HomeNewsBitsight Adds DMARC to 2026 Rating Algorithm
Email Deliverability

Bitsight Adds DMARC to 2026 Rating Algorithm

Bitsight adds DMARC to its security ratings starting April 16 preview. DMARC now counts 1% toward overall ratings alongside SPF and DKIM, directly rewarding email authentication investment.

M

Marcus Webb

April 9, 2026

5 min read
HomeNewsBitsight Adds DMARC to 2026 Rating Algorithm
Email Deliverability

Bitsight Adds DMARC to 2026 Rating Algorithm

Bitsight adds DMARC to its security ratings starting April 16 preview. DMARC now counts 1% toward overall ratings alongside SPF and DKIM, directly rewarding email authentication investment.

M

Marcus Webb

April 9, 2026

5 min read
Share:
Share:
#Compliance#DMARC#Email Authentication#SPF/DKIM
#Compliance#DMARC#Email Authentication#SPF/DKIM
Illustration for new_technology: Bitsight Adds DMARC to 2026 Rating Algorithm
Illustration for new_technology: Bitsight Adds DMARC to 2026 Rating Algorithm

Stay in the loop

Get the latest posts delivered straight to your inbox. No spam, unsubscribe anytime.

Starting April 16, 2026, DMARC will count toward an organization's Bitsight Security Rating for the first time, carrying a 1% weight in the platform's annual algorithm update. For businesses that have treated DMARC as a "nice to have," that posture now has a measurable cost on a score that insurers, vendors, and boards rely on to evaluate cyber risk.

What Changed and Why It Matters

DMARC will now contribute to the Bitsight Rating with a 1% weight, reallocated from the Compromised Systems category. This completes the trio of foundational email-based risk vectors: Sender Policy Framework (SPF) domains, DomainKeys Identified Mail (DKIM) records, and DMARC.

DMARC grades were already visible within the Bitsight platform, but prior to this update they had no impact on the overall rating. DKIM and SPF both carry a weight of 1%, and organizations that implement DMARC policies will now see that investment reflected directly in their Bitsight Rating.

The 2026 Bitsight Ratings Algorithm Update will be available for preview starting April 16. To ensure transparency and give organizations time to prepare, Bitsight is providing a three-month preview window before the update goes live.

The stakes here extend well beyond a single percentage point. From boardrooms to credit agencies, insurers to regulators, and compliance officers to SOC analysts, Bitsight Security Ratings are woven into the fabric of global commerce. The platform's rating system is correlated with breach likelihood and used widely by insurers and financial institutions. For marketing and growth teams, that means a weak DMARC posture can now indirectly affect cyber insurance premiums, vendor approvals, and procurement decisions, not just email deliverability.

What DMARC Actually Does

DMARC is an email authentication protocol that builds on SPF and DKIM by giving domain owners greater control over email authentication, including the ability to require either SPF or DKIM to pass for email to be considered authenticated, specify what action mail servers should take when authentication fails (such as rejecting or quarantining the message), and request authentication statistics from receiving mail servers to review the effectiveness of their implementation.

For email marketers, this has a direct deliverability dimension. Marketers are realizing that DMARC not only improves security but also boosts email deliverability. When ISPs see that a sender has a strong authentication posture, legitimate campaigns are less likely to be flagged as spam, which is critical for email marketing success.

Stay in the loop

Get the latest posts delivered straight to your inbox. No spam, unsubscribe anytime.

Starting April 16, 2026, DMARC will count toward an organization's Bitsight Security Rating for the first time, carrying a 1% weight in the platform's annual algorithm update. For businesses that have treated DMARC as a "nice to have," that posture now has a measurable cost on a score that insurers, vendors, and boards rely on to evaluate cyber risk.

What Changed and Why It Matters

DMARC will now contribute to the Bitsight Rating with a 1% weight, reallocated from the Compromised Systems category. This completes the trio of foundational email-based risk vectors: Sender Policy Framework (SPF) domains, DomainKeys Identified Mail (DKIM) records, and DMARC.

DMARC grades were already visible within the Bitsight platform, but prior to this update they had no impact on the overall rating. DKIM and SPF both carry a weight of 1%, and organizations that implement DMARC policies will now see that investment reflected directly in their Bitsight Rating.

The 2026 Bitsight Ratings Algorithm Update will be available for preview starting April 16. To ensure transparency and give organizations time to prepare, Bitsight is providing a three-month preview window before the update goes live.

The stakes here extend well beyond a single percentage point. From boardrooms to credit agencies, insurers to regulators, and compliance officers to SOC analysts, Bitsight Security Ratings are woven into the fabric of global commerce. The platform's rating system is correlated with breach likelihood and used widely by insurers and financial institutions. For marketing and growth teams, that means a weak DMARC posture can now indirectly affect cyber insurance premiums, vendor approvals, and procurement decisions, not just email deliverability.

What DMARC Actually Does

DMARC is an email authentication protocol that builds on SPF and DKIM by giving domain owners greater control over email authentication, including the ability to require either SPF or DKIM to pass for email to be considered authenticated, specify what action mail servers should take when authentication fails (such as rejecting or quarantining the message), and request authentication statistics from receiving mail servers to review the effectiveness of their implementation.

For email marketers, this has a direct deliverability dimension. Marketers are realizing that DMARC not only improves security but also boosts email deliverability. When ISPs see that a sender has a strong authentication posture, legitimate campaigns are less likely to be flagged as spam, which is critical for email marketing success.

The Adoption Gap That Creates Risk

The challenge is that most organizations have not yet reached full DMARC enforcement. DMARC adoption among top domains increased from 27.2% to 47.7% between 2023 and 2025, a 75% surge in protected domains, with enforcement policies (quarantine and reject) growing by 50% during this period. That growth sounds encouraging, but the enforcement detail tells a different story.

Valid DMARC adoption grew from 523,921 domains in 2023 to 858,782 in 2025 and 937,931 in early 2026. However, p=none remains the most common policy globally, and many organizations still use DMARC primarily for visibility rather than active protection. In 2026, 525,996 domains remained at p=none.

A p=none policy generates reporting data but does nothing to block spoofed or unauthenticated email. Analysis of the top 10 million internet domains found that only 22.9% of domains that send DMARC reporting data to themselves have a DMARC reject policy. Under the new Bitsight scoring, a p=none configuration will likely receive a lower grade than a fully enforced p=reject policy, meaning the rating gap between organizations that have deployed enforcement and those that haven't is about to become visible in an external score.

How Bitsight Will Grade DMARC

Only domains with specific criteria will generate a DMARC finding: domains protected by a DMARC record, and domains not protected by a DMARC record that are associated with an MX record. If an MX record is present and no DMARC record is configured, this results in a finding with the issue "Record does not exist" and a Bad grade.

For entities that do not have associated domains, SPF and DKIM will now default to N/A and will have no negative impact on the rating. Previously, these entities received default grades despite having no domains to evaluate.

By measuring DMARC alongside SPF and DKIM, Bitsight strengthens the Rating's ability to surface evidence-based protections against spoofing and phishing, giving security and risk teams a clearer, more actionable indicator to demonstrate improved email security posture.

What Email Marketers and Business Owners Should Do Now

The preview window is a practical opportunity to close the gap before scores shift. Here are the steps most relevant to marketing and growth teams:

The Adoption Gap That Creates Risk

The challenge is that most organizations have not yet reached full DMARC enforcement. DMARC adoption among top domains increased from 27.2% to 47.7% between 2023 and 2025, a 75% surge in protected domains, with enforcement policies (quarantine and reject) growing by 50% during this period. That growth sounds encouraging, but the enforcement detail tells a different story.

Valid DMARC adoption grew from 523,921 domains in 2023 to 858,782 in 2025 and 937,931 in early 2026. However, p=none remains the most common policy globally, and many organizations still use DMARC primarily for visibility rather than active protection. In 2026, 525,996 domains remained at p=none.

A p=none policy generates reporting data but does nothing to block spoofed or unauthenticated email. Analysis of the top 10 million internet domains found that only 22.9% of domains that send DMARC reporting data to themselves have a DMARC reject policy. Under the new Bitsight scoring, a p=none configuration will likely receive a lower grade than a fully enforced p=reject policy, meaning the rating gap between organizations that have deployed enforcement and those that haven't is about to become visible in an external score.

How Bitsight Will Grade DMARC

Only domains with specific criteria will generate a DMARC finding: domains protected by a DMARC record, and domains not protected by a DMARC record that are associated with an MX record. If an MX record is present and no DMARC record is configured, this results in a finding with the issue "Record does not exist" and a Bad grade.

For entities that do not have associated domains, SPF and DKIM will now default to N/A and will have no negative impact on the rating. Previously, these entities received default grades despite having no domains to evaluate.

By measuring DMARC alongside SPF and DKIM, Bitsight strengthens the Rating's ability to surface evidence-based protections against spoofing and phishing, giving security and risk teams a clearer, more actionable indicator to demonstrate improved email security posture.

What Email Marketers and Business Owners Should Do Now

The preview window is a practical opportunity to close the gap before scores shift. Here are the steps most relevant to marketing and growth teams:

  1. Audit your current DMARC record. Check whether your sending domains have a valid _dmarc TXT record in DNS. Tools like MXToolbox can verify this in seconds.
  2. Move beyond p=none. A monitoring-only policy will not earn a strong Bitsight grade. Work toward p=quarantine or p=reject with pct=100. An active policy using p=reject or p=quarantine that acts on all authentication failures with pct=100 is required for the best possible grade.
  3. Check all sending domains, including non-email domains. Bitsight looks for properly configured SPF records for all of an organization's domains, even those not used for sending email, because threat actors may attempt to spoof email from a domain even if the organization does not use it for email.
  4. Brief stakeholders before the preview period ends. Many organizations share their Bitsight Rating with vendors, partners, boards, and insurers. The preview period is an opportunity to brief these stakeholders and ensure alignment.
  1. Audit your current DMARC record. Check whether your sending domains have a valid _dmarc TXT record in DNS. Tools like MXToolbox can verify this in seconds.
  2. Move beyond p=none. A monitoring-only policy will not earn a strong Bitsight grade. Work toward p=quarantine or p=reject with pct=100. An active policy using p=reject or p=quarantine that acts on all authentication failures with pct=100 is required for the best possible grade.
  3. Check all sending domains, including non-email domains. Bitsight looks for properly configured SPF records for all of an organization's domains, even those not used for sending email, because threat actors may attempt to spoof email from a domain even if the organization does not use it for email.
  4. Brief stakeholders before the preview period ends. Many organizations share their Bitsight Rating with vendors, partners, boards, and insurers. The preview period is an opportunity to brief these stakeholders and ensure alignment.

The broader data is clear on why this matters. Countries with mandatory DMARC requirements show dramatically different phishing attack patterns. The US reduced successful phishing delivery from 69% to 14%, while countries without enforcement mandates like the Netherlands saw vulnerability increase to 97%. For any organization managing email marketing at scale, the business case for DMARC enforcement is now both a security argument and a ratings argument.

No comments yet. Be the first!

Leave a comment

Comments are reviewed before publishing.

The broader data is clear on why this matters. Countries with mandatory DMARC requirements show dramatically different phishing attack patterns. The US reduced successful phishing delivery from 69% to 14%, while countries without enforcement mandates like the Netherlands saw vulnerability increase to 97%. For any organization managing email marketing at scale, the business case for DMARC enforcement is now both a security argument and a ratings argument.

No comments yet. Be the first!

Leave a comment

Comments are reviewed before publishing.

Breaking

Related news

Illustration for new_technology: Gmail's New RETVec AI Boosts Spam Detection by 38%
Email DeliverabilityMay 22, 2026 6 min

Gmail's New RETVec AI Boosts Spam Detection by 38%

Google deployed RETVec, an AI spam filter that detects obfuscated spam, improving detection 38% while reducing false positives 19.4%. Here's what email marketers need to know.

Breaking

Related news

Illustration for new_technology: Gmail's New RETVec AI Boosts Spam Detection by 38%
Email DeliverabilityMay 22, 2026 6 min

Gmail's New RETVec AI Boosts Spam Detection by 38%

Google deployed RETVec, an AI spam filter that detects obfuscated spam, improving detection 38% while reducing false positives 19.4%. Here's what email marketers need to know.

R
Rachel Torres
R
Rachel Torres
Illustration for new_technology: IETF Publishes RFC 9989 DMARC Standard in May 2026
Email DeliverabilityMay 22, 2026 6 min

IETF Publishes RFC 9989 DMARC Standard in May 2026

IETF officially published RFC 9989 in May 2026, upgrading DMARC to Proposed Standard status. The update improves spoofing prevention and email authentication with clarified terminology and stronger subdomain protection.

JJames Chen
Illustration for new_technology: IETF Publishes RFC 9989 DMARC Standard in May 2026
Email DeliverabilityMay 22, 2026 6 min

IETF Publishes RFC 9989 DMARC Standard in May 2026

IETF officially published RFC 9989 in May 2026, upgrading DMARC to Proposed Standard status. The update improves spoofing prevention and email authentication with clarified terminology and stronger subdomain protection.

JJames Chen
Illustration for industry_trend: Gmail Spam Filter Collapse Jams 1.8B Inboxes
Email DeliverabilityMay 22, 2026 6 min

Gmail Spam Filter Collapse Jams 1.8B Inboxes

Gmail's spam filters collapsed on Saturday, flooding 1.8 billion inboxes with promotions while blocking legitimate mail. Here's what happened.

RRachel Torres
Illustration for industry_trend: Gmail Spam Filter Collapse Jams 1.8B Inboxes
Email DeliverabilityMay 22, 2026 6 min

Gmail Spam Filter Collapse Jams 1.8B Inboxes

Gmail's spam filters collapsed on Saturday, flooding 1.8 billion inboxes with promotions while blocking legitimate mail. Here's what happened.

RRachel Torres