DKIM Records is a Diligence risk vector. It assesses the effectiveness of DomainKeys Identified Mail (DKIM) records, which is a countermeasure against adversaries that are attempting to send fake email by using a company’s email domain. Properly configured DKIM records can ensure that only authorized hosts can send email on behalf of a company.
The protocol lets a receiving mail server check that a message was authorized by the sending domain. The sender adds a cryptographic signature to each DKIM-protected email, computed with its private DKIM key. The recipient looks up the sender's public DKIM key (published as the domain's DKIM record) and uses it to verify that signature, confirming the sender's authenticity.
Risks
Without DKIM records, a company may not be effectively preventing email from being spoofed from its domains. This makes phishing attacks easier and makes the organization susceptible to any number of intrusions that can put the organization’s information, employees, and customers at risk.
Grading
See how the DKIM Records risk vector is graded.
Insufficient Data
A default risk vector grade is assigned if there is insufficient or no data.
Without DKIM records, we cannot verify that a company is effectively preventing email from being spoofed from its domains. The default grade sits at the center of the grading scale when it is computed into security ratings.
❖ If there are no findings and we are temporarily unable to collect data, the most recent grade is assigned for up to 400 days before being assigned the default grade.
Lifetime
Lifetime is the number of days a finding impacts the risk vector grade, assuming nothing changes in the future and the finding is not updated with new information. Learn why findings have a decay and lifetime period.
Duration: 60 Days
Weight
The DKIM Records risk vector is part of the Diligence risk category, which aggregates the weights of all risk vectors in the category to 70.5% towards Bitsight Security Ratings.
Weight: 1%
Remediation
Recommendations
Follow NIST recommendations:
- Search for DKIM Record findings and then implement an effective DKIM record if one does not already exist. Please see our comprehensive article on How to create a DKIM record.
- Generate a new RSA keypair, specifying a bit strength of 2048 or larger. For elliptic curve keys, a length of 224 bits is recommended. Refer to the recommended key length. We follow NIST recommendations regarding key length.
- Refer to the recommended key rotation for how often to generate a new RSA keypair.
- Check that your keys are properly stored and the DKIM record has the correct key.
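The checks in the recommendations above (a DKIM record exists, the RSA key is at least 2048 bits, and the published record carries the correct key) can be scripted. The following is an added example, not Bitsight's code or tooling: it builds the TXT value published at `<selector>._domainkey.<domain>` (RFC 6376 tag list `v=DKIM1; k=rsa; p=<base64 SubjectPublicKeyInfo>`), parses such a record back, measures the RSA modulus size, and compares the published key with the key the mail server actually signs with. The moduli used are constructed placeholders, not real keys, and the `assess_dkim_record` function and its `min_rsa_bits` policy are assumptions of this example rather than anything the platform exposes.

```python
"""Added example: build, parse and assess a DKIM DNS TXT record (RFC 6376 tag list).

Key material is a constructed placeholder modulus, NOT a real key; a real deployment
derives the p= value from the public half of the RSA keypair the mail server signs with.
"""
import base64
import re

RSA_OID_DER = bytes.fromhex("06092a864886f70d010101")  # OID 1.2.840.113549.1.1.1 (rsaEncryption)


# ---- minimal DER helpers: enough for a SubjectPublicKeyInfo carrying an RSA key ----
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _der(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _der_int(i):
    b = i.to_bytes(max(1, (i.bit_length() + 7) // 8), "big")
    if b[0] & 0x80:  # leading 0x00 keeps the INTEGER positive
        b = b"\x00" + b
    return _der(0x02, b)


def rsa_spki_der(n, e=65537):
    """Encode an RSA public key as DER SubjectPublicKeyInfo, the format DKIM's p= tag carries."""
    rsa_key = _der(0x30, _der_int(n) + _der_int(e))
    alg_id = _der(0x30, RSA_OID_DER + b"\x05\x00")  # rsaEncryption with NULL parameters
    return _der(0x30, alg_id + _der(0x03, b"\x00" + rsa_key))


def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(spki):
    """Return the RSA modulus size in bits from a DER SubjectPublicKeyInfo; raise if it is not RSA."""
    tag, outer, _ = _read_tlv(spki, 0)
    if tag != 0x30:
        raise ValueError("SPKI is not a SEQUENCE")
    tag, alg_id, pos = _read_tlv(outer, 0)
    if tag != 0x30 or not alg_id.startswith(RSA_OID_DER):
        raise ValueError("public key algorithm is not rsaEncryption")
    tag, bit_string, _ = _read_tlv(outer, pos)
    if tag != 0x03 or bit_string[0] != 0:
        raise ValueError("malformed subjectPublicKey BIT STRING")
    _, rsa_key, _ = _read_tlv(bit_string[1:], 0)  # RSAPublicKey ::= SEQUENCE { n, e }
    tag, modulus, _ = _read_tlv(rsa_key, 0)
    if tag != 0x02:
        raise ValueError("RSAPublicKey.modulus is not an INTEGER")
    return int.from_bytes(modulus, "big").bit_length()


# ---- DKIM record handling ----
def build_dkim_record(spki):
    """TXT value to publish at <selector>._domainkey.<domain> for an RSA key."""
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode("ascii")


def parse_dkim_record(txt):
    """Parse the tag=value list; whitespace inside a value (e.g. a wrapped p=) is dropped."""
    tags = {}
    for item in txt.split(";"):
        if not item.strip():
            continue
        name, sep, value = item.partition("=")
        if not sep:
            raise ValueError("tag without '=': %r" % item.strip())
        tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def assess_dkim_record(txt, expected_spki=None, min_rsa_bits=2048):
    """Return a list of problems (empty list = the record passes this example's checks)."""
    tags = parse_dkim_record(txt)
    p = tags.get("p")
    if p is None:
        return ["missing p= tag"]
    if p == "":  # an empty p= means the key is revoked; mail signed with this selector fails
        return ["empty p= tag: key revoked"]
    try:
        spki = base64.b64decode(p, validate=True)
    except Exception:
        return ["p= tag is not valid base64"]
    if tags.get("k", "rsa") != "rsa":  # k= defaults to rsa; other key types not assessed here
        return ["key type k=%s not assessed by this example" % tags["k"]]
    try:
        bits = rsa_modulus_bits(spki)
    except ValueError as exc:
        return ["p= does not decode to an RSA public key: %s" % exc]
    problems = []
    if bits < min_rsa_bits:
        problems.append("RSA modulus is %d bits, below the %d-bit minimum" % (bits, min_rsa_bits))
    if expected_spki is not None and spki != expected_spki:
        problems.append("published key does not match the signing key (record/key mismatch)")
    return problems


# Constructed placeholder moduli (not real keys): one 2048-bit, one 1024-bit.
STRONG_SPKI = rsa_spki_der((1 << 2047) | 0x2B7F1)
WEAK_SPKI = rsa_spki_der((1 << 1023) | 0x2B7F1)
STRONG_RECORD = build_dkim_record(STRONG_SPKI)
```

In practice `txt` is the concatenation of the strings returned for the TXT lookup of `<selector>._domainkey.<domain>`, and `expected_spki` is the DER public key exported from the keypair the mail server signs with; an empty problem list means the record exists, carries an RSA key of at least 2048 bits, and matches the signing key.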
Resources
- NIST: Special Publication 800-177
- NIST: 800-131A (See Section 3)
- DKIM RFC (RFC-4871)
- Wikipedia: DomainKeys Identified Mail
- Google: Internet-wide efforts to fight email phishing are working
- Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths
Rescan Base Duration
The Bitsight platform regularly checks for new observations. Findings are rescanned as these observations change, e.g., when a new Diligence finding is observed or an existing finding is remediated.
Automated Scan: 30-50 Days
User-Requested Rescan: 3 days. See timeline for details.
Finding Behavior
The behavior of findings based on remediation and rescan statuses:
Remediated
- Grades improve when a new DKIM Records finding is detected.
- The remediated finding stops impacting the grade. If a user-requested rescan is initiated, the rescan status is either Remediated or Partially Remediated.
- A new finding impacting the grade is created. If this is a result of a user-requested rescan, the rescan status is Replacement Finding.
Not Remediated
If a user-requested rescan is initiated and the issue persists, the rescan status is Not Remediated and the finding continues to impact the grade until it completes its lifetime.
- June 25, 2025: Finding behavior grouped by rescan statuses.
- March 26, 2024: “No findings/low findings” changed to “insufficient data.”
- November 10, 2023: Linked to finding messages.
Feedback
1 comment
Links to NIST articles are pointing to outdated/superseded publications.