DMARC Email Authentication and Deliverability

Domain-based Message Authentication, Reporting and Conformance (DMARC) is a requirement that involves the email addresses used by a bank to send out email. DMARC is a way to determine whether or not a given message is legitimately from the sender, and what to do if it isn’t. This makes it easier to identify spam and phishing messages, and keep them out of customers' inboxes.

DMARC provides domain-owners with control, and the ability to block domain-based spoofing. Used correctly, DMARC also provides domain-owners with intelligence, by giving domain owners aggregate and forensic data on emails. However, DMARC implementation is complicated and has traditionally been too costly for most small businesses.

By default, all .BANK domain names must have DMARC records set to "Reject". This means the domain is not being used to send out email. Banks are free to keep this setting for as long as they wish to. When banks decide they want to start using their .BANK domain name to send out email, the DMARC record is temporarily set to "None". This allows a designated email address to review reports from various email service providers, such as Google, Yahoo, Comcast, Microsoft, etc. regarding emails that are claiming to be from the bank's domain name. All authorized email senders are then inventoried and white-listed in a SPF record (A less-common approach using digital signatures is called DKIM). Once either of these records are correctly configured, the DMARC setting is switched back to "reject" so that the email service providers do not deliver unauthorized email.