Domain Score
Users of DMARC Manager can view a domain’s safety score in the Domains interface, in each domain’s Settings interface, and in the DNS Analysis tooling.
This document explains how the scoring is derived and how to address any underlying problems highlighted.
Location of the Domain Score
- In the Domains Interface
- In the Edit Settings Interface
- On the DNS Analysis Landing Page
Score Calculation Overview
The score is calculated out of 100 and is broken down into 3 parts:
1. Impersonation Rating (out of 5)
Your impersonation rating looks at the likelihood of your organization’s domain being used in impersonation attacks.
There are a few settings in your DNS records that can help to prevent such attacks. We check whether they:
- Conform to the relevant RFC standards
- Are configured in a manner that protects the domain (e.g., policies set up to block misuse)
These checks are performed against the following DNS records:
- DMARC – Defines your domain’s DMARC policy and specifies what receiving email servers should do with emails received from your domain.
- SPF – Contains a list of mail servers you have authorized to send emails on your behalf.
- DKIM – Stores the public key used to verify any email signed with the private key, ensuring the message is associated with the domain.
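The two kinds of check listed above (RFC conformance, then whether the policy actually blocks misuse) are shown here for DMARC and SPF records. This Python code is an added example, not DMARC Manager's scoring logic; the function names, the simplified syntax rules and the sample records are assumptions made for illustration.

```python
def parse_tags(record):
    """Split a 'tag=value; tag=value' record (DMARC tag-list syntax) into a dict."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def check_dmarc(record):
    """Return (conforms, protects, note) for the TXT record at _dmarc.<domain>."""
    if record.split(";")[0].replace(" ", "") != "v=DMARC1":
        return (False, False, "first tag must be v=DMARC1")
    tags = parse_tags(record)
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return (False, False, "p= is required: none, quarantine or reject")
    pct = tags.get("pct", "100")
    if not (pct.isascii() and pct.isdigit()) or int(pct) > 100:
        return (False, False, "pct= must be an integer from 0 to 100")
    if policy == "none":
        return (True, False, "p=none only monitors; failing mail is still delivered")
    if int(pct) < 100:
        return (True, False, f"p={policy} is applied to only {pct}% of failing mail")
    return (True, True, f"p={policy} is applied to all failing mail")

def check_spf(record):
    """Return (conforms, protects, note) for a domain's SPF TXT record."""
    terms = record.lower().split()
    if not terms or terms[0] != "v=spf1":
        return (False, False, "record must start with v=spf1")
    alls = [t for t in terms[1:] if t.lstrip("+-~?") == "all"]
    if not alls and any(t.startswith("redirect=") for t in terms):
        return (True, False, "policy is delegated via redirect=; check the target")
    if not alls:
        return (True, False, "no 'all' mechanism; unlisted senders get neutral")
    # A bare 'all' has the default qualifier '+', which passes every sender.
    qualifier = alls[0][0] if alls[0][0] in "+-~?" else "+"
    if qualifier in "-~":
        return (True, True, f"{qualifier}all: unlisted senders do not pass SPF")
    return (True, False, f"{qualifier}all does not fail unlisted senders")

# Constructed sample records (example.com is a placeholder domain).
SAMPLES = [
    (check_dmarc, "v=DMARC1; p=none; rua=mailto:dmarc@example.com"),
    (check_dmarc, "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"),
    (check_spf, "v=spf1 include:_spf.example.com ~all"),
    (check_spf, "v=spf1 +all"),
]

if __name__ == "__main__":
    for check, record in SAMPLES:
        print(record, "->", check(record))
```

A record can pass the first test and fail the second: `p=none` and `+all` are both syntactically valid, yet neither stops unauthorized senders.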
2. Privacy Rating (out of 5)
Your privacy rating looks at whether your mail service providers have been set up correctly to receive TLS-secure SMTP connections.
This is done by checking for the presence and configuration of the following DNS policies:
- TLS-RPT – Enables sending systems to share statistics and information about failures with recipient domains.
- MTA-STS – Enables mail service providers to declare their ability to receive TLS-secure SMTP connections.
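"Presence and configuration" for these two policies can be checked as follows: the TLS-RPT TXT record must name a report destination, and the MTA-STS TXT record must be backed by a policy file whose mode is `enforce`. This Python code is an added example, not DMARC Manager's own checks; the function names, the simplified parsing and the sample policy are assumptions made for illustration.

```python
MAX_AGE_LIMIT = 31557600  # RFC 8461 upper bound for max_age, in seconds

def tags(record):
    """Split a 'tag=value; tag=value' TXT record into a dict."""
    pairs = (p.split("=", 1) for p in record.split(";") if "=" in p)
    return {k.strip(): v.strip() for k, v in pairs}

def check_tls_rpt(txt):
    """Return (conforms, note) for the TXT record at _smtp._tls.<domain>."""
    t = tags(txt)
    if t.get("v") != "TLSRPTv1":
        return (False, "v=TLSRPTv1 is required")
    uris = [u.strip() for u in t.get("rua", "").split(",") if u.strip()]
    if not uris or not all(u.startswith(("mailto:", "https://")) for u in uris):
        return (False, "rua= needs mailto: or https: report destinations")
    return (True, f"reports go to {len(uris)} destination(s)")

def check_mta_sts(txt, policy):
    """Return (conforms, enforced, note) for the _mta-sts TXT record and policy file."""
    t = tags(txt)
    ident = t.get("id", "")
    if t.get("v") != "STSv1" or not (ident.isascii() and ident.isalnum() and len(ident) <= 32):
        return (False, False, "TXT record needs v=STSv1 and an alphanumeric id=")
    fields = {}
    for line in policy.splitlines():  # policy file is 'key: value' per line
        if ":" in line:
            key, value = line.split(":", 1)
            fields.setdefault(key.strip(), []).append(value.strip())
    mode = fields.get("mode", [""])[0]
    max_age = fields.get("max_age", [""])[0]
    if fields.get("version") != ["STSv1"] or mode not in ("enforce", "testing", "none"):
        return (False, False, "policy needs version: STSv1 and a valid mode")
    if not (max_age.isascii() and max_age.isdigit()) or int(max_age) > MAX_AGE_LIMIT:
        return (False, False, "max_age must be an integer of at most 31557600")
    if mode != "none" and "mx" not in fields:
        return (False, False, "enforce and testing modes need at least one mx")
    if mode == "enforce":
        return (True, True, "senders must refuse delivery if TLS validation fails")
    return (True, False, f"mode: {mode} does not block delivery when TLS validation fails")

# Constructed sample policy file (mail.example.com is a placeholder host).
POLICY = "version: STSv1\nmode: testing\nmx: mail.example.com\nmax_age: 86400\n"

if __name__ == "__main__":
    print(check_tls_rpt("v=TLSRPTv1; rua=mailto:tlsrpt@example.com"))
    print(check_mta_sts("v=STSv1; id=20240101T000000", POLICY))
```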
3. Branding Rating (out of 5)
Your branding rating looks at whether your organization's domain branding has been set up correctly by checking the BIMI record.
Domain Score Report
When using DNS Analysis tools, users can explore each of the scores in greater detail by inputting a domain into the provided interface.
Summary View
Once a domain has been entered for scoring, the system displays the risk level with a message and a summary of areas that require attention.
Example: Domain Overview
The 3 Risk Levels for Overall Domain Score
High Risk
You don't have effective controls in place to protect your domain from impersonation and interception of email communication.
This puts your brand and email recipients at risk, reduces trust, and can damage email deliverability.
Moderate Risk
You have some measures in place to protect recipients from malicious emails from your domain.
Attention should be paid to areas where controls can be improved.
Low Risk
Email from your domain is highly secure from impersonation and interception.
Recipients will see your branding in communication, which builds trust and improves deliverability.
Detailed Report View
By clicking View Detailed Report, users can access a detailed view for each of the rating areas (Impersonation, Privacy, and Branding).
For each DNS Record check, users can perform a deep analysis by clicking Analyze, which leads to the Domain Analysis page.
Example:
An area where greater technical detail can be provided.
At the bottom of the report, users can:
- Download a PDF version of the report
- Continue Analysis for the entire set of DNS records
Helpful tooltips explain each section of the report for better understanding.
1. Impersonation Rating
For your Impersonation Rating, we evaluate the domain’s DMARC, SPF, and DKIM implementation and give a rating out of 5 with a message.
For each check, we display the results and indicate if action is required.
Example:
An impersonation rating for a domain.
Risk Levels for Impersonation Rating
- High Risk – Little or no protection. Your domain may be hijacked by criminals for fraudulent email activities.
- Moderate Risk – Configuration requires additional changes. Deliverability issues may occur.
- Low Risk – Very low risk. The domain is 100% DMARC compliant and protected from impersonation and phishing attacks.
2. Privacy Rating
For your Privacy Rating, we assess the domain’s TLS-RPT and MTA-STS implementation and give a rating out of 5 with a message.
Each check displays the results and indicates if action is required.
Example:
A Privacy Rating for a domain.
Risk Levels for Privacy Rating
- High Risk – Minimal to no safeguards for email privacy. Communications could be intercepted.
- Moderate Risk – Encryption enforcement requires attention. Emails may be at risk if sending isn't secured.
- Low Risk – Low risk of interception. Encryption standards are enforced, and reporting is in place.
3. Branding Rating
For your Branding Rating, we assess the domain’s BIMI implementation and give a rating out of 5 with a message.
Each check displays the results and indicates if action is required.
Example:
A Branding Rating for a domain.
Risk Levels for Branding Rating
- High Risk – Branding not effectively implemented. Full BIMI setup is recommended for recognition.
- Moderate Risk – Branding requires attention. Logo and sender mark may appear only in limited clients.
- Low Risk – Branding effectively implemented. Logo and verified sender mark visible in supported clients.
4. Common Records
Together with your Ratings, we include results of checks performed on common DNS records.
These give insights into the type of domain being checked.
Common records included:
- NS Records
- MX Records
- A Records