ
Hello Carlo,
Yes all these constitute to Business Emails and for which you need to activate the DKIM Profile for the sender domains.
Regards,
Ankit K
Dear Venkata Subbarayudu Panguluri
could you please tell me what happens to sent out mails, if DKIM has not been activated?
Will they not be sent at all or will they (potentially) end up in the recipient's spam folder?
Kind regards,
Pierre
Hello Pierre,
If DKIM Key & Profile is not activated, EMails from those domains which are used to sent out from your SAP Business ByDesign tenant will not be delivered to recipients inbox.
Further you can refer the Blog: DKIM Key Activation for Business Emails in SAP Business ByDesign(ByD)
Refer Q12 in this blog: Next-Generation Cloud Delivery transition – New Business ByDesign E-mail Infrastructure
Regards,
Ankit K