The 2026 Ratings Algorithm Update (RAU26) is coming! Erin Conry Changes to the ratings algorithm from the 2026 Ratings Algorithm Update (RAU26) will take effect on July 16, 2026, and include: DMARC risk vector becomes Rating-Impacting Critical Vulnerability Management (CVM) replaces Patching Cadence and provides essential improvements to measuring vulnerability presence and patching Email risk vector default grade changes for entities with no domains For the three months prior to the RAU, starting April 16th, 2026, users will have access to preview dashboards to understand how the coming RAU may impact their or their portfolio’s ratings and risk vector grades.DMARC Becomes Rating-ImpactingWith RAU26, the DMARC risk vector will become rating-impacting, adding to Bitsight’s assessment of email security and spoofing risk. The DMARC risk vector was released in April 2024 as an ungraded, non-rating-impacting (informational) risk vector, becoming a graded risk vector in early 2026. Currently, the Bitsight rating includes SPF and DKIM. DMARC enforcement and alignment will also now be included in the rating to better reflect whether organizations have implemented effective controls to prevent email spoofing and phishing.Key details: DMARC enforces alignment between SPF and DKIM. Email spoofing and phishing remain common breach entry points, and DMARC directly measures whether preventative controls are in place. Like SPF and DKIM, DMARC will have a risk vector weight of 1%. In turn, the weight of Compromised Systems will decrease from 27% to 26%. Critical Vulnerability Management (CVM) RAU26 introduces improvements to how vulnerability risk is reflected in the rating, through updates to the current Patching Cadence risk vector. This risk vector will be renamed Critical Vulnerability Management, and is also undergoing a methodology change. These changes are designed to better align risk vector grades and Bitsight ratings with real-world risk with vulnerability prioritization based on an improved balance of severity and duration. For SPM customers, a preview of Critical Vulnerability Management grade is already available in the application. It shows users which of their current Patching Cadence vulnerabilities would have the most impact when the new algorithm takes effect. Key changes: High-severity vulnerabilities have a more significant, faster impact on grades. Long-running low-severity findings have reduced effects. Scores better reflect absolute vulnerability risk. As part of this update, CVSS scores will also be refreshed across the board to ensure consistency and accuracy. For more information, see here for Frequently Asked Questions. SPF and DKIM Default Grades for Entities with No DomainsRAU26 will reflect a change in how email-focused risk vectors are handled for entities that do not have any associated domains.Currently: DKIM defaults to a C grade. SPF defaults to an F grade. These defaults can be overly punitive for entities without email-sending activity (for example, a subsidiary that does not itself send email). Please note that this is already in effect for DMARC; the default grade for all cases of insufficient gradable data is N/A. With RAU26: If an entity has no associated domains: the email risk vectors will receive a letter grade of N/A.An N/A grade is non-punitive and functions the same as a perfect grade for the risk vector. If an entity does have domains: grading will continue as it does today, including the existing default grades. Related to dmarc ratings_algorithm_update RAU26 patching_cadence spf_domains dkim critical_vulnerability_management Related articles Patching Cadence Risk Vector to be reconfigured to Critical Vulnerabilities Management Finding Behavior DMARC Risk Vector is Now Graded, Future Ratings Impact Planned - January 15, 2026 About Breach Intelligence Marsh McLennan Study: Correlation Between Bitsight Analytics and Cybersecurity Incidents Feedback 0 comments Please sign in to leave a comment.