Why DKIM is no longer negotiable in 2026
Since February 2024, Google, Yahoo and Microsoft have been hard-enforcing what BSI and GDPR have long recommended: SPF, DKIM and DMARC — properly aligned. Without DKIM signatures, your mail lands in spam or never gets delivered at all. Microsoft Exchange On-Premises ships without any DKIM signer. The ISW Exchange DKIM Signer Family fills exactly that gap — in three editions for every use case.
Better Deliverability
Gmail, Microsoft 365 and Yahoo flag unsigned emails as suspicious. DKIM ensures your messages land in the inbox — not the spam folder.
Protection Against Spoofing
Without a valid private key, no one can sign emails in your domain's name. DKIM reliably prevents email spoofing attacks.
Foundation for DMARC
DMARC builds on DKIM and SPF. Without DKIM, no effective DMARC policy is possible — and therefore no complete email protection.
Compliance Requirement
ISO 27001, BSI IT-Grundschutz, PCI-DSS and GDPR all require email authentication. DKIM is a key building block to meet these obligations.
Three Editions for Three Worlds
All three editions share the same engineering core: Transport Agent on .NET Framework 4.8, modern WPF configuration tool on .NET 10, RSA-2048 signing via MimeKit + BouncyCastle. They differ only in what goes beyond that.
5.0.1 Classic
One Exchange Server, your own domains, classic mail flows. Set up once, runs reliably.
- DKIM per RFC 6376 / RSA-SHA256
- Live DNS check + DNS dashboard
- Quick status tiles
- Per-domain statistics
- Event Log viewer
- Local operation on the server
6.0.0 ARC Edition
ARC per RFC 8617 for mailing lists, forwarding and upstream gateways. Required for DMARC p=reject.
- Everything in 5.0.1 Classic
- Full ARC sealer (RFC 8617)
- Ed25519 support (RFC 8463)
- DMARC awareness
- Incoming ARC chain validation
- Per domain: DKIM / ARC / both
7.0.0 Remote-Deploy
Full management from the admin workstation via PowerShell remoting. Server Core ready.
- Everything in 5.0.1 Classic
- Remote deployment over WinRM
- Server Core compatible
- Edge Transport in DMZ
- Kerberos or basic auth
- Multi-server management
settings.xml and keys/ directories from older versions are taken over without migration.
Which Edition Fits Your Setup?
Three quick rules of thumb, no science needed:
Classic 5.0.1
Single server, Desktop Edition, own domains, no mailing lists
ARC Edition 6.0.0
Forwarding · mailing lists · Proofpoint / Mimecast / Hornetsecurity · DMARC p=reject
Remote-Deploy 7.0.0
Multiple Exchange servers · Server Core · Edge DMZ · MSP setup
How the License Works
Simple flat-fee model. No subscription, no hidden costs. One license is valid indefinitely for one company location.
In Plain English
- One license = one site. Flat fee — you pay once per company location, regardless of how many Exchange servers, domains or emails are processed there.
- Multiple sites = multiple licenses. Each additional site requires its own site license. Different sites may run different editions.
- No upgrade path between editions. Switching editions means buying the new edition as a full version. We do not build a discount construct between 5.0.1, 6.0.0 and 7.0.0.
- Includes bugfix updates within the major version purchased (e.g. 5.0.1 → 5.0.x). Major jumps (5 → 6 or 6 → 7) are paid new purchases.
- No time limit — the license is perpetual.
Feature Matrix
| Feature | 5.0.1 Classic |
6.0.0 ARC |
7.0.0 Remote |
|---|---|---|---|
| DKIM signing (RFC 6376) | ✓ | ✓ | ✓ |
| RSA-2048 / RSA-SHA256 | ✓ | ✓ | ✓ |
| Ed25519 support (RFC 8463) | – | ✓ | – |
| ARC sealer (RFC 8617) | – | ✓ | – |
| DMARC awareness | – | ✓ | – |
| Live DNS check | ✓ | ✓ | ✓ |
| Per-domain statistics | ✓ | ✓ | ✓ |
| Quick status dashboard | ✓ | ✓ | ✓ |
| Remote deploy via WinRM | – | – | ✓ |
| Server Core compatible | – | – | ✓ |
| Edge Transport support | ✓ | ✓ | ✓ |
| DAG / cluster support | ✓ | ✓ | ✓ |
| Config reload without restart | ✓ | ✓ | ✓ |
| AES-256 key encryption | ✓ | ✓ | ✓ |
| 30-day logging | ✓ | ✓ | ✓ |
What All Three Editions Deliver
- Automatic DKIM signing of all outgoing emails via the Exchange Transport Agent
- Modern WPF configuration tool with .NET 10 and MVVM architecture
- RSA-2048 keygen directly in the tool (BouncyCastle 2.6, MIT-licensed)
- Live DNS validation with optional Google DNS 8.8.8.8 bypass
- Atomic-swap settings reload — config changes active immediately, no service restart
- Defensive XML deserialization — a corrupted
settings.xmldoesn't crash the agent - Per-domain statistics: success / failure / min-/max-latency + failure reason tracking
- AES-256 locally encrypted key storage (no DPAPI, no cloud KMS)
- 30-day logging to
%ProgramData%\ISW Exchange DKIM Signer\Logs\ - Windows Event Log integration
- No cloud components · no telemetry · no "phone home"
Compliance Is Not a Marketing Sticker
The ISW Exchange DKIM Signer Family ships with full audit documentation — Clean-Room Statement, code provenance table, verbatim third-party license texts. Ready for any compliance audit.
Meets
System Requirements
Exchange Server
- Exchange Server 2016 (RTM+)
- Exchange Server 2019 (RTM+)
- Exchange Server SE (RTM+)
- Mailbox Server or Edge Transport
Operating System
- Windows Server 2016 or higher
- Server Core (7.0.0 only)
- .NET Framework 4.8+ (Transport Agent)
- .NET 10 Desktop Runtime (Config Tool)
Permissions
- Local administrator rights
- Exchange Organization Management role
- NETWORK SERVICE: read access to keys
- WinRM 5985/5986 (7.0.0 only)
Cryptography
- RSA-2048 / RSA-SHA256 (all editions)
- Ed25519 (6.0.0 only)
- AES-256 (local key encryption)
- Relaxed/Simple canonicalization
Ready for Clean DKIM Signing?
Pick your edition in the shop or request a 30-day evaluation license.
Visit the Shop →