SAP is going to change the e-mail infrastructure used for business e-mails sent from SAP Business ByDesign (ByDesign).
In case you have:
then you need to take action.
IMPORTANT: It is now mandatory to have DKIM enabled for your sender domains, please refer to DKIM Blog-Post for more details on how to request enabling DKIM for your sender domains.
Outbound e-mails sent from SAP Business ByDesign using sender e-mail domain(s) that are not DKIM signed can no longer be delivered to e-mail recipients after the change to the new email-infrastructure
What are the upcoming changes?
With transition to the new e-mail infrastructure, the sending server IP used to deliver e-mails sent from ByDesign will change.
It is now Mandatory to have DKIM enabled for your sender domains, please refer to https://blogs.sap.com/2022/01/18/dkim-enablement-for-sender-domains-byd/ for more details on how to request enabling DKIM for your sender domains
What does this mean for you?
________________________________________________________________________________
There are two types of E-mail scenarios in Business ByDesign:
Business E-Mails – E-mail messages sent through Ticket, customer invoice, order confirmation, etc. are all referred to business e-mail scenarios
Bulk/Mass E-Mails: E-mail messages sent through Marketing/Campaign are referred as Bulk/Mass E-Mail
Note – There are different service providers for business mail and for bulk mail.
________________________________________________________________________________
Business E-Mails – E-mail messages sent through Ticket, customer invoice, order confirmation, etc. are all referred to business e-mail scenarios
1. Regarding DKIM enablement for sender domains - Any further action required from customers who had already enabled DKIM for their sender domains?
No action required from customers who had already enabled DKIM for their sender domains. You can continue to use the same DKIM keys which were provided by SAP.
However, if key was generated in old e-mail infrastructure but not activated: Customer will be provided with a new DKIM key and selector which is generated from new e-mail infrastructure. Customer need to use the new key and selector provided
2. How to request DKIM key for your E-Mail sender domain address?
Please refer to https://blogs.sap.com/2022/01/18/dkim-enablement-for-sender-domains-byd/ for more details on how to request enabling DKIM. Outbound e-mails sent from SAP Business ByDesign using sender e-mail domains that are not DKIM signed can no longer be delivered to e-mail recipients
3. What is DKIM and Advantages of enabling DKIM key for Business Mails?
DKIM (Domain Keys Identified Mail) is an e-mail authentication technique that allows the receiver to check that an email was indeed send and authorized by the owner of that domain. This is done by giving the email a digital signature. This DKIM signature is a header that is added to the message and is secured with encryption.
4. What is SPF and Advantages of enabling SPF record for Business Mails?
The Sender Policy Framework (SPF) is an email-authentication technique which is used to prevent spammers from sending messages on behalf of your domain. The SPF record is checked on “Envelope-From/Mail-From/Technical Sender” address
By enabling this it is determined which e-mail servers are authorized to relay an e-mail.
5. SPF and DKIM policies are checked on which domains for Outbound Mail Scenario?
These checks are done at recipient Mail Server. In general, e-mails sent from SAP Business ByDesign application have headers similar to the following:
SPF Check is done on – “Envelop-From” address
DKIM Check is done on – “From Address”
++++++
From Address – Customer’s sender domain (example: test.com, abc.uk)
Envelop-From Address in ByDesign applications will always be: dsn@myXXXXXX.mail.sapbydesign.com / dsn@myXXXXXXX.mail.sapbyd.cn
Recipient Address: <Independent details>
Subject: <Independent details>
++++++
6. How to check if e-mail messages sent from SAP Business ByDesign Tenant is DKIM signed, and for which domain is it DKIM signed?
Check the mail headers: “header.i”, “header.s”, “header.from” of the received E-Mail, in the section “Authentication-Results”: In this section we should see the domain and selector details of the DKIM key.
7. Can customer choose their own selector while requesting a DKIM key?
A standard and unique selector is provided for each customers domain(s) so it is not possible to deliver the DKIM keys with custom selectors that are requested by Customers
8. Is DKIM Key enabled by default for your sender domain during the migration to new E-Mail infra
No, an explicit request has to be created for DKIM key creation for your sender domains which are used for relaying Business Mails from your SAP Business ByDesign tenant
9. Is the same DKIM key valid for both test environment and production environment?
Yes, the same key is valid for both the environments Production and Test
10. E–mails sent with this domain “donotreply@myXXXXXX.mail.sapbydesign.com” / “donotreply@myXXXXXX.mail.sapbyd.cn” / "donotreply@myXXXXXX.mail.businessbydesign.cloud.sap" / "donotreply@myXXXXXX.mail.businessbydesign.sapcloud.cn" are signed with DKIM key?
Yes, E-mails sent with above domains are already signed with DKIM key
11. If the e-mails are sent with DoNotReply@myxxxxxx.mail.sapbydesign.com address that is registered in the Default Sender Address, should you still request DKIM
No, not needed. DKIM should be requested for all the domains that you own and are used to send e-mails from BYDesign application
12. What if customer doesn’t want DKIM enabled for their sender domain
Outbound business e-mails sent from your SAP ByDesign tenant using sender e-mail domains that are not DKIM signed can no longer be delivered to e-mail recipients
13. Can the “Envelop-From” address be overwritten to the same as “From Address”
NO, this is not possible and not supported in SAP Business ByDesign
14. Are there any Exception domains for which DKIM key cannot be created from our side?
DKIM key cannot be created for following Domains: gmail.com, yahoo.com, Hotmail.com, outlook.com, sap.com
15. What is the IP address through which E-Mails are sent from your ByDesign tenant?
Following are the IP address through which your E-Mails will be sent from your ByDesign tenant: 199.255.192.0/22 , 199.127.232.0/22 , 54.240.0.0/18 , 69.169.224.0/20 , 23.249.208.0/20 , 23.251.224.0/19 , 76.223.176.0/20 , 54.240.64.0/19 , 54.240.96.0/19 , 52.82.172.0/22
16. What are the attachment types that are “NOT Allowed” at our e-mail server?
E-mails containing one of the following file types currently fall into the category “dangerous attachment”:
ade, adp, app, asp, bas, bat, bhx, cab, ceo, cer, chm, cmd, com, cpl, crt, csr, csh, der, docm, exe, fxp, gadget, hlp, hta, inf, ins, isp, its, js, jse, ksh, lib, lnk, mad, maf, mag, mam, maq, mar, mas, mat, mau, mav, maw, mda, mdb, mdt, mde, mdw, mdz, mim, msc, msc, msh, msh1, msh2, mshxml, msh1xml, msh2xml, msi, msp, mst, ops, ole, pcd, pif, plg, prf, prg, ps1, ps1xml, ps2, ps2xml, psc1, psc2, reg, scf, scr, sct, shb, shs, sys, tmp, url, vb, vbe, vbmacros, vbs, vps, vsmacros, vss, vst, vsw, vxd, wmd, wmz, ws, wsc, wsf, wsh, xnk, xxe, xlsm
This also applies if attachments with these extensions are found in the following (password-protected) archives:
arj, cab, jar, lha, rar, tar, zip, gz
Also, please refer below link to view complete list of attachment types that are blocked from Amazon SES
https://docs.aws.amazon.com/ses/latest/dg/mime-types.html
17. What is the size limit of an Outbound and Inbound E-mail sent/received at SAP Business ByDesign application?
Mail size can be maximum of 25MB (Including attachments)
18. Can the customer point their ByDesign tenant to their own Mail infrastructure?
NO, this is not possible and not supported in SAP Business ByDesign
19. How SAP is handling private keys so that they are protected and not misused? And what is the plan if key is compromised
The secrets are stored in the email service without the ability to retrieve them.
If a private key is compromised, then SAP will inform the customer and generate a new DKIM key and update the customer (same process as mentioned above in the overview of execution steps).
20. If DKIM key was generated in old e-mail infrastructure and customer did not request to activate the key before the switch, can we use the same key?
If key was generated in old e-mail infrastructure but not activated: Customer will be provided with a new DKIM key and selector which is generated from new e-mail infrastructure. Customer need to use the new key and selector provided to import into their DNS (Old key and selector provided will be obsolete and cant be used)
21. Will there be any change in the e-mail header "Return-Path"?
Yes, please note that there is a change in the e-mail header "Return-Path" / "Envelope-Sender" / "mailfrom" / "Bounce Address". Below are the new values for each DC:
Earlier : dsn@my<tenantNumber>.mail.sapbydesign.com (or) dsn@my<tenantNumber>.mail.sapbyd.cn
Now : Return path will be changed based on your system location:
Frankfurt: ***@eu-central-1.amazonses.com (Example - 0107-66f90629-bef1-4a03-9a38-45fba29b6e70-000000@eu-central-1.amazonses.com)
USA: ***@ca-central-1.amazonses.com (Example - 010d-128d33fc-d10c-4be6-b2d7-65e976db2ffe-000000@ca-central-1.amazonses.com)
China: ***@ap-northeast-1.amazonses.com (Example - 0106-fd47112b-deb5-49a7-a226-dc543064171b-000000@ap-northeast-1.amazonses.com)
Australia: **@ap-southeast-2.amazonses.com (Example - 0108-67acbe3f-2ab8-49f3-8bd2-589a10957f7b-000000@ap-southeast-2.amazonses.com)
ROT: **@eu-west-1.amazonses.com (Example - 0102018322cf2600-40a2f297-59de-45dc-be43-8a6144638e80-000000@eu-west-1.amazonses.com)
22. Is there any limit for maximum number of recipients per e-mail?
Yes, we do have a hard limit of 100 recipients per e-mail and this is not adjustable
23. What are the reasons for generating soft bounce and hard bounce?
Please refer to Note https://launchpad.support.sap.com/#/notes/3257552
24. What is the schedule to switch the systems to New E-Mail host?
Detailed Change scheduled will be communicated via E-mail too:
Data Center | Date |
Shanghai | 18-July-2022 between 18:00 UTC and 22:00 UTC |
Sydney | 27-July-2022 between 15:00 UTC and19:00 UTC |
Colorado Springs, USA | 12-Aug-2022 between 04:00 UTC and 08:00 UTC |
Frankfurt | Between 29-Aug-22 22:00 UTC and 30-Aug-22 02:00 UTC |
ROT (RO2) / Walldorf (WD4) | Switch to New e-mail infra happened as part of migration of your tenant to SAP Converged Cloud (through the SAP Next-Generation Cloud Delivery program) |
For example, in a case where an authority / receiver server blacklists existing mail-from (like *@eu-west-1.amazonses.com / *@*.amazonses.com), you can request a custom mail-from sub domain
When there is a requirement for a custom Mail-From, we would request to follow below procedure:
a.) We need you to create a ticket and provide a subdomain (which is a free text)(something like "<feedback>.<DKIM signed domain>" - a custom subdomain of the DKIM signed domain)
Please note that no DKIM activation is required for the sub-domain if the main/parent domain is already DKIM activated.
b.) Once you provide us the subdomain, we will request our email server team to proceed with the setup
c.), Once we get a confirmation from the e-mail server team that the setup is done, we will revert the ticket to you as you need to maintain the MX record to activate the setup:
example format:
* MX name: <subdomain>.<DKIM signed domain>
* MX value: 10 feedback-smtp.eu-west-1.amazonses.com
This change will not impact the current mail operation.
More information about this topic is documented here - https://docs.aws.amazon.com/ses/latest/dg/mail-from.html
We hope that this article provides clarity on migration of ByDesign customers to the new E-mail infrastructure, which is more reliable and secure.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
User | Count |
---|---|
8 | |
7 | |
7 | |
3 | |
3 | |
3 | |
3 | |
3 | |
3 | |
2 |