How the score is calculated
No black box. Every check, every data source, every point — explained openly so you know exactly what you're looking at and where it comes from.
What we check, why it matters, and where the data comes from
Your score starts at 100. Each of these seven checks can subtract up to its maximum if it fails — the more directly a gap can be exploited, the more it costs. Checks we can't evaluate from the outside don't affect your score either way.
Email impersonation protection (DMARC)
We check whether your domain has a DMARC policy published in public DNS. DMARC tells receiving mail servers what to do when someone sends email pretending to be from your domain. Without it, anyone on the internet can send an email that looks like it came from your organization — your executive director, your finance team, your board. This is the exact mechanism used in wire fraud and vendor impersonation scams. It's weighted highest because it's the most directly exploitable gap we can detect from the outside.
Email sender verification (SPF)
SPF is a DNS record that lists which mail servers are authorized to send email on behalf of your domain. Without it, spoofed emails from your domain are more likely to reach inboxes undetected. SPF works alongside DMARC — both records are required for complete email authentication. SPF alone without DMARC provides partial protection only.
Email signing (DKIM)
DKIM adds a cryptographic signature to outgoing emails. Receiving servers use it to verify the message was sent by an authorized source and wasn't altered in transit. It's the third layer of the email authentication stack alongside SPF and DMARC. All three work together — a gap in any one weakens the others.
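The DMARC and SPF checks above boil down to reading two public TXT records and interpreting them. The parser below is an added example (not CyberRate's own code): it takes the record strings a DNS resolver would return for `_dmarc.<domain>` and `<domain>`, and the sample records are constructed inline so it runs offline.

```python
"""Interpret public DMARC and SPF TXT records (added example, not CyberRate code).
In practice the strings come from TXT lookups of `_dmarc.<domain>` and `<domain>`;
here they are constructed so the check can be exercised offline."""
import re

# Constructed sample records, shaped like what a resolver returns.
SAMPLE_DMARC = "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.org; pct=100"
SAMPLE_SPF = ["v=spf1 include:_spf.example-mail.net ip4:203.0.113.10 -all"]

def parse_dmarc(txt):
    """Return the tag dict if txt is a usable DMARC record, else None.
    A usable record starts with v=DMARC1 and has p=none|quarantine|reject."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return None
    if tags.get("p") not in ("none", "quarantine", "reject"):
        return None
    return tags

def dmarc_status(txt_records):
    """'missing' when no DMARC record is published; otherwise the policy.
    p=none only monitors: receivers still deliver spoofed mail."""
    for txt in txt_records:
        tags = parse_dmarc(txt)
        if tags:
            return tags["p"]
    return "missing"

def spf_status(txt_records):
    """Report how the SPF record treats unlisted senders via its 'all' qualifier:
    -all (fail), ~all (softfail), ?all (neutral), +all/all (pass everyone)."""
    spf = [t for t in txt_records if t.lower().startswith("v=spf1")]
    if len(spf) != 1:  # zero records is missing; two or more is invalid per RFC 7208
        return "missing" if not spf else "invalid"
    match = re.search(r"(?:^|\s)([-~?+]?)all(?:\s|$)", spf[0])
    if not match:
        return "no-all"  # no default mechanism: unlisted senders are neutral
    return {"-": "fail", "~": "softfail", "?": "neutral"}.get(match.group(1), "pass-all")
```

A result of `"missing"` from `dmarc_status` is the condition the page's hard override rule keys on; `"pass-all"` from `spf_status` means the record authorizes every sender and gives no protection.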
Leaked credentials (dark web)
We query DeHashed — a publicly accessible breach intelligence database — for email addresses associated with your domain that have appeared in known data breaches. The risk is password reuse: if someone on your team uses the same password at work that was stolen in a breach somewhere else, an attacker may already have it. Score impact scales with how many accounts are exposed. We show you a count. The full account list is included in your emailed report.
Website encryption (HTTPS)
We check whether your website has a valid SSL/TLS certificate and serves all traffic over HTTPS. An unencrypted site exposes visitor data in transit and signals to browsers — and attackers — that basic security hygiene is not in place. Modern browsers actively warn visitors when a site is unencrypted.
Website security headers
We check for HTTP security headers in your site's public responses — specifically Content-Security-Policy, X-Frame-Options, and related settings. These protect visitors from common web attacks like clickjacking and cross-site scripting. Missing headers are one of the most common and easiest-to-fix gaps we find.
Spam and phishing filter
We read your public MX records to identify your mail provider and determine whether spam and phishing filtering is active. Organizations using Microsoft 365 or Google Workspace with default settings pass this check. Filtering reduces the likelihood that malicious emails reach your team in the first place.
Where every finding comes from
Every check uses publicly accessible data. Nothing in your CyberRate report requires access to your systems. The links below let you run the same checks yourself for free.
| Check | Data source | Verify it yourself |
|---|---|---|
| DMARC | Public DNS records | mxtoolbox.com/dmarc |
| SPF | Public DNS records | mxtoolbox.com/spf |
| DKIM | Public DNS records | mxtoolbox.com/dkim |
| Leaked credentials | DeHashed breach database | dehashed.com |
| Website encryption | Public SSL certificate | ssllabs.com |
| Security headers | Public HTTP response | securityheaders.com |
| Spam filter | Public DNS MX records | mxtoolbox.com/mx |
How the leaked logins check works
When we find email addresses from your domain in breach databases, it means those credentials were captured in a data breach somewhere — LinkedIn, Adobe, Dropbox, or thousands of other sites. The direct risk is password reuse. If an employee uses the same password at work that was stolen in a breach elsewhere, an attacker already has it. Score impact scales with volume.
| Accounts found | Score impact | Points lost | Result |
|---|---|---|---|
| 0 accounts | No penalty | — | Passed |
| 1–3 accounts | Moderate | −10 pts | Warning |
| 4–9 accounts | Significant | −20 pts | Failed |
| 10+ accounts | Heavy | −30 pts | Failed |
| Unknown | No penalty | — | Unknown |
The one rule that overrides everything else
A high average score can mask a single critical gap. CyberRate applies one hard override rule to prevent a passing score from obscuring a serious exposure.
DMARC failure caps your score at 59 (At Risk)
If your domain has no DMARC record, your score cannot exceed 59 — regardless of how well every other check performs. A missing DMARC record means anyone on the internet can send email impersonating your organization right now. No other passing check offsets that risk. One open door is all it takes.
This rule exists because security risk doesn't average out. A business with strong website encryption and no email impersonation protection is still one spoofed invoice away from a wire fraud loss.
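The two scoring rules the page spells out, the leaked-credential tiers and the DMARC cap at 59, reproduced as an added example (not CyberRate's code). The per-check maximums of the other checks are not published here, so those deductions are passed in as already-computed numbers.

```python
"""Scoring rules stated on the page (added example, not CyberRate's implementation).
Assumption: deductions for the other checks are computed by the caller and passed in,
because their maximum weights are not given on the page."""

DMARC_CAP = 59  # a missing DMARC record caps the score in the 'At Risk' band

def leaked_credentials_penalty(accounts_found):
    """Map a breached-account count to points lost.
    None means the lookup could not be evaluated, which costs nothing."""
    if accounts_found is None or accounts_found <= 0:
        return 0
    if accounts_found <= 3:
        return 10
    if accounts_found <= 9:
        return 20
    return 30

def leaked_credentials_result(accounts_found):
    """Result label matching the table: Passed / Warning / Failed / Unknown."""
    if accounts_found is None:
        return "Unknown"
    penalty = leaked_credentials_penalty(accounts_found)
    return {0: "Passed", 10: "Warning"}.get(penalty, "Failed")

def final_score(other_deductions, accounts_found, dmarc_present):
    """Start at 100, subtract every deduction, then apply the override:
    without DMARC the score cannot exceed 59 however well the rest performed.
    The DMARC check's own deduction, if any, belongs in other_deductions."""
    score = 100 - sum(other_deductions) - leaked_credentials_penalty(accounts_found)
    score = max(score, 0)
    if not dmarc_present:
        score = min(score, DMARC_CAP)
    return score
```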
What your score means
Scores map to four named bands. The band reflects the severity and combination of gaps found — not just the raw number.
What this score doesn't measure
CyberRate is an external scan — we read what's publicly visible. Your score does not reflect what's happening inside your organization. A business can score well on every external check and still have serious internal gaps. These are things no external tool can see:
- Multi-factor authentication: whether MFA is enforced across accounts and systems.
- Endpoint protection: antivirus, EDR, or device management on your team's computers.
- Security awareness training: whether your team can recognize phishing and social engineering.
- Backup and recovery: whether your data is backed up and recoverable after a ransomware attack.
- Internal network security: firewall configuration, network segmentation, access controls.
- Password hygiene: whether your team uses unique passwords or a password manager.
- Offboarding controls: whether departed employees still have access to your systems.
- Wire transfer controls: whether your team has a verification process before moving money.
A score of 85 with no MFA and no offboarding process is still a serious exposure — the score just can't see it. That's exactly what the free 30-minute review is for.
Why we ask for your email
We ask for your email address at the end of the scan to send you the full report — including the complete list of any breached accounts found and the plain-English fix for each finding. That's the only reason.
- ✓ We send your report to the address you provide. That's what you asked for.
- ✓ We don't sell your email address. Ever.
- ✓ We don't add you to marketing lists without your explicit opt-in.
- ✓ We don't share your email with third parties.
- ✓ The domain you scanned and your email are stored only to deliver your report and, if you opt in, to alert you when new breaches affect your domain.
- ✓ You can ask us to delete your data at any time by emailing us directly.
We're a local IT company in Bloomington. Our business runs on trust and referrals. Abusing your email address would be bad for our business and bad for our reputation. We have no interest in doing it.
Ready to see your score?
Enter your domain and get your CyberRate report in under two minutes. No software. No access to your systems. Just your public records, organized and explained.