Next-Generation Cloud Delivery transition – New Business ByDesign E-mail Infrast...

Background

SAP is going to change the e-mail infrastructure used for business e-mails sent from SAP Business ByDesign (ByD).

What are the upcoming changes?

With transition to the new e-mail infrastructure, the sending server IP used to deliver e-mails sent from ByD will change.

It is now Mandatory to have DKIM enabled for your sender domains, please refer to https://blogs.sap.com/2022/01/18/dkim-enablement-for-sender-domains-byd/ for more details on how to request enabling DKIM for your sender domains

What remains unchanged?

All other e-mail properties remain unchanged. This applies specifically to

1. Envelope-from (for example [email protected])
2. Sender e-mail address (e-mail from-header) taken from your business configuration or master data settings in ByD (for example [email protected])

Note: These changes are not relevant for bulk e-mails in context of marketing campaigns sent from ByD, which already supports DKIM functionality.

What does this mean for you?

• SAP takes care to create SPF records for your ByD tenants.
• In case you set IP whitelisting for receiving E-Mails in your Infrastructure or SPF records that you created in your own DNS or in case if you have any throttling on your E-Mail server based on IP address, then you need to take action. Please refer to FAQ section below
• For enabling DKIM for your sender Domain(s), please refer to https://blogs.sap.com/2022/01/18/dkim-enablement-for-sender-domains-byd/

________________________________________________________________________________

                                                      Current Behavior

There are two types of E-mail scenarios in Business ByDesign:

Business E-Mails – E-mail messages sent through Ticket, customer invoice, order confirmation, etc. are all referred to business e-mail scenarios

•  Business E-Mails are relayed from ByD (SAP Network) – CISCO Mail device (SAP Network) – Recipients
•  Business E-Mails will be enabled with SPF policy by default
•  Business E-Mails are sent through these IP range/address – 155.56.208.100/30, 157.133.97.216/30, 169.145.66.70/31,169.145.66.72/31
•  SPF record for the business mails are updated on the technical from/Mail From/Envelop-From address, which is always [email protected] or [email protected]
• Example: SPF record for domain: myXXXXXX.mail.sapbydesign.com or myXXXXXX.mail.sapbyd.cn would look like: “v=spf1 include:_spf.cmail.ondemand.com ~all“
•  Business E-Mails are sent with DKIM key signed – This is done based on “Explicit Request“

Bulk/Mass E-Mails: E-mail messages sent through Marketing/Campaign are referred as Bulk/Mass E-Mail

• Bulk E-mails are relayed from ByD (SAP Network) – Bulk Mail Service Provider – Recipients
• Bulk E-Mails are enabled with DKIM policy
• Bulk E-Mails are sent through this IP address/range – 213.61.69.122/32, 193.169.180.0/23, 212.45.106.160/27, 91.229.178.0/23, 91.241.72.0/22
• DKIM key is enabled for a customer sender domain and tenant based on request

Note – There are different service providers for business mail and for bulk mail.

________________________________________________________________________________

                                                       New Behavior

Business E-Mails – E-mail messages sent through Ticket, customer invoice, order confirmation, etc. are all referred to business e-mail scenarios

• It is now Mandatory to have DKIM enabled for your Domains, please refer to https://blogs.sap.com/2022/01/18/dkim-enablement-for-sender-domains-byd/ for more details on how to request enabling DKIM. Outbound e-mails sent from SAP Business ByDesign using sender e-mail domains that are not DKIM signed can no longer be delivered to e-mail recipients
• Business E-Mails are relayed from ByD (SAP Network) – Cronus (Hosted in SAP Network) – AWS (Hosted in Internet) – Recipients
•  Business E-Mails will be enabled with SPF policy by default
•  Business E-Mails are sent through these IP range/address – 199.255.192.0/22 , 199.127.232.0/22 , 54.240.0.0/18 , 69.169.224.0/20 , 23.249.208.0/20 , 23.251.224.0/19 , 76.223.176.0/20 , 54.240.64.0/19 , 54.240.96.0/19 , 52.82.172.0/22
•  SPF record for the business mails are updated on the technical from/Mail From/Envelop-From address, which is always [email protected] or [email protected]. Example: SPF record for domain: myXXXXXX.mail.sapbydesign.com or myXXXXXX.mail.sapbyd.cn would look like: “v=spf1 include:_spf.cmail.ondemand.com include:amazonses.com ~all“

SPF Maintenance:

This section is only relevant if the DMARC for SPF is maintained as strict for your sender domain(s).
In this case, please maintain below SPF record for your sender Domain which you are going to use in ByD.
“v=spf1 include:_spf.cmail.ondemand.com include:amazonses.com ~all”

Bulk/Mass E-Mails – The bulk E-Mail scenario remains the same for now.

FAQ’s:

1. Regarding DKIM enablement for sender domains – Any further action required from customers who had already enabled DKIM for their sender domains?

No action required from customers who had already enabled DKIM for their sender domains. You can continue to use the same DKIM keys which were provided by SAP

2. How to request DKIM key for your E-Mail sender domain address?

Please refer to https://blogs.sap.com/2022/01/18/dkim-enablement-for-sender-domains-byd/ for more details on how to request enabling DKIM. Outbound e-mails sent from SAP Business ByDesign using sender e-mail domains that are not DKIM signed can no longer be delivered to e-mail recipients

3. What is DKIM and Advantages of enabling DKIM key for Business Mails?

DKIM (Domain Keys Identified Mail) is an e-mail authentication technique that allows the receiver to check that an email was indeed send and authorized by the owner of that domain. This is done by giving the email a digital signature. This DKIM signature is a header that is added to the message and is secured with encryption.

• • Implementing DKIM will improve email deliverability
  • Prevents from E-mail spoofing
  • Makes mails trustworthy

4. What is SPF and Advantages of enabling SPF record for Business Mails?

The Sender Policy Framework (SPF) is an email-authentication technique which is used to prevent spammers from sending messages on behalf of your domain. The SPF record is checked on “Envelope-From/Mail-From/Technical Sender” address

By enabling this it is determined which e-mail servers are authorized to relay an e-mail.

5. SPF and DKIM policies are checked on which domains for Outbound Mail Scenario?

These checks are done at recipient Mail Server. In general, e-mails sent from SAP Business ByDesign application have headers similar to the following:
SPF Check is done on – “Envelop-From” address
DKIM Check is done on – “From Address”
++++++
From Address – Customer’s sender domain (example: test.com, abc.uk)
Envelop-From Address in ByD applications will always be: [email protected] / [email protected]
Recipient Address: <Independent details>
Subject: <Independent details>
++++++

6. How to check if e-mail messages sent from SAP Business ByDesign Tenant is DKIM signed, and for which domain is it DKIM signed?

Check the mail headers: “header.i”, “header.s”, “header.from” of the received E-Mail, in the section “Authentication-Results”: In this section we should see the domain and selector details of the DKIM key.

7. Can customer choose their own selector while requesting a DKIM key?

A standard and unique selector is provided for each customers domain(s) so it is not possible to deliver the DKIM keys with custom selectors that are requested by Customers

8. Is DKIM Key enabled by default for your sender domain during the migration to new E-Mail infra

No, an explicit request has to be created for DKIM key creation for your sender domains which are used for relaying Business Mails from your SAP Business ByDesign tenant

9. Is the same DKIM key valid for both test environment and production environment?

Yes, the same key is valid for both the environments Production and Test

10. E–mails sent with this domain “[email protected]” / “[email protected]” are signed with DKIM key?                                

Yes, E-mails sent with this domain are not signed with DKIM key

11. If the e-mails are sent with [email protected] address that is registered in the Default Sender Address, should you still request DKIM

No, not needed. DKIM should be requested for all the domains that you own and are used to send e-mails from BYD application

12. What if customer doesn’t want DKIM enabled for their sender domain

Outbound business e-mails sent from your SAP ByD tenant using sender e-mail domains that are not DKIM signed can no longer be delivered to e-mail recipients

13. Can the “Envelop-From” address be overwritten to the same as “From Address”

NO, this is not possible and not supported in SAP Business ByDesign

14. Are there any Exception domains for which DKIM key cannot be created from our side?

DKIM key cannot be created for following Domains: gmail.com, yahoo.com, Hotmail.com, outlook.com, sap.com

15. What is the IP address through which E-Mails are sent from your ByD tenant?

Following are the IP address through which your E-Mails will be sent from your ByD tenant: 199.255.192.0/22 , 199.127.232.0/22 , 54.240.0.0/18 , 69.169.224.0/20 , 23.249.208.0/20 , 23.251.224.0/19 , 76.223.176.0/20 , 54.240.64.0/19 , 54.240.96.0/19 , 52.82.172.0/22

16. What are the attachment types that are “NOT Allowed” at our e-mail server?

E-mails containing one of the following file types currently fall into the category “dangerous attachment”:
ade, adp, app, asp, bas, bat, bhx, cab, ceo, chm, cmd, com, cpl, crt, csr, der, exe, fxp, hlp, hta, inf, ins, isp, its, js, jse, lnk, mad, maf, mag, mam, mar, mas, mat, mde, mim, msc, msi, msp, mst, ole, pcd, pif, reg, scr, sct, shb, shs, vb, vbe, vbmacros, vbs, vsw, wmd, wmz, ws, wsc, wsf, wsh, xxe, docm, xlsm
This also applies if attachments with these extensions are found in the following (password-protected) archives:
arj, cab, jar, lha, rar, tar, zip, gz

17. What is the size limit of an Outbound and Inbound E-mail sent/received at SAP Business ByDesign application?

Mail size can be maximum of 25MB (Including attachments)

18. Can the customer point their ByD tenant to their own Mail infrastructure?

NO, this is not possible and not supported in SAP Business ByDesign

19. How SAP is handling private keys so that they are protected and not misused? And what is the plan if key is compromised

The secrets are stored in the email service without the ability to retrieve them.

If a private key is compromised, then SAP will inform the customer and generate a new DKIM key and update the customer (same process as mentioned above in the overview of execution steps).

20. What is the schedule to switch the systems to New E-Mail host?          

Detailed Change scheduled will be communicated via E-mail:

Data Center	Test Systems	Production Systems
Shanghai
Sydney
Colorado Springs, USA
Frankfurt

Conclusion:

We hope that this article provides clarity on migration of ByD customers to the new E-mail infrastructure, which is more reliable and secure.