The DMARC risk vector determines whether domains have a Domain-based Message Authentication, Reporting and Conformance (DMARC) policy or not and evaluates how effective it is at ensuring only verified senders are able to use this domain for email. DMARC authenticates that the sender of an email is legitimately authorized to send email on a company’s behalf, providing a measure of protection against spoofing.
What criteria determine whether a domain is affected by the DMARC Risk Vector?
Not all domains are evaluated for DMARC compliance. Only domains that meet either of the following criteria are considered for the DMARC Risk Vector:
- The domain is protected by a DMARC record.
- The domain is not protected by a DMARC record and is associated with a Mail Exchange (MX) record. An MX record identifies the server to which email for the domain should be routed. The record must point to another domain.
Domains without a DMARC or MX record are not graded for the DMARC risk vector by a Bitsight scan.
How is the DMARC Risk Vector Graded?
As of January 15, 2026, the DMARC Risk Vector is a graded (A to F) risk vector; this was previously a non-graded risk vector.
DMARC findings are evaluated by validating the following common issues:
- Absence of a DMARC record.
- Invalid DMARC record syntax.
- Ineffective passthrough policy.
- Use of unauthorized third-party reporting domains.
- Low percentage filtering (pct tag < 100).
- Level of policy enforcement.
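The checks listed above, written out as an added example (not Bitsight's scanner): a small linter that parses a `_dmarc` TXT record and reports the issues in the order the list gives them. The records are constructed strings rather than DNS lookups, and the `authorized_reporters` parameter is an assumed stand-in for the `<domain>._report._dmarc.<reporter>` authorization lookup a real scan would perform.

```python
import re
from typing import Optional

def parse_dmarc(record: str) -> Optional[dict]:
    """Split 'tag=value; tag=value' into a dict; None when a part lacks '='."""
    tags = {}
    for part in filter(None, (p.strip() for p in record.split(";"))):
        if "=" not in part:
            return None
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags

def report_domains(uris: str) -> set:
    """Domains named in rua/ruf mailto: URIs (the '!size' suffix is ignored)."""
    return {m.group(1).lower() for m in
            (re.match(r"\s*mailto:[^@]+@([^!\s,]+)", u, re.I) for u in uris.split(","))
            if m}

def assess_dmarc(domain: str, record: Optional[str], authorized_reporters=frozenset()) -> list:
    """Issues in the order the article lists them; an empty list means a clean record.
    authorized_reporters is a constructed stand-in for the DNS lookup of
    <domain>._report._dmarc.<reporter> that a real scanner performs (RFC 7489 s.7.1)."""
    if record is None:
        return ["absence of a DMARC record"]
    tags = parse_dmarc(record)
    policy = (tags or {}).get("p", "").lower()
    pct = (tags or {}).get("pct", "100")
    if (tags is None or tags.get("v") != "DMARC1"
            or policy not in ("none", "quarantine", "reject") or not pct.isdigit()):
        return ["invalid DMARC record syntax"]
    issues = []
    if policy == "none":
        issues.append("ineffective passthrough policy (p=none)")
    # Reporting addresses outside the policy domain need an authorization record
    # at the reporter. Simplification: subdomains of `domain` count as the same org.
    external = set()
    for tag in ("rua", "ruf"):
        external |= {d for d in report_domains(tags.get(tag, ""))
                     if d != domain and not d.endswith("." + domain)}
    unauthorized = sorted(external - set(authorized_reporters))
    if unauthorized:
        issues.append("unauthorized third-party reporting domain: " + ", ".join(unauthorized))
    if int(pct) < 100:
        issues.append(f"low percentage filtering (pct={pct})")
    if policy == "quarantine":
        issues.append("partial enforcement (p=quarantine rather than reject)")
    return issues
```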
Learn more about what impacts a DMARC finding's grade and tips on how to remediate findings.
This risk vector does not currently impact the overall rating, but it is planned to become ratings-impacting in a future Ratings Algorithm Update. An announcement regarding this change will be made at least 5 months prior to the update, along with a ratings preview shortly after.
Do you have a BAD DMARC Grade or Finding? Click here to learn more and for remediation tips.
Where can I view my DMARC Grades and Findings?
- SPM App: Risks ➔ Findings
- CM App: Portfolio Risk ➔ Companies List ➔ Vendor Risk ➔ Findings
- Insurance App: Portfolio Risk ➔ Companies List ➔ Client Risk ➔ Findings
- Bitsight API: GET /v1/companies/entity_guid/findings?risk_vector=dmarc
If this didn’t fully solve your issue:
- Learn more about Diligence Risk vectors.
- Learn more about why DMARC is important to protecting your cybersecurity risk on the Bitsight blog.
- It is a best practice to configure a DMARC record for a parked domain to prevent any entity from sending email on its behalf. Learn more on how to evaluate and remediate Parked Domains.
- The DMARC risk vector’s weight towards the overall Diligence risk category is not yet defined but will be updated with the future Ratings Algorithm Update. The Diligence risk category accounts for 70.5% of a company’s Bitsight Security Rating.
- January 28, 2026: Restructured article.
- January 20, 2026: DMARC Risk Vector is recategorized from a temporarily non-graded risk vector to informational and does not affect Bitsight Security Ratings.
- June 25, 2025: Finding behavior grouped by rescan statuses.
- April 23, 2024: Linked to guide for setting a DMARC policy; Linked to Bitsight Blog on the importance of DMARC.
- April 16, 2024: Linked to finding considerations.
Is it planned that the Risk Vector will affect security ratings in the future?
What percentage of the overall grade will this new Risk Vector account for? What will be the impact on companies scores? What is the date that this grade will start counting toward overall scores? Does this measure SPF or only DMARC?
Hi folks! This information is available in the DMARC Frequently Asked Questions article.