In SAP Business ByDesign you can use e-mail as communication channel in various scenarios communicating with your employees and business partners, and SAP Business ByDesign allows you to configure sender e-mail addresses.
These sender e-mail addresses are subject to authentication checks of modern e-mail infrastructures using security measures such as Domain Keys Identified Mail (DKIM).
As part of our ongoing efforts to incorporate e-mail security and to pre-empt any e-mail spoofing attempts as well as to ensure e-mail delivery in line with commonly used security standards, we are making it mandatory for you - our customers - to enable DKIM on your sender e-mail domains.
Please request to enable DKIM for your e-mail sender domains, please find below more information and procedure:
**Once key is generated and shared it must be maintained within a month, in case no response received for an inactive domain, the same will be removed after a month of generation and can be requested again when needed.**
Please create an incident to SAP Business ByDesign Support providing the below mentioned details.
Subject: Request to enable DKIM for ByD Business e-Mails / Bulk e-mails
Content of the Incident:
Note 1 – In case if you have multiple domains, please provide the complete list. (Including Sub-Domains if any)
Note 2 – A common DKIM key is generated if there are multiple domains.
Note 3 – It is now Mandatory and best practice to not use the domains that are NOT signed with DKIM key for relaying e-mails from your ByD tenant. E-mails will be not be delivered if DKIM is not enabled. (In other words, it is recommended to DKIM sign all sender domains used by a ByD tenant rather than part of the domains)
Note 4 – The DKIM key that will be generated and provided to you is meant for ALL your environments. (Test + Production) (i.e.: the key is independent of your ByD tenant)
The Service Request takes approximately 2 weeks of time for enabling and implementing
NOTE: In case if you have multiple domains, please mention all the domain names, and only one key is provided by default for all the domains. Maintain the same DKIM key for all the domains.
Please use any external tool like https://dkimcore.org/tools/keycheck.html → Provide the “Selector” and “Domain” details → click on button “Check”, You should be seeing a record similar to below (This is a valid DKIM record):
**Once key is generated and shared it must be maintained within a month, in case no response received for an inactive domain, the same will be removed after a month of generation and can be requested again when needed.**
DKIM (Domain Keys Identified Mail) is an e-mail authentication technique that allows the receiver to
check that an email was indeed send and authorized by the owner of that domain. This is done by
giving the email a digital signature. This DKIM signature is a header that is added to the message and is secured with encryption.
2. More details about e-mail Authentication (SPF, DKIM)
The solution includes support for validating and performing email authentication with SPF (Sender policy framework) and DKIM (Domain key signing). While SPF is a DNS txt record which publishes trusted outbound IP for the given domain, DKIM requires to sign each message with a proper key that matches the sending domain within the message body. The Email service allows to configure DKIM keys and profiles to perform that action for all customers whereas DKIM profiles are being used.
3. How to check if e-mail messages sent from SAP Business ByDesign Tenant is DKIM signed, and for which domain is it DKIM signed?
Check the mail headers: “header.i”, “header.s”, “header.from” of the received E-Mail, in the section “Authentication-Results”: In this section we should see the domain and selector details of the DKIM key.
4. Can customer choose their own selector while requesting a DKIM key?
A standard and unique selector is provided for each customers domain(s) so it is not possible to deliver the DKIM keys with custom selectors that are requested by Customers
5. Is DKIM Key enabled by default for your sender domain during the migration to new E-Mail infra?
No, an explicit request has to be created for DKIM key creation for your sender domains which are used for relaying Business e-mails / Bulk e-mails from your SAP Business ByDesign tenant
6. Is the same DKIM key valid for both test environment and production environment?
Yes, the same key is valid for both the environments Production and Test.
7. How SAP is handling private keys so that they are protected and not misused? And what is the plan if key is compromised
The secrets are stored in the email service without the ability to retrieve them.
If a private key is compromised, then SAP will inform the customer and generate a new DKIM key and update the customer (same process as mentioned above in the overview of execution steps).
8. If the e-mails are sent with DoNotReply@myxxxxxx.mail.sapbydesign.com address that is registered in the Default Sender Address, should you still request DKIM
No, not needed. DKIM should be requested for all the domains that you own and are used to send e-mails from BYD application
Conclusion:
We hope that this article provides clarity on how to get your sender domains DKIM enabled, which is more reliable and secure.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
User | Count |
---|---|
6 | |
5 | |
4 | |
4 | |
3 | |
3 | |
3 | |
3 | |
3 | |
3 |