With emails now bouncing due to DKIM I tried testing a few workarounds. Connecting to the IONOS servers worked in as much as incoming and outgoing mail functioned. I then tried to set up DKIM and was surprised that this will not be available until the second quarter of this year.
Next, I researched using a 365 account. Read all the recent documentation about setting up basic authentication (some as recent as last November). 365 and Exhange happily allowed me to change all the settings to basic, but I could not get this to work so ran a check.
Mmm - it would appear you can enable basic authentication because I have just done it, but it doesn't work if you do...
Delving deeper it would appear this to be the case, 365/Online Exchange will not work with POP3, IMAP4 or SMTP at the server level. However, I did stumble upon a tech sheet that said legacy basic authentication is still supported at pop-legacy.office365.com, imap-legacy.office365.com and smtp-legacy.office365.com.
I reset to the above addresses and SMTP now works (TLS 1.2) but IMAP is still giving this error (can't be username and password as they are the same for SMTP)
So the question being, is there a configuration setting at the client that may be different using the legacy address?
Is it possible to configure outgoing through 365/Exchange and still have incoming route through IONOS? Setting up DKIM proved quite easy for the test domain I tried with 365.
Bearing in mind I have never used 365 before, it didn't dawn on me that I could generate keys from an accepted domain without using the 365/Exchange to send and receive emails, and the whole point of the exercise was to be DKIM compliant.
With the test domain I went to the MS DKM page, clicked the accepted domain and then 'Create DKIM Keys' - this gave me the settings for CNAME that I added to DNS, then went back and enabled DKM.
With the main domain I clicked on that accepted domain - this showed DKIM keys but disabled. Enabling it threw a CNAME error - went back to the ISP and entered them - then tried again. This time it worked.
Not an answer to the POP, IMAP issue - which is probably unsolvable, but at least I can now send emails through an ISP that doesn't support DKIM and still have them signed :-)