As of July 2, 2025, T-Online in Germany requires strict alignment for DKIM signatures on emails. But what does that actually mean?
Until now, it was acceptable to send an email using the domain foo.com while signing it with a subdomain such as news.foo.com. This setup is known as relaxed alignment. T-Online no longer accepts this configuration. Going forward, the domain in the “From” header and the domain used to sign the message must match exactly. Setups using relaxed alignment will be rejected with the following bounce message:
559 5.1.9 (DKIM reject DKIMr) Missing, invalid or non-matching DKIM signature (250)
In other words: you either send with foo.com and sign with foo.com, or you send with news.foo.com and also sign with news.foo.com. That is the only way to achieve said strict alignment.
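The difference between relaxed and strict alignment, as an added example that is not part of the original article or any Mapp tooling: the script compares the “From” domain of a constructed sample message with the d= tag of each DKIM signature. It checks alignment only, not the cryptographic validity of the signature. The function names are hypothetical, and the organisational domain is passed in by the caller as a simplifying assumption instead of being derived from the Public Suffix List.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message (not real traffic): From uses foo.com,
# the signature is created with the subdomain news.foo.com.
SAMPLE = """\
From: Foo Shop <newsletter@foo.com>
To: someone@example.org
Subject: Constructed sample
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=news.foo.com;
 s=sel1; h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER

Body
"""

def from_domain(msg):
    """Domain of the address in the From header, lower-cased."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower().rstrip(".")

def signing_domains(msg):
    """d= tag of every DKIM-Signature header (a message may carry several)."""
    domains = []
    for value in msg.get_all("DKIM-Signature", []):
        # Split the tag=value list; folded header whitespace is stripped.
        tags = dict(
            (k.strip().lower(), re.sub(r"\s+", "", v))
            for k, _, v in (part.partition("=") for part in value.split(";"))
            if k.strip()
        )
        if "d" in tags:
            domains.append(tags["d"].lower().rstrip("."))
    return domains

def alignment(header_from, d, org_domain):
    """Classify one signature as 'strict', 'relaxed' or 'none'."""
    if d == header_from:
        return "strict"              # exact match, what T-Online now requires
    def under_org(name):
        return name == org_domain or name.endswith("." + org_domain)
    if under_org(d) and under_org(header_from):
        return "relaxed"             # same organisational domain only
    return "none"

def check(raw, org_domain):
    """Map each signing domain in the raw message to its alignment class."""
    msg = message_from_string(raw)
    hf = from_domain(msg)
    return {d: alignment(hf, d, org_domain) for d in signing_domains(msg)}
```

For the sample above, `check(SAMPLE, "foo.com")` classifies the news.foo.com signature as relaxed, which is the configuration the bounce message refers to.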
T-Online is the first German mailbox provider to enforce this requirement. However, it is very likely that others will follow. Mapp therefore recommends migrating to strict alignment for all outbound email.
Many customers configure their sending domain at their email service provider using a subdomain. The DKIM signature is then also created with this subdomain. No further configuration is usually required on the organisational domain (the main domain, such as foo.com).
However, if a customer wants to use foo.com in the “From” header, the email service provider must also be able to sign with this domain. This requires additional configuration on the organisational domain. Only then can the receiving mailbox provider look up the correct DKIM key via DNS.
The consequences of this change are bigger than one would initially expect. Many mailbox providers no longer rely primarily on IP addresses when assessing emails. Instead, the sending domain plays a key role. And often, the domain used in the DKIM signature is the one that is evaluated – because it is the only one that is reliably validated.
Moving the signature from a subdomain to the organisational domain also shifts the reputation. Newsletters and regular office emails that are both sent from the same domain will now share the same reputation. That can be beneficial – or problematic, depending on the use case.
An email service provider that has so far measured separate reputations for subdomains can no longer easily do so. Integration with tools such as Gmail Postmaster Tools or the Yahoo Feedback Loop must now also be based on the organisational domain.
This becomes even trickier for companies that use multiple email service providers. Feedback loop data – such as that from Yahoo – cannot be processed by more than one destination. These reports are sent to a single address. If multiple providers are involved, valuable data may be lost or delivered to the wrong place. In the worst case, this can lead to deliverability issues.
The cleanest setup looks like this: delegate a dedicated subdomain to your email service provider, and send emails from that subdomain. This ensures a clear separation. Strict alignment is guaranteed, and all technical requirements of mailbox providers are fulfilled.
If you still wish to send emails from the organisational domain in the “From” header, you can do so – but the setup is more complex and needs to be planned carefully. In some cases, you may need to accept a shared reputation across all emails. If more than one email service provider is involved, we advise against this approach.
Mapp actively supports its customers on this topic. We review existing setups, explain the new requirements and provide tailored recommendations. Together, we will find a solution that is technically robust and fully compliant.
If you have any questions, please feel free to reach out. Our Deliverability Services team is happy to support you.