Ratings Algorithm Update (RAU26) - July 16, 2026 Erin Conry The ratings algorithm has been updated!Changes to the ratings algorithm for RAU 26 include: DMARC risk vector is now Rating-Impacting Critical Vulnerability Management (CVM) replaced Patching Cadence Email risk vector (SPF and DKIM) default grade changes for entities with no domains 1. DMARC is now Rating-ImpactingThe DMARC risk vector is now become rating-impacting, adding to Bitsight’s assessment of email security and spoofing risk. Inclusion of DMARC enforcement and alignment in the rating helps better reflect whether organizations have implemented effective controls to prevent email spoofing and phishing.Key details to know: DMARC enforces alignment between SPF and DKIM. Email spoofing and phishing remain common breach entry points, and DMARC directly measures whether preventative controls are in place. Like SPF and DKIM, DMARC will have a risk vector weight of 1%. In turn, the weight of Compromised Systems will decrease from 27% to 26% and the weight of the Diligence risk category will increase from 70.5% to 71.5%. 2. The Patching Cadence risk vector is now Critical Vulnerability Management (CVM) The Patching Cadence risk vector has been renamed to Critical Vulnerability Management and has also updated its methodology. These changes are designed to better align risk vector grades and Bitsight ratings with real-world risk with vulnerability prioritization based on an improved balance of severity and duration. As part of this update, CVSS scores will also be refreshed across the board to ensure consistency and accuracy.Key details to know: High-severity vulnerabilities have a more significant, faster impact on grades. Long-running low-severity findings have reduced effects. Scores better reflect absolute vulnerability risk. 3. SPF and DKIM Default Grades for Entities with No DomainsUnder the old grading logic, entities without associated domains were automatically assigned punitive default grades for key email security protocols. Today's update aligns these vectors with our existing, non-punitive DMARC standards.Key details to know: If an entity has NO associated domains: SPF and DKIM risk vectors will now receive an N/A grade. This ensures that a lack of email activity does not drag down the entity's overall security rating. If an entity DOES have associated domains: Grading will continue exactly as it does today, utilizing our standard grading thresholds and default grades. Related to dmarc ratings_algorithm_update RAU26 patching_cadence spf_domains dkim critical_vulnerability_management Related articles Patching Cadence Risk Vector has been reconfigured to Critical Vulnerabilities Management Finding Behavior About Breach Intelligence TLS/SSL Finding Remediation & Remediation Verification Verify a Finding is Remediated Feedback 0 comments Please sign in to leave a comment.