SAP Knowledge Base Article - Public

3286675 - ARCHIVED: Differences between DKIM for Mass E-mails and Business Mails

Symptom

You need to send outbound e-mails from your tenant but you don't know which activation is needed, or you have read that DKIM is needed but you are not sure what to request from SAP support.

"Image/data in this KBA is from SAP internal systems, sample data, or demo systems. Any resemblance to real data is purely coincidental."

Environment

SAP Business ByDesign

Resolution

Definition:

  • DKIM stands for "DomainKeys Identified Mail" and is used to certify that an e-mail was authorized and sent by the owner of the domain. Business ByDesign uses this technique to sign Mass E-mails and Business Mails.

Usage:

  • Mass E-mails: This is the activation needed when you plan to use a subdomain for the functionalities on the "Sales Campaign" Work Center. 
  • Business E-mails: This is the activation needed for e-mails that are sent as notifications from your Tickets, Sales Quotes, Visits and any other functions which generate an e-mail within the system.

Mass E-mail Activation: 

Add the public DKIM key to your DNS (Domain Name System). Ask your network administrator to perform this task, following the steps below.

     a. Create an entry for your sub-domain in your DNS with the following structure:

               mailing._domainkey.[ subdomain ].[ domain ].[ tld ]

        For the example sub-domain, the entry is created with this structure:

               mailing._domainkey.news.bankarc.com

     b. Insert the TXT record below for your sub-domain into your DNS.

k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCfvgMo245lekN+eHQipbDcEzEzAYtWg3/OAvp66FLqRnF29yG/rUddTjFhA+KgZ5F3kXqK/ksX3N+oVFh150zZRc9HNxbJNdTeb/m+EKMpwjiejL9mb8yuJo36QqEsgz5NohU8jBj10vNhkdnsjhLumO/VJQ/LiU78kOvJsT+EEwIDAQAB;

Attention: The public DKIM key might be truncated in translated versions of this KBA, so please use only the key from the original English version.
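A local check of the TXT value before it goes into DNS, as an added example that is not SAP code: it rejects a record whose p= key contains a line break or was truncated, and reads the RSA modulus size out of the DER-encoded key. The function names are illustrative; the record is the one printed in step b.

```python
import base64
import binascii

# TXT value from step b of this article, kept on a single line.
SAP_RECORD = "k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCfvgMo245lekN+eHQipbDcEzEzAYtWg3/OAvp66FLqRnF29yG/rUddTjFhA+KgZ5F3kXqK/ksX3N+oVFh150zZRc9HNxbJNdTeb/m+EKMpwjiejL9mb8yuJo36QqEsgz5NohU8jBj10vNhkdnsjhLumO/VJQ/LiU78kOvJsT+EEwIDAQAB;"

def read_der(buf, pos):
    """Read one DER element at pos and return (content, next position)."""
    if pos + 2 > len(buf):
        raise ValueError("key data ends early")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("key data ends early")
    return buf[pos:pos + length], pos + length

def rsa_key_bits(record):
    """Return the RSA modulus size in bits of the p= key, or raise ValueError."""
    tags = dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)
    key = tags.get("p", "")
    if not key:
        raise ValueError("p= is missing or empty")
    if any(c.isspace() for c in key):
        raise ValueError("line break or space inside p=")
    try:
        der = base64.b64decode(key, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"p= is not complete base64: {exc}") from None
    spki, _ = read_der(der, 0)                # SubjectPublicKeyInfo SEQUENCE
    _, pos = read_der(spki, 0)                # AlgorithmIdentifier, skipped
    bit_string, _ = read_der(spki, pos)       # BIT STRING holding the RSA key
    rsa_key, _ = read_der(bit_string[1:], 0)  # drop the unused-bits byte
    modulus, _ = read_der(rsa_key, 0)         # first INTEGER is the modulus n
    return int.from_bytes(modulus, "big").bit_length()

if __name__ == "__main__":
    print(rsa_key_bits(SAP_RECORD), "bit RSA key")
```

For the key in step b, `rsa_key_bits` returns 1024; RFC 8301 sets 1024 bits as the minimum for DKIM signing keys and recommends at least 2048.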

Note:

1. Make sure there are no line breaks when inserting the above DKIM key into your DNS. It is spread over two lines in this documentation.

2. Documentation on Help Center for “Activation of Mass E-Mail” contains the public DKIM key and the steps above to add it on your DNS.

3. To test whether the DKIM key has been added to your DNS, follow the steps below:

     a. Go to DKIM Core in your browser.

     b. Enter the values in the form that opens.

     Consider the example we saw above (mailing._domainkey.news.example.com).

  • Enter ‘mailing’ as your Selector.
  • Enter your sub-domain where you have inserted your DKIM record. Here in our example ‘news.example.com’
  • Click on button ‘Check’
  • If the DKIM key is inserted correctly, we would get the below message.

[Screenshot: DKIM Core check result (2024-01-31_10-33-28.png)]

4. Repeat the above steps for all sub-domains if more than one sub-domain is to be used for Mass E-mailing.

5. Open the E-mail and Fax Setting Fine Tune activity and maintain all the sub-domains in the list on the view Activation of Mass E-Mail.

6. Once these steps are completed, inform SAP so that Mass E-mailing can be activated on your tenant for your sub-domains. To do so, raise an incident for every sub-domain with the subject and text below.

Subject: Activate mass e-mail

Text: Activate DKIM sending process for sub-domain <your sub-domain>

7. SAP will check whether you have inserted the DKIM record for the sub-domain. If the entry does not seem correct, they will reply accordingly.

8. SAP also asks for some basic information about your Mass E-mailing in order to enable it for you, e.g.:

     a. What is the mailing type? Alarm/ News/ Updates?

     b. Who are the recipients? Customers? Partners? Interested people?

     c. Estimated mail volume? i.e. estimated mails sent per month.

9. Once they confirm that you have performed all the pre-requisites to activate the Mass E-mailing, they initiate the Mass E-mail Activation for your sub-domain on your tenant.

10.  After the activation of mass e-mailing, test it by creating a test Marketing Campaign to the recipients where you can check the delivery of the e-mail.

     a. If the test e-mail was not delivered to the recipient’s mail box, re-open the incident.

     b. If the test e-mail was delivered successfully, the activation of mass e-mail is completed.

Business Mail Activation:

Solution

To ensure that your emails are delivered without any disruptions, you need to meet the following new conditions:

  • Mandatory: Set up DKIM (DomainKeys Identified Mail) for all sending domains
  • Optional: Set up DMARC (Domain-based Message Authentication, Reporting, and Conformance) for email authentication

We advise you to set up a DMARC policy, but it is not mandatory for sending out emails.

DKIM setup 

To ensure the security of your sender identity and improve email deliverability, it is essential to configure SPF (Sender Policy Framework) and DKIM for all sending domains.

Note: We have already completed the required actions to activate SPF checks for all outbound emails. For the configuration of DKIM, the following three initial TXT records for DKIM keys pertaining to your tenant have been created and published:

  • c4c-busi-my<123456>-1.c4cdkim.crm.ondemand.com
  • c4c-busi-my<123456>-2.c4cdkim.crm.ondemand.com
  • c4c-busi-my<123456>-3.c4cdkim.crm.ondemand.com

Please be aware that the three TXT records above serve merely as examples for your guidance. The initial segment of each of these hostnames is the selector for your DKIM records. Substitute the placeholder <123456> with your unique Tenant ID. Be sure to omit the angle brackets "<>" when you replace it, as they are not part of the string. Also, if the domain of your tenant's URL differs from the one stated above, replace the domain component of the hostnames with your actual domain, as shown in the following examples:

  • c4cdkim.crm.ondemand.com (as stated in the above-mentioned example)
  • c4cdkim.c4c.cloud.sap
  • c4cdkim.c4c.sapcloud.cn
  • c4cdkim.c4c.saphybriscloud.cn

Perform the following steps to enable DKIM:

  1. Identify all the domains and subdomains on each tenant that you use for sending out emails with SAP Sales and Service Cloud. This includes all domains used as the "From:" address in your SAP Sales and Service Cloud emails. For example, if you send emails from user@example.com and user@sample.com for the tenant <my123456>, your domains would be example.com and sample.com. If you send emails from user@test.example.com for the tenant <my456789>, your domain would be test.example.com.

Note: If you have not yet configured your own domains on your C4C tenants to send outbound emails, it is recommended to choose one of your own domains for each tenant. After assigning the domains, proceed to activate DKIM for each domain. Following the activation of DKIM, proceed to configure the domains for every tenant as promptly as possible.

  2. In your DNS Server or Service Portal, create three CNAME records for every domain associated with each tenant and link these records to the three initial TXT records mentioned above.

The keys of the three CNAME records for each domain would resemble the following:

    • c4c-busi-my<123456>-1._domainkey
    • c4c-busi-my<123456>-2._domainkey
    • c4c-busi-my<123456>-3._domainkey

The values of the three CNAME records would resemble the following:

    • c4c-busi-my<123456>-1.c4cdkim.crm.ondemand.com
    • c4c-busi-my<123456>-2.c4cdkim.crm.ondemand.com
    • c4c-busi-my<123456>-3.c4cdkim.crm.ondemand.com

Note: Replace the placeholders <123456> with your <Tenant ID> in key and value, and if the domain component in the value differs from your tenant's real domain, replace it with your real domain.

  3. If the CNAME records for each domain are generated correctly, they should appear similar to the following CNAME record examples. These examples display the comprehensive list of CNAME entries for the domains mentioned in step 1. Validate the entries with your network admin before applying them to your DNS Server:
    • c4c-busi-my<123456>-1._domainkey.example.com 3600 IN CNAME c4c-busi-my<123456>-1.c4cdkim.crm.ondemand.com
    • c4c-busi-my<123456>-2._domainkey.example.com 3600 IN CNAME c4c-busi-my<123456>-2.c4cdkim.crm.ondemand.com
    • c4c-busi-my<123456>-3._domainkey.example.com 3600 IN CNAME c4c-busi-my<123456>-3.c4cdkim.crm.ondemand.com
    • c4c-busi-my<456789>-1._domainkey.test.example.com 3600 IN CNAME c4c-busi-my<456789>-1.c4cdkim.crm.ondemand.com
    • c4c-busi-my<456789>-2._domainkey.test.example.com 3600 IN CNAME c4c-busi-my<456789>-2.c4cdkim.crm.ondemand.com
    • c4c-busi-my<456789>-3._domainkey.test.example.com 3600 IN CNAME c4c-busi-my<456789>-3.c4cdkim.crm.ondemand.com
    • c4c-busi-my<123456>-1._domainkey.sample.com 3600 IN CNAME c4c-busi-my<123456>-1.c4cdkim.crm.ondemand.com
    • c4c-busi-my<123456>-2._domainkey.sample.com 3600 IN CNAME c4c-busi-my<123456>-2.c4cdkim.crm.ondemand.com
    • c4c-busi-my<123456>-3._domainkey.sample.com 3600 IN CNAME c4c-busi-my<123456>-3.c4cdkim.crm.ondemand.com
  4. Create an incident with the SAP Sales Cloud and SAP Service Cloud Product Support team with the following details:
    1. In the Subject field, enter 'Request to activate DKIM for <customer name> in accordance with SAP note:3424159'
    2. Specify that you want to enable DKIM for business emails
    3. Provide the complete list of domains you have used for each tenant in your SAP Sales and Service Cloud for sending business mails. For example:
      1. On tenant my<123456>.crm.ondemand.com, example.com and sample.com domains are used
      2. On tenant my<456789>.crm.ondemand.com, test.example.com domain is used
  5. Wait for a response from our Product Support team. SAP will validate your configurations and reply with further instructions if needed.
  6. Once you receive a response from our support team, carefully follow any instructions provided by them.

After completing the settings in the DNS, validate them with both of these external tools:

  • https://dkimcore.org/tools/
  • https://dnschecker.org

Selector: c4c-busi-my12345-1

Domain: XXXXXXX.com

In the selector, replace 12345 with your tenant ID.
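A lint for the CNAME entries described above, run on the zone lines before they are published, as an added example that is not SAP code: it flags leftover angle brackets, selectors that do not match the tenant ID, targets that are not the matching record in one of the four zones listed in this article, and missing selectors. The function name, the digits-only tenant ID pattern and the sample zone lines are assumptions made for illustration.

```python
import re

# Target zones this article lists for the SAP-hosted DKIM TXT records.
SAP_ZONES = {"c4cdkim.crm.ondemand.com", "c4cdkim.c4c.cloud.sap",
             "c4cdkim.c4c.sapcloud.cn", "c4cdkim.c4c.saphybriscloud.cn"}
# Assumption: tenant IDs are digits only, as in the article's <123456> placeholder.
SELECTOR = re.compile(r"c4c-busi-my(\d+)-([123])")

def lint_cnames(zone_text, tenant_id, domain):
    """Return a list of problems in the DKIM CNAME lines for one sending domain."""
    problems, seen = [], set()
    suffix = "._domainkey." + domain.lower()
    for line in zone_text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[2:4] != ["IN", "CNAME"]:
            continue                              # not a "name ttl IN CNAME target" line
        owner, target = (f.lower().rstrip(".") for f in (fields[0], fields[4]))
        if not owner.endswith(suffix):
            continue                              # belongs to another sending domain
        if "<" in line or ">" in line:
            problems.append(f"{owner}: angle brackets left in the record")
            continue
        m = SELECTOR.fullmatch(owner[:-len(suffix)])
        if not m or m.group(1) != tenant_id:
            problems.append(f"{owner}: selector does not match tenant {tenant_id}")
            continue
        seen.add(m.group(2))
        selector, _, zone = target.partition(".")
        if selector != m.group(0) or zone not in SAP_ZONES:
            problems.append(f"{owner}: target {target} is not the matching SAP record")
    for n in sorted({"1", "2", "3"} - seen):
        problems.append(f"missing CNAME for selector c4c-busi-my{tenant_id}-{n}")
    return problems

# Constructed zone lines; tenant 123456 and example.com are placeholders.
SAMPLE = """\
c4c-busi-my123456-1._domainkey.example.com 3600 IN CNAME c4c-busi-my123456-1.c4cdkim.crm.ondemand.com
c4c-busi-my<123456>-2._domainkey.example.com 3600 IN CNAME c4c-busi-my<123456>-2.c4cdkim.crm.ondemand.com
c4c-busi-my123456-3._domainkey.example.com 3600 IN CNAME c4c-busi-my123456-2.c4cdkim.crm.ondemand.com
"""

if __name__ == "__main__":
    for problem in lint_cnames(SAMPLE, "123456", "example.com"):
        print(problem)
```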

DMARC Setup

DMARC is used for email authentication. You need to set up DMARC for sending business emails after activating DKIM. Perform the following steps to set up DMARC:

Prerequisite

Ensure that you activate DKIM before you set up DMARC.

  1. Create TXT records in your DNS Servers for DMARC and align them with your network and security experts. The following are examples of a non-impacting DMARC entry on your DNS Server for all used domains:

     Domain                DNS Entry
     _dmarc.example.com.   3600   IN     TXT      "v=DMARC1;p=none;pct=100;rua=mailto:dmarc@example.com;aspf=r;fo=1;adkim=r;"
     _dmarc.sample.com.    3600   IN     TXT      "v=DMARC1;p=none;pct=100;rua=mailto:dmarc@sample.com;aspf=r;fo=1;adkim=r;"

Note: You need to adjust the above DNS entries to match your specific values, such as the domain names, email addresses, and other DMARC parameters.

  2. Ensure that the email addresses specified in the DMARC statement behind "rua=" (reporting URI) are valid and monitored by your organization. These addresses will receive DMARC reports from receiving mail servers.
  3. Before applying the DMARC records to your DNS Servers, validate the above suggestions with your network administrator to ensure they align with your network infrastructure and security requirements.
  4. Once you have confirmed the accuracy of the DMARC records, apply them to your DNS Server. This will enable DMARC protection for your domains.
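A review of the DMARC TXT values above before they are published, as an added example that is not SAP code: it checks the tag rules from RFC 7489 and flags an rua= mailbox outside the protected domain, which receivers only use if that outside domain publishes the authorization record described in RFC 7489 section 7.1. The function names and the vendor.example.net record are constructed for illustration, and the same-organization test is a suffix comparison rather than a public suffix list lookup.

```python
def same_org(a, b):
    """Approximate 'same organizational domain' without a public suffix list."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)

def review_dmarc(domain, txt):
    """Return findings for the TXT value published at _dmarc.<domain>."""
    pairs = [tuple(s.strip() for s in t.split("=", 1))
             for t in txt.strip().strip('"').split(";") if "=" in t]
    if not pairs or (pairs[0][0].lower(), pairs[0][1]) != ("v", "DMARC1"):
        return ["v=DMARC1 must be the first tag, otherwise the record is ignored"]
    tags, notes = {k.lower(): v for k, v in pairs}, []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        notes.append(f"p={policy!r} is not a valid policy")
    elif policy == "none":
        notes.append("p=none: monitoring only, receivers are asked to take no action")
    pct = tags.get("pct", "100")
    if not (pct.isdigit() and int(pct) <= 100):
        notes.append(f"pct={pct!r} must be an integer from 0 to 100")
    if not tags.get("rua"):
        notes.append("no rua= address: aggregate reports will not be sent anywhere")
    for uri in filter(None, (u.strip() for u in tags.get("rua", "").split(","))):
        scheme, _, addr = uri.partition(":")
        if scheme.lower() != "mailto" or "@" not in addr:
            notes.append(f"rua entry {uri!r} is not a mailto: address")
            continue
        # A report URI may carry a "!size" suffix after the address; drop it.
        rua_domain = addr.split("!")[0].rpartition("@")[2].lower()
        if not same_org(rua_domain, domain.lower()):
            notes.append(f"external rua: {rua_domain} must publish a TXT record at "
                         f"{domain.lower()}._report._dmarc.{rua_domain}")
    return notes

# The article's example record, plus a constructed one with a third-party mailbox.
ARTICLE_RECORD = '"v=DMARC1;p=none;pct=100;rua=mailto:dmarc@example.com;aspf=r;fo=1;adkim=r;"'
EXTERNAL_RECORD = "v=DMARC1; p=none; rua=mailto:reports@vendor.example.net"

if __name__ == "__main__":
    for record in (ARTICLE_RECORD, EXTERNAL_RECORD):
        print(review_dmarc("example.com", record))
```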

Refer to the FAQ section in SAP Note 3444997 for further information.



See Also

To check the two activations in detail, please refer to blogs below:

Keywords

Bulk Mail, Campaign E-mail, E-mail Blast , KBA , dkim , dkim key , LOD-CRM-ADM , Administration UI , How To

Product

SAP Business ByDesign all versions