Network Security - DNS Domains with DMARC Configured¶
Description¶
The percentage of DNS domains with email configured that have a DMARC record created in the DNS zone.
How we measure it¶
Query all DNS domains. For every domain that has an MX record, check if a DMARC record is present in the DNS zone.
Meta Data¶
| Attribute | Value |
|---|---|
| Metric id | ns_domains_with_dmarc |
| Category | Network Security |
| SLO | 90.00% - 95.00% |
| Weight | 0.6 |
| Type |  |
References¶
| Framework | Ref | Domain | Control |
|---|---|---|---|
| ISO 27001:2022 | A.8.20 | 8 Technological controls | Networks security |
| CIS 8.1 | 9.4 | Email and Web Browser Protections | Restrict Unnecessary or Unauthorized Browser and Email Client Extensions |
| CIS 8.1 | 12.6 | Network Infrastructure Management | Use of Secure Network Management and Communication Protocols |
| NIST CSF v2.0 | PR.DS-02 | Data Security (PR.DS) | PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected |
Code¶
SELECT
domain AS resource,
'domain' as resource_type,
CASE
when mx == [] then 1
when cast(txt as string) like '%v=DMARC1%' then 1
else 0
end as compliance,
CASE
when mx == [] then 'No MX record found - assumed no email'
when cast(txt as string) like '%v=DMARC1%' then 'DMARC record found'
else 'MX record found, but no DMARC record'
end as detail
FROM
{{ ref('domains') }}