Risk vector grades are based on evidence of preventative implementations and/or the presence of vulnerabilities in a company’s infrastructure. When we have insufficient data to use as evidence, we assign a default risk vector grade. The amount of data required before a default grade is used varies by risk vector. In the case of the SPF Domains risk vector, a default grade of F is assigned if there are no findings (or only Neutral findings).
Why Do I Need SPF Domain Findings?
Having SPF records for all domains (including SMTP server hostnames and domains that aren’t configured to send email) is best practice. If a domain publishes no SPF record, receiving mail servers have no policy to check a forged sender against, so an attacker can still use that domain to spoof email even if the company never intends to send email from it.
Only domains that are sending email and don’t have SPF records are affected.
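To make the point above concrete, here is an added example (not Bitsight’s code and not part of the original article): a minimal SPF evaluator, following the RFC 7208 rules for the "ip4", "ip6", "include" and "all" terms only, run over a constructed DNS table. The domain names, addresses and records in the table are hypothetical. It shows the three outcomes that matter here: a domain with no record returns "none" (nothing to reject on), a "?all" record returns "neutral" (still nothing to reject on), and a "-all" record on a domain that never sends mail returns "fail" for any sender, which is what lets a receiver drop the spoof.

```python
"""Toy SPF evaluator over an in-memory DNS table (added example, hypothetical data).

Only the ip4, ip6, include and all terms are implemented; mx, a, exists,
redirect and macros from RFC 7208 are deliberately left out to keep it short.
"""
import ipaddress

# Constructed TXT data. Domains and addresses are illustrative only.
TXT = {
    "mail.example.com": ["v=spf1 ip4:203.0.113.0/24 include:_spf.example.net -all"],
    "_spf.example.net": ["v=spf1 ip6:2001:db8::/32 -all"],
    "noreply.example.com": ["v=spf1 -all"],          # sends no mail and says so
    "lenient.example.com": ["v=spf1 ?all"],          # neutral: tells receivers nothing
    "forgotten.example.com": [],                     # no SPF record at all
    "broken.example.com": ["v=spf1 -all", "v=spf1 ~all"],  # two records: invalid
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain):
    """Return every v=spf1 TXT record published for domain (may be empty)."""
    recs = TXT.get(domain, [])
    return [r for r in recs if r.lower() == "v=spf1" or r.lower().startswith("v=spf1 ")]


def check_host(ip, domain, depth=0):
    """Evaluate SPF for sender address `ip` claiming `domain`.

    Returns one of: none, pass, fail, softfail, neutral, permerror.
    """
    if depth > 10:  # RFC 7208 caps DNS-querying terms; treat runaway includes as an error
        return "permerror"
    records = lookup_spf(domain)
    if not records:
        return "none"          # no policy: a receiver cannot reject a forged sender
    if len(records) > 1:
        return "permerror"     # RFC 7208 s4.5: more than one record is a hard error
    addr = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            # A v4 address is never inside a v6 network and vice versa, so
            # the ipaddress module's membership test does the right thing.
            if addr in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif name == "include":
            if check_host(ip, arg, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        else:
            return "permerror"  # mechanism not supported by this toy evaluator
    return "neutral"            # RFC 7208 s4.7: nothing matched, default result


def receiver_can_reject(ip, domain):
    """True only when the policy yields a hard 'fail' for this sender."""
    return check_host(ip, domain) == "fail"


if __name__ == "__main__":
    attacker = "198.51.100.9"   # documentation-range address standing in for a spoofer
    for d in TXT:
        print(f"{d:24} {check_host(attacker, d):9} reject={receiver_can_reject(attacker, d)}")
```

Running it prints "fail" for noreply.example.com and "none" for forgotten.example.com against the same spoofing address; the only difference between the two domains is the one-line "v=spf1 -all" record, which is why a domain that never sends mail still needs one.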
An F grade is also assigned if a company's performance in the risk vector is in the bottom 20% of all companies in the Bitsight inventory.
If there are no findings and we are temporarily unable to collect data, the most recent grade is retained for up to 400 days before the default grade is assigned.