Symptom
Enable DKIM and optionally DMARC for all your C4C email sending domains. More and more email ISPs/ESPs are rolling out new, stringent e-mail sender guidelines that enforce stricter e-mail authentication checks on DKIM and DMARC. SAP has already rolled out a guideline to send all outbound emails only DKIM signed.
Follow the process described in KBA 3424159 to enable DKIM and optionally DMARC for all your C4C business e-mails.
Environment
SAP Cloud for Customer.
Resolution
What it means for the customer:
SAP has implemented all the required steps to activate SPF checks for all outbound emails. Customers should follow the process to enable DKIM and DMARC for their business e-mail and mass e-mail.
Below are some important terminologies used.
1. Sender Policy Framework (SPF) - Sender Policy Framework (SPF) is an e-mail authentication technique that is used to prevent spammers from sending messages on behalf of your domain.
This gives you the ability to specify which e-mail servers are permitted to send email on behalf of your domain. SAP creates an SPF record for all SAP Cloud for Customer tenants using the CISCO mail device.
2. Domain Keys Identified Mail (DKIM) - Domain Keys Identified Mail (DKIM) is a signature-based e-mail authentication technique involving a digital signature that allows the receiver to check that an e-mail was sent and authorized by the owner of that domain.
The DKIM signature is a header that is added to the message and is secured with encryption. SAP recommends that sender domains used in your SAP solution are DKIM signed. Administrators must explicitly request a unique DKIM key from SAP.
Users send business e-mails when they work with tickets, accounts, appointments, visits, sales quotes, workflow notifications, or similar objects in the SAP solution.
3. Domain-Based Message Authentication, Reporting, and Conformance (DMARC) - DMARC is an e-mail validation system designed to protect your company’s e-mail domain from being used for e-mail spoofing, phishing scams, and other cybercrimes.
DMARC leverages the existing e-mail authentication techniques such as Sender Policy Framework (SPF) and Domain Keys Identified Mail (DKIM). A message sent without DKIM or SPF can be considered suspicious by the different e-mail analysis tools.
DMARC adds an important function: reporting. When a domain owner publishes a DMARC record in their DNS, they gain insight into who is sending e-mail on behalf of their domain. This information can be used to get detailed information about the e-mail channel. Domain owners can use this information to get control over the e-mail sent on their behalf.
DMARC helps e-mail receivers determine if the purported message aligns with what the receiver knows about the sender. If not, DMARC includes guidance on how to handle the non-aligned messages.
Frequently asked questions on the new process to enable DKIM and DMARC for business emails:
1. What does the notification mean for the customer?
Ans: As per KBA 3424159, the customer should create 3 CNAME records for every domain associated with each tenant in their DNS server or service portal.
We have already completed the required actions to activate SPF checks for all outbound emails. For the configuration of DKIM, the following three initial TXT records for DKIM keys pertaining to your tenant have been created and published:
c4c-busi-my<123456>-1.c4cdkim.crm.ondemand.com
c4c-busi-my<123456>-2.c4cdkim.crm.ondemand.com
c4c-busi-my<123456>-3.c4cdkim.crm.ondemand.com
Please be aware that the three TXT records above serve merely as examples for your guidance. The initial segment of each of these three hostnames is the selector for your DKIM records. Substitute the placeholder <123456> with your unique Tenant ID. Be sure to omit the angle brackets "<>" during the replacement, as they are not part of the string.
2. How can the customer validate if they have maintained the DKIM from their end?
Ans: Use the tool : https://dkimcore.org/tools/
Selector : c4c-busi-my<123456>-1
Note: replace <123456> with the real tenant ID of the customer.
Domain : enter your domain
For the first CNAME record this tool will return a green signal, whereas for the 2nd and 3rd records it will show an error, which is expected behavior. It is nevertheless mandatory to maintain 3 CNAME records for each domain.
3. Is it mandatory to maintain 3 CNAME records for every domain?
Ans: Yes, for each domain on each tenant, 3 CNAME records should be created. If the domain is used on 2 tenants, then 6 CNAME records should be created.
Example of CNAME record that should be maintained for each of your domains :
CName1
Name > c4c-busi-my<123456>-1._domainkey
Value > c4c-busi-my<123456>-1.c4cdkim.crm.ondemand.com
CName2
Name > c4c-busi-my<123456>-2._domainkey
Value > c4c-busi-my<123456>-2.c4cdkim.crm.ondemand.com
CName3
Name > c4c-busi-my<123456>-3._domainkey
Value > c4c-busi-my<123456>-3.c4cdkim.crm.ondemand.com
Note: Replace the placeholders <123456> with your <Tenant ID> in name and value.
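The following Python example is added here and is not SAP's code or part of the KBA. It builds the three expected CNAME records per domain and tenant from the naming scheme above and compares them with the records you observed in DNS. The function names and the sample data are constructed for illustration.

```python
# Added example: audit DKIM CNAME records for C4C tenants (not SAP code).
DKIM_TARGET_ZONE = "c4cdkim.crm.ondemand.com"  # from the record values in this KBA
SELECTOR_COUNT = 3                              # three CNAMEs per domain per tenant

def norm(name):
    """Lower-case and drop the trailing root dot so DNS names compare equal."""
    return name.strip().rstrip(".").lower()

def expected_cnames(tenant_id, domain):
    """Return {owner name: CNAME target} for one domain on one tenant."""
    records = {}
    for n in range(1, SELECTOR_COUNT + 1):
        selector = f"c4c-busi-my{tenant_id}-{n}"  # tenant ID without angle brackets
        owner = norm(f"{selector}._domainkey.{domain}")
        records[owner] = f"{selector}.{DKIM_TARGET_ZONE}"
    return records

def audit(tenant_domains, observed):
    """Compare observed CNAMEs with the expected set.

    tenant_domains: {tenant_id: [domain, ...]}
    observed: {owner name: CNAME target}, e.g. from `dig +short CNAME <name>`
    Returns a sorted list of (owner, problem); an empty list means all are in place.
    """
    seen = {norm(k): norm(v) for k, v in observed.items()}
    findings = []
    for tenant_id, domains in tenant_domains.items():
        for domain in domains:
            for owner, target in expected_cnames(tenant_id, domain).items():
                if owner not in seen:
                    findings.append((owner, "missing"))
                elif seen[owner] != target:
                    findings.append((owner, f"wrong target: {seen[owner]}"))
    return sorted(findings)

# Constructed sample data: tenant 123456 sends from example.com and sample.com.
TENANTS = {"123456": ["example.com", "sample.com"]}
OBSERVED = {
    "c4c-busi-my123456-1._domainkey.example.com.": "c4c-busi-my123456-1.c4cdkim.crm.ondemand.com.",
    "c4c-busi-my123456-2._domainkey.example.com.": "c4c-busi-my123456-2.c4cdkim.crm.ondemand.com.",
    "C4C-BUSI-MY123456-3._domainkey.example.com.": "c4c-busi-my<123456>-3.c4cdkim.crm.ondemand.com.",
    "c4c-busi-my123456-1._domainkey.sample.com.": "c4c-busi-my123456-1.c4cdkim.crm.ondemand.com.",
}

if __name__ == "__main__":
    for owner, problem in audit(TENANTS, OBSERVED):
        print(f"{owner}: {problem}")
```

This checks only that each CNAME exists and points to the expected target; it does not validate the published DKIM key, which is what the tool in question 2 does.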
4. Can SAP provide the list of domains referred to in the notification email?
Ans: No, SAP cannot provide the list of domains associated with each tenant. The customer should provide the list of domains associated with each tenant in the format below.
For example:
On tenant my<123456>.crm.ondemand.com, example.com and sample.com domains are used
On tenant my<456789>.crm.ondemand.com, test.example.com domain is used
5. For which domains should the customer activate DKIM?
Ans: DKIM should be activated for all the custom domains used to send business emails.
See Also
3424159 - New email rules: Enable DKIM and DMARC for Business Emails
Keywords
FAQs for DKIM and DMARC, CNAME, SPF , KBA , LOD-CRM-ADM , Administration UI , How To