SAP Knowledge Base Article - Public

3397415 - FAQs about DKIM activation for a domain for S/4HANA Public Cloud Customer


You have question related DKIM activation for a email domain


S/4HANA Cloud, Public edition


  1. What is DKIM, is it mandatory to do DKIM activation?

    DKIM is an e-mail authentication technique involving a digital signature that allows the receiver to check that an e-mail was sent and authorized by the owner of that domain. The DKIM signature is a header that is added to the message and is secured with encryption. By enabling DKIM you can make sure messages aren't altered in transit between the sending and receiving email servers. It uses public-key cryptography to sign emails with a private key as it leaves a sending email server. Custom domains which are used for internal purposes like workflow item, Purchase order approval, PR approval, etc., should be enabled the DKIM setup. This will ensure that emails sent through your SAP S/4HANA system are secure.

  2. How do I request for a DKIM Key Activation?

    Create a service request for component XX-S4C-OPR-SRV using SAP Support Launchpad.

    As description, use Request to setup and activation of DKIM.

    Use the following template text in the ticket:

    Hello SAP S/4HANA Cloud Operations,
    Please set up and activate DKIM to emails sent from my SAP S/4HANA system.
    SAP S/4HANA Cloud system: Please provide the SIDs or host names or URLs of your SAP S/4HANA Cloud system from which you plan to use DKIM. For example: <>
    I want to enable DKIM for the domain <your domain> and top-level-domain <your top-level-domain>. For example:
    <Your Name>

  3. How the process flow looks like for DKIM Activation?

    Stage 1:

    DKIM key will be generated. Process of DKIM key generation will take approximately 3-4 hours.
    Once the key is generated, Cloud Operations will send the key to customer to update their DNS.
    To update DNS, kindly check with your local network/mail server team for assistance. DNS is unique and we have different DNS providers in the market, hence SAP is not have a control over it.
    We have captured few screenshots based on one of the reference customer’s DNS in SAP note 3231960. Please note that it is only for reference purpose and your DNS settings might be different than the captured one.

    Stage 2:

    Once the DNS is updated, Customer needs to revert back to cloud operations through case to perform profile activation.
    Cloud operations will validate the DNS, if the key and DKIM TXT record is created properly or not. If the validations are successful, we will proceed with profile activation. If we get an error during validation, we will let the customer know about the same through case and  customer needs to correct the same
    Post profile activation, DKIM setup will be completed.
    Process of profile activation will take approximately 3-4 hours.
    Customer can validate the DKIM signing in the “Header” of the mail.

  4. How do I know I have maintained the DKIM key correctly?

    Sometimes it may happen that customer will update only half of the key in their DNS. Actual key should end with "DAQAB". Incase if you are getting an error as 'TXT record should not contains more than 255 characters', then please split the keys in a single TXT record as suggested in the DKIM keys and TXT record limits and please inform your network/mail server team that DKIM keys are 2048 bit. They will help you on this.

  5. How does DKIM ensure email integrity?

    DKIM signs messages with a private key to prevent alteration during transmission between sending and receiving servers.

  6. I am not able to receive emails even after DKIM Key Activation. What should I do?

    If emails are not delivered to regular inbox, you can check respective Junk/spam folder if emails are received there.

    After DKIM Setup, to prevent emails from going into spam please publish SPF Record as per section "4.2.6 Publish SPF Record for Sender Domain" of guide - Setting Up Output Management (1LQ)

    If this is not the case, kindly create a ticket to XX-S4C-OPR-SRV Component and provide below details for the failed email:

    - Sender Address
    - Recipient Address
    - Time
    - Date
    - Subject

  7. What is the resolution if mails are not being received by the recipients which are sent from custom sender domains after mail server migration?

    Please update the DNS with the provided DKIM Key. Customers can refer KBA How to Update the DNS with the provided DKIM Key for detail.

  8. Is it possible to generate 1 K Bit key which are less than 250 characters?

    SAP can generate 1024-bit DKIM key which will be less than 250 characters. But 1024 bit keys are kind of outdated and SAP is not recommending to use it. If you still want to go with 1024 bit key, then there might be security related concerns and SAP won't be responsible for that. Because we are doing this against standards.

    Before generating the 1024 bit key, a screen sharing session will happen with customer to understand the issue, Based on that SAP can ask for internal security approvals to generate 1024 bit key.

See Also

3223182 - Mandatory DKIM setup - SAP S/4HANA Cloud 2208
3223594 - DKIM Enablement in S/4HANA and SMC Systems


DKIM activation, SPF Record, Email delivery     , KBA , XX-S4C-OPR-SRV , S/4HANA Cloud service requests , How To


SAP S/4HANA Cloud all versions