Scoring
Posture Scoring
Every domain receives a score from 0 to 100 after each scan. The score starts at 100 and each finding deducts a fixed penalty based on its category and key.
Penalty weights
| Penalty | Category: key |
|---|---|
| −35 | SMTP: starttls_fail / smtp_handshake_fail |
| −30 | DMARC: dmarc_missing / dmarc_regression · SPF: spf_plus_all · MX: mx_missing / mx_unreachable |
| −25 | DMARC: dmarc_invalid_syntax · TLS: cert_expired |
| −20 | DMARC: dmarc_policy_none · SPF: spf_qall / spf_lookup_overflow · DKIM: dkim_missing · MTA_STS: mta_sts_not_enforce · TLS: tls_lt_12 |
| −15 | DMARC: dmarc_pct_lt_100 / dmarc_rua_missing · SPF: spf_vendor_sprawl_root / spf_missing / spf_not_hardfail · MTA_STS: mta_sts_missing · TLS_RPT: tls_rpt_missing · TLS: cert_expires_soon · SMTP: starttls_fail_secondary |
| −10 | SPF: spf_near_limit |
| −8 | SPF: spf_nested_complex · TLS: weak_cipher_present |
| −5 | DNS: ttl_instability · BIMI: bimi_missing |
The score floor is 0 — penalties do not produce negative scores. Multiple findings of the same type stack (e.g. two CRITICAL findings each deduct their full penalty).
Score history
Every scan stores a score snapshot. The score history chart in the domain detail view shows how posture has changed over time, making it easy to demonstrate improvement to clients after remediation.
Health status
Each domain displays a health label derived from its score and open violations:
- Critical — one or more open CRITICAL violations
- Degraded — one or more open HIGH violations, no CRITICAL
- Fair — score below 80, no CRITICAL or HIGH
- Good — score 80 or above, no CRITICAL or HIGH
- Unknown — domain has never been scanned