Guide

DMARC Policy Configuration Guide

DMARC is the enforcement layer that ties SPF and DKIM together. Learn how to configure policy levels, set up reporting, and safely move to full enforcement.

Farhad Mirza Khawar

Founder of HIPAA Agent and Cyber Defense Agent. Compliance infrastructure for SMBs. Sacramento, CA.

2026-05-01

DMARC policy levels explained

DMARC (Domain-based Message Authentication, Reporting and Conformance) tells receiving mail servers what to do when an email fails DMARC authentication, which means neither SPF nor DKIM produced a pass whose authenticated domain aligns with the domain in the visible From header. A raw SPF or DKIM pass for some unrelated domain does not count. Your DMARC policy is published as a DNS TXT record at _dmarc.yourdomain.com.

The three DMARC policy levels:

p=none - Monitor only. Emails that fail authentication are still delivered. You receive reports showing who is sending email as your domain. This is the starting point for every DMARC deployment.

p=quarantine - Failed emails are sent to the recipient's spam/junk folder. This provides protection while allowing recipients to review quarantined messages. An intermediate step toward full enforcement.

p=reject - Failed emails are refused at SMTP time and never reach the recipient. This is the strongest protection and the ultimate goal. At p=reject, a message that puts your exact domain in the From header and fails authentication is rejected by every receiver that enforces DMARC. It does not stop lookalike domains or display-name spoofing, and receivers may still apply local overrides, for example for mailing-list traffic.

Cyber Defense Agent checks your DMARC policy level. While p=none is a valid starting configuration, p=quarantine or p=reject demonstrates mature email security and is preferred by cyber insurance carriers.

DMARC reporting: rua and ruf

DMARC's reporting capability is what makes the gradual enforcement path possible. There are two types of DMARC reports:

Aggregate reports (rua) - XML reports, usually delivered as a compressed (gzip or zip) attachment once a day by default, summarising authentication results for all emails sent as your domain. These reports reveal:
- Which servers (by IP address) are sending email as your domain
- Whether messages passed or failed SPF and DKIM, both the raw results and the aligned results DMARC actually uses
- The volume of email from each source
- Which messages would be affected by stricter policies

Forensic reports (ruf) - Individual failure reports sent for each authentication failure. These contain more detail (typically the headers of the failing message) but can be voluminous, may expose message content, and are not supported by all receiving servers; several large providers do not send them at all. Do not design your rollout around them.

A complete DMARC record with reporting:

v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com; ruf=mailto:dmarc-forensics@yourdomain.com; fo=1

fo=1 asks for a failure report whenever either SPF or DKIM fails to produce an aligned pass; the default, fo=0, reports only when both fail. If the rua or ruf address lives on a different domain from the one publishing the record, that domain must authorize receiving your reports with a TXT record named yourdomain.com._report._dmarc.<reporting-domain> containing v=DMARC1; reporting services publish this for their customers.

Use a dedicated mailbox or a DMARC reporting service (like Postmark, dmarcian, or Valimail) to process aggregate reports. Raw XML reports are difficult to read manually.
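To make the aggregate-report structure concrete, here is an added Python example; it is not code from this article or from any reporting vendor. It parses a rua report in the RFC 7489 XML format, accepts the gzip-compressed attachment receivers normally send, and groups the rows by sending IP so that the sources a stricter policy would hit stand out. The embedded report is constructed for the example: the IPs, domains, report ID and timestamps are invented documentation values.

```python
"""Summarise a DMARC aggregate (rua) report by sending source.

Added example for this guide, not code from the article or any vendor.
policy_evaluated carries the *aligned* SPF/DKIM verdicts a receiver used;
auth_results carries the raw results and the domains they authenticated.
"""
import gzip
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample report: one clean source, one vendor that passes only
# via aligned DKIM, and one sender that fails DMARC outright.
SAMPLE_REPORT = """<?xml version="1.0" encoding="UTF-8"?>
<feedback>
 <report_metadata>
  <org_name>example-receiver.net</org_name><email>noreply-dmarc@example-receiver.net</email>
  <report_id>2026.05.01.1</report_id>
  <date_range><begin>1777593600</begin><end>1777680000</end></date_range>
 </report_metadata>
 <policy_published>
  <domain>yourdomain.com</domain><adkim>r</adkim><aspf>r</aspf><p>none</p><sp>none</sp><pct>100</pct>
 </policy_published>
 <record>
  <row><source_ip>192.0.2.10</source_ip><count>120</count>
   <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  <identifiers><header_from>yourdomain.com</header_from></identifiers>
  <auth_results><dkim><domain>yourdomain.com</domain><result>pass</result><selector>s1</selector></dkim>
   <spf><domain>yourdomain.com</domain><result>pass</result></spf></auth_results>
 </record>
 <record>
  <row><source_ip>198.51.100.7</source_ip><count>40</count>
   <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>yourdomain.com</header_from></identifiers>
  <auth_results><dkim><domain>yourdomain.com</domain><result>pass</result><selector>crm</selector></dkim>
   <spf><domain>bounce.crm-vendor.example</domain><result>pass</result></spf></auth_results>
 </record>
 <record>
  <row><source_ip>203.0.113.99</source_ip><count>15</count>
   <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>yourdomain.com</header_from></identifiers>
  <auth_results><spf><domain>spoofer.example</domain><result>pass</result></spf></auth_results>
 </record>
</feedback>
"""


def load_report(data) -> ET.Element:
    """Parse raw XML, or a gzip member (magic 1f 8b) as attached by receivers.

    Reports arrive from arbitrary third parties: in production parse them with
    defusedxml, since xml.etree does not defend against entity-expansion attacks.
    """
    if isinstance(data, str):
        data = data.encode()
    if data[:2] == b"\x1f\x8b":
        data = gzip.decompress(data)
    return ET.fromstring(data)


def summarize(root: ET.Element):
    """Return (policy_published as a dict, per-source-IP statistics)."""
    policy = {el.tag: el.text for el in root.find("policy_published")}
    sources = defaultdict(lambda: {"total": 0, "dmarc_pass": 0, "dmarc_fail": 0,
                                   "spf_domains": set(), "dkim_domains": set()})
    for rec in root.iter("record"):
        row = rec.find("row")
        ip = row.findtext("source_ip")
        count = int(row.findtext("count", "0"))
        pe = row.find("policy_evaluated")
        # DMARC passes when either aligned mechanism passed.
        passed = pe.findtext("dkim") == "pass" or pe.findtext("spf") == "pass"
        s = sources[ip]
        s["total"] += count
        s["dmarc_pass" if passed else "dmarc_fail"] += count
        for auth in rec.findall("auth_results/*"):
            if auth.tag in ("spf", "dkim"):
                s[f"{auth.tag}_domains"].add(auth.findtext("domain"))
    return policy, dict(sources)


def would_be_affected(sources) -> list:
    """Source IPs with any DMARC failure: the mail p=quarantine or p=reject would act on."""
    return sorted(ip for ip, s in sources.items() if s["dmarc_fail"])


if __name__ == "__main__":
    policy, sources = summarize(load_report(SAMPLE_REPORT))
    print(f"published policy: p={policy['p']} pct={policy['pct']}")
    for ip, s in sources.items():
        print(f"{ip:15} total={s['total']:4} pass={s['dmarc_pass']:4} fail={s['dmarc_fail']:4} "
              f"spf={sorted(s['spf_domains'])} dkim={sorted(s['dkim_domains'])}")
    print("affected by enforcement:", would_be_affected(sources))
```

The second source is the case that trips people up during rollout: its raw SPF result is a pass, but for the vendor's bounce domain, so the aligned SPF verdict is fail and the message survives only because the vendor signs with an aligned DKIM key. The third source has no aligned pass at all, so it is the only IP that quarantine or reject would touch.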

The path to DMARC enforcement

Moving from p=none to p=reject safely requires a methodical approach. Before you start, make sure every legitimate source either passes SPF from a domain aligned with your From domain or signs with DKIM using an aligned domain; an unaligned pass counts as a DMARC failure.

Weeks 1-4: Deploy DMARC with p=none
- Publish your DMARC record with p=none and rua reporting
- Monitor aggregate reports to identify all legitimate email senders
- Ensure SPF and DKIM are correctly configured for every authorized sender

Weeks 5-8: Move to p=quarantine with pct=25
- Change the policy to p=quarantine; pct=25 (only 25% of failing emails are quarantined; the rest are handled as p=none)
- Monitor for legitimate email being quarantined
- Fix any remaining SPF/DKIM issues for legitimate senders
- Gradually increase pct to 50, then 100

Weeks 9-12: Move to p=reject
- Change the policy to p=reject; pct=25 (failing emails outside the 25% sample are quarantined rather than delivered, so this step is never a step backwards)
- Monitor closely for any impact on legitimate email
- Gradually increase pct to 100
- At p=reject; pct=100, your exact domain is protected against spoofing at every receiver that enforces DMARC

Common pitfalls:
- Rushing to p=reject without monitoring (blocks legitimate email)
- Forgetting to authorize third-party senders before enforcement
- Not using the pct tag for gradual rollout
- Ignoring DMARC reports during the monitoring phase
- Overlooking subdomains: they inherit p unless you publish a separate sp tag, so any subdomain that sends mail needs its own SPF and DKIM in place before enforcement
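The alignment rule from the policy-levels section and the pct fallback in the rollout above are easy to get wrong by hand. The following added Python example, which is not code from this article or from Cyber Defense Agent, parses a DMARC TXT record, applies RFC 7489 identifier alignment to raw SPF and DKIM results, and returns the disposition a conforming receiver would apply. The roll parameter stands in for the receiver's random sampling draw so the outcomes are reproducible; the organizational-domain helper is a deliberate simplification of the Public Suffix List, and all domain names are illustrative.

```python
"""Evaluate a message under a DMARC record: alignment, policy level, pct.

Added example for this guide, not code from the article or from Cyber
Defense Agent. Domain names are illustrative.
"""
import random

POLICIES = ("none", "quarantine", "reject")
# RFC 7489 6.6.4: a failing message not selected by pct gets the next less strict policy.
LESS_STRICT = {"reject": "quarantine", "quarantine": "none", "none": "none"}


def parse_dmarc_record(txt: str) -> dict:
    """Parse 'v=DMARC1; p=...; ...' into a dict, filling RFC 7489 defaults."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        raise ValueError("record must begin with v=DMARC1")
    tags = {}
    for part in parts:
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("p") not in POLICIES:
        raise ValueError(f"p tag missing or invalid: {tags.get('p')!r}")
    if tags.get("sp", tags["p"]) not in POLICIES:
        raise ValueError(f"invalid sp tag: {tags['sp']!r}")
    tags.setdefault("sp", tags["p"])   # subdomains inherit p unless sp is published
    tags.setdefault("adkim", "r")      # relaxed alignment is the default for both
    tags.setdefault("aspf", "r")
    pct = int(tags.get("pct", "100"))
    if not 0 <= pct <= 100:
        raise ValueError("pct must be between 0 and 100")
    tags["pct"] = pct
    return tags


def is_valid_record(txt: str) -> bool:
    try:
        parse_dmarc_record(txt)
        return True
    except ValueError:
        return False


def org_domain(domain: str) -> str:
    """Organizational domain, approximated as the last two labels (example only;
    real implementations consult the Public Suffix List for names like example.co.uk)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, header_from: str, mode: str) -> bool:
    """Strict ('s') needs an exact match; relaxed ('r') needs the same organizational domain."""
    a, h = auth_domain.lower().rstrip("."), header_from.lower().rstrip(".")
    return a == h if mode == "s" else org_domain(a) == org_domain(h)


def dmarc_pass(record, header_from, spf_result=None, spf_domain=None,
               dkim_result=None, dkim_domain=None) -> bool:
    """DMARC passes if SPF or DKIM passed *and* the domain it authenticated aligns with From."""
    spf_ok = spf_result == "pass" and spf_domain and aligned(spf_domain, header_from, record["aspf"])
    dkim_ok = dkim_result == "pass" and dkim_domain and aligned(dkim_domain, header_from, record["adkim"])
    return bool(spf_ok or dkim_ok)


def disposition(record, record_domain, header_from, roll=None, **auth) -> str:
    """Return 'none' (deliver), 'quarantine' or 'reject' for one message.

    roll is the receiver's sampling draw in 0..99; real receivers draw it at random,
    the parameter exists only so the result is reproducible in this example.
    """
    if dmarc_pass(record, header_from, **auth):
        return "none"
    is_subdomain = header_from.lower() != record_domain.lower()
    policy = record["sp"] if is_subdomain else record["p"]
    if roll is None:
        roll = random.randrange(100)
    return policy if roll < record["pct"] else LESS_STRICT[policy]


if __name__ == "__main__":
    rec = parse_dmarc_record("v=DMARC1; p=reject; pct=25; rua=mailto:dmarc-reports@yourdomain.com")
    spoof = dict(spf_result="pass", spf_domain="spoofer.example")  # raw SPF pass, not aligned
    for roll in (10, 60):
        print(f"roll={roll}: {disposition(rec, 'yourdomain.com', 'yourdomain.com', roll, **spoof)}")
```

Run stand-alone it shows the pct rule the rollout relies on: under p=reject; pct=25 the spoofed message is rejected when the draw lands inside the 25% sample and quarantined otherwise, never delivered. Swapping in adkim=s shows why a DKIM signature from mail.yourdomain.com stops aligning under strict mode, which is the usual surprise when tightening alignment before enforcement.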

Key Takeaways

TL;DR

DMARC has three policy levels: none (monitor), quarantine (spam folder), and reject (block).

Always start at p=none and use aggregate reports to identify all legitimate senders.

Use the pct tag to gradually roll out stricter policies (25% > 50% > 100%).

Set up rua reporting to a dedicated mailbox or DMARC reporting service.

The goal is p=reject: full protection against spoofing of your exact domain at every receiver that enforces DMARC.

FAQ

Frequently asked questions

What DMARC policy should I start with?

Always start with p=none. This monitors authentication results without affecting email delivery. Review your DMARC aggregate reports for 2-4 weeks to identify all legitimate email senders and fix any SPF/DKIM issues before moving to p=quarantine.

How do I read DMARC aggregate reports?

DMARC aggregate reports are XML files that are difficult to read manually. Use a DMARC reporting service like dmarcian, Postmark DMARC, Valimail, or similar tools to parse and visualize the data. These services show you who is sending email as your domain and whether authentication is passing.

How long does it take to reach p=reject?

Plan for 8-12 weeks minimum. Weeks 1-4 for monitoring (p=none), weeks 5-8 for quarantine, and weeks 9-12 for reject. Rushing this process risks blocking legitimate email. Organizations with many third-party email senders may need longer.

Get your Cyber Defense Score™ in 60 seconds.

100 tools. No installation. No credit card. Real evidence.