DMARC Risk Vector: Why Do I Have a Bad DMARC Finding?
Erin Conry

This risk vector does not impact the Security Rating at this time. DMARC will only begin impacting the rating after a Rating Algorithm Update. Although we do not have a specific timeline for when this will occur, the date for the Rating Algorithm Update will be announced a minimum of 5 months prior to the update itself.

BAD DMARC findings can occur for a variety of reasons. Here are a few examples of why a BAD DMARC finding has been generated:

- Your domain has an MX record but no DMARC record is configured. If there is no DMARC record for your domain, the finding is graded as BAD.
- There are multiple DMARC records for one domain.
- A DMARC record is detected and valid, but it uses a p=none policy. Because this is a monitoring-only policy and does not enforce protection, Bitsight considers it a BAD configuration.
- The DMARC record contains syntax errors or is missing required tags.

Remediation Tips

- Set up a strong DMARC policy that enforces protection: ensure your domain has a valid DMARC record with an enforcement policy (p=reject or p=quarantine) and pct=100. Learn more about setting up a DMARC policy here.
- If you have multiple DMARC records: ensure that only one valid DMARC record exists per domain.
- Removing outdated records, assets, and infrastructure for SPM users: if domains that had a DMARC record are no longer managed by your organization, you can submit them for expiration by following the steps outlined here.
- Resolving "DMARC record not found": a domain can have MX records but still be unprotected if there is no valid DMARC TXT record at _dmarc.domain.tld. DMARC must be published at the domain apex, because Bitsight evaluates DMARC protection at the apex domain, not at subdomains or web hosts. If external queries show no DMARC TXT value, check your DNS provider's configuration and propagation, and ensure the TXT value is present and returned by public DNS. Use valid DMARC syntax and ensure the record is at the correct name.
- For parked or retiring domains: it is common to enforce strict DMARC with p=reject and to ensure SPF/DKIM records are not accidentally published at DMARC names.
- After correcting DMARC, request a rescan. Please expect the status to update within up to 5 business days for manual rescans and display changes within 1–3 business days once completed.

But what if I have remediated a bad finding and it is still affecting my grade?

User-requested rescans can take up to 3 days to complete and an additional day to become visible. Automated scans can take up to 30 days.

- Online assets: if the asset is online, we will verify your fix during the next scan. Once the remediation is confirmed, the finding will be resolved.
- Offline assets: if an asset goes offline before a fix can be confirmed, the historical finding must complete its 60-day lifetime before it will age out of your rating.

If this did not resolve your issue: do you need to verify a finding has been remediated? Learn how here.

January 28, 2026: Restructured article.
November 13, 2024: Published.
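The following script is an added example, not Bitsight's code or scanner logic. It applies the grading rules this article lists (no record, multiple records, syntax error or missing required tag, p=none, and pct below 100 are BAD; p=reject or p=quarantine with pct=100 is GOOD) to the TXT strings a resolver returns for _dmarc.<domain>. The sample records are constructed for illustration; the function and variable names are the example's own.

```python
"""Grade the TXT records found at _dmarc.<domain> using the article's DMARC rules.

Added example (not Bitsight's own code). Feed it the TXT strings returned for
_dmarc.<domain>, e.g. the output of `dig +short TXT _dmarc.example.com` with the
surrounding quotes stripped, and it returns a BAD/GOOD verdict plus the reason.
"""
import re

REQUIRED_TAGS = ("v", "p")          # RFC 7489: v and p are the mandatory tags
ENFORCING_POLICIES = ("quarantine", "reject")


def parse_dmarc(txt):
    """Parse 'v=DMARC1; p=reject; ...' into a dict of tag -> value.

    Returns None if the string is not syntactically valid DMARC: every element
    must be tag=value, no tag may repeat, and the first tag must be v=DMARC1
    (the version value is compared exactly, as the RFC requires).
    """
    tags = {}
    elements = [e.strip() for e in txt.strip().split(";")]
    elements = [e for e in elements if e]          # a trailing ';' is allowed
    for element in elements:
        m = re.fullmatch(r"([A-Za-z]+)\s*=\s*(.*)", element)
        if not m:
            return None                            # e.g. a bare word
        tag, value = m.group(1).lower(), m.group(2).strip()
        if tag in tags:
            return None                            # duplicate tag
        tags[tag] = value
    if next(iter(tags), None) != "v" or tags["v"] != "DMARC1":
        return None
    return tags


def grade_dmarc(txt_records):
    """Return ("GOOD" | "BAD", reason) for the TXT strings at _dmarc.<domain>."""
    # Only strings that start with the exact version tag count as DMARC records;
    # an SPF or DKIM record mistakenly published at the DMARC name is ignored.
    candidates = [r for r in txt_records if r.strip().startswith("v=DMARC1")]
    if not candidates:
        return "BAD", "DMARC record not found"
    if len(candidates) > 1:
        return "BAD", "multiple DMARC records for one domain"

    tags = parse_dmarc(candidates[0])
    if tags is None:
        return "BAD", "syntax error in DMARC record"
    missing = [t for t in REQUIRED_TAGS if t not in tags]
    if missing:
        return "BAD", "missing required tag(s): " + ", ".join(missing)

    policy = tags["p"].lower()
    if policy == "none":
        return "BAD", "p=none is monitoring-only and enforces no protection"
    if policy not in ENFORCING_POLICIES:
        return "BAD", "unknown policy value p=" + tags["p"]

    pct = tags.get("pct", "100")                   # pct defaults to 100
    if not pct.isdigit() or int(pct) != 100:
        return "BAD", "pct=" + pct + " leaves part of the mail flow unenforced"
    return "GOOD", "p=" + policy + " with pct=100"


# Constructed sample answers for _dmarc.<domain>, one per situation in the article.
SAMPLE_LOOKUPS = {
    "no record":           [],
    "spf at dmarc name":   ["v=spf1 include:_spf.example.com -all"],
    "monitoring only":     ["v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"],
    "duplicate records":   ["v=DMARC1; p=reject", "v=DMARC1; p=none"],
    "syntax error":        ["v=DMARC1; p=reject; pct=100; garbage"],
    "missing policy tag":  ["v=DMARC1; rua=mailto:dmarc-reports@example.com"],
    "partial enforcement": ["v=DMARC1; p=quarantine; pct=50"],
    "enforced":            ["v=DMARC1; p=reject; pct=100; rua=mailto:dmarc-reports@example.com"],
}


def grade_samples():
    """Grade every constructed lookup; returns {label: (verdict, reason)}."""
    return {label: grade_dmarc(records) for label, records in SAMPLE_LOOKUPS.items()}


if __name__ == "__main__":
    for label, (verdict, reason) in grade_samples().items():
        print(f"{label:20s} {verdict:4s} {reason}")
```

The filter on the exact string v=DMARC1 mirrors how a resolver-side evaluator discards records whose version tag does not match, which is why an SPF record sitting at the DMARC name is reported as "not found" rather than as a syntax error. To check a real domain, replace the constructed lists with the TXT strings your public resolver returns for the apex name, since that is the name the article says is evaluated.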