Email is the lifeblood of professional communication, but it's also a favourite target for fraudsters and phishing campaigns. If your organisation sends invoices, legal documents, financial reports, or sensitive client correspondence, you need to prove those emails genuinely come from you—not from an imposter using your domain name. That's where DKIM email authentication setup comes in. DKIM (DomainKeys Identified Mail) is a technical standard that digitally signs your outgoing emails, giving recipients cryptographic proof that your messages haven't been forged or tampered with. For London-based SMBs in professional services, this isn't just a nice-to-have feature—it's increasingly essential for protecting your reputation and maintaining client trust.
DKIM works by attaching a digital signature to every email your organisation sends. Think of it like a wax seal on a formal letter: the recipient can verify that the seal is authentic and that nobody has altered the contents during transit. When your email server sends a message, DKIM adds a cryptographic signature based on a private key that only your organisation possesses. The recipient's mail server checks this signature against your public key (published in your DNS records) to confirm the email is genuine.
For professional services firms—solicitors, accountants, financial advisers—this matters enormously. Your clients receive sensitive communications about their legal matters, tax affairs, or investments. If a fraudster spoofs your domain and sends fake invoices or instructions, the damage is severe: lost funds, broken client relationships, and potential regulatory scrutiny. DKIM, combined with SPF and DMARC, forms a complete authentication framework that makes domain spoofing vastly harder.
In the UK, organisations handling client data also face growing pressure from regulators and professional bodies to demonstrate robust email security. The Information Commissioner's Office (ICO) and sector-specific regulators expect organisations to take reasonable steps to protect communications. Implementing DKIM shows you take that responsibility seriously.
Your email server or email service provider (such as Microsoft 365, Google Workspace, or your own mail server software) will generate two keys: a private key and a public key. The private key stays on your mail server and is used to sign outgoing emails. The public key goes into your DNS records so that recipient servers can verify signatures.
If you're using a managed email platform, this is often automatic. Office 365, for example, creates DKIM keys for your domain by default. If you're running your own mail server (less common in smaller SMBs), you'll use tools like OpenDKIM or your mail server software to generate the keys.
Once you have your public key, you publish it in a DNS TXT record (the DKIM record) at a name of the form:
selector._domainkey.yourdomain.co.uk
The "selector" is a label you choose (often something like "default" or "selector1"). Because each selector is its own record, you can publish a new key under a new selector and rotate keys without invalidating mail that was signed with the old one. The record's value carries your public key in the tag format mail servers expect (for example, v=DKIM1; k=rsa; p=<base64-encoded public key>).
You'll access your domain's DNS settings through your registrar (such as Nominet, GoDaddy, or 123 Reg in the UK). If you're unsure how to manage DNS, your IT support team or a consultant like VantagePoint Networks can handle this task—it's a common part of email security configuration.
Once your DNS record is published, you need to configure your mail server or email platform to actually sign outgoing messages. For cloud platforms:
Allow several hours for DNS propagation. Mail servers worldwide won't immediately see your new DKIM record, so test after a few hours have passed.
Once DNS records are live, verify that everything is working. Most email platforms offer a built-in verification button. You can also use online DKIM checkers (freely available) to query your DNS records and confirm the public key is readable and correctly formatted.
Send a test email to an external address and ask your recipient to check the email headers. Headers should show a "DKIM-Signature" field if signing is active. A present signature shows that your server is signing; to confirm the signature also verifies against your published key, look at the recipient's "Authentication-Results" header, which should report dkim=pass.
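As an added example (not code from the original article or from VantagePoint Networks), the following Python script shows what a recipient-side check of a test email actually involves: it reads the DKIM-Signature header, derives the selector._domainkey.domain name described above from the s= and d= tags, and sanity-checks the DKIM TXT record published at that name. The headers and the DNS table are constructed sample data (the bh=, b= and p= values are placeholders, not real digests, signatures or keys), so it runs offline with the standard library only. It checks record format and common misconfigurations, not the cryptographic signature itself.

```python
"""Added example, not from the original article: inspect a test email's
DKIM-Signature header, derive the DNS name that must hold the public key, and
sanity-check the DKIM TXT record found there (format only, not the signature)."""
import base64
import binascii
import re

def unfold_header(raw_headers: str, name: str) -> str:
    """Return the value of header `name`, joining RFC 5322 folded lines."""
    value = None
    for line in raw_headers.splitlines():
        if value is not None and line[:1] in (" ", "\t"):
            value += " " + line.strip()          # continuation line
        elif value is not None:
            break                                # next header begins
        elif line.lower().startswith(name.lower() + ":"):
            value = line.split(":", 1)[1].strip()
    if value is None:
        raise ValueError(f"header {name!r} not found")
    return value

def parse_tags(value: str) -> dict:
    """Parse a DKIM tag=value list (used by both the header and the record)."""
    tags = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        tag, sep, val = part.partition("=")
        if not sep or not tag.strip():
            raise ValueError(f"malformed tag: {part!r}")
        tags[tag.strip()] = re.sub(r"\s+", "", val)  # drop folding whitespace
    return tags

def dkim_dns_name(signature_value: str) -> str:
    """selector._domainkey.domain from the s= and d= tags of a signature."""
    tags = parse_tags(signature_value)
    missing = [t for t in ("v", "a", "d", "s", "h", "bh", "b") if t not in tags]
    if missing:
        raise ValueError(f"DKIM-Signature missing required tags: {missing}")
    if tags["v"] != "1":
        raise ValueError(f"unsupported DKIM version v={tags['v']}")
    return f"{tags['s']}._domainkey.{tags['d']}"

def check_dkim_record(txt: str) -> list:
    """Return a list of problems with a published DKIM TXT record ([] = OK)."""
    try:
        tags = parse_tags(txt)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append(f"unexpected version tag v={tags['v']}")
    ktype = tags.get("k", "rsa")
    if ktype not in ("rsa", "ed25519"):
        problems.append(f"unknown key type k={ktype}")
    if "p" not in tags:
        problems.append("missing p= tag (public key)")
    elif tags["p"] == "":
        problems.append("p= is empty: this selector is revoked and cannot verify mail")
    else:
        try:
            der = base64.b64decode(tags["p"], validate=True)
        except (binascii.Error, ValueError):
            problems.append("p= is not valid base64; check for copy/paste truncation")
        else:
            # A 2048-bit RSA SubjectPublicKeyInfo is 294 DER bytes; anything
            # noticeably shorter is almost certainly a 1024-bit (or smaller) key.
            if ktype == "rsa" and len(der) < 290:
                problems.append(f"RSA key looks shorter than 2048 bits ({len(der)} DER bytes)")
    if "y" in tags.get("t", "").split(":"):
        problems.append("t=y testing mode is set; receivers treat failures leniently")
    return problems

def check_test_email(raw_headers: str, dns_txt: dict) -> dict:
    """Recipient's headers + published record (dns_txt stands in for a resolver)."""
    name = dkim_dns_name(unfold_header(raw_headers, "DKIM-Signature"))
    record = dns_txt.get(name)
    if record is None:
        return {"dns_name": name, "published": False,
                "problems": ["no TXT record at that name"]}
    return {"dns_name": name, "published": True,
            "problems": check_dkim_record(record)}

# Constructed sample headers; bh= and b= are placeholders, not real values.
SAMPLE_HEADERS = """From: accounts@example.co.uk
To: client@example.org
Subject: DKIM signing test
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.co.uk;
 s=selector1; h=from:to:subject:date;
 bh=Y2hlY2tzdW0tcGxhY2Vob2xkZXI=;
 b=c2lnbmF0dXJlLXBsYWNlaG9sZGVy
Date: Mon, 1 Jan 2024 09:00:00 +0000
"""

# Constructed stand-in for the DNS zone. The p= value is a base64 placeholder
# of 2048-bit RSA length (294 bytes), not a real public key.
SAMPLE_DNS = {
    "selector1._domainkey.example.co.uk":
        "v=DKIM1; k=rsa; p=" + base64.b64encode(b"\x30" * 294).decode(),
    "old._domainkey.example.co.uk": "v=DKIM1; k=rsa; p=",      # revoked selector
}
```

In practice you would replace the SAMPLE_DNS lookup with a real TXT query (for example `dig TXT selector1._domainkey.yourdomain.co.uk`) and paste the returned value into check_dkim_record. The checks it performs mirror the mistakes that most often break DKIM after a copy-and-paste into a registrar's DNS panel: a truncated or wrapped key, a forgotten p= value, a selector left in t=y testing mode, or a legacy 1024-bit key.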
DKIM implementation is usually straightforward, but a few mistakes can cause problems:
If your organisation hasn't yet implemented DKIM, now is the time. The technical effort is modest—typically a few hours of configuration—but the protection is substantial. You'll reduce the risk of domain spoofing, strengthen your email reputation, and demonstrate to clients and regulators that you take security seriously.
Start by checking whether your email platform already has DKIM enabled. Many do by default. If you're unsure, or if your organisation runs a more complex email infrastructure with multiple servers or third-party systems, professional guidance can save time and prevent mistakes. The investment in getting email authentication right pays dividends across client confidence, regulatory compliance, and long-term operational resilience.
VP Shield runs six passive checks across DNS, TLS, headers, SPF, DKIM, DMARC and subdomain takeover — no login, no install, no port scans. Results in 15 seconds.