Lemonde
6 months ago
I would like to create all the necessary records for DKIM, DMARC and SPF

sirclesadmin
6 months ago

This is a critical step for improving the deliverability and security of domain.co.uk.

However, there is one major technical hurdle you must address first: Microsoft Exchange 2019 (On-Premise) does not natively support DKIM signing.

Unlike Exchange Online (Office 365), the on-premise version cannot sign outgoing emails with DKIM out of the box. You must install a third-party agent on the server or route your email through a gateway (like Mimecast or a smart host) that handles the signing.

Below is the step-by-step guide to setting this up, assuming you will use the industry-standard open-source agent for Exchange.

Phase 1: Setting up DKIM (The Hard Part)

Since Exchange 2019 lacks native support, the standard solution for many administrators is the open-source "Exchange DKIM Signer".

1. Install the DKIM Agent

  • Download the latest release of Exchange DKIM Signer (usually hosted on GitHub by the user Pro/dkim-exchange).
  • Run the installer on your Exchange 2019 Transport Server(s).
  • Launch the "DKIM Configuration" tool installed on the server.

2. Generate the Key Pair

  • In the configuration tool, click Configure.
  • Select the domain businessdirectories.co.uk.
  • Click Generate to create a new Private/Public key pair.
  • Selector: You will need to name your selector. A common standard is mail or exch, or the current date (e.g., 202310). Let's assume you use mail.

3. Create the DKIM DNS Record

Once the key is generated in the tool, it will display a "Suggested DNS Name" and "Suggested DNS Content." You need to add this to your public DNS (where you bought your domain).

  • Type: TXT
  • Host/Name: mail._domainkey (If your selector is 'mail')
  • Value: v=DKIM1; k=rsa; p=[Your_Long_Public_Key_String_From_The_Tool]

4. Restart Transport Service

  • After saving the configuration in the tool, restart the "Microsoft Exchange Transport" service on your server to begin signing emails.


Phase 2: Setting up DMARC (The Easy Part)

Once DKIM is set up (and assuming you already have an SPF record), you can publish your DMARC record.

Important: Start with a policy of "None." This tells receiving servers to report back to you without blocking email. If you set it to "Reject" immediately, you risk blocking legitimate emails if your SPF or DKIM is misconfigured.

Create this record at your DNS host:

  • Type: TXT
  • Host/Name: _dmarc (Some DNS hosts automatically append the domain, so it becomes _dmarc.domain.co.uk)
  • Value: v=DMARC1; p=none; rua=mailto:admin@domain.co.uk;

Breakdown of the tags:

  • v=DMARC1: Version tag.
  • p=none: Policy. We are monitoring only. No action is taken against failing mail yet.
  • rua=...: Reporting URI. This is where XML reports about your email traffic will be sent. Note: Replace admin@ with a dedicated inbox if you don't want daily XML reports in your main inbox.

Phase 3: Verification & Ramping Up

Once the records are added:

  1. Wait for Propagation: DNS changes can take 1-24 hours, though usually they happen within minutes.
  2. Test: Send an email from your Exchange server to an external Gmail account.
  3. Inspect Headers: In Gmail, open the email, click the three dots, and select "Show Original." Look for "DKIM: PASS" and "DMARC: PASS."

Strategy for Moving to "Reject":

Do not stay on p=none forever.

  1. Monitor reports for 2-4 weeks. Ensure all legitimate sources (printers, marketing tools, CRMs) are passing SPF/DKIM.
  2. Change DMARC to v=DMARC1; p=quarantine; ... (sends failures to the Spam folder).
  3. Finally, change to v=DMARC1; p=reject; ... (blocks failures entirely).

Prerequisite Check: SPF

DMARC relies on DKIM and SPF. Do you already have an SPF record in place?

It usually looks like: v=spf1 ip4:1.2.3.4 include:spf.protection.outlook.com -all

Would you like me to scan the current public DNS for domain.co.uk to see if your SPF record is correctly formatted before you add DMARC?
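As an added example (not part of this thread, and not code from the Exchange DKIM Signer project), here is a small Python checker for the three TXT values the reply describes, run offline against constructed sample records with a placeholder key and the example domain. It catches the mistakes that most often break a DMARC rollout: an empty or malformed DKIM p tag, a DMARC record whose v tag is not first or whose rua is not a mailto: URI, and an SPF record that lacks an all mechanism or exceeds the 10-lookup limit.

```python
import re

# Constructed sample records in the shape the post describes (placeholder key, example domain); not real DNS data.
DKIM_TXT = "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCconstructedKey"
DMARC_TXT = "v=DMARC1; p=none; rua=mailto:admin@domain.co.uk;"
SPF_TXT = "v=spf1 ip4:1.2.3.4 include:spf.protection.outlook.com -all"

def parse_tags(txt):
    """Split a 'tag=value; tag=value' record into a dict with lowercased tag names."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip().lower()] = val.strip()
    return tags

def check_dkim(txt):
    """DKIM key record: v (if present) must be DKIM1, k rsa, p a non-empty base64 key."""
    t, problems = parse_tags(txt), []
    if t.get("v", "DKIM1") != "DKIM1":
        problems.append("v tag must be DKIM1")
    if t.get("k", "rsa") != "rsa":
        problems.append("k tag should be rsa (the signer tool generates RSA keys)")
    if not re.fullmatch(r"[A-Za-z0-9+/=]+", t.get("p", "")):
        problems.append("p tag missing or not base64 (an empty p revokes the key)")
    return problems

def check_dmarc(txt):
    """DMARC: v=DMARC1 first, p valid, each rua entry a mailto: URI; p=none is flagged."""
    t, problems = parse_tags(txt), []
    if not txt.strip().lower().startswith("v=dmarc1"):
        problems.append("record must begin with v=DMARC1")
    if t.get("p") not in ("none", "quarantine", "reject"):
        problems.append("p tag must be none, quarantine or reject")
    elif t["p"] == "none":
        problems.append("p=none: monitoring only, no enforcement yet")
    for uri in t.get("rua", "").split(","):
        if uri.strip() and not uri.strip().startswith("mailto:"):
            problems.append("rua entry is not a mailto: URI: " + uri.strip())
    return problems

def check_spf(txt):
    """SPF: v=spf1 first, an 'all' mechanism last, at most 10 DNS-lookup terms."""
    terms, problems = txt.lower().split(), []
    if not terms or terms[0] != "v=spf1":
        problems.append("record must begin with v=spf1")
    if not terms or not re.fullmatch(r"[-~?+]?all", terms[-1]):
        problems.append("record should end with -all (or ~all while testing)")
    lookups = sum(bool(re.match(r"[-~?+]?(include:|a$|a:|mx$|mx:|ptr|exists:|redirect=)", x)) for x in terms)
    if lookups > 10:
        problems.append(f"{lookups} DNS-lookup terms exceed the SPF limit of 10")
    return problems
```

Paste the exact TXT values you are about to publish into the three constants (or read them back from your DNS host after publishing) and run each checker; an empty list means the record passed.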