- December 12, 2023: Linked to no findings definition.
- December 4, 2023: Finding lifetime definition link changed to Finding Lifetime section.
- September 11, 2023: Separated finding messages.
The DKIM Records risk vector is assessed based on if a company has a DomainKeys Identified Mail (DKIM) record for each of their domains and the key length of the public key found in their DNS record. Test records are assessed as if the domain does not have a record.
The following standards are used as a basis for assessing a company's DKIM records:
- NIST – Since 2015, this US department of Commerce agency recommends that all RSA keys be at least 2048 bits.
- ECRYPT – This EU initiative, to strengthen European excellence in the area of cryptology, recommends that all RSA asymmetric keys be at least 2048 bits.
- French Network and Information Security Agency (ANSSI) – Recommends that all RSA asymmetric keys be at least 2048 bits since 2014.
- Lenstra – A mathematical algorithm used to estimate when cryptographic attacks against asymmetric are plausible, indicating that 1024 should no longer be used as of 2006.
|Details & Values
|How findings behave, depending on the action taken.
|Impact is immediate. Grades improve when a new DKIM Records finding is detected.
|The number of days a finding will impact the risk vector grade, assuming nothing changes in the future and the finding is not updated with new information. Learn why findings have a decay and lifetime period.
|There are no findings for this risk vector or we are temporarily unable to collect data. A default risk vector grade is assigned.
Without DKIM records, we cannot verify that a company is effectively preventing email from being spoofed from its domains. This is set in the center of the grading scale for computing into security ratings.
If there are no findings and we are temporarily unable to collect data, the most recent grade is assigned for up to 400 days before being assigned the default grade.
|The Bitsight platform regularly checks for new observations. Bitsight findings are updated as these observations change, e.g., newly observed Diligence findings or an existing finding was remediated.
|Automated Scan Duration
|The duration of a regularly scheduled finding refresh, as the Bitsight platform checks for new observations.
|User-Requested Refresh Duration
|The duration of a user-requested refresh, which initiates a refresh of eligible findings upon request. This is recommended when a change in the finding is expected, such as when a finding has been remediated.
|Out of 70.5% in Diligence.
DKIM Records findings are evaluated as GOOD, WARN, FAIR, BAD, or NEUTRAL. An overall letter grade is calculated using the evaluations of individual findings.
- If the domain has a DKIM record with a sufficiently long public key, it is graded as GOOD.
- FAIR findings for this risk vector have a negative impact on the rating.
See finding messages.