- September 11, 2023: Separated finding messages.
- April 20, 2023: 2023 RAU risk category weight adjustment & grading when there are no findings.
- January 4, 2021: Automated scan duration, 2 weeks changed to 30-50 days.
The DKIM Records risk vector is assessed on whether a company publishes a DomainKeys Identified Mail (DKIM) record for each of its domains and on the length of the public key found in that DNS record. Test records (those carrying the `t=y` flag) are assessed as if the domain has no record.
The following standards are used as a basis for assessing a company's DKIM records:
- RFC 4871 (DomainKeys Identified Mail Signatures; since obsoleted by RFC 6376)
- NIST – Since 2015, this U.S. Department of Commerce agency has recommended that all RSA keys be at least 2048 bits.
- ECRYPT – This EU initiative to strengthen European excellence in cryptology recommends that all RSA asymmetric keys be at least 2048 bits.
- French Network and Information Security Agency (ANSSI) – Has recommended since 2014 that all RSA asymmetric keys be at least 2048 bits.
- Lenstra – A key-length estimation method (after Arjen Lenstra) used to predict when attacks against asymmetric keys become plausible; it indicated that 1024-bit keys should no longer be used as of 2006.
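The check described above, as an added example that is not Bitsight's own code: it parses a selector's DKIM TXT record, applies the test-record and revoked-key rules from RFC 6376, recovers the RSA modulus size from the DER public key in `p=`, and maps the length onto the page's GOOD/WARN/BAD/NEUTRAL scale. The 2048-bit and 1024-bit cut-offs, the NEUTRAL result for non-RSA keys, and the `NO_RECORD` outcome are assumptions chosen to match the standards listed above; Bitsight's actual thresholds are those stated in its finding messages. The sample zone and its moduli are constructed placeholders, not real keys.

```python
"""DKIM key record assessment as the risk vector description above implies.
Added example, not Bitsight code: the 2048/1024-bit GOOD/WARN/BAD cut-offs,
NEUTRAL for non-RSA keys and the NO_RECORD outcome are assumptions."""
import base64
import re

def parse_dkim_tags(txt):
    """Split a DKIM key record (RFC 6376 s.3.6.1) into its tag=value pairs."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = re.sub(r"\s+", "", v)  # base64 may be folded
    return tags

def _der_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(der):
    """Modulus bit length from a DER SubjectPublicKeyInfo (what RFC 6376 specifies
    for k=rsa) or from a bare PKCS#1 RSAPublicKey, seen in some legacy records."""
    tag, seq, _ = _der_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected outer SEQUENCE")
    tag, first, nxt = _der_tlv(seq, 0)
    if tag == 0x30:  # SPKI: AlgorithmIdentifier, then BIT STRING holding RSAPublicKey
        tag, bitstr, _ = _der_tlv(seq, nxt)
        if tag != 0x03:
            raise ValueError("expected BIT STRING")
        _, seq, _ = _der_tlv(bitstr[1:], 0)  # bitstr[0] is the unused-bits octet
        tag, first, _ = _der_tlv(seq, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER modulus")
    return int.from_bytes(first, "big", signed=True).bit_length()

def assess_dkim_txt(txt):
    """Classify one selector's TXT record (None = not published); returns (evaluation, key_bits)."""
    if txt is None:
        return "NO_RECORD", None  # no finding: the default grade from the table applies
    tags = parse_dkim_tags(txt)
    if tags.get("v", "DKIM1") != "DKIM1":
        return "NO_RECORD", None
    if "y" in tags.get("t", "").split(":"):  # t=y flags a testing-mode record
        return "NO_RECORD", None
    pub = tags.get("p", "")
    if pub == "":
        return "NO_RECORD", None  # empty p= means the key was revoked (RFC 6376)
    if tags.get("k", "rsa") != "rsa":
        return "NEUTRAL", None  # assumption: ed25519 keys (RFC 8463) are not graded by length
    bits = rsa_modulus_bits(base64.b64decode(pub))
    if bits >= 2048:
        return "GOOD", bits
    if bits >= 1024:
        return "WARN", bits
    return "BAD", bits

# DER builders used only to construct sample records (placeholder moduli, not real keys).
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _der_int(v):
    body = v.to_bytes((v.bit_length() + 8) // 8, "big")  # keeps a leading 0x00 when the MSB is set
    return b"\x02" + _der_len(len(body)) + body

def build_rsa_public_key(n, e=65537):
    """PKCS#1 RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }."""
    body = _der_int(n) + _der_int(e)
    return b"\x30" + _der_len(len(body)) + body

def build_rsa_spki(n, e=65537):
    """SubjectPublicKeyInfo for rsaEncryption wrapping build_rsa_public_key()."""
    alg = bytes.fromhex("300d06092a864886f70d0101010500")  # rsaEncryption OID, NULL params
    bitstr = b"\x00" + build_rsa_public_key(n, e)
    body = alg + b"\x03" + _der_len(len(bitstr)) + bitstr
    return b"\x30" + _der_len(len(body)) + body

def sample_record(n, extra_tags=""):
    """Constructed DKIM TXT record whose RSA modulus is n, with optional extra tags."""
    return "v=DKIM1; " + extra_tags + "k=rsa; p=" + base64.b64encode(build_rsa_spki(n)).decode()

# Constructed zone keyed by selector._domainkey.domain (example.com is a reserved name).
SAMPLE_RECORDS = {
    "good._domainkey.example.com": sample_record((1 << 2047) | 1),  # 2048-bit modulus
    "weak._domainkey.example.com": sample_record((1 << 1023) | 1),  # 1024-bit modulus
    "test._domainkey.example.com": sample_record((1 << 2047) | 1, "t=y; "),
    "revoked._domainkey.example.com": "v=DKIM1; p=",
    "ed._domainkey.example.com": "v=DKIM1; k=ed25519; p=" + base64.b64encode(bytes(32)).decode(),
}
```

Against live DNS the same `assess_dkim_txt` is fed the result of a TXT query such as `dig +short TXT selector._domainkey.example.com`; note that a 2048-bit key does not fit in one 255-byte character string, so the resolver's quoted strings must be concatenated before parsing. Selectors are not enumerable from DNS alone: the names come from the `s=` tag of `DKIM-Signature` headers on mail the domain actually sends, which is why a scan can report no findings for a domain that does sign its mail under an unseen selector.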
Impact
Field | Description | Details & Values
---|---|---
Finding Behavior | How findings behave, depending on the action taken. | Impact is immediate. Grades improve when a new DKIM Records finding is detected.
Lifetime | The number of days a finding affects the risk vector grade, assuming nothing changes and the finding is not updated with new information. Learn why findings have a decay and lifetime period. | 60 days
No Findings | The letter grade if there are no findings for this risk vector. | Without DKIM records, we cannot verify that a company is effectively preventing email from being spoofed from its domains. The default grade sits at the center of the grading scale used to compute security ratings. If there are no findings and we are temporarily unable to collect data, the most recent grade is kept for up to 400 days before the default grade is assigned.
Refresh | The Bitsight platform regularly checks for new observations. Bitsight findings are updated as these observations change, e.g., a newly observed Diligence finding or an existing finding that was remediated. | 
Automated Scan Duration | The duration of a regularly scheduled finding refresh, as the Bitsight platform checks for new observations. | 30-50 days
User-Requested Refresh Duration | The duration of a user-requested refresh, which refreshes eligible findings on request. This is recommended when a change in the finding is expected, such as after a finding has been remediated. | 2 days
Weight | Out of 70.5% in Diligence. | 1%
Evaluation
DKIM Records findings are evaluated as GOOD, WARN, BAD, or NEUTRAL. An overall letter grade is calculated from the evaluations of the individual findings.
If the domain has a DKIM record with a sufficiently long public key, the finding is graded GOOD. See finding messages.