What is the Cyber Defense Score™?

The Cyber Defense Score™ is an A–F letter grade plus a 0–100 numerical score produced by a 100-tool external attack surface scan. It shows you exactly what cyber insurance underwriters see when they assess your business. It is mapped to NIST CSF 2.0, CIS Controls, SOC 2, NIST 800-171, FTC Safeguards Rule, and PCI-DSS readiness.

How does Cyber Defense Agent help with cyber insurance?

Cyber Defense Agent runs the same external scans that cyber insurance underwriters use to assess your risk. By scanning first, you can identify and fix gaps (missing MFA, DMARC, open ports, SSL issues) BEFORE your renewal or new application. This helps you avoid denials, reduce premiums, and pass underwriting on the first attempt.

What do cyber insurance underwriters scan for?

Underwriters typically scan for: MFA enforcement across all remote access, DMARC/SPF/DKIM email authentication, open RDP ports (3389), SSL/TLS configuration, known vulnerabilities in public-facing services, DNS security, and evidence of endpoint detection (EDR). Cyber Defense Agent checks all of these in 60 seconds.

Can Cyber Defense Agent help me lower my cyber insurance premium?

Yes. Carriers offer premium discounts of 10–25% for businesses that demonstrate strong security posture. By fixing the gaps Cyber Defense Agent identifies and presenting your Cyber Defense Score™ and trust page to your broker, you provide concrete evidence of risk reduction that carriers reward with lower premiums.

Why was my cyber insurance application denied?

The most common denial reasons are: no MFA on email and remote access (41% of denials), missing DMARC email authentication, open RDP ports, no EDR/endpoint protection, and no incident response plan. Cyber Defense Agent scans for all of these and shows you exactly what to fix before reapplying.

How long does a Cyber Defense Agent scan take?

A full 100-tool external attack surface scan completes in approximately 60 seconds. No software installation, no questionnaires, and no credit card is required to get started. You see the same view of your attack surface that underwriters see.

What frameworks does Cyber Defense Agent map to?

Cyber Defense Agent maps scan results to NIST CSF 2.0, CIS Controls, SOC 2, NIST 800-171, FTC Safeguards Rule, and PCI-DSS readiness. These are the same frameworks cyber insurance carriers reference in their underwriting guidelines.

How much does Cyber Defense Agent cost?

Essentials starts at $149/mo ($1,490/yr). Pro is $349/mo ($3,490/yr) and includes internal scanning, SOC 2 readiness, and full MCP toolset. Enterprise is $999/mo ($9,990/yr) with daily scans, custom framework mapping, and a dedicated AI agent instance. MSP partners pay $79/business/mo with a 25-business minimum. The free scan is always free.

How do I prepare for cyber insurance renewal?

Start 60–90 days before renewal. Run a Cyber Defense Agent scan to identify gaps. Fix critical items: enforce MFA everywhere, deploy DMARC, close open ports, update EDR. Re-scan to verify improvements. Present your Cyber Defense Score™ and trust page to your broker as evidence of improved posture. This positions you for renewal without premium increases or coverage reductions.

What is a trust page?

A trust page is a public cybersecurity posture page hosted at trust.cyberdefenseagent.ai/{your-slug}. It displays your Cyber Defense Score™, framework compliance status, and last scan date. Brokers, underwriters, and business partners can verify your security posture in 60 seconds instead of reviewing 30-page questionnaires.

How-To Guide

How to Configure DKIM for Email Authentication

Learn how to generate DKIM keys, publish them in DNS, and enable signing on your mail server to cryptographically authenticate every outbound message.

Farhad Mirza Khawar

Founder of HIPAA Agent and Cyber Defense Agent. Compliance infrastructure for SMBs. Sacramento, CA.

2026-05-01

Before You Start

Administrative access to your email platform (Microsoft 365, Google Workspace, or mail server)
Access to your DNS hosting provider to create CNAME or TXT records
SPF record already configured for your domain
Understanding of public-key cryptography basics

Generate DKIM keys in your email platform

The process varies by platform. In Google Workspace, navigate to Admin Console, then Apps, then Gmail, then Authenticate Email, select your domain, and click Generate New Record. Choose a 2048-bit key for stronger security. Google will provide a TXT record name and value. In Microsoft 365, go to the Defender portal, navigate to Email and Collaboration, then Policies, then Threat Policies, then Email Authentication Settings, and select DKIM. Select your domain and Microsoft will display two CNAME records you need to publish. For self-hosted mail servers running Postfix or Exchange, use opendkim-genkey to create a public and private key pair with at least 2048 bits.

Publish the DKIM public key in DNS

Log in to your DNS provider and create the records your email platform specified. For Google Workspace, create a TXT record with the name google._domainkey.yourdomain.com and paste the public key value. For Microsoft 365, create two CNAME records pointing to the Microsoft-provided hostnames. For custom setups, create a TXT record at selector._domainkey.yourdomain.com where selector is a label you chose during key generation. The record value follows the format v=DKIM1; k=rsa; p=YOUR_PUBLIC_KEY. Set the TTL to 3600 seconds initially. Double-check for typos in the key value, as even a single wrong character will break DKIM verification.

Enable DKIM signing on your email platform

After DNS propagation, return to your email platform and enable signing. In Google Workspace, go back to the Authenticate Email page and click Start Authentication. Google will verify the DNS record is present before enabling signing. In Microsoft 365, toggle the Sign messages for this domain switch to enabled in the DKIM settings page. For Postfix with OpenDKIM, configure the signing table and key table in opendkim.conf, set the socket path, and restart both OpenDKIM and Postfix services. Signing is not retroactive, so only new outbound messages will carry DKIM signatures from this point forward.

Send test emails and verify DKIM signatures

Send test emails from your domain to an external address such as a Gmail account. Open the received email and view the full message headers. Look for the DKIM-Signature header, which should contain your domain in the d= tag and your selector in the s= tag. Check the Authentication-Results header for dkim=pass. If you see dkim=fail, the most common causes are a mismatch between the DNS record and the signing configuration, DNS propagation delay, or message modification by an intermediate mail relay. Use online tools like mail-tester.com or dkimvalidator.com to get a detailed breakdown of the signature verification process.

Configure DKIM for third-party senders

Each service that sends email on your behalf should also sign with DKIM. Most major platforms support custom DKIM. In SendGrid, navigate to Settings, then Sender Authentication, then Domain Authentication, and follow the wizard to publish their CNAME records. In Mailchimp, go to your verified domain settings and add the provided DKIM records. Each service uses its own selector, so there is no conflict with your primary DKIM record. Verify each third-party service by sending test messages and checking headers. Having DKIM aligned across all senders is essential for passing DMARC alignment checks, which require either SPF or DKIM to align with the From domain.

Rotate DKIM keys periodically

DKIM keys should be rotated every six to twelve months to limit exposure if a private key is compromised. The rotation process involves generating a new key pair with a new selector name, publishing the new public key in DNS, waiting for propagation, switching your mail server to sign with the new selector, and then removing the old DNS record after a grace period of one to two weeks. Using a date-based selector naming convention such as 202605 makes it easy to track which key is current. Automate this process where possible and document the rotation schedule. Never delete the old DNS record immediately, as emails signed with the old key may still be in transit.

Common Mistakes to Avoid

Using a 1024-bit key instead of 2048-bit, which is considered weak by modern standards

Forgetting to enable signing after publishing the DNS record, so emails go out unsigned

Not configuring DKIM for third-party senders, causing DMARC alignment failures

Deleting the old DKIM DNS record immediately during key rotation before in-flight emails are delivered

How to Set Up an SPF Record How to Set Up DMARC from Monitor to Enforce How to Configure SSL/TLS for Your Web Server

Get your Cyber Defense Score™ in 60 seconds.

100 tools. No installation. No credit card.

Get My Cyber Defense Score™ →