The DKIM Records risk vector assesses the effectiveness of DomainKeys Identified Mail (DKIM) records, a countermeasure against adversaries attempting to send fake email using a company's email domain. Properly configured DKIM records let receiving mail servers verify that a message claiming to come from the domain was signed with a key the domain owner published, and that the signed parts of the message were not altered in transit.
The protocol lets a receiving mail server check that a message was authorized by the sending domain. The sending server signs selected header fields and a hash of the message body with a private key and places the result in a DKIM-Signature header, which also names the signing domain (the d= tag) and a selector (the s= tag). The receiver fetches the matching public key from the DNS TXT record at <selector>._domainkey.<domain> and verifies the signature with it. This is a digital signature, not encryption: nothing in the message is hidden, and the public key in DNS is enough to confirm that the message was signed by the holder of the private key and has not been modified since.
Risks
Without DKIM records, a company may not be effectively preventing email from being spoofed from its domains. This makes phishing attacks easier and makes the organization susceptible to any number of intrusions that can put the organization’s information, employees, and customers at risk.
Grading
See how the DKIM Records risk vector is graded.
Concept | Behavior
---|---
Duration | 60 days
Default grade | A default risk vector grade is assigned. Without DKIM records, we cannot verify that a company is effectively preventing email from being spoofed from its domains. This is set in the center of the grading scale for computing into security ratings.
Insufficient data | If there are no findings and we are temporarily unable to collect data, the most recent grade is assigned for up to 400 days before being assigned the default grade.
Percentage (out of 70.5% in Diligence) | 1%
Remediation
Recommendations
Follow NIST recommendations:
- Search for DKIM Record findings and implement an effective DKIM record wherever one does not already exist. See our article on How to create a DKIM record.
- Generate a new RSA key pair of 2048 bits or larger. RFC 8301 requires DKIM signers to use at least 1024-bit RSA keys and recommends 2048 bits; many receivers reject shorter keys. For elliptic-curve keys, NIST's general guidance is a length of at least 224 bits; note that the only elliptic-curve signing algorithm standardized for DKIM is ed25519-sha256 (RFC 8463), whose keys are 256 bits. Refer to the recommended key length. We follow NIST recommendations regarding key length.
- Refer to the recommended key rotation for how often to generate a new RSA key pair.
- Check that your private keys are stored securely on the signing hosts and that the public key in the DNS TXT record at <selector>._domainkey.<domain> (the p= tag) matches the private key your mail servers actually sign with. A stale or mistyped p= value makes every signature fail verification, which is indistinguishable from forgery to the receiver.
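As an added example (not Bitsight's code, and not taken from any DKIM implementation the page cites), the following Go program walks through the sign-and-verify exchange described above and the checks in the recommendations: the signer builds a DKIM-Signature header with rsa-sha256 and simple/simple canonicalization, and the verifier looks up the p= public key at <selector>._domainkey.<domain>, enforces the RFC 8301 minimum RSA key size, recomputes the body hash and verifies the signature. The selector `s2024`, the domain `example.com`, the message, and the in-memory `dns` maps are constructed assumptions standing in for real mail and a real DNS lookup; the program needs only the Go standard library.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"fmt"
	"strings"
)

// Hypothetical selector and domain; the dns maps below stand in for the TXT record at <selector>._domainkey.<domain>.
const selector, domain = "s2024", "example.com"
// headers maps a lower-cased field name to its full "Name: value" line (no CRLF).
type headers map[string]string
// tags parses the "k=v; k=v" lists used by both the DKIM-Signature header and the DNS record.
func tags(v string) map[string]string {
	m := map[string]string{}
	for _, t := range strings.Split(v, ";") {
		k, val, _ := strings.Cut(strings.TrimSpace(t), "=")
		m[k] = strings.TrimSpace(val)
	}
	return m
}
// bodyHash is bh=: SHA-256 over the "simple"-canonicalized body (trailing empty lines dropped, one CRLF), base64-encoded.
func bodyHash(body string) string {
	h := sha256.Sum256([]byte(strings.TrimRight(body, "\r\n") + "\r\n"))
	return base64.StdEncoding.EncodeToString(h[:])
}
// headerHash is what is signed: the h= fields verbatim, then the DKIM-Signature field with b= blank and no CRLF.
func headerHash(hdr headers, signed []string, dkim string) []byte {
	var b strings.Builder
	for _, name := range signed {
		if h := hdr[strings.ToLower(name)]; h != "" {
			b.WriteString(h + "\r\n")
		}
	}
	b.WriteString("DKIM-Signature: " + dkim[:strings.LastIndex(dkim, " b=")+3])
	h := sha256.Sum256([]byte(b.String()))
	return h[:]
}
// record renders the TXT record the domain owner publishes under the selector.
func record(pub *rsa.PublicKey) string {
	der, _ := x509.MarshalPKIXPublicKey(pub)
	return "v=DKIM1; k=rsa; p=" + base64.StdEncoding.EncodeToString(der)
}

// sign returns the DKIM-Signature line; a=rsa-sha256 is RSASSA-PKCS1-v1_5 over SHA-256.
func sign(priv *rsa.PrivateKey, hdr headers, body string, signed []string) (string, error) {
	value := fmt.Sprintf("v=1; a=rsa-sha256; c=simple/simple; d=%s; s=%s; h=%s; bh=%s; b=",
		domain, selector, strings.Join(signed, ":"), bodyHash(body))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, headerHash(hdr, signed, value))
	return "DKIM-Signature: " + value + base64.StdEncoding.EncodeToString(sig), err
}

// verify does what a receiving MTA does: fetch the selector's record, check the key, recompute bh= and check b=.
func verify(hdr headers, body string, dns map[string]string) error {
	_, raw, ok := strings.Cut(hdr["dkim-signature"], ":")
	if !ok {
		return fmt.Errorf("message is not DKIM-signed")
	}
	value := strings.TrimSpace(raw)
	t := tags(value)
	name := t["s"] + "._domainkey." + t["d"]
	der, err := base64.StdEncoding.DecodeString(tags(dns[name])["p"])
	if err != nil || len(der) == 0 {
		return fmt.Errorf("no usable p= key at %s (missing, revoked or malformed)", name)
	}
	keyAny, err := x509.ParsePKIXPublicKey(der)
	pub, isRSA := keyAny.(*rsa.PublicKey)
	// RFC 8301: signers use at least 1024-bit RSA (2048 recommended); shorter keys are rejected here.
	if err != nil || !isRSA || t["a"] != "rsa-sha256" || pub.N.BitLen() < 1024 {
		return fmt.Errorf("unsupported algorithm, non-RSA key, or RSA key shorter than 1024 bits")
	}
	if bodyHash(body) != t["bh"] {
		return fmt.Errorf("body hash mismatch: body altered after signing")
	}
	sig, _ := base64.StdEncoding.DecodeString(t["b"])
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, headerHash(hdr, strings.Split(t["h"], ":"), value), sig) != nil {
		return fmt.Errorf("signature invalid: wrong key in DNS or signed headers altered")
	}
	return nil
}

// scenarios signs a constructed message, then verifies it intact, with a tampered body, and against a record
// that publishes a different key from the one that signed (the "wrong key in the DKIM record" failure).
func scenarios() (intact, tampered, wrongKey error) {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	other, _ := rsa.GenerateKey(rand.Reader, 2048)
	hdr := headers{"from": "From: alice@" + domain, "to": "To: bob@example.net", "subject": "Subject: Q3 invoice"}
	body := "Please pay the attached invoice.\r\n\r\n"
	hdr["dkim-signature"], _ = sign(priv, hdr, body, []string{"from", "to", "subject"})
	name, good := selector+"._domainkey."+domain, record(&priv.PublicKey)
	intact = verify(hdr, body, map[string]string{name: good})
	tampered = verify(hdr, "Pay to the NEW account instead.\r\n", map[string]string{name: good})
	wrongKey = verify(hdr, body, map[string]string{name: record(&other.PublicKey)})
	return
}

func main() { fmt.Println(scenarios()) }
```

Run as-is, it reports no error for the intact message and a distinct error for each of the other two cases. The wrong-key case is exactly what a stale or mistyped p= value produces in production: the signature is mathematically fine, but the receiver cannot tell it from a forgery, which is why the last recommendation above matters as much as the key size.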
Resources
- NIST: Special Publication 800-177, Trustworthy Email (the current edition is Revision 1)
- NIST: Special Publication 800-131A, Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths (see Section 3; the current edition is Revision 2)
- DKIM RFC: RFC 4871 (obsoleted by RFC 6376; RSA key-size requirements are in RFC 8301 and Ed25519 signing in RFC 8463)
- Wikipedia: DomainKeys Identified Mail
- Google: Internet-wide efforts to fight email phishing are working
Finding Behavior
Concept | Behavior
---|---
Finding updates | The Bitsight platform regularly checks for new observations. Bitsight findings are updated as these observations change, e.g., a newly observed Diligence finding or an existing finding that was remediated.
Duration | Automated scan: 30-50 days. User-requested refresh: 2 days.
Remediation impact | Impact is immediate. The old finding is replaced by a new finding. Grades improve when a new DKIM Records finding is detected.
- March 26, 2024: “No findings/low findings” changed to “insufficient data.”
- November 10, 2023: Linked to finding messages.
- August 16, 2023: New Grading & Finding Behavior sections.
Feedback
Links to NIST articles are pointing to outdated/superseded publications.