DKIM Support for Outbound Emails

The DomainKey Identified Mail (DKIM) authentication standard adds an encrypted digital signature to outbound email messages sent on company’s behalf. As a result, email recipients who have implemented DKIM on their side can be certain that messages really come from SAP CPQ and have not been modified along the way.

Setting up a DKIM Signature

To set up the functionality and generate a key, take the following steps:

  1. Go to Setup > Security > DKIM Keys.
  2. Enable the functionality.
  3. Click New Key.
    A pop-up displays.
  4. In Selector, enter a unique name (e.g. Callidus).
    The selector is added to the domain name and will be visible in the email header.
  5. In Domain, enter the company’s domain name for which the DKIM key is generated.
  6. From the Encryption drop-down list, select the signing algorithm.
    RSA-SHA256 is selected by default.
  7. Define how a private/public key pair is generated.
    - Let SAP CPQ generate private/public keys: If selected, SAP CPQ generates a private/public key pair. The length of each key is 2,048 bits.
    - Add private/public keys manually: If selected, paste both the private and public key in the dedicated fields. Additionally, if the private key is password protected, enter the password in the corresponding field.
    - Upload private/public keys from file: If selected, upload a .pfx file containing a private/public key pair by clicking Upload new file. Additionally, if the .pfx file is password protected, enter the password in the corresponding field.
  8. Click Save Key.
    The key is displayed in the grid.

There cannot be more than one DKIM key per domain.

The private key is not visible, whereas the public key of the defined DKIM key can be copied from the Public Key column or downloaded as a .cer file. Additionally, the DKIM key can be edited by clicking the Edit button. The selector, domain and encryption algorithm can all be edited, whereas the private/public key pair cannot be modified. You can leave the existing key pair as is or generate a new pair, as explained in step 7.

Activating the DKIM Key and Updating the DNS

The newly created DKIM key is inactive by default, so you have to activate it by enabling the toggle switch in the Active column. However, before activating the DKIM key, you need to add the public key to the DNS record.
When adding the public key to the DNS, the format of the name of the TXT record is, whereas the value in the TXT record is in the following format: v=DKIM1; k=rsa; p=MIIBIjANBgkqhki…;
The value after p= is the public key.

Testing DKIM Signature

To confirm that DKIM authentication is active, you can use both Gmail and Yahoo accounts.

When using Gmail:

  1. Send a message from your domain (e.g. to your Gmail email address.
  2. Open the message in your Gmail inbox.
  3. Click next to the recipient’s name (in this case, your name) to view details.
    A pop-up displays.
    If there is signed-by: your domain, DKIM authentication is active.

When using Yahoo:

  1. Send a message from your domain to your Yahoo email address.
  2. Open the message in your Yahoo inbox.
  3. Next to Spam, click .
  4. Select View raw message.
    A new tab opens, containing the full message, including the email header information. If there is dkim=pass (ok) in the email header, DKIM authentication is active.
You are here: SAP Sales Cloud CPQ Online HelpAdmin Page HelpSecurityDKIM Support for Outbound Emails