Domain-based Message Authentication, Reporting and Conformance
(DMARC) is a requirement that applies to the email addresses a bank
uses to send out email. DMARC is a way to determine whether or not a
given message legitimately comes from the sender it claims, and what
to do if it does not.
This makes it easier to identify spam and phishing messages, and keep
them out of customers' inboxes.
DMARC gives domain owners control, including the ability to block
domain-based spoofing.
Used correctly, DMARC also gives domain owners intelligence, in the
form of aggregate and forensic reports on email sent using their domain.
However, DMARC implementation is complicated and has traditionally been
too costly for most small businesses.
By default, all .BANK domain names must have DMARC records set to
"Reject". This default indicates that the domain is not being used to
send out email.
Banks are free to keep this setting for as long as they wish. When a
bank decides it wants to start using its .BANK domain name to send out
email, the DMARC record is temporarily set to "None". This allows a
designated email address to receive and review reports from the various
email service providers (Google, Yahoo, Comcast, Microsoft, etc.) about
messages claiming to come from the bank's domain name. All authorized
email senders are then inventoried and white-listed in an SPF record (a
less-common approach, based on digital signatures, is called DKIM). Once
either of these records is correctly configured, the DMARC setting is
switched back to "Reject" so that the email service providers do not
deliver unauthorized email.
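The three states described above (default "Reject" with no senders, temporary "None" for report collection, and "Reject" again once an SPF record lists the authorized senders) can be checked mechanically from the domain's DNS TXT records. The following is an added example, not code from the original page; the domain, report address and sender entries are constructed placeholders.

```python
import re

def parse_dmarc(txt):
    """Split a DMARC TXT record ('v=DMARC1; p=none; rua=...') into a dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags

def check_rollout_phase(dmarc_txt, spf_txt=None):
    """Classify a domain's records as 'locked-down' (default .BANK state),
    'monitoring' (p=none while reports are reviewed) or 'enforced'
    (p=reject with an SPF record), and list inconsistencies found."""
    problems = []
    tags = parse_dmarc(dmarc_txt)
    if tags.get("v") != "DMARC1":
        return "invalid", ["DMARC record must begin with v=DMARC1"]
    policy = tags.get("p", "").lower()
    if policy == "none":
        phase = "monitoring"
        # Without a rua= address nobody receives the aggregate reports.
        if not tags.get("rua", "").startswith("mailto:"):
            problems.append("p=none without rua=mailto:... yields no aggregate reports")
    elif policy == "reject":
        phase = "locked-down" if spf_txt is None else "enforced"
    else:
        phase = "other"
        problems.append(f"unexpected policy p={policy!r}")
    if spf_txt is not None:
        terms = spf_txt.split()
        if not terms or terms[0] != "v=spf1":
            problems.append("SPF record must begin with v=spf1")
        elif terms[-1] != "-all":
            problems.append("SPF record should end with -all so unlisted senders fail")
        elif not any(re.match(r"^(include:|ip4:|ip6:|a\b|mx\b)", t) for t in terms[1:-1]):
            problems.append("SPF record lists no authorized senders")
    return phase, problems

# Constructed records for each phase of the rollout (placeholder domain).
PHASES = {
    "default":    ("v=DMARC1; p=reject", None),
    "monitoring": ("v=DMARC1; p=none; rua=mailto:dmarc-reports@example.bank", None),
    "enforced":   ("v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.bank",
                   "v=spf1 ip4:192.0.2.10 include:_spf.mailvendor.example -all"),
}

if __name__ == "__main__":
    for name, (dmarc, spf) in PHASES.items():
        print(name, check_rollout_phase(dmarc, spf))
```

Run against records fetched with `dig TXT _dmarc.<domain>` and `dig TXT <domain>`, the check flags the two mistakes that most often break this rollout: a "None" record with no report address, and an SPF record that ends in "~all" rather than "-all".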