The DKIM Records risk vector is assessed based on whether a company has a DomainKeys Identified Mail (DKIM) record for each of its domains and on the key length of the public key found in that DNS record. Test records are assessed as if the domain had no record at all.
The following standards are used as a basis for assessing a company's DKIM records:
- RFC 4871
- NIST – Since 2015, this U.S. Department of Commerce agency has recommended that all RSA keys be at least 2048 bits.
- ECRYPT – This EU initiative to strengthen European excellence in cryptology recommends that all RSA asymmetric keys be at least 2048 bits.
- French Network and Information Security Agency (ANSSI) – Has recommended since 2014 that all RSA asymmetric keys be at least 2048 bits.
- Lenstra – A mathematical method used to estimate when cryptographic attacks against asymmetric keys become plausible; it indicates that 1024-bit keys should no longer have been used as of 2006.
Impact
Concept | Behavior
---|---
A default risk vector grade is assigned. | Without DKIM records, we cannot verify that a company is effectively preventing email from being spoofed from its domains. The default grade is set at the center of the grading scale for computing into security ratings. ❖ If there are no findings and we are temporarily unable to collect data, the most recent grade is assigned for up to 400 days before the default grade is assigned. If the most recent grade is lower than the default grade, the default grade is assigned.
The number of days a finding impacts the risk vector grade, assuming nothing changes in the future and the finding is not updated with new information. Learn why findings have a decay and lifetime period. | Duration: 60 Days
Percentage (out of 70.5% in Diligence) | 1%
Finding Grading
DKIM Records findings are evaluated as GOOD, WARN, FAIR, BAD, or NEUTRAL. An overall letter grade is calculated using the evaluations of individual findings.
- If the domain has a DKIM record with a sufficiently long public key, it is graded as GOOD.
- FAIR findings for this risk vector have a negative impact on the rating.
See finding messages.
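As an added example that is not part of this page or of Bitsight's own tooling, the following Python grades one selector's DKIM TXT record the way this section describes: it reads the RSA public key length from the p= tag, treats a test-mode (t=y) record as absent, and applies the 2048-bit threshold the cited standards recommend; it also shows the selector-based name under which DKIM records are actually published. The DER parser and the constructed sample keys are mine, and the "NONE" label for an unusable record is an assumption, since the page does not say which letter grade a missing record maps to.

```python
import base64
DKIM_MIN_RSA_BITS = 2048  # threshold from the NIST/ECRYPT/ANSSI guidance listed above

def dkim_query_name(selector, domain):
    # DKIM keys are published under a selector label, not at the bare domain
    return f"{selector}._domainkey.{domain}"

def _der_tlv(buf, pos):  # -> (tag, value_start, value_end) of the DER element at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def rsa_modulus_bits(p_b64):  # bit length of the RSA modulus in a base64 SPKI (the p= tag)
    spki = base64.b64decode(p_b64)
    _, s, _ = _der_tlv(spki, 0)            # SubjectPublicKeyInfo SEQUENCE
    _, _, alg_end = _der_tlv(spki, s)      # AlgorithmIdentifier SEQUENCE (skipped)
    tag, bs, _ = _der_tlv(spki, alg_end)   # BIT STRING wrapping RSAPublicKey
    assert tag == 0x03, "expected BIT STRING"
    _, rs, _ = _der_tlv(spki, bs + 1)      # +1 skips the unused-bits byte
    tag, ns, ne = _der_tlv(spki, rs)       # INTEGER n (modulus)
    assert tag == 0x02, "expected INTEGER modulus"
    return int.from_bytes(spki[ns:ne], "big").bit_length()

def grade_dkim_record(txt):
    """GOOD for a sufficiently long RSA key, FAIR otherwise, NONE when no usable record
    exists (missing, revoked with empty p=, or test mode t=y, which the page treats as absent)."""
    if not txt:
        return "NONE"
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = v.strip().replace(" ", "")  # drop folding whitespace
    if "y" in tags.get("t", "").split(":") or not tags.get("p"):
        return "NONE"
    return "GOOD" if rsa_modulus_bits(tags["p"]) >= DKIM_MIN_RSA_BITS else "FAIR"

def _der(tag, body):  # minimal DER encoder, used only to build constructed sample keys
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    hdr = bytes([tag, len(body)]) if len(body) < 0x80 else bytes([tag, 0x80 | len(lb)]) + lb
    return hdr + body

def sample_p_tag(modulus_bits):  # constructed sample: valid SPKI syntax around a dummy modulus
    nb = ((1 << (modulus_bits - 1)) | 1).to_bytes((modulus_bits + 7) // 8, "big")
    nb = b"\x00" + nb if nb[0] & 0x80 else nb  # DER INTEGER is signed; keep it positive
    rsa_key = _der(0x30, _der(0x02, nb) + _der(0x02, b"\x01\x00\x01"))  # n, e=65537
    alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010101")) + _der(0x05, b""))  # rsaEncryption
    return base64.b64encode(_der(0x30, alg + _der(0x03, b"\x00" + rsa_key))).decode()
```

The keys from sample_p_tag are syntactically valid but not real RSA keys; against live DNS you would query the name returned by dkim_query_name for a TXT record and pass its value to grade_dkim_record.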
- November 22, 2024: Default grading behavior updated.
- March 26, 2024: “No findings/low findings” changed to “insufficient data.”
- December 12, 2023: Linked to no findings definition.
Feedback
This document does not describe how the DKIM record is found. It is very common to use a selector when setting up DKIM records, and those records are not found when using a search for text records on the main domain name.
To observe DKIM records, DNS and passive-DNS traffic are analyzed.
What records are you then looking for in this DNS / passive-DNS traffic? I have over 100 domains with DKIM records configured, but in my reports it shows that I have 0 DKIM records.
Jan Hugo Prins: Please reach out to our Support team (support@bitsight.com).