
DKIM Implementation Guide

DKIM adds cryptographic proof that your emails are authentic and unaltered. Learn how to generate keys, publish DNS records, rotate keys, and pass CDA verification.


Farhad Mirza Khawar

Founder of HIPAA Agent and Cyber Defense Agent. Compliance infrastructure for SMBs. Sacramento, CA.

2026-05-01

What DKIM is and how it works

DomainKeys Identified Mail (DKIM) is an email authentication method that uses public-key cryptography to sign outgoing messages. Every email sent from your domain gets a digital signature added to its headers. The receiving mail server retrieves your public key from DNS and uses it to verify the signature.

DKIM proves two things:

1. The email genuinely originated from your domain (authenticity)
2. The message content was not modified in transit (integrity)

Unlike SPF, which only checks the sending server's IP address, DKIM verifies the message itself. This makes DKIM essential for forwarded emails, which often fail SPF checks because the forwarding server's IP isn't in the original domain's SPF record.

Cyber Defense Agent checks for DKIM configuration as part of every scan. A domain without DKIM signing is missing a critical layer of email authentication.
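To make the verifier's side of this concrete, here is an added example (not code from the original guide or from Cyber Defense Agent) that performs the first steps a receiving server takes: parse the DKIM-Signature header, derive the DNS name where the public key lives (selector._domainkey.domain), canonicalize the body per RFC 6376, and recompute the bh= body hash to detect tampering. The sample message, the domain example.com and the selector name are constructed; the b= value is a placeholder because checking the RSA signature itself needs the public key from DNS and an RSA library, which this stdlib-only script leaves out.

```python
import base64
import hashlib
import re
from typing import Dict


def parse_dkim_signature(value: str) -> Dict[str, str]:
    """Parse the tag=value list of a DKIM-Signature header (folding whitespace inside values is dropped)."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", val)
    return tags


def dkim_dns_name(tags: Dict[str, str]) -> str:
    """Name the verifier queries for the public key: <selector>._domainkey.<signing domain>."""
    return f"{tags['s']}._domainkey.{tags['d']}"


def canonicalize_body(body: bytes, mode: str = "simple") -> bytes:
    """Body canonicalization per RFC 6376 section 3.4: 'simple' or 'relaxed'."""
    lines = body.split(b"\r\n")
    if mode == "relaxed":
        # drop trailing whitespace on each line and collapse runs of whitespace to one space
        lines = [re.sub(rb"[ \t]+", b" ", line.rstrip(b" \t")) for line in lines]
    elif mode != "simple":
        raise ValueError(f"unknown body canonicalization {mode!r}")
    while lines and lines[-1] == b"":  # both modes ignore empty lines at the end of the body
        lines.pop()
    if not lines:
        return b"\r\n" if mode == "simple" else b""  # empty body: one CRLF in simple, nothing in relaxed
    return b"\r\n".join(lines) + b"\r\n"


def body_hash(body: bytes, mode: str = "simple", algorithm: str = "sha256") -> str:
    """The bh= value: base64 of the hash over the canonicalized body."""
    digest = hashlib.new(algorithm, canonicalize_body(body, mode)).digest()
    return base64.b64encode(digest).decode("ascii")


def check_body_hash(signature_header: str, body: bytes) -> bool:
    """Recompute bh= from the body as received and compare it with the value the signer claimed."""
    tags = parse_dkim_signature(signature_header)
    _, _, body_mode = tags.get("c", "simple/simple").partition("/")
    body_mode = body_mode or "simple"       # 'c=relaxed' alone means relaxed headers, simple body
    algorithm = tags["a"].split("-", 1)[1]  # 'rsa-sha256' -> 'sha256'
    return body_hash(body, body_mode, algorithm) == tags["bh"]


# Constructed sample (not a real message): the body as received and the DKIM-Signature a signer would add.
# The b= value is a placeholder; checking it needs the RSA public key from DNS and an RSA library.
SAMPLE_BODY = b"Hello,\r\n\r\nPlease find the invoice attached.\r\n\r\n\r\n"
SAMPLE_SIGNATURE = (
    "v=1; a=rsa-sha256; c=relaxed/simple; d=example.com; s=selector1; h=from:to:subject:date; "
    "bh=" + body_hash(SAMPLE_BODY, "simple") + "; b=PLACEHOLDER_SIGNATURE"
)

if __name__ == "__main__":
    tags = parse_dkim_signature(SAMPLE_SIGNATURE)
    print("public key is fetched from:", dkim_dns_name(tags))
    print("body hash matches as received:", check_body_hash(SAMPLE_SIGNATURE, SAMPLE_BODY))
    tampered = SAMPLE_BODY.replace(b"attached", b"enclosed")
    print("body hash matches after a one-word edit:", check_body_hash(SAMPLE_SIGNATURE, tampered))
```

The body-hash comparison is what gives DKIM its integrity property: a single changed word in the body produces a different bh=, so the check fails before any signature math is attempted. The canonicalization step is why trailing blank lines added by a relay do not break the signature, while edits inside the text do. The l= (body length) tag is not handled here.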

Key generation and DNS publishing

DKIM implementation involves generating a key pair and publishing the public key in DNS:

1. Generate DKIM keys — Most email providers handle this automatically. In Microsoft 365, go to Defender > Email & collaboration > Policies > DKIM. In Google Workspace, go to Admin > Apps > Google Workspace > Gmail > Authenticate email.
2. Publish the public key — Your provider will give you a CNAME or TXT record to add to your DNS. The record is published under a selector subdomain: selector1._domainkey.yourdomain.com.
3. Enable DKIM signing — Activate DKIM signing in your email provider's admin console. All outgoing emails will now include a DKIM-Signature header.
4. Verify — Send a test email to an external address and check the headers for "dkim=pass" in the Authentication-Results header. Run a Cyber Defense Agent scan to confirm.

For third-party services (marketing platforms, CRM), each service needs its own DKIM configuration. Check each provider's documentation for their specific DKIM setup process.

Key rotation and maintenance

DKIM keys should be rotated periodically to maintain security.

Why rotate keys:

- Limits exposure if a private key is compromised
- Longer keys (2048-bit) provide stronger security than older 1024-bit keys
- Some compliance frameworks recommend annual key rotation

Rotation process:

1. Generate a new key pair with a new selector (e.g., selector2)
2. Publish the new public key in DNS under the new selector
3. Wait for DNS propagation (24-48 hours)
4. Switch your email provider to sign with the new selector
5. Keep the old public key in DNS for 7-14 days (to verify emails in transit)
6. Remove the old public key after the transition period

Best practices:

- Use 2048-bit keys minimum (1024-bit is increasingly vulnerable)
- Rotate keys at least annually
- Document your current selectors and rotation schedule
- Test thoroughly before removing old keys
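The rotation timeline above has two waiting periods that are easy to skip in practice, and skipping either one causes real mail to fail verification. As an added example (not from the original guide or the Cyber Defense Agent product), the script below keeps the selector history the "document your current selectors" practice calls for as a list of Selector records and checks it against the timeline: signing must not start before the 48-hour propagation window, the old public key must stay published for the 7-day overlap but be gone within 14 days, and the active key must not be older than a year. The selector names, dates and thresholds are constructed from the figures in this section.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

PROPAGATION_WAIT = timedelta(hours=48)  # publish the new key, then wait this long before signing with it
OVERLAP_MIN = timedelta(days=7)         # keep the old public key at least this long after the switch
OVERLAP_MAX = timedelta(days=14)        # and remove it by then
MAX_KEY_AGE = timedelta(days=365)       # rotate at least annually


@dataclass
class Selector:
    name: str
    published: datetime                       # public key added to DNS under <name>._domainkey
    signing_since: Optional[datetime] = None  # provider switched outgoing mail to this selector
    removed: Optional[datetime] = None        # public key deleted from DNS


def rotation_findings(selectors: List[Selector], now: datetime) -> List[str]:
    """Check a selector history against the rotation timeline; an empty list means it was followed."""
    findings = []
    signers = sorted((s for s in selectors if s.signing_since), key=lambda s: s.signing_since)
    for s in signers:
        if s.signing_since < s.published + PROPAGATION_WAIT:
            findings.append(f"{s.name}: signing started before the {PROPAGATION_WAIT.days * 24}h propagation window ended")
    for old, new in zip(signers, signers[1:]):
        if old.removed is not None and old.removed < new.signing_since + OVERLAP_MIN:
            findings.append(f"{old.name}: public key removed before the {OVERLAP_MIN.days}-day overlap ended")
        if old.removed is None and now > new.signing_since + OVERLAP_MAX:
            findings.append(f"{old.name}: still published more than {OVERLAP_MAX.days} days after the switch; remove it")
    if signers:
        active = signers[-1]
        age = now - active.published
        if active.removed is None and age > MAX_KEY_AGE:
            findings.append(f"{active.name}: signing key is {age.days} days old; rotation overdue")
    return findings


def _utc(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)


# Constructed histories (not from the page). RUSHED_ROTATION switched to selector2 one day after
# publishing it and deleted selector1 three days later; CAREFUL_ROTATION waited both periods out.
RUSHED_ROTATION = [
    Selector("selector1", published=_utc(2025, 1, 1), signing_since=_utc(2025, 1, 4), removed=_utc(2026, 1, 5)),
    Selector("selector2", published=_utc(2026, 1, 1), signing_since=_utc(2026, 1, 2)),
]
CAREFUL_ROTATION = [
    Selector("selector1", published=_utc(2025, 1, 1), signing_since=_utc(2025, 1, 4), removed=_utc(2026, 1, 15)),
    Selector("selector2", published=_utc(2026, 1, 1), signing_since=_utc(2026, 1, 4)),
]
NOW = _utc(2026, 2, 1)

if __name__ == "__main__":
    for label, history in (("rushed", RUSHED_ROTATION), ("careful", CAREFUL_ROTATION)):
        print(label, rotation_findings(history, NOW) or ["no findings"])
```

Run it as a scheduled check against your own selector records: the "still published" and "rotation overdue" findings are the ones that creep in over time, long after the rotation itself looked finished.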

Key Takeaways

TL;DR

DKIM cryptographically signs emails to prove authenticity and message integrity.

Most email providers (M365, Google Workspace) make DKIM setup straightforward.

Use 2048-bit keys minimum and rotate them at least annually.

Each third-party email service needs its own DKIM configuration.

Cyber Defense Agent verifies DKIM is properly configured during every scan.

FAQ

Frequently asked questions

How do I set up DKIM in Microsoft 365?

In the Microsoft 365 Defender portal, go to Email & collaboration > Policies & rules > Threat policies > DKIM. Select your domain and click "Enable." Microsoft will provide CNAME records to add to your DNS. After DNS propagation, Microsoft 365 will automatically sign all outgoing emails with DKIM.

What key size should I use for DKIM?

Use 2048-bit keys. While 1024-bit keys are still technically valid, they are increasingly vulnerable to brute-force attacks. Most modern email providers generate 2048-bit keys by default. If your DNS provider doesn't support long TXT records, you may need to split the record into several quoted strings of at most 255 characters each; resolvers concatenate the strings when reading the record, so the key itself is unaffected.
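The "publish the public key" step in the implementation section and the key-size and TXT-splitting points in this answer come together in one record, so here is an added example (not code from the original guide or from Cyber Defense Agent) that builds a DKIM TXT record from a DER-encoded RSA public key, splits it into the 255-character strings a TXT record is made of, and then does what a scanner does with the strings a resolver hands back: joins them, parses the tag list, and reports a missing or revoked p= tag or a modulus shorter than 2048 bits. The modulus used is a constructed bit pattern, not a real key, and the small DER encoder and decoder are written out here so the script runs with the standard library only.

```python
import base64
import re
from typing import Dict, List

# OBJECT IDENTIFIER 1.2.840.113549.1.1.1 (rsaEncryption), DER-encoded with its tag and length
RSA_OID = bytes.fromhex("06092a864886f70d010101")


def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(content)) + content


def _der_int(value: int) -> bytes:
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:  # a leading 0x00 keeps the INTEGER positive
        body = b"\x00" + body
    return _der(0x02, body)


def rsa_spki_der(modulus: int, exponent: int = 65537) -> bytes:
    """Encode an RSA public key as DER SubjectPublicKeyInfo, the format DKIM's p= tag carries."""
    rsa_public_key = _der(0x30, _der_int(modulus) + _der_int(exponent))
    algorithm_id = _der(0x30, RSA_OID + b"\x05\x00")  # rsaEncryption with NULL parameters
    return _der(0x30, algorithm_id + _der(0x03, b"\x00" + rsa_public_key))  # BIT STRING, 0 unused bits


def _read_tlv(buf: bytes, pos: int, want: int):
    """Read one DER tag-length-value at pos, insisting on the expected tag; return (content, next pos)."""
    if pos >= len(buf) or buf[pos] != want:
        raise ValueError(f"expected DER tag 0x{want:02x} at offset {pos}")
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return buf[pos:pos + length], pos + length


def rsa_modulus_bits(spki_der: bytes) -> int:
    """Return the RSA modulus size in bits from a DER SubjectPublicKeyInfo."""
    spki, _ = _read_tlv(spki_der, 0, 0x30)
    algorithm_id, pos = _read_tlv(spki, 0, 0x30)
    if not algorithm_id.startswith(RSA_OID):
        raise ValueError("not an rsaEncryption key")
    bit_string, _ = _read_tlv(spki, pos, 0x03)
    rsa_public_key, _ = _read_tlv(bit_string, 1, 0x30)  # skip the unused-bits byte
    modulus, _ = _read_tlv(rsa_public_key, 0, 0x02)
    return int.from_bytes(modulus, "big").bit_length()


def build_dkim_txt(spki_der: bytes, chunk: int = 255) -> List[str]:
    """Build the DKIM TXT record and split it into the <=255-character strings a TXT record is made of."""
    record = "v=DKIM1; k=rsa; p=" + base64.b64encode(spki_der).decode("ascii")
    return [record[i:i + chunk] for i in range(0, len(record), chunk)]


def check_dkim_record(strings: List[str], min_bits: int = 2048) -> List[str]:
    """Join the TXT strings a resolver returns, parse the tag list, and report findings (empty = healthy)."""
    record = "".join(strings)
    tags: Dict[str, str] = {
        k.strip(): re.sub(r"\s+", "", v)
        for k, v in (part.split("=", 1) for part in record.split(";") if "=" in part)
    }
    findings = []
    if tags.get("v", "DKIM1") != "DKIM1":
        findings.append(f"unexpected version tag v={tags['v']}")
    if tags.get("k", "rsa") != "rsa":  # k= defaults to rsa when absent
        findings.append(f"key type k={tags['k']} is not checked by this script")
    if "p" not in tags:
        findings.append("missing p= tag: record is not a usable DKIM key")
    elif tags["p"] == "":
        findings.append("p= is empty: the key has been revoked, mail signed with it will fail")
    else:
        try:
            bits = rsa_modulus_bits(base64.b64decode(tags["p"]))
        except (ValueError, IndexError):
            findings.append("p= does not decode to an RSA public key")
        else:
            if bits < min_bits:
                findings.append(f"RSA modulus is {bits} bits; use at least {min_bits}")
    return findings


if __name__ == "__main__":
    # Constructed modulus: a bit pattern of the right length, not a real key; use your provider's generated key.
    strings = build_dkim_txt(rsa_spki_der((1 << 2047) | 1))
    print(len(strings), "TXT strings; findings:", check_dkim_record(strings) or ["none"])
    print("1024-bit key:", check_dkim_record(build_dkim_txt(rsa_spki_der((1 << 1023) | 1))))
```

A 2048-bit key produces a record of about 410 characters, which is why it arrives as two strings; the check function joins them back before parsing, exactly as a verifier does. Publishing an empty p= is the documented way to revoke a selector, which is why the script reports it as a finding rather than an error.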

How often should DKIM keys be rotated?

Rotate DKIM keys at least annually. Some security frameworks recommend quarterly rotation. Always rotate immediately if you suspect a key compromise. Use a new selector name for each rotation to ensure a smooth transition without disrupting email delivery.

Does DKIM work with forwarded emails?

Yes, this is a key advantage of DKIM over SPF. When an email is forwarded, the DKIM signature remains intact because it travels in the message headers, provided the forwarder does not alter the signed headers or the body. SPF often fails for forwarded emails because the forwarding server's IP isn't in the original sender's SPF record. This is why both DKIM and SPF are needed, and why DMARC passes when either one passes with an aligned domain.
