- August 16, 2023: New Grading & Finding Behavior sections.
- July 16, 2020: “Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths (NIST Special Publication 800-131A)” reference updated to revision 2.
The DKIM Records risk vector assesses the effectiveness of DomainKeys Identified Mail (DKIM) records, a countermeasure against adversaries attempting to send fake email using a company’s email domain. A properly configured DKIM record lets receiving mail servers verify that a message was signed with a key the company controls and that the signed content was not altered in transit, so unsigned or badly signed mail claiming to come from the domain can be treated with suspicion.
The protocol works with a public/private key pair. The sending server uses its private key to sign a hash of selected headers and the message body, and places the result in a DKIM-Signature header of the outgoing message. The company publishes the matching public key in DNS as a TXT record at selector._domainkey.<domain>, where the selector named in the signature header identifies which key is in use. A receiving server fetches that record and uses the public key to verify the signature; a valid signature confirms that the message came from a holder of the domain’s private key and that the signed content is intact. Nothing is encrypted or decrypted in this exchange: DKIM provides authentication and integrity, not confidentiality.
Risks
Without DKIM records, a company may not be effectively preventing email from being spoofed from its domains. This makes phishing attacks easier and makes the organization susceptible to any number of intrusions that can put the organization’s information, employees, and customers at risk.
Grading
See how the DKIM Records risk vector is graded.
Concept | Behavior |
---|---|
Lifetime | 60 Days |
No Findings | This is set in the center of the grading scale for computing into security ratings. Without DKIM records, we cannot verify that a company is effectively preventing email from being spoofed from its domains. |
Weight | 1% (out of 70.5% in Diligence) |
Remediation
Review DKIM Record findings. We follow NIST recommendations for key length and rotation:
- Search for DKIM Record findings and then implement an effective DKIM record if one does not already exist. Please see our comprehensive article on How to create a DKIM record.
- Generate a new RSA keypair with a bit strength of 2048 or larger. For elliptic curve keys, a length of at least 224 bits is recommended. Refer to the recommended key length.
- Refer to the recommended key rotation for how often to generate a new keypair. Publish the new public key under a new selector before signing with it, so that mail already in transit still verifies against the old record.
- Check that the private key is stored only on the signing hosts and that the DNS record at selector._domainkey.<domain> carries the matching public key.
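The following is an added example, not the page’s own tooling and not taken from the NIST or RFC documents it cites. It parses a DKIM TXT record in the tag=value format described above, decodes the public key from the p= tag, and checks the RSA modulus length against the 2048-bit minimum from the remediation step. The sample records are constructed for the example: their moduli are dummy odd numbers of the right size rather than real RSA keys, which is enough because the length check depends only on the DER structure. The DER encoder and decoder are minimal and assume well-formed input; non-RSA keys are reported as unchecked rather than graded.

```python
"""Parse a DKIM DNS TXT record (RFC 6376 tag=value format) and check its RSA
key length against the 2048-bit minimum recommended above (NIST SP 800-131A).
Standard library only; the DER encoder/decoder is deliberately minimal."""
import base64
import re

RSA_OID = bytes.fromhex("2a864886f70d010101")  # OID 1.2.840.113549.1.1.1 (rsaEncryption)
MIN_RSA_BITS = 2048                              # NIST minimum for new RSA keys


# --- minimal DER helpers: enough to build and read a SubjectPublicKeyInfo ---

def _der_len(n: int) -> bytes:
    """Encode a DER length (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def _der_int(v: int) -> bytes:
    b = v.to_bytes((v.bit_length() + 7) // 8, "big") or b"\x00"
    if b[0] & 0x80:
        b = b"\x00" + b  # leading zero keeps the INTEGER positive
    return _der(0x02, b)


def rsa_spki(n: int, e: int = 65537) -> bytes:
    """Build the SubjectPublicKeyInfo DER blob that DKIM's p= tag carries (base64)."""
    alg = _der(0x30, _der(0x06, RSA_OID) + b"\x05\x00")      # rsaEncryption, NULL params
    pubkey = _der(0x30, _der_int(n) + _der_int(e))            # RSAPublicKey { n, e }
    return _der(0x30, alg + _der(0x03, b"\x00" + pubkey))     # BIT STRING, 0 unused bits


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, contents, position after this element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(spki: bytes) -> int:
    """Walk the SPKI structure down to the RSA modulus and return its bit length."""
    tag, body, _ = _read_tlv(spki, 0)                  # SubjectPublicKeyInfo SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, alg, pos = _read_tlv(body, 0)                   # AlgorithmIdentifier
    _, oid, _ = _read_tlv(alg, 0)
    if oid != RSA_OID:
        raise ValueError("not an RSA key")
    _, bitstr, _ = _read_tlv(body, pos)                # BIT STRING wrapping RSAPublicKey
    _, rsapk, _ = _read_tlv(bitstr[1:], 0)             # skip the unused-bits byte
    _, n_bytes, _ = _read_tlv(rsapk, 0)                # modulus INTEGER comes first
    return int.from_bytes(n_bytes, "big").bit_length()


# --- DKIM record parsing and assessment ---

def parse_dkim_record(txt: str) -> dict:
    """Split 'tag=value; tag=value' into a dict; whitespace inside values is not significant."""
    tags = {}
    for part in txt.split(";"):
        if part.strip():
            name, _, value = part.partition("=")   # split on the first '=' only (base64 padding)
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def assess_dkim_record(txt: str) -> dict:
    """Classify one DKIM TXT record: ok, weak, revoked, invalid or unchecked (non-RSA)."""
    tags = parse_dkim_record(txt)
    result = {"key_type": tags.get("k", "rsa"), "bits": None, "status": ""}
    if tags.get("v", "DKIM1") != "DKIM1":              # v= is optional but must be DKIM1 if present
        result["status"] = "invalid: version is not DKIM1"
    elif "p" not in tags:
        result["status"] = "invalid: missing p= tag"
    elif tags["p"] == "":
        result["status"] = "revoked: empty p= tag means the key is withdrawn"
    elif result["key_type"] != "rsa":
        result["status"] = "unchecked: the length rule here covers RSA only"
    else:
        bits = rsa_modulus_bits(base64.b64decode(tags["p"]))
        result["bits"] = bits
        result["status"] = "ok" if bits >= MIN_RSA_BITS else f"weak: {bits}-bit RSA is below {MIN_RSA_BITS}"
    return result


# Constructed sample records (not real keys): the moduli are dummy odd numbers of
# the right size, which is all the length check needs.
STRONG_P = base64.b64encode(rsa_spki((1 << 2047) | 0x10001)).decode()
WEAK_P = base64.b64encode(rsa_spki((1 << 1023) | 0x10001)).decode()
SAMPLE_STRONG = f"v=DKIM1; k=rsa; p={STRONG_P}"
SAMPLE_WEAK = f"v=DKIM1; k=rsa; p={WEAK_P}"
SAMPLE_REVOKED = "v=DKIM1; k=rsa; p="

if __name__ == "__main__":
    for name, record in [("strong", SAMPLE_STRONG), ("weak", SAMPLE_WEAK), ("revoked", SAMPLE_REVOKED)]:
        print(name, assess_dkim_record(record))
```

To run this against a live record, query the TXT record for selector._domainkey.<domain> (for example with `dig TXT`), concatenate the quoted strings the resolver returns (long keys are split into several strings of at most 255 characters) and pass the joined text to `assess_dkim_record`. A weak or revoked result maps directly onto the remediation steps above: generate a new key of at least 2048 bits and publish it under a fresh selector.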
Resources
- NIST: Special Publication 800-177 (Trustworthy Email)
- NIST: Special Publication 800-131A Revision 2, Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths (see Section 3)
- DKIM RFC (RFC 4871, since obsoleted by RFC 6376)
- Wikipedia: DomainKeys Identified Mail
- Google: Internet-wide efforts to fight email phishing are working
Finding Behavior
Concept | Behavior |
---|---|
Refresh | Automated: 30-50 Days; User-Requested: 2 Days |
Remediated | The old finding is replaced by a new finding. Grades improve once the new DKIM Records finding, reflecting the corrected record, is detected. |