DMARC enforcement
#1 · Required · Web Standards · security · Security & Infrastructure · weight 3.3% · impl implemented · source Free DNS-over-HTTPS lookup of `_dmarc.<domain>` TXT record · method v1.2.0
Web Standards item — Security
This factor is part of Web Standards — the table-stakes binary layer of the score. It is graded pass/fail and gates the Web Quality score; it is not weighted into Web Quality itself.
- Pass criteria: Tolerant — passes on pass or warn.
- Web Standards label: DMARC published
- Why it's required: Any DMARC policy (even p=none) shows the operator has thought about email spoofing. The bar cares about presence, not enforcement.
What this means for your business
Without this, anyone can send phishing email pretending to be from your business — and your customers may receive it as if it really came from you. The fix is a few DNS records your email provider can usually add in under an hour.
Plain title: Stops scammers from emailing customers as you
What we measure
DMARC tells receiving mail servers to trust only email that actually came from your domain. Without an enforced policy, anyone can send emails that appear to come from you — and most inboxes will deliver them.
How to improve your score
Add a `_dmarc.<domain>` TXT record: `v=DMARC1; p=quarantine; rua=mailto:rua@yourdomain.com` (or `p=reject` for stricter enforcement). Verify with mxtoolbox.com/dmarc.
Implementation
stale · v1 · seeded — no connector publish yet · source: freshcoat-discovery/src/connectors/legacy-audit.ts:scoreDmarcEnforcement
Detection method
Reads `dns_has_dmarc` + `dmarc_policy` from the audit endpoint's TXT-record query for `_dmarc.<domain>`. Bands the policy keyword onto the strict ladder.
Detection sources
- TXT lookup for _dmarc.<domain> via the audit endpoint
- Cloudflare DoH fallback when audit returns null
Scoring bands · strict ladder
| Score | Condition |
|---|---|
| 100 | p=reject (the bulk-sender bar) |
| 80 | p=quarantine |
| 40 | p=none (record present but not enforcing) |
| 0 | no DMARC record published |
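A self-contained sketch of the detection and banding logic described above, added here as an example; it is not code from the freshcoat-discovery connector. It assumes the JSON answer shape of Cloudflare's DNS-over-HTTPS endpoint (the fallback source listed above) and uses a constructed sample answer rather than a live lookup. It goes slightly beyond the ladder in one respect: following RFC 7489, a record with no valid `p=` tag but a `rua=` mailbox is treated as `p=none`, and more than one DMARC record is treated as missing.

```typescript
// Added example (not the connector's own code). Scores a DMARC lookup answer
// on the strict ladder from the scoring-bands table above.

type DohAnswer = { Status: number; Answer?: { name: string; type: number; data: string }[] };

// Strict ladder: policy keyword -> score.
const LADDER = new Map<string, number>([["reject", 100], ["quarantine", 80], ["none", 40]]);

// Pull DMARC TXT strings out of a Cloudflare DoH JSON answer (assumed shape).
// TXT data arrives quoted; a long record may be split into several quoted chunks.
function dmarcRecordsFromDoh(doh: DohAnswer): string[] {
  if (doh.Status !== 0 || !doh.Answer) return []; // NXDOMAIN, SERVFAIL or empty answer
  return doh.Answer
    .filter(a => a.type === 16) // rrtype 16 = TXT
    .map(a => a.data.replace(/"\s*"/g, "").replace(/^"|"$/g, "").trim())
    .filter(txt => /^v=DMARC1\b/i.test(txt)); // ignore unrelated TXT records at the name
}

// Parse the RFC 7489 tag-value list "v=DMARC1; p=reject; rua=..." into a map.
function parseDmarc(record: string): Map<string, string> {
  const tags = new Map<string, string>();
  for (const part of record.split(";")) {
    const eq = part.indexOf("=");
    if (eq > 0) tags.set(part.slice(0, eq).trim().toLowerCase(), part.slice(eq + 1).trim());
  }
  return tags;
}

// Band the policy onto the ladder and return the evidence key the dictionary uses.
// Two or more DMARC records at _dmarc.<domain> are invalid (RFC 7489 s6.6.3), so
// that case scores like a missing record.
function scoreDmarc(doh: DohAnswer): { score: number; evidence: string } {
  const records = dmarcRecordsFromDoh(doh);
  const record = records.length === 1 ? records[0] : undefined;
  if (record === undefined) return { score: 0, evidence: "missing" };
  const tags = parseDmarc(record);
  let p = (tags.get("p") ?? "").toLowerCase();
  // RFC 7489 s6.6.3: no valid p= but a rua= URI present -> receivers act as p=none.
  if (!LADDER.has(p) && (tags.get("rua") ?? "").toLowerCase().startsWith("mailto:")) p = "none";
  const score = LADDER.get(p);
  return score === undefined ? { score: 0, evidence: "missing" } : { score, evidence: `p=${p}` };
}

// Constructed sample answer, in the shape Cloudflare DoH returns for a TXT query.
const SAMPLE_DOH: DohAnswer = {
  Status: 0,
  Answer: [{ name: "_dmarc.example.com", type: 16,
             data: "\"v=DMARC1; p=quarantine; rua=mailto:rua@example.com\"" }],
};
```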
Evidence-key dictionary
What every notes string the connector emits means.
Surfaces in the per-domain dossier evidence column.
- `p=reject`: Strongest DMARC policy — receivers reject unauthenticated mail.
- `p=quarantine`: Receivers send unauthenticated mail to spam.
- `p=none`: DMARC published but not enforcing; reporting only.
- `missing`: No `_dmarc` TXT record found.
Applicability
Always applies. Required for any domain that sends mail; weighted at 1.0 across all site types.
Changelog
- 2026-04-29 · seed Initial seed from MethodologyRegistry bootstrap.
Facts
Implementation notes
Already implemented. Score awards full points only for `quarantine` or `reject`. `p=none` gets partial credit.
Scoring
Scoring formulas are versioned with the methodology. The current method (v1.2.0) maps raw measurements to pass, warn, fail. Factor weights determine how much each contributes to the composite — see the methodology index for the full table.
Cited by these standards
Standards in the Standards Library whose satisfiedBy requirement tree references this factor. Each link goes to the standard's full entry — methodology, scope, and the other factors it relies on.
Version history
| Version | Change | Date |
|---|---|---|
| v1.2.0 | Factor introduced. Status: live. Scoring impl: implemented. | 2026-04-25 |