This risk vector does not impact the Security Rating at this time. DMARC will only begin impacting the rating after a Rating Algorithm Update. Although we do not have a specific timeline for when this will occur, the date for the Rating Algorithm Update will be announced a minimum of 5 months prior to the update itself.
A BAD DMARC finding can be generated for several reasons, including:
- Your domain has an MX record (it receives mail) but no DMARC record is published at _dmarc.domain.tld. A domain with no DMARC record is always graded BAD.
- More than one DMARC record is published for the same domain.
- A valid DMARC record is found, but it uses p=none. Because p=none is a monitoring-only policy that does not instruct receivers to quarantine or reject failing mail, Bitsight considers it a BAD configuration.
- The record contains syntax errors or is missing a required tag (v=DMARC1 must be the first tag, and p= must be present).
Remediation Tips
- Set up a DMARC policy that enforces protection: Ensure your domain has a single valid DMARC record with an enforcement policy (p=reject or p=quarantine) and pct=100 (100 is also the default when the pct tag is omitted). Learn more about setting up a DMARC policy here.
- If you have multiple DMARC records: Ensure that only one valid DMARC record exists per domain. Receivers that find more than one DMARC record at _dmarc.domain.tld treat the domain as having no policy at all (RFC 7489), so a duplicate record is not merely redundant.
- Removing outdated records, assets, and infrastructure for SPM users: If domains that had a DMARC record are no longer managed by your organization, you can submit for expiration by following the steps outlined here.
- Resolving “DMARC record not found”: A domain can have MX records and still be unprotected if there is no valid DMARC TXT record at _dmarc.domain.tld. Publish the record at the apex (organizational) domain: Bitsight evaluates DMARC protection at the apex domain, not at subdomains or web hosts. Receivers also fall back to the apex record for subdomains that have none of their own, and the sp= tag in the apex record sets the policy applied to those subdomains.
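The checks listed above (no record, duplicate records, p=none, pct below 100, syntax errors or a missing required tag) can be reproduced locally before waiting on a rescan. The following is an added example and is not Bitsight's own scoring logic; it grades the TXT strings returned for _dmarc.domain.tld (for instance the output of `dig +short TXT _dmarc.example.com` with the quotes removed) against those conditions. The function names, the `DmarcResult` type and the sample lookups are constructed for this illustration, not real DNS data.

```python
"""Grade the TXT records published at _dmarc.<domain> against the conditions a
DMARC finding is raised for. Added example, not Bitsight's scoring logic."""
from __future__ import annotations

from dataclasses import dataclass, field

ENFORCING_POLICIES = {"quarantine", "reject"}
VALID_POLICIES = ENFORCING_POLICIES | {"none"}


@dataclass
class DmarcResult:
    grade: str                                   # "GOOD" or "BAD"
    reasons: list[str] = field(default_factory=list)
    tags: dict[str, str] = field(default_factory=dict)


def parse_dmarc(record: str) -> tuple[dict[str, str], list[str]]:
    """Split a 'tag=value; tag=value' record into a dict, collecting syntax errors."""
    tags: dict[str, str] = {}
    errors: list[str] = []
    for raw in record.split(";"):
        part = raw.strip()
        if not part:
            continue                             # a trailing ';' is legal
        if "=" not in part:
            errors.append(f"malformed tag '{part}' (expected tag=value)")
            continue
        key, value = (s.strip() for s in part.split("=", 1))
        if key in tags:
            errors.append(f"duplicate tag '{key}'")
        tags[key] = value
    return tags, errors


def evaluate_dmarc(txt_records: list[str], has_mx: bool = True) -> DmarcResult:
    """txt_records: the TXT RDATA strings found at _dmarc.<domain>."""
    # Only records opening with the DMARC version tag count; other TXT data at
    # the same name (verification tokens and the like) is ignored.
    dmarc = [r.strip() for r in txt_records if r.strip().lower().startswith("v=dmarc1")]
    if not dmarc:
        detail = " (domain publishes MX, so it receives mail)" if has_mx else ""
        return DmarcResult("BAD", [f"no DMARC record found{detail}"])
    if len(dmarc) > 1:
        return DmarcResult("BAD", [f"{len(dmarc)} DMARC records published; exactly one is allowed"])

    record = dmarc[0]
    tags, reasons = parse_dmarc(record)

    # RFC 7489 6.3: 'v' MUST be the first tag and MUST be exactly DMARC1.
    if record.split(";")[0].strip() != "v=DMARC1":
        reasons.append("first tag must be exactly v=DMARC1")

    # 'p' is the only other required tag; none/quarantine/reject are its legal values.
    policy = tags.get("p", "").lower()
    if not policy:
        reasons.append("required tag 'p' is missing")
    elif policy not in VALID_POLICIES:
        reasons.append(f"invalid policy p={tags['p']}")
    elif policy not in ENFORCING_POLICIES:
        reasons.append("p=none is monitoring only and does not enforce protection")

    # pct defaults to 100 when omitted; anything lower leaves a share of failing mail unfiltered.
    pct = tags.get("pct", "100")
    if not pct.isdigit() or not 0 <= int(pct) <= 100:
        reasons.append(f"invalid pct={pct} (must be an integer 0-100)")
    elif int(pct) < 100:
        reasons.append(f"pct={pct} applies the policy to only part of the failing mail")

    return DmarcResult("BAD" if reasons else "GOOD", reasons, tags)


# Constructed sample lookups for illustration, not real DNS data.
SAMPLE_LOOKUPS = {
    "enforcing":    ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"],
    "monitor_only": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"],
    "duplicate":    ["v=DMARC1; p=reject", "v=DMARC1; p=quarantine"],
    "partial":      ["v=DMARC1; p=quarantine; pct=50"],
    "missing_p":    ["v=DMARC1; rua=mailto:dmarc@example.com"],
    "bad_syntax":   ["v=DMARC1 p=reject"],
    "no_record":    ["google-site-verification=constructed-token"],
}

if __name__ == "__main__":
    for name, records in SAMPLE_LOOKUPS.items():
        result = evaluate_dmarc(records)
        print(f"{name:13} {result.grade:4} {'; '.join(result.reasons) or 'enforcing policy, pct=100'}")
```

Only the `enforcing` sample grades GOOD; every other sample reproduces one of the BAD conditions listed above. Note that the checker does not model policy discovery for subdomains: run it against the apex name, which is where Bitsight looks.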
But what if I have remediated a bad finding and it is still affecting my grade?
User-requested rescans can take up to 3 days to complete and an additional day to become visible. Automated scans can take up to 30 days.
Please note that the DMARC risk vector is not eligible for Dynamic Remediation. If an asset has been taken offline, Bitsight's scans can no longer update its finding, so the finding continues to impact your rating until it completes its remaining lifetime. The lifetime for DMARC findings is 60 days.
If this did not resolve your issue:
- Do you need to verify a finding has been remediated? Learn how here.
- January 20, 2026: Restructured article.
- November 13, 2024: Published.