DKIM Records Risk Vector

DKIM Records is a Diligence risk vector. It assesses the effectiveness of DomainKeys Identified Mail (DKIM) records, which is a countermeasure against adversaries that are attempting to send fake email by using a company’s email domain. Properly configured DKIM records can ensure that only authorized hosts can send email on behalf of a company.

The protocol allows receiving email servers to check if the sending domain is authorized. An encrypted signature is placed inside a DKIM-protected email. It’s checked by a recipient against the sender’s public DKIM record (another key). The signature in the email is then decrypted by the recipient using the key to confirm the sender’s authenticity.

See data collection methods.

Risks

Without DKIM records, a company may not be effectively preventing email from being spoofed from its domains. This makes phishing attacks easier and makes the organization susceptible to any number of intrusions that can put the organization’s information, employees, and customers at risk.

Grading

See how the DKIM Records risk vector is graded.

Insufficient Data

A default risk vector grade is assigned if there is insufficient or no data.

Default:

Without DKIM records, we cannot verify that a company is effectively preventing email from being spoofed from its domains. This is set in the center of the grading scale for computing into security ratings.

❖ If there are no findings and we are temporarily unable to collect data, the most recent grade is assigned for up to 400 days before being assigned the default grade.

Lifetime

Lifetime is the number of days a finding impacts the risk vector grade, assuming nothing changes in the future and the finding is not updated with new information. This is defined by the number of days a finding will impact the risk vector grade. Learn why findings have a decay and lifetime period.

Duration: 60 Days

Weight

The DKIM Records risk vector is part of the Diligence risk category, which aggregates the weights of all risk vectors in the category to 70.5% towards Bitsight Security Ratings.

Weight: 1%

Remediation

Resources

• Findings
• Finding Messages

Recommendations

Follow NIST recommendations:

• Search for DKIM Record findings and then implement an effective DKIM record if one does not already exist. Please see our comprehensive article on How to create a DKIM record.
• Generate a new RSA keypair, specifying a bit strength of 2048 or larger. For elliptic curve keys, a length of 224 bits is recommended. Refer to the recommended key length. We follow NIST recommendations regarding key length.
• Refer to the recommended key rotation for how often to generate a new RSA keypair.
• Check that your keys are properly stored and the DKIM record has the correct key.

Resources

• NIST: Special Publication 800-177
• NIST: 800-131A (See Section 3)
• DKIM RFC (RFC-4871)
• Wikipedia: DomainKeys Identified Mail
• Google: Internet-wide efforts to fight email phishing are working
• Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths

Rescan Base Duration

The Bitsight platform regularly checks for new observations. Findings are rescanned as these observations change, e.g., newly observed Diligence findings or an existing finding was remediated.

Automated Scan: 30-50 Days

User-Requested Rescan: 3 days. See timeline for details.

Finding Behavior

The behavior of findings based on remediation and rescan statuses:

• Remediated
• Not Remediated

Remediated

• Grades improve when a new DKIM Records finding is detected.
• The remediated finding stops impacting the grade. If a user-requested rescan is initiated, the rescan status is either Remediated or Partially Remediated.
• A new finding impacting the grade is created. If this is a result of a user-requested rescan, the rescan status is Replacement Finding.

Not Remediated

If a user-requested rescan is initiated and the issue persists, the rescan status is Not Remediated and the finding continues to impact the grade until it completes its lifetime.