Assign this task




DMARC helps protect against phishing and spoofing, and increases the deliverability of email to your customers, especially when used in combination with SPF and/or DKIM.




Registrants must publish a valid DMARC record whether or not the domain is used to send email. If a vendor sends email on your behalf, sending with your *.BANK or *.INSURANCE domain email address, they must comply with Security Requirement 6, Implementing TLS & DNSSEC.

For a domain not used for sending email: Registrants must publish a DMARC record with a reject mail receiver policy (p=reject).

For a domain used to send email: Registrants must publish a DMARC record with a reject mail receiver policy (p=reject), except during the implementation phase of email as described below*. In addition, Registrants must publish at least one of the following email authentication DNS Resource Records (publishing both, while not required, creates additional security for your email channel):

  • Sender Policy Framework (SPF),
  • DomainKeys Identified Mail (DKIM)

It is recommended that DMARC records specify strict identifier alignment for both SPF and DKIM via the adkim and aspf tags. Also, for DMARC records published at an organizational domain level to set an appropriate sp: tag. 

*When deploying DMARC during the implementation phase of email capabilities, Registrants may temporarily use a “none” (p=none) or “quarantine” (p=quarantine) mail receiver policy, but must change the policy to reject for ongoing operations within 90 days of deployment.




To test your email server's TLS encryption, the following tool will provide information about the configuration of your email server and whether it is using strong encryption practices:

To evaluate the configuration of your Domain-based Message Authentication, Reporting & Conformance (DMARC) record published for your .BANK or .INSURANCE Domain, you can use this tool:

To confirm the publication of DMARC or Sender Policy Framework (SPF) records in the DNS for your .BANK or .INSURANCE Domain and the requested mail receiver policy of your DMARC record, you can use this tool: 

To validate your DKIM record you can use these tools:


Mark Requirement Complete and Submit to fTLD for Review