Email is the lifeblood of professional communication, but it's also a favourite target for fraudsters and phishing campaigns. If your organisation sends invoices, legal documents, financial reports, or sensitive client correspondence, you need to prove those emails genuinely come from you, not from an imposter using your domain name. That's where DKIM comes in. DKIM (DomainKeys Identified Mail, defined in RFC 6376) is a technical standard that digitally signs your outgoing emails, giving recipients cryptographic evidence that a message was signed with a key your domain controls and that the signed headers and body were not altered in transit. For London-based SMBs in professional services, this isn't just a nice-to-have feature: it's increasingly essential for protecting your reputation and maintaining client trust.
What DKIM Does and Why It Matters for Your Organisation
DKIM works by attaching a digital signature to every email your organisation sends. Think of it like a wax seal on a formal letter: the recipient can verify that the seal is authentic and that nobody has altered the contents during transit. When your email server sends a message, it adds a DKIM-Signature header containing a signature computed with a private key held only by your mail server (or by the provider that sends on your behalf). The signature covers a chosen set of headers (From, Subject, Date and so on) plus a hash of the message body. The recipient's mail server reads the signing domain (the d= tag) and selector (the s= tag) from that header, fetches your public key from the DNS record at selector._domainkey.yourdomain, and checks the signature. The outcome is written into the message's Authentication-Results header as dkim=pass or dkim=fail.
For professional services firms, such as solicitors, accountants and financial advisers, this matters enormously. Your clients receive sensitive communications about their legal matters, tax affairs, or investments. If a fraudster spoofs your domain and sends fake invoices or payment instructions, the damage is severe: lost funds, broken client relationships, and potential regulatory scrutiny. DKIM, combined with SPF and DMARC, forms the standard email authentication stack. One caveat: DKIM on its own only proves which domain signed a message, and a fraudster can sign with a domain they own. It is DMARC's alignment rule, which requires the signing domain in d= to match the domain in the visible From address, that turns DKIM into real protection against spoofing of your domain.
In the UK, organisations handling client data also face growing pressure from regulators and professional bodies to demonstrate robust email security. The Information Commissioner's Office (ICO) and sector-specific regulators expect organisations to take reasonable steps to protect communications. Implementing DKIM shows you take that responsibility seriously.
The Technical Steps to Implement DKIM Authentication
Step 1: Generate Your DKIM Key Pair
Your email server or email service provider (such as Microsoft 365, Google Workspace, or your own mail server software) will generate two keys: a private key and a public key. The private key stays on your mail server and is used to sign outgoing emails. The public key goes into your DNS records so that recipient servers can verify signatures. Use 2048-bit RSA keys: RFC 8301 recommends 2048 bits, and 1024 bits is now the minimum many receivers will accept at all.
If you're using a managed email platform, this is often automatic. Microsoft 365, for example, generates a key pair for each domain in your tenant and signs mail from the built-in onmicrosoft.com domain out of the box, but for your own domain you still have to publish the records and switch signing on (Steps 2 and 3). If you're running your own mail server (less common in smaller SMBs), you'll use tools like OpenDKIM or your mail server software to generate the keys.
Step 2: Publish Your Public Key in DNS
Once you have your public key, you publish it as a DNS TXT record (Microsoft 365 is the exception: it has you publish CNAME records that point at TXT records Microsoft hosts). The record name takes the form:
selector._domainkey.yourdomain.co.uk
The "selector" is a label you choose (often something like "default" or "selector1"). Because each selector is its own DNS record, you can publish a new key under a new selector and switch signing to it while the old record stays in place for mail still in transit. The record value is a short tag list, typically v=DKIM1; k=rsa; p= followed by the base64-encoded public key. A 2048-bit key makes this value longer than the 255 characters a single TXT string can hold, so it has to be published as several quoted strings; most DNS control panels do this for you, but some silently truncate the value, which is worth checking.
You'll access your domain's DNS settings wherever your nameservers are hosted, usually your registrar (such as GoDaddy or 123 Reg in the UK) or a separate DNS provider. Nominet runs the .uk registry but does not host your records, so a .co.uk domain is still managed through the registrar or DNS host you chose. If you're unsure how to manage DNS, your IT support team or a consultant like VantagePoint Networks can handle this task; it's a common part of email security configuration.
Step 3: Enable DKIM Signing on Your Mail Server
Once your DNS record is published, you need to configure your mail server or email platform to actually sign outgoing messages. For cloud platforms:
- Microsoft 365: In the Microsoft Defender portal go to Email & collaboration > Policies & rules > Threat policies > Email authentication settings > DKIM (older tenants reach the same page from the Exchange admin centre). Select your domain, publish the two CNAME records it shows you (selector1._domainkey and selector2._domainkey, each pointing at a Microsoft-hosted record), then switch signing on. Both CNAMEs are required because Microsoft rotates between the two selectors.
- Google Workspace: In the admin console go to Apps > Google Workspace > Gmail > Authenticate email, generate a 2048-bit key (the default selector is "google"), publish the TXT record it shows, and only then click Start authentication. Starting authentication before the record resolves means outgoing mail is signed with a key recipients cannot find.
- Third-party services: If an email marketing platform, invoicing system or secure email gateway sends mail as your domain, check its documentation for DKIM configuration and set it up to sign with your own domain, usually by publishing a CNAME or TXT record the service gives you. Leaving it signing with the provider's own domain produces a valid signature that DMARC will not treat as yours.
Allow time for DNS propagation. A brand-new record is usually visible within minutes, but a change to an existing record can take as long as that record's TTL (commonly an hour, sometimes a day) to reach every resolver, so retest later if the first check fails rather than re-entering the record.
Step 4: Verify Your DKIM Configuration
Once DNS records are live, verify that everything is working. Most email platforms offer a built-in verification button. You can also use online DKIM checkers (freely available) or query DNS yourself for the TXT record at selector._domainkey.yourdomain to confirm the public key is returned in full and correctly formatted.
Send a test email to an external mailbox you control (a personal Gmail or Outlook.com account works well) and look at the full headers (in Gmail, "Show original"). Two things should be present: a DKIM-Signature header, which proves your server is signing, and an Authentication-Results header added by the receiving server showing dkim=pass, which proves the signature actually verified against your published key. A DKIM-Signature accompanied by dkim=fail or dkim=permerror means the record is missing, mismatched or malformed.
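To make Steps 1 to 4 concrete, here is an added example (not code from the original page, from VantagePoint Networks, or from any mail platform) that turns a public-key PEM into the TXT value a verifier expects, splits it into the 255-character strings a zone file needs, and then reads it back the way a receiving server would, rejecting empty, truncated or malformed keys. The PEM is a constructed placeholder of the same length as a real 2048-bit RSA key, not a real key; the selector sel2024 and the domain example.co.uk are assumptions.

```python
"""Build, split and re-parse a DKIM public-key record (added example; not
VantagePoint Networks or VP Shield code)."""
import base64
import re
import textwrap

# Constructed placeholder: a DER SEQUENCE header followed by filler bytes, so it
# has the same length (294 bytes) as a real 2048-bit RSA SubjectPublicKeyInfo.
# A real public key comes from:  openssl rsa -in dkim-private.pem -pubout
_PLACEHOLDER_DER = b"\x30\x82\x01\x22" + bytes(range(256)) + bytes(34)
SAMPLE_PUBLIC_PEM = (
    "-----BEGIN PUBLIC KEY-----\n"
    + textwrap.fill(base64.b64encode(_PLACEHOLDER_DER).decode(), 64)
    + "\n-----END PUBLIC KEY-----\n"
)


def record_name(selector: str, domain: str) -> str:
    """The owner name a verifier queries: <selector>._domainkey.<domain>."""
    return f"{selector}._domainkey.{domain}"


def pem_to_txt_value(pem: str, key_type: str = "rsa") -> str:
    """Strip the PEM armour and line breaks; p= carries the base64 DER key."""
    b64 = "".join(
        line.strip()
        for line in pem.splitlines()
        if line.strip() and not line.startswith("-----")
    )
    base64.b64decode(b64, validate=True)  # raises binascii.Error on a corrupt PEM
    return f"v=DKIM1; k={key_type}; p={b64}"


def split_txt(value: str, limit: int = 255) -> list[str]:
    """One TXT <character-string> holds at most 255 octets, so a 2048-bit key
    (about 410 characters including the tags) must be published as several
    quoted strings, which resolvers hand back for concatenation."""
    return [value[i:i + limit] for i in range(0, len(value), limit)]


def zone_line(selector: str, domain: str, value: str, ttl: int = 3600) -> str:
    """Zone-file form of the record, ready to paste into a BIND-style zone."""
    quoted = " ".join(f'"{chunk}"' for chunk in split_txt(value))
    return f"{record_name(selector, domain)}. {ttl} IN TXT {quoted}"


def parse_txt_record(strings: list[str]) -> dict:
    """Reassemble the strings and parse the tag list the way a verifier does,
    rejecting what a verifier would reject."""
    tags = {}
    for part in "".join(strings).split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", val)  # whitespace in values is ignored
    if tags.get("v", "DKIM1") != "DKIM1":  # v= is optional, but must be DKIM1 if present
        raise ValueError("not a DKIM1 record")
    if "p" not in tags:
        raise ValueError("missing p= tag")
    if tags["p"] == "":
        raise ValueError("empty p= means the key has been revoked")
    der = base64.b64decode(tags["p"], validate=True)  # fails on a truncated record
    if der[:1] != b"\x30":
        raise ValueError("p= does not decode to a DER SEQUENCE")
    tags["_der_len"] = len(der)
    return tags


if __name__ == "__main__":
    value = pem_to_txt_value(SAMPLE_PUBLIC_PEM)
    print(zone_line("sel2024", "example.co.uk", value))
    parsed = parse_txt_record(split_txt(value))
    print(f"parsed back: k={parsed['k']}, p= decodes to {parsed['_der_len']} bytes")
```

To check a live record, query the same name with a resolver (for example dig +short TXT sel2024._domainkey.example.co.uk) and feed the quoted strings it returns to parse_txt_record; a ValueError from the base64 step is the classic symptom of a control panel that cut the value at 255 characters.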
Common Pitfalls and How to Avoid Them
DKIM implementation is usually straightforward, but a few mistakes can cause problems:
- Forgetting to publish the DNS record: The most common error. If the public key isn't in DNS, recipient servers can't verify signatures; the result is dkim=permerror rather than simply "no DKIM", and a DMARC policy of quarantine or reject will then act on your own legitimate mail. Always double-check that the record resolves before declaring victory.
- Using the wrong selector: If your mail server signs with selector "default" but your DNS record uses selector "selector1", the receiver looks up a name that doesn't exist and verification fails. Ensure consistency between your mail server configuration and your DNS records, and with Microsoft 365 publish both selector1 and selector2.
- Truncated or over-long records: A single TXT string holds at most 255 characters, and a 2048-bit key needs about 400. A control panel that silently cuts the value, or that will not store it as several strings, produces a key that looks published but will not decode.
- Not combining DKIM with SPF and DMARC: DKIM is powerful, but it's even better paired with SPF (which restricts which servers can send from your domain) and DMARC (which tells recipient servers what to do if authentication fails). Implement all three, and check that the d= tag in your signatures is your own domain rather than your provider's; otherwise DMARC will not treat the signature as aligned.
- Failing to rotate keys: Rotate your DKIM keys periodically: publish the new key under a new selector, switch signing to it, and remove the old record a week or so later once mail in transit has cleared. This is optional for smaller organisations but recommended for those handling highly sensitive information. If a key is ever compromised, publishing its selector with an empty p= tag revokes it immediately.
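The pitfalls above, and the header check in Step 4, are easiest to understand by walking through what a receiving server does with a DKIM-Signature header. The following is an added example, not code from the original page or from any mail product: it parses the signature tags, builds the DNS name from the s= and d= tags, looks it up in a constructed in-memory zone standing in for DNS, and recomputes the relaxed body hash (bh=) so that a body altered after signing is caught. The RSA check on the b= tag is deliberately left out because it needs a crypto library; the sample signature's b= and the zone's p= are placeholder strings, and example.co.uk, the selector sel2024 and the message text are assumptions.

```python
"""Receiver-side DKIM checks up to, but not including, the RSA signature
(added example; not VantagePoint Networks or VP Shield code)."""
import base64
import hashlib
import re

DOMAIN = "example.co.uk"   # assumed signing domain
SELECTOR = "sel2024"       # assumed selector

# Constructed in-memory zone standing in for DNS; p= is a placeholder, not a key.
ZONE = {
    f"{SELECTOR}._domainkey.{DOMAIN}": "v=DKIM1; k=rsa; p=cGxhY2Vob2xkZXI=",
}

# Constructed message body as the sending MTA hands it over (CRLF line ends).
BODY = "Please find our invoice for March attached.\r\nKind regards,\r\nExample LLP\r\n"


def parse_tags(value: str) -> dict:
    """RFC 6376 tag=value list: ';'-separated; whitespace inside values is
    ignored, which is what lets the header be folded across lines."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", val)
    return tags


def relaxed_body(body: str) -> bytes:
    """RFC 6376 s3.4.4 'relaxed' body canonicalisation: drop trailing whitespace
    on each line, collapse runs of spaces/tabs to one space, drop trailing empty
    lines, and end a non-empty body with a single CRLF."""
    lines = [re.sub(r"[ \t]+", " ", ln.rstrip(" \t"))
             for ln in body.replace("\r\n", "\n").split("\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return ("\r\n".join(lines) + "\r\n").encode() if lines else b""


def body_hash(body: str) -> str:
    """The bh= tag: base64(SHA-256(canonicalised body))."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()


def make_sample_signature(body: str, selector: str = SELECTOR) -> str:
    """What a signer puts in DKIM-Signature. b= is a placeholder here; a real
    signer RSA-signs the canonicalised h= headers with the private key."""
    return (f"v=1; a=rsa-sha256; c=relaxed/relaxed; d={DOMAIN}; s={selector};\r\n"
            f"\th=from:to:subject:date; bh={body_hash(body)};\r\n"
            "\tb=cGxhY2Vob2xkZXI=")


def verify(sig_value: str, body: str, zone: dict) -> tuple[bool, str]:
    """Mirror a verifier's decision order: syntax, key lookup, key sanity, body hash."""
    tags = parse_tags(sig_value)
    missing = [t for t in ("v", "a", "d", "s", "h", "bh", "b") if t not in tags]
    if missing:
        return False, f"permerror: missing tags {missing}"
    if tags["v"] != "1" or tags["a"] != "rsa-sha256":
        return False, "permerror: unsupported version or algorithm"
    name = f"{tags['s']}._domainkey.{tags['d']}"   # the wrong-selector pitfall lives here
    record = zone.get(name)
    if record is None:
        return False, f"permerror: no key record at {name}"
    key = parse_tags(record)
    if key.get("v", "DKIM1") != "DKIM1" or not key.get("p"):
        return False, f"permerror: invalid or revoked key at {name}"
    if tags["bh"] != body_hash(body):
        return False, "fail: body hash mismatch (body altered after signing)"
    # A real verifier now hashes the h= headers and checks b= with the key in p=.
    return True, f"bh= matches; b= would now be checked with the key at {name}"


if __name__ == "__main__":
    sig = make_sample_signature(BODY)
    print(verify(sig, BODY, ZONE))                                       # intact
    print(verify(make_sample_signature(BODY, "default"), BODY, ZONE))    # wrong selector
    print(verify(sig, BODY + "Forwarded by a mailing list\r\n", ZONE))   # footer added in transit
```

Two behaviours worth noticing: an appended footer (the classic mailing-list or forwarding change) breaks the body hash, whereas a change that only alters runs of whitespace survives relaxed canonicalisation, which is exactly why relaxed/relaxed is the usual setting; and a record published with an empty p= is reported as revoked, which is the documented way to kill a compromised key without removing the selector.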
Next Steps for Your Organisation
If your organisation hasn't yet implemented DKIM, now is the time. The technical effort is modest—typically a few hours of configuration—but the protection is substantial. You'll reduce the risk of domain spoofing, strengthen your email reputation, and demonstrate to clients and regulators that you take security seriously.
Start by checking whether your email platform already has DKIM enabled. Many do by default. If you're unsure, or if your organisation runs a more complex email infrastructure with multiple servers or third-party systems, professional guidance can save time and prevent mistakes. The investment in getting email authentication right pays dividends across client confidence, regulatory compliance, and long-term operational resilience.
VP Shield runs six passive checks across DNS, TLS, headers, SPF, DKIM, DMARC and subdomain takeover — no login, no install, no port scans. Results in 15 seconds.
Scan your domain now →