
Cryptographic proof your emails are genuine and unaltered.
DKIM adds a cryptographic signature to every email you send. Receiving mail servers verify the signature to confirm the email came from you and was not modified in transit. IP Four configures DKIM correctly for every platform you use and keeps it aligned with your DMARC policy.
DKIM configured correctly for every sender you use.
DKIM must be configured in every platform that sends email on your behalf. One unconfigured sender breaks DMARC alignment. We cover every platform and keep them all working.
DKIM Key Generation and Publishing
Cryptographic key pairs generated for each sending domain and selector. Public keys published as DNS TXT records. Private keys configured in your mail platform. Correct key length and algorithm used for maximum compatibility.
Mail Platform DKIM Configuration
DKIM signing configured directly in Microsoft 365, Google Workspace, or your on-premise mail server. Signing policy applied to all outbound email. Verified against receiving mail servers before deployment is confirmed.
Third-Party Sender DKIM Setup
Marketing platforms, CRMs, helpdesks, and transactional email services each require separate DKIM configuration. We configure DKIM for every third-party sender using their specific setup process and verify signing is working correctly.
DKIM Alignment with DMARC
DKIM alignment ensures the signing domain matches the From header domain visible to recipients. Relaxed or strict alignment configured based on your sending infrastructure. Alignment failures identified and resolved before DMARC enforcement.
Key Rotation Management
DKIM keys rotated periodically to maintain security best practice. Old selectors retained during transition to prevent authentication failures for email in transit. Key rotation schedule documented and managed as part of ongoing service.
DKIM Signature Verification
DKIM signatures verified end-to-end using test email analysis and DMARC aggregate report data. Signing failures identified and resolved. Pass rates monitored continuously to catch any configuration drift.
From assessment to verified signing.
DKIM Status Assessment
Current DKIM configuration reviewed across all sending platforms. Existing selectors and keys identified. Alignment with DMARC From domain checked. Gaps and misconfigurations documented.
Sending Platform Inventory
All platforms sending email on behalf of your domain identified. Each platform assessed for DKIM capability and configuration requirements. Third-party services that require custom DKIM selectors noted.
Key Generation and DNS Publishing
DKIM key pairs generated for each platform and selector. Public keys published as DNS TXT records with appropriate TTL. Private keys configured in each sending platform.
Alignment Configuration
DKIM alignment configured to match your DMARC policy requirements. Relaxed alignment applied where subdomain signing is used. Strict alignment applied where full domain matching is required.
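The relaxed and strict alignment modes described above, as an added example (not IP Four's code): it compares the d= domain of each DKIM-Signature header with the From domain. The sample messages and the small public-suffix set are constructed stand-ins for real mail and the Public Suffix List, and the check covers alignment only, not signature verification.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: tiny stand-in for the Public Suffix List, enough for the samples.
PUBLIC_SUFFIXES = {"com", "net", "uk", "co.uk"}

def org_domain(domain):
    """Organizational domain: longest matching public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])

def signing_domains(msg):
    """Return the d= tag of every DKIM-Signature header on the message."""
    found = []
    for header in msg.get_all("DKIM-Signature", []):
        tags = {}
        for part in header.split(";"):
            name, _, value = part.partition("=")
            tags[name.strip()] = value.strip()
        if tags.get("d"):
            found.append(tags["d"].lower())
    return found

def dkim_aligned(msg, mode="relaxed"):
    """True if any signing domain aligns with the From domain in this mode."""
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    for d in signing_domains(msg):
        if mode == "strict" and d == from_domain:
            return True
        if mode == "relaxed" and org_domain(d) == org_domain(from_domain):
            return True
    return False

def sample(d):
    """Constructed message from news@example.com signed with the given d=."""
    return message_from_string(
        f"DKIM-Signature: v=1; a=rsa-sha256; d={d}; s=sel1;\n"
        " h=from:subject; bh=CONSTRUCTED; b=CONSTRUCTED\n"
        "From: Shop <news@example.com>\nSubject: test\n\nbody\n")

if __name__ == "__main__":
    for d in ("example.com", "mail.example.com", "esp.example.net"):
        msg = sample(d)
        print(d, dkim_aligned(msg, "relaxed"), dkim_aligned(msg, "strict"))
```

The third sample is the case where a platform signs with its own domain: a signature is present, but it aligns in neither mode.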
Verification and Testing
DKIM signatures verified using test emails and header analysis. DMARC aggregate reports reviewed to confirm pass rates. Any alignment failures identified and resolved before DMARC enforcement is tightened.
Rotation Schedule and Handover
Key rotation schedule established and documented. Handover pack includes all selector names, key values, and rotation procedures. Ongoing monitoring included in managed service.
How we have fixed DKIM for UK businesses.
Microsoft 365 DKIM Not Enabled
A Sheffield law firm had been using Microsoft 365 for 3 years without enabling DKIM signing. Their emails were passing SPF but failing DKIM, causing DMARC alignment failures and reduced deliverability to major providers.
DKIM enabled and configured in Microsoft 365 admin centre. Custom domain selectors published in DNS. DMARC pass rate increased from 61% to 99.4% within 48 hours of deployment.
Marketing Platform DKIM Alignment Failure
A Cardiff retail business used a marketing platform that signed emails with the platform's own domain rather than the client's domain. DKIM was technically signing but failing DMARC alignment checks.
Custom DKIM selector configured in the marketing platform using the client's own domain. Alignment changed from failing to passing. DMARC enforcement moved to quarantine then reject without affecting marketing email delivery.
Outdated 1024-bit Keys Causing Failures
A Glasgow financial services firm had DKIM configured, but with 1024-bit keys that were being rejected by some receiving mail servers following updated security policies at major providers.
New 2048-bit DKIM keys generated and published. Old selectors retained during 30-day transition period. All receiving servers accepting new keys before old selectors were removed. Zero authentication failures during transition.
Check whether your DKIM is correctly configured.
Our free DKIM check verifies whether your emails are being signed correctly and whether DKIM is aligned with your DMARC policy. Takes minutes and costs nothing.