The DMARC risk vector determines whether domains have a Domain-based Message Authentication, Reporting and Conformance (DMARC) policy or not and evaluates how effective it is at ensuring only verified senders are able to use this domain for email. DMARC authenticates that the sender of an email is legitimately authorized to send email on a company’s behalf, providing a measure of protection against spoofing.
Which criteria determine whether a domain is evaluated for the DMARC Risk Vector?
Not all domains are evaluated for DMARC compliance. Only domains that meet either of the following criteria are considered for the DMARC Risk Vector:
- The domain is protected by a DMARC record.
- The domain is not protected by a DMARC record but is associated with a Mail Exchange (MX) record. An MX record identifies the server to which email for the domain should be routed. The MX record must point to another domain.
Domains without a DMARC or MX record are not graded for the DMARC risk vector by a Bitsight scan.
How is the DMARC Risk Vector Graded?
As of January 15, 2026, the DMARC Risk Vector is a graded (A to F) risk vector; this was previously a non-graded risk vector. The default grade for the DMARC Risk Vector is N/A.
DMARC findings are evaluated by validating the following common issues:
- Absence of a DMARC record.
- Invalid DMARC record syntax.
- Ineffective passthrough policy.
- Use of unauthorized third-party reporting domains.
- Low percentage filtering (pct tag < 100).
- Level of policy enforcement.
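The checks in the list above can be reproduced offline. The following is an added example, not Bitsight's grading code (it flags issues but assigns no letter grade): it parses a DMARC TXT record and reports each listed issue for a given domain; the third-party reporting authorization lookup is replaced by a constructed dictionary that stands in for the `_report._dmarc` DNS query, and the sample domains are constructed.

```python
import re
from typing import Optional
# Constructed stand-in for DNS (an assumption, not a real lookup): the TXT record found at
# "<sender-domain>._report._dmarc.<reporting-domain>" when an external reporting
# domain has agreed to receive that sender's reports.
SIMULATED_REPORT_AUTH = {"example.com._report._dmarc.dmarc-vendor.example": "v=DMARC1"}
TAG_RE = re.compile(r"^\s*([a-z]+)\s*=\s*(.*?)\s*$", re.I)

def parse_dmarc(txt: str) -> Optional[dict]:
    """Split a DMARC TXT record into tags; return None on invalid syntax."""
    tags = {}
    for part in filter(str.strip, txt.split(";")):  # tolerate a trailing ';'
        m = TAG_RE.match(part)
        if not m:
            return None
        tags[m.group(1).lower()] = m.group(2)
    if txt.split(";")[0].replace(" ", "").lower() != "v=dmarc1":
        return None  # 'v=DMARC1' must come first
    if tags.get("p", "").lower() not in ("none", "quarantine", "reject"):
        return None  # 'p' is mandatory and must be a known policy
    return tags

def report_uri_authorized(domain: str, uri: str) -> bool:
    """True if a rua/ruf target is the domain itself or an authorized third party."""
    if not uri.lower().startswith("mailto:"):
        return False
    host = uri.split("@")[-1].split("!")[0].lower()  # drop optional '!size' suffix
    if host == domain or host.endswith("." + domain):
        return True
    return f"{domain}._report._dmarc.{host}" in SIMULATED_REPORT_AUTH

def dmarc_issues(domain: str, txt: Optional[str]) -> list:
    """Return the issues from the list above that apply to this domain's record."""
    if txt is None:
        return ["absent DMARC record"]
    tags = parse_dmarc(txt)
    if tags is None:
        return ["invalid DMARC syntax"]
    issues = []
    p = tags["p"].lower()
    if p != "reject":  # 'level of policy enforcement' and 'passthrough policy' above
        issues.append("passthrough policy (p=none)" if p == "none" else "partial enforcement (p=quarantine)")
    for tag in ("rua", "ruf"):  # each may list several comma-separated URIs
        for uri in filter(None, (u.strip() for u in tags.get(tag, "").split(","))):
            if not report_uri_authorized(domain, uri):
                issues.append(f"unauthorized reporting domain in {tag}: {uri}")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        issues.append(f"pct={pct} (<100)")
    return issues
```

In a real deployment the `SIMULATED_REPORT_AUTH` lookup would be a DNS TXT query and the record itself would be fetched from `_dmarc.<domain>`.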
Learn more about what impacts a DMARC finding's grade and tips on how to remediate findings.
This risk vector does not currently impact the overall rating, but it is planned to become ratings-impacting in a future Ratings Algorithm Update. An announcement regarding this change will be made at least 5 months prior to the update, along with a ratings preview shortly after.
Do you have a BAD DMARC Grade or Finding? Click here to learn more and for remediation tips.
Where can I view my DMARC Grades and Findings?
- SPM App: Risks ➔ Findings
- CM App: Portfolio Risk ➔ Companies List ➔ Vendor Risk ➔ Findings
- Insurance: Portfolio Risk ➔ Companies List ➔ Client Risk ➔ Findings
If this didn’t fully solve your issue:
- Learn more about Diligence Risk vectors.
- Learn more about why DMARC is important to protecting your cybersecurity risk on the Bitsight blog.
- It is a best practice to configure a DMARC record for a parked domain to prevent any entity from sending email on behalf of that domain. Learn more about how to evaluate and remediate Parked Domains.
The DMARC risk vector’s weight towards the overall Diligence risk category is not yet defined but will be updated with the future Ratings Algorithm Update. The Diligence risk category accounts for 70.5% of a company’s Bitsight Security Rating.