DMARC is a Diligence risk vector. It determines whether domains have a Domain-based Message Authentication, Reporting and Conformance (DMARC) policy and evaluates how effective that policy is at ensuring that only verified senders can use the domain for email.
DMARC authenticates that the sender of an email is legitimately authorized to send email on a company’s behalf, providing a measure of protection against spoofing.
See data collection methods or the criteria for classifying findings as DMARC.
Risks
See Bitsight Blog, “Domain (in)security: the state of DMARC” to learn more about DMARC and why it is important.
Grading
See how the DMARC risk vector is graded.
Insufficient Data
A default risk vector grade is assigned if there is insufficient or no data.
Lifetime
Lifetime is the number of days a finding impacts the risk vector grade, assuming nothing changes in the future and the finding is not updated with new information. Learn why findings have a decay and lifetime period.
Duration: 60 Days
Weight
The DMARC risk vector is part of the Diligence risk category. The weights of all risk vectors in that category together account for 70.5% of Bitsight Security Ratings.
Weight: This risk vector does not currently affect security ratings.
Remediation
Resources
Rescan Base Duration
The Bitsight platform regularly checks for new observations. Findings are rescanned as these observations change, for example when a Diligence finding is newly observed or an existing finding is remediated.
Automated Scan: 30 Days
User-Requested Rescan: 3 days. See timeline for details.
Finding Behavior
The behavior of findings based on remediation and rescan statuses:
Remediated
- The remediated finding stops impacting the grade. If a user-requested rescan is initiated, the rescan status is either Remediated or Partially Remediated.
- A new finding impacting the grade is created. If this is a result of a user-requested rescan, the rescan status is Replacement Finding.
Not Remediated
If a user-requested rescan is initiated and the issue persists, the rescan status is Not Remediated and the finding continues to impact the grade until it completes its lifetime.
- June 25, 2025: Finding behavior grouped by rescan statuses.
- April 23, 2024: Linked to guide for setting a DMARC policy; Linked to Bitsight Blog on the importance of DMARC.
- April 16, 2024: Linked to finding considerations.
Feedback
3 comments
Is it planned that the Risk Vector will affect security ratings in the future?
What percentage of the overall grade will this new Risk Vector account for? What will be the impact on companies' scores? What is the date that this grade will start counting toward overall scores? Does this measure SPF or only DMARC?
Hi folks! This information is available in the DMARC Frequently Asked Questions article.