The DMARC risk vector determines whether a domain publishes a Domain-based Message Authentication, Reporting and Conformance (DMARC) policy and evaluates how effectively that policy ensures only authorized senders can use the domain for email.
See the criteria for classifying findings as DMARC.
Concept | Behavior
---|---
A default risk vector grade is assigned. | Default:
The number of days a finding impacts the risk vector grade, assuming nothing changes in the future and the finding is not updated with new information. Learn why findings have a decay and lifetime period. | Duration: 60 Days
Weight | Percentage (out of 70.5% in Diligence): This risk vector does not currently affect security ratings.
Finding Grading
Refer to the DMARC finding messages to see all possible grades.
Common Issues
DMARC findings are evaluated by checking for the following common issues:
- Presence – No DMARC record is published. A record should be present so receivers can verify that the sender of an email is authorized to send on the company's behalf.
- Invalid DMARC record – The record has syntax errors or is otherwise misspecified, so receivers cannot apply it and it is ineffective.
- Ineffective passthrough policy – A passthrough (p=none) policy only requests reports; it does not ask receivers to quarantine or reject failing mail, so it does not protect recipients from spoofed email.
- Missing reporting configuration – The record has no reporting address (rua/ruf), so no reports are received and the deployment cannot be monitored. This matters most for records using the passthrough policy, where monitoring is the only benefit the record provides.
- Use of unauthorized third-party reporting – A mailto report address in another domain has no corresponding authorization record in that domain (a <domain>._report._dmarc.<report-domain> TXT record), so reports for this domain are not delivered there.
- Low percentage filtering – A pct value below 100 applies the policy to only a sample of failing messages, so some spoofed emails can still be delivered. This is acceptable only in the early stages of adoption.
Policy Enforcement
Finding grades by how the policy is enforced:
- No Enforcement – The record does not protect against spoofing. It is graded BAD.
- Limited Enforcement – Failing emails are not discarded; they are delivered to a spam or junk folder or are otherwise marked so the recipient can see the authentication failure. Because the pct tag specifies a value below 100, some confirmed fraudulent emails can still be delivered.
  - The best grade when using a non-maximum pct value is FAIR.
  - The best grade when using pct≤50 is WARN.
- Full Enforcement – For a DMARC record to be graded GOOD:
  - An active policy must be used (p=reject or p=quarantine) and the policy must act on all authentication failures (pct=100).
  - Any third-party reporting domains must be associated with a valid authorization record.
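The following Python script is an added illustration of the checks listed under Common Issues and the grading tiers under Policy Enforcement; it is not the rating vendor's grading code. It parses a DMARC TXT record, checks syntax, the p and pct tags, the presence of a rua address, and whether external report addresses are authorized via the <domain>._report._dmarc.<report-domain> record (RFC 7489 section 7.1), then returns a grade. The BAD/WARN/FAIR/GOOD cut-offs follow the text above; two details are assumptions because the page does not specify them: a missing rua address is flagged but does not lower the grade, and an unauthorized third-party report address caps the grade at FAIR. DNS is not queried; the authorization records and sample DMARC records are constructed inline.

```python
"""Grade a DMARC record against the common issues and enforcement tiers above.
Added example: assumptions are marked in comments; no real DNS data is used."""

GRADES = ["BAD", "WARN", "FAIR", "GOOD"]   # worst to best


def parse_dmarc(txt):
    """Parse a DMARC TXT record into a dict of tags; return None if malformed.
    Requires v=DMARC1 as the first tag, a p tag with a known value, and a
    numeric pct in 0..100 (default 100). Duplicate tags are rejected."""
    tags = {}
    parts = [p.strip() for p in txt.strip().split(";")]
    parts = [p for p in parts if p]                      # tolerate trailing ';'
    for i, part in enumerate(parts):
        if "=" not in part:
            return None
        k, v = part.split("=", 1)
        k, v = k.strip().lower(), v.strip()
        if i == 0 and (k != "v" or v.upper() != "DMARC1"):
            return None
        if k in tags:
            return None
        tags[k] = v
    if "v" not in tags or tags.get("p", "").lower() not in ("none", "quarantine", "reject"):
        return None
    pct = tags.get("pct", "100")
    if not pct.isdigit() or not 0 <= int(pct) <= 100:
        return None
    tags["p"] = tags["p"].lower()
    tags["pct"] = int(pct)
    return tags


def report_domains(tags, key):
    """Return the domain part of every mailto: URI in the rua or ruf tag."""
    out = []
    for uri in tags.get(key, "").split(","):
        uri = uri.strip()
        if uri.lower().startswith("mailto:"):
            addr = uri[7:].split("!")[0]                 # drop a size limit such as !10m
            out.append(addr.rsplit("@", 1)[-1].lower())
    return out


def external_report_authorized(domain, report_domain, txt_records):
    """RFC 7489 s7.1: a report receiver in another domain must publish a TXT
    record <domain>._report._dmarc.<report_domain> beginning with v=DMARC1.
    Simplification (assumption): the domain itself and its subdomains are
    treated as the same organization and need no authorization record."""
    if report_domain == domain or report_domain.endswith("." + domain):
        return True
    name = f"{domain}._report._dmarc.{report_domain}"
    return any(r.strip().upper().startswith("V=DMARC1") for r in txt_records.get(name, []))


def grade_dmarc(domain, txt, txt_records=None):
    """Return (grade, issues) for the DMARC record `txt` of `domain`.
    txt_records maps DNS names to lists of TXT strings (constructed, not queried)."""
    txt_records = txt_records or {}
    if txt is None:
        return "BAD", ["No DMARC record present"]
    tags = parse_dmarc(txt)
    if tags is None:
        return "BAD", ["Invalid DMARC record"]

    issues = []
    if "rua" not in tags:                                # flagged only; grade impact not stated on the page
        issues.append("Missing reporting configuration (no rua)")
    unauthorized = False
    for key in ("rua", "ruf"):
        for rd in report_domains(tags, key):
            if not external_report_authorized(domain, rd, txt_records):
                issues.append(f"Unauthorized third-party reporting: {key} -> {rd}")
                unauthorized = True

    if tags["p"] == "none":                              # No Enforcement
        issues.insert(0, "Ineffective passthrough policy (p=none)")
        return "BAD", issues

    best = "GOOD"                                        # Full Enforcement unless capped below
    if tags["pct"] < 100:                                # Limited Enforcement
        issues.append(f"Low percentage filtering (pct={tags['pct']})")
        best = "WARN" if tags["pct"] <= 50 else "FAIR"
    if unauthorized:                                     # assumption: cap at FAIR
        best = min(best, "FAIR", key=GRADES.index)
    return best, issues


# Constructed sample data (not real DNS): one authorization record for a
# third-party report receiver, and a set of DMARC records to grade.
SAMPLE_TXT = {"example.com._report._dmarc.reports.example.net": ["v=DMARC1"]}
SAMPLES = {
    "no record":    None,
    "invalid":      "v=DMARC1; p=rejekt",
    "passthrough":  "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "half":         "v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@example.com",
    "partial":      "v=DMARC1; p=quarantine; pct=80; rua=mailto:dmarc@example.com",
    "unauthorized": "v=DMARC1; p=reject; rua=mailto:dmarc@other.example",
    "good":         "v=DMARC1; p=reject; rua=mailto:dmarc@reports.example.net; ruf=mailto:f@example.com",
}

if __name__ == "__main__":
    for name, rec in SAMPLES.items():
        grade, issues = grade_dmarc("example.com", rec, SAMPLE_TXT)
        print(f"{name:12s} {grade:5s} {'; '.join(issues) or 'ok'}")
```

To use it against a live domain, fetch the TXT record at _dmarc.<domain> and, for each external report address, the TXT record at <domain>._report._dmarc.<report-domain> with a DNS library, and pass them in place of SAMPLE_TXT; the grader itself stays unchanged.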
- April 23, 2024: Incorporated finding grading based on policy enforcement.
- April 16, 2024: Linked to finding considerations.
- March 26, 2024: Clarification on passthrough policy.