Enterprise Resource Planning Blogs by SAP
Get insights and updates about cloud ERP and RISE with SAP, SAP S/4HANA and SAP S/4HANA Cloud, and more enterprise management capabilities with SAP blog posts.
pangulurivenkata
Associate

Background

In SAP Business ByDesign you can use e-mail as a communication channel in various scenarios to communicate with your employees and business partners, and SAP Business ByDesign allows you to configure sender e-mail addresses.

These sender e-mail addresses are subject to the authentication checks of modern e-mail infrastructures, which use security measures such as DomainKeys Identified Mail (DKIM).

As part of our ongoing efforts to incorporate e-mail security and to pre-empt any e-mail spoofing attempts as well as to ensure e-mail delivery in line with commonly used security standards, we are making it mandatory for you - our customers - to enable DKIM on your sender e-mail domains.

Please request that DKIM be enabled for your e-mail sender domains. More information and the procedure follow:

**Once the key is generated and shared, it must be maintained within a month. If no response is received for an inactive domain, the key will be removed a month after generation and can be requested again when needed.**

    1. How to request DKIM key for your e-mail sender domain address?

Please create an incident for SAP Business ByDesign Support, providing the details mentioned below.
Subject: Request to enable DKIM for ByD Business e-Mails / Bulk e-mails

Content of the Incident:

    • Details of the sender domain addresses that are used from your tenant to relay Business e-mails / Bulk e-mails. (Example: test.com, abc.uk for scenarios like Tickets, customer invoice, order confirmation, etc.)

Note 1 – If you have multiple domains, please provide the complete list (including sub-domains, if any).

Note 2 – A common DKIM key is generated if there are multiple domains.

Note 3 – It is now mandatory, and best practice, not to relay e-mails from your ByD tenant using domains that are not signed with a DKIM key. E-mails will not be delivered if DKIM is not enabled. (In other words, it is recommended to DKIM-sign all sender domains used by a ByD tenant rather than only some of them.)

Note 4 – The DKIM key that will be generated and provided to you is meant for ALL your environments. (Test + Production) (i.e.: the key is independent of your ByD tenant)

    2. Overview of the execution steps for enabling the DKIM key

The Service Request takes approximately 2 weeks to enable and implement.

    • First, we need the domain details as described in Note 1 above.
    • A DKIM key (key size: 2048 bit) will be generated on our side for the domains provided.
    • The public key and selector details will be shared with the customer.
    • The customer must create a DKIM TXT record in their DNS servers.

NOTE: If you have multiple domains, please mention all the domain names; by default only one key is provided for all the domains. Maintain the same DKIM key for all the domains.

    • Once the key is correctly maintained, send the incident back to SAP to activate the key. (Even if the key is maintained correctly in your DNS, the process is not complete and DKIM is not enabled until the ticket is sent back to SAP.)
    • SAP will activate the key for the mentioned domains and close the incident.

    3. How to check the DKIM key for a sender domain once the DKIM TXT record is updated in your DNS servers?

Please use any external tool such as https://dkimcore.org/tools/keycheck.html: provide the “Selector” and “Domain” details and click the “Check” button. The tool should then show a valid DKIM record for your selector and domain.
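The same check can also be scripted offline on the TXT value copied from your DNS zone; this Python sketch is an added example, not part of the original post and not SAP tooling. It verifies the tags, joins the quoted strings that a 2048-bit key needs (a single TXT string is limited to 255 bytes) and reads the RSA key size; the function names and the sample record, whose key is structurally valid but not a usable key, are constructed for illustration.

```python
import base64
import re

RSA_ALG = bytes.fromhex("300d06092a864886f70d0101010500")  # AlgorithmIdentifier: rsaEncryption

def _tlv(tag, body):
    """Encode one DER element; only used to build the constructed sample key."""
    n = len(body)
    size = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    return bytes([tag]) + (bytes([n]) if n < 128 else bytes([0x80 | len(size)]) + size) + body

def _read(buf, pos=0):
    """Decode one DER element at pos; return (value, next_pos)."""
    n, pos = buf[pos + 1], pos + 2
    if n & 0x80:  # long form: low 7 bits give the number of length bytes
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return buf[pos:pos + n], pos + n

def rsa_modulus_bits(spki):
    """Bit length of the RSA modulus in a DER SubjectPublicKeyInfo."""
    outer, _ = _read(spki)
    bitstring, _ = _read(outer, _read(outer)[1])  # skip the AlgorithmIdentifier
    rsa_key, _ = _read(bitstring, 1)              # byte 0 is the unused-bit count
    return int.from_bytes(_read(rsa_key)[0], "big").bit_length()

def check_dkim_txt(txt, min_bits=2048):
    """Return the problems found in a DKIM TXT value (empty list means OK)."""
    record = "".join(re.findall(r'"([^"]*)"', txt)) or txt  # join split TXT strings
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    tags = {k.strip(): "".join(v.split()) for k, v in pairs}
    problems = [f"{t}= is not {want}" for t, want in (("v", "DKIM1"), ("k", "rsa"))
                if tags.get(t, want) != want]
    if not tags.get("p"):
        return problems + ["p= is empty or missing (no usable public key)"]
    try:
        bits = rsa_modulus_bits(base64.b64decode(tags["p"], validate=True))
    except (ValueError, IndexError):
        return problems + ["p= is not a valid base64 RSA public key"]
    if bits < min_bits:
        problems.append(f"RSA key is {bits} bits, expected at least {min_bits}")
    return problems

def sample_record(bits):
    """Constructed TXT value (not a real key), split into two quoted strings."""
    n = (1 << (bits - 1)) | 1
    key = _tlv(0x30, _tlv(0x02, b"\x00" + n.to_bytes(bits // 8, "big")) + _tlv(0x02, b"\x01\x00\x01"))
    p = base64.b64encode(_tlv(0x30, RSA_ALG + _tlv(0x03, b"\x00" + key))).decode()
    return f'"v=DKIM1; k=rsa; p={p[:200]}" "{p[200:]}"'
```

Call `check_dkim_txt()` with the value exactly as your DNS provider displays it; an empty list means the record parses and carries an RSA key of at least 2048 bits.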

FAQs

    1. What is DKIM, and what are the advantages of enabling a DKIM key for Business e-mails / Bulk e-mails?

DKIM (DomainKeys Identified Mail) is an e-mail authentication technique that allows the receiver to check that an e-mail was indeed sent and authorized by the owner of that domain. This is done by giving the e-mail a digital signature. This DKIM signature is a header that is added to the message and is secured with public-key cryptography.

    • Implementing DKIM will improve email deliverability
    • Prevents e-mail spoofing
    • Makes e-mails trustworthy

    2. More details about e-mail authentication (SPF, DKIM)

The solution includes support for validating and performing e-mail authentication with SPF (Sender Policy Framework) and DKIM (domain key signing). While SPF is a DNS TXT record that publishes the trusted outbound IP addresses for a given domain, DKIM requires each message to be signed with a key that matches the sending domain within the message. The e-mail service allows DKIM keys and profiles to be configured so that this signing is performed for all customers for whom DKIM profiles are in use.

    3. How to check whether e-mail messages sent from an SAP Business ByDesign tenant are DKIM signed, and for which domain they are DKIM signed?

Check the mail header fields “header.i”, “header.s” and “header.from” in the “Authentication-Results” section of the received e-mail. In this section you should see the domain and selector details of the DKIM key.
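The header check described above can be automated as follows; this is an added Python example, not code from the original post or from SAP. It assumes you know the name your own receiving mail server writes at the start of its Authentication-Results header (here the placeholder `mx.receiver.example`); the sample message, domain and selector are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message: receiver name, domain and selector are placeholders.
SAMPLE = """\
Authentication-Results: mx.receiver.example;
 dkim=pass header.i=@example.com header.s=example-selector header.b=AbCdEf12;
 spf=pass smtp.mailfrom=bounce@example.com;
 dmarc=pass header.from=example.com
From: Billing <invoices@example.com>
Subject: Customer invoice

Invoice attached.
"""

def dkim_results(raw_message, trusted_authserv):
    """List the DKIM verdicts recorded by our own receiving server.

    Authentication-Results headers naming any other server are skipped,
    because a sender can insert such a header into the message.
    """
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    found = []
    for header in msg.get_all("Authentication-Results", []):
        authserv, _, rest = header.partition(";")
        if authserv.strip().lower() != trusted_authserv.lower():
            continue
        for clause in rest.split(";"):
            verdict = re.match(r"\s*dkim=(\w+)", clause)
            if not verdict:
                continue
            props = dict(re.findall(r"header\.(\w+)=(\S+)", clause))
            # header.d is the signing domain; fall back to the domain part of header.i
            signer = (props.get("d") or props.get("i", "").rpartition("@")[2]).lower()
            selector = props.get("s", "")
            found.append({
                "result": verdict.group(1),
                "signing_domain": signer,
                "selector": selector,
                "dns_name": f"{selector}._domainkey.{signer}",  # where the TXT record lives
                "matches_from": signer == from_domain,
            })
    return found
```

A result of `pass` with `matches_from` true means the message was signed for the same domain that appears in the From address; `dns_name` is the DNS name under which the matching public key is published.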

    4. Can customer choose their own selector while requesting a DKIM key?

A standard and unique selector is provided for each customer's domain(s), so it is not possible to deliver DKIM keys with custom selectors requested by customers.

    5. Is DKIM Key enabled by default for your sender domain during the migration to new E-Mail infra?

No, an explicit request has to be created for DKIM key creation for your sender domains that are used for relaying Business e-mails / Bulk e-mails from your SAP Business ByDesign tenant.

    6. Is the same DKIM key valid for both test environment and production environment?

Yes, the same key is valid for both the environments Production and Test.

    7. How is SAP handling private keys so that they are protected and not misused? And what is the plan if a key is compromised?

The secrets are stored in the email service without the ability to retrieve them.

If a private key is compromised, then SAP will inform the customer and generate a new DKIM key and update the customer (same process as mentioned above in the overview of execution steps).

    8. If the e-mails are sent with the DoNotReply@myxxxxxx.mail.sapbydesign.com address that is registered in the Default Sender Address, should you still request DKIM?

No, this is not needed. DKIM should be requested for all the domains that you own and that are used to send e-mails from the ByD application.

Conclusion:

We hope that this article provides clarity on how to get your sender domains DKIM enabled, which is more reliable and secure.

22 Comments
0 Kudos
Hello,

I have two questions regarding the activation of DKIM:

1) If a customer is currently in a test system do we need to order DKIM from the test system so that it is ready when the customer goes live?

2) If the emails are sent with the DoNotReply@myxxxxxx.mail.sapbydesign.com address that is registered in the Default Sender Address. Should we request DKIM for the domain myxxxxxx.mail.sapbydesign.com?

Best regards,

Geneviève
0 Kudos

How can I check that SAP correctly activated DKIM? I understand that we must ensure this before end of March?

Is it recommended to also activate DKIM for test systems? I would appreciate that for test systems, this would not be required.

pangulurivenkata
Associate
Hello - Thank you, please find my response inline

1) If a customer is currently in a test system do we need to order DKIM from the test system so that it is ready when the customer goes live?

[Response] - Yes please. If your domains are ready, please go-ahead and request for DKIM. As outlined in Note 4 of section 1 of the blog: DKIM key that will be generated and provided to you is meant for ALL your environments (Test + Production)

2) If the emails are sent with the DoNotReply@myxxxxxx.mail.sapbydesign.com address that is registered in the Default Sender Address. Should we request DKIM for the domain myxxxxxx.mail.sapbydesign.com?

[Response] - No action required, if the domain is not owned by you. So, no need to request DKIM for mail.sapbydesign.com. You should be able to use it without any action from your end

Regards,

Subbu
pangulurivenkata
Associate
0 Kudos

Hello - Thank you.

How can I check that SAP correctly activated DKIM?

[Response] After activating DKIM from our end, we will attach the screenshot (You can request in the ticket if that's not provided from us)

I am sorry to say that this is applicable for all environments (Test + Prod)

 

Regards,

Subbu

0 Kudos
What happens, if we do NOT request to enable DKIM? We don't use DKIM for our normal E-Mail system we use spf. So it is no option for us to enable DKIM for SAP.
pangulurivenkata
Associate
0 Kudos
Hello,

Outbound e-mails sent from SAP Business ByDesign using sender e-mail domains that are not DKIM signed can no longer be delivered to e-mail recipients.
avazeh
Explorer
0 Kudos

Hello,

If a customer doesn't use the e-mail sending function from ByDesign, is there any impact from skipping this setting?

 

Thank you,

Avazeh

pangulurivenkata
Associate
Hello,

No action required if e-mail functionality is not used

Thank you,

Subbu
0 Kudos
Good day,

I have 2 questions:

  1. We do not use the mail server within SAP, but I do receive informational e-mails directly from SAP from these accounts at my e-mail address. If we do not request to enable DKIM, will I stop receiving them?


byd_partner_engagement_office@mailsap.com
byd_customer_engagement_office@sap.com
sapcloudsupport@alerts.ondemand.com
notification-service@sap.com

  2. We have developments and interfaces, such as the stamping (timbrado) pack; does DKIM have to be requested for these domains?

 
pangulurivenkata
Associate
0 Kudos
Hello - If I understood your question right, you would like to check if you will still receive notifications from SAP if you do not enable DKIM:

[Response] Yes, you will still receive notifications from SAP

You should enable DKIM for the domains you own, no action required if you do not use any of your domains as sender domain from SAP ByD application

 

Regards,

Subbu
avazeh
Explorer
0 Kudos
Thanks for your reply.

I have 2 more questions:

  1. We are using office 365. If we set the DKIM key generated by SAP side in our DNS server, is there any impact on our other daily emails that are not sent from ByDesign?
    On the other hand, Does it cause encrypting all emails from the target DNS server? or only Emails from ByDesign are targets?

  2. If in the future, we set another DKIM key for other purposes in the same DNS server, is it possible? Can we set several DKIM keys in the same DNS Server?


Best Regards,

Avazeh
pangulurivenkata
Associate

Hello,

[Updated]

  1. There will be no impact to other e-mails that are not sent from SAP ByD. DKIM check will be done only for the e-mails sent from SAP ByD. Regarding encryption: DKIM just signs (takes email body and signs it with a key), domain verification will be done by DKIM
  2. I would request you to please reach out to your Network team who maintain your DNS. They would be the best colleagues to confirm as I do not have any knowledge on how your DNS is set up and the settings maintained. However, one clue: We should be able to maintain multiple keys for the same domain as each key can have a unique selector (I mean - Yes, it's possible)

Regards,

Subbu

Pierre_Braun
Explorer
0 Kudos
Hello,

we have already done DKIM enablement in 2021.

Now we need to enable additional e-mail domains.

Can we have these additional domains added to the already existing key?

 

Kind regards,

Pierre
pangulurivenkata
Associate
0 Kudos
Hello - Yes please

As you did earlier, please raise a ticket with additional domains (Please mention the DKIM public key and selector you used in your DNS for reference)

Regards,

Subbu
Paul_Ka
Participant

Hi Abolfazl,

 

The selection of the DKIM key is done using the DKIM selector which is sent in the email header. The selector identifies the specific DKIM public key that exists in the DNS.

so for example:

your domain is: companyabc.com.au

selector is: byd-busi-my123456-companybac.com.au

The key and the selector are provided by the SAP support team but you need to add them to your public DNS.

 

Regards

Paul

 

dietmarmiller
Discoverer
0 Kudos
Hello,

could you please de-activate the reminder for customers which already have DKIM enabled?

Kind regards,

Dietmar
pangulurivenkata
Associate
0 Kudos
Hello - We are sending out reminders with a remark that customers who have already finished with DKIM configurations should ignore the reminder notification. We understand that it is an irritant to keep getting this e-mail even though you have finished with your DKIM configurations. Please bear with us for some more time, because at present, it is not possible to segregate the notification for customers who have already finished DKIM configurations and those who have not. We completely understand that this is an irritation and please rest assured that we will stop these notifications within some time

Regards,

Subbu
KlingenmaierP
Discoverer
0 Kudos
Hello Dietmar,

My name is Patrick and we are also facing the DKIM topic in our C4C project. Are you able to have a short call on that topic? I wanted to talk with someone who has implemented this feature already. My mail address is: patrick.klingenmaier@mapal.com

Thanks in advance

Best regards,

Patrick
0 Kudos
Hi,

Is this applicable to all transactional activity that has an email function, like Sales quote, sales order, purchase order, invoicing, quote awarding result, etc?

 

Thank you,

CJ
Ankit
Product and Topic Expert
0 Kudos
Hello Carlo,

Yes, all these constitute Business Emails, for which you need to activate the DKIM Profile for the sender domains.

Regards,

Ankit K
Pierre_Braun
Explorer
0 Kudos

Dear pangulurivenkata

could you please tell me what happens to sent out mails, if DKIM has not been activated?

Will they not be sent at all or will they (potentially) end up in the recipient's spam folder?

 

Kind regards,

Pierre

Ankit
Product and Topic Expert
0 Kudos
Hello Pierre,

If the DKIM Key & Profile is not activated, e-mails from those domains which are used to send out from your SAP Business ByDesign tenant will not be delivered to the recipient's inbox.

Further, you can refer to the blog: DKIM Key Activation for Business Emails in SAP Business ByDesign(ByD)

Refer Q12 in this blog: Next-Generation Cloud Delivery transition – New Business ByDesign E-mail Infrastructure

Regards,

Ankit K