Digitally signing your email with DKIM

It's easy for some people to spoof email -- that is, send email that pretends to be from somebody else. To combat spoofing, you can digitally sign outbound email from WebTMA to prove that an email actually came from somebody in your organization and not somebody pretending to be from your organization.

WebTMA uses SendGrid to send outbound email from our Azure SaaS environment. SendGrid supports DKIM (DomainKeys Identified Mail) authentication. Email service providers that support DKIM check inbound email to see whether an organization that claimed to have signed a message actually did. The signature is associated with the organization's registered domain name. If the message is properly signed, the email service provider delivers the message normally. If the message is not signed or is improperly signed, the email service provider may deliver it with a caution to the user or discard it.

If you use, or similar email service for your outbound email domain, you will not be able to set up DKIM. These services do not allow it. You will have to use the email address.

Updating your DNS records to use the SendGrid domain key

Before you can digitally sign your outbound email from WebTMA, you must update the Domain Name System (DNS) records of your domain so that the SendGrid domain key can be located and used for verifying signatures. The DNS update creates a redirect to the domain key on the SendGrid domain. When an email service provider receives an email with your domain name, the provider looks up the SendGrid domain key to verify the signature of the email.

Note: Working with domain names can be confusing because it's something most of us rarely do. Consult your system administrator, if you have one, before proceeding.

Step 1 – Notify TMA Systems by emailing that you wish to set up DKIM so that you can send emails that appear to come from your own email domain instead of


Step 2 – TMA Systems will set up your environment within SendGrid for DKIM authentication. This will trigger an email from DKIM to the requestor from Step 1. This email has a link which will open a webpage with the HOST and DATA field values you will need in Step 3.


Step 3 – Create CNAME entries in your DNS records

The UI and terminology may vary depending on your registrar, but the concepts are the same.

  1. Log in to your domain registrar's control panel.

Use the login name and password that you created when you registered the domain name.

  2. Look for the option to change DNS records.

The option might be called something like DNS Management, Name Server Management, or Advanced Settings.

  3. Locate the CNAME records for your domain.

A CNAME record, or Canonical Name record, is a type of alias used by the Domain Name System (DNS). CNAME records let you point to the SendGrid domain to use its domain key.

  4. Look for an option to add a CNAME record.
  5. You will need to create three separate CNAME records using the information in the SendGrid Sender Authentication email.

Note: It takes time for changes to the DNS system to be implemented. Typically, it can take anywhere from a few hours to a day, depending on the Time To Live (TTL) settings in your registrar's control panel.


Step 4 – Select the “I’m Done” button on the SendGrid webpage. Once completed, please reply to the ticket opened to request that DKIM be set up. This will notify the TMA Systems team that they can verify everything is set up correctly. Once verified, we will update and close the ticket.
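
The following is an added example, not part of the original article and not TMA Systems or SendGrid tooling: a Python check that the three CNAME records from Step 3 resolve to the expected DATA values once the DNS changes have propagated. The host names and targets in EXPECTED are constructed placeholders, the function names are hypothetical, and the script assumes the dig utility is installed.

```python
import subprocess

# Constructed sample values; replace them with the HOST and DATA pairs
# shown on the webpage linked from your SendGrid email (Step 2).
EXPECTED = {
    "em1234.example.com": "u0000000.wl000.sendgrid.net",
    "s1._domainkey.example.com": "s1.domainkey.u0000000.wl000.sendgrid.net",
    "s2._domainkey.example.com": "s2.domainkey.u0000000.wl000.sendgrid.net",
}

def norm(name):
    """DNS names are case-insensitive; ignore the trailing root dot."""
    return name.strip().rstrip(".").lower()

def dig_cname(host):
    """Return the CNAME target for host via dig, or None if there is none."""
    out = subprocess.run(["dig", "+short", host, "CNAME"],
                         capture_output=True, text=True, timeout=10).stdout
    lines = out.split()
    return lines[0] if lines else None

def check_records(expected, zone, resolve=dig_cname):
    """Map each HOST to 'ok', 'missing', 'doubled-zone' or 'wrong-target'."""
    results = {}
    for host, data in expected.items():
        target = resolve(host)
        if target is None:
            # Some control panels append the zone to HOST automatically, so
            # the record ends up at host.zone; look there before giving up.
            doubled = resolve(f"{norm(host)}.{norm(zone)}")
            results[host] = "doubled-zone" if doubled else "missing"
        elif norm(target) == norm(data):
            results[host] = "ok"
        else:
            results[host] = "wrong-target"
    return results

if __name__ == "__main__":
    for host, status in check_records(EXPECTED, "example.com").items():
        print(f"{status:13} {host}")
```

A "doubled-zone" result means the record was created with the domain name repeated in the HOST field; re-enter it with only the part before your domain. A "missing" result shortly after the change may simply mean the TTL has not yet expired.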

