DMARC Findings
The DMARC risk vector determines whether domains have a Domain-based Message Authentication, Reporting and Conformance (DMARC) policy and evaluates how effective that policy is at ensuring that only verified senders can use the domain for email.
This risk vector is non-graded. It is assigned an N/A grade.
GOOD
| Message | Details | Remediation Tips |
| --- | --- | --- |
| Active policy with authed third party reporting | There is a DMARC policy in place with authorized third-party reporting. | - |
| Active policy without reporting | A policy is in place; however, no reporting is being collected about authentication failures. See why not having a reporting configuration is an issue. | If needed, implement reporting to obtain authentication statistics. |
| Active policy with self reporting | A policy is in place with self-reporting. | - |
FAIR
| Message | Details | Remediation Tips |
| --- | --- | --- |
| Active policy with non-authed third party reporting | Third-party reporting mailto links that lack corresponding authorization records for their domains will not receive reporting emails. See why using unauthorized third-party reporting is an issue. | See how to set a DMARC policy and implement third-party reporting authorization to ensure that authentication failure reports for this domain will be received. |
| Active policy with pct<100 | There is a DMARC policy in place; however, it has a percentage value less than 100, which means that some spoofed email will be delivered. See why low percentage filtering is an issue. | See how to set a DMARC policy and set the policy percentage value equal to 100 (pct=100). |
WARN
| Message | Details | Remediation Tips |
| --- | --- | --- |
| Active policy with pct<50 | There is a DMARC policy in place; however, it has a percentage value less than 100, which means that some spoofed email will be delivered. See why low percentage filtering is an issue. | See how to set a DMARC policy and set the policy percentage value equal to 100 (pct=100). |
BAD
| Message | Details | Remediation Tips |
| --- | --- | --- |
| Passthrough policy with authed third party report | A DMARC policy is in place; however, it is set to p=none, providing no protection for recipients of spoofed email. Authorized third-party reporting is in place. See why having a passthrough policy is an issue. | See how to set a DMARC policy and switch to p=quarantine or p=reject as soon as possible. If needed, use the pct parameter to control the enforcement rate, removing pct when confident in the deployment. |
| Passthrough policy with non-authed third party reporting | A DMARC policy is in place; however, it is set to p=none, providing no protection for recipients of spoofed email. Third-party reporting is in place but is unauthorized. See why this is an issue. | See how to set a DMARC policy and switch to p=quarantine or p=reject as soon as possible. Implement third-party reporting authorization to ensure that reporting email for this domain is received. |
| Passthrough policy with no reporting | A DMARC policy is in place; however, it is set to p=none, providing no protection for recipients of spoofed email. No authentication statistics are being sent. See why this is an issue. | See how to set a DMARC policy and switch to p=quarantine or p=reject as soon as possible. If needed, implement reporting to monitor authentication statistics and use the pct parameter to control the enforcement rate, removing pct when confident in the deployment. |
| Passthrough policy with self reporting | A DMARC policy is in place with self-reporting. See why this is an issue. | See how to set a DMARC policy and switch to p=quarantine or p=reject as soon as possible. If needed, implement reporting to monitor authentication statistics and use the pct parameter to control the enforcement rate, removing pct when confident in the deployment. |
| Record does not exist | Domain has no DMARC record in place. | See how to set a DMARC policy and implement a DMARC policy for this domain. |
| Record is invalid | There is a record in place, but it has syntax errors or is otherwise misspecified. | See how to set a DMARC policy and ensure there are no syntax errors within the DMARC record; e.g., that separators are correct and that the record starts with v=DMARC1 and is immediately followed by the policy tag. |
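The findings in the tables above can be reproduced for a single domain with a short classifier; this is an added Python example, not the vendor's own grading logic. It assumes that DNS answers are supplied as a dictionary (`dns_txt`, a constructed stand-in for live TXT lookups), that a report address on the policy domain or one of its subdomains counts as self-reporting, and that the pct findings take precedence over the reporting findings. The function and variable names are illustrative.

```python
import re
# Finding names are copied from the tables above, keyed by reporting setup.
ACTIVE = {"none": ("GOOD", "Active policy without reporting"),
          "self": ("GOOD", "Active policy with self reporting"),
          "authed": ("GOOD", "Active policy with authed third party reporting"),
          "non-authed": ("FAIR", "Active policy with non-authed third party reporting")}
PASSTHROUGH = {"none": "Passthrough policy with no reporting",
               "self": "Passthrough policy with self reporting",
               "authed": "Passthrough policy with authed third party report",
               "non-authed": "Passthrough policy with non-authed third party reporting"}
# Constructed sample zone data standing in for live DNS TXT lookups.
SAMPLE_DNS = {"_dmarc.example.com": "v=DMARC1; p=reject; rua=mailto:agg@reports.example.net",
              "example.com._report._dmarc.reports.example.net": "v=DMARC1"}

def parse_dmarc(txt):
    """Return a tag dict, or None when the record is malformed."""
    pairs = [tuple(s.strip() for s in part.partition("="))
             for part in txt.strip().rstrip(";").split(";")]
    if not all(t and s and v for t, s, v in pairs):
        return None
    tags = {t.lower(): v for t, _, v in pairs}
    # v=DMARC1 must come first, immediately followed by the policy tag.
    if [t.lower() for t, _, _ in pairs[:2]] != ["v", "p"] or tags["v"] != "DMARC1":
        return None
    pct = tags.get("pct", "100")
    if tags["p"].lower() not in ("none", "quarantine", "reject") or not re.fullmatch(r"\d{1,3}", pct):
        return None
    return dict(tags, p=tags["p"].lower(), pct=int(pct))

def classify(domain, dns_txt):
    """Map one domain to (grade, finding); dns_txt is a dict of DNS name -> TXT string."""
    txt = dns_txt.get(f"_dmarc.{domain}")
    if txt is None:
        return "BAD", "Record does not exist"
    tags = parse_dmarc(txt)
    if tags is None or tags["pct"] > 100:
        return "BAD", "Record is invalid"
    uris = ",".join(tags.get(t, "") for t in ("rua", "ruf"))
    rcpt = [d.lower() for d in re.findall(r"mailto:[^@,\s]+@([^,!\s]+)", uris)]
    external = [d for d in rcpt if d != domain and not d.endswith("." + domain)]
    # RFC 7489 section 7.1: an external receiver authorizes reports with a TXT record.
    authed = all(dns_txt.get(f"{domain}._report._dmarc.{d}", "").startswith("v=DMARC1")
                 for d in external)
    kind = "none" if not rcpt else "self" if not external else "authed" if authed else "non-authed"
    if tags["p"] == "none":
        return "BAD", PASSTHROUGH[kind]
    if tags["pct"] < 100:  # assumption: pct findings take precedence over reporting ones
        return ("WARN", "Active policy with pct<50") if tags["pct"] < 50 else ("FAIR", "Active policy with pct<100")
    return ACTIVE[kind]
```

Calling `classify("example.com", SAMPLE_DNS)` returns the GOOD finding for authorized third-party reporting; removing the `_report._dmarc` entry from the dictionary moves the same record to FAIR.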
- April 24, 2024: Linked to setting a DMARC policy and more context on the issues.
- April 16, 2024: Non-graded.
- March 5, 2024: Published.
Feedback
1 comment
We have multiple domains, called parked domains, to avoid impersonation, phishing attempts, etc. from threat actors. Those parked domains do not have any kind of email services enabled on them, but do we still need to update the DMARC record for them?