Banks Lead DMARC Enforcement at 76%: Why Financial Services Got Ahead
76% of the top 25 US banks enforce DMARC at p=reject, the highest enforcement rate of any sector in our May 2026 scan. Universities are at 28%, state governments at 26%, and news media at 53%. Banks got there because spoofed email from a bank domain produces customer account takeovers that the bank pays to remediate, which made the business case impossible to ignore.
The financial sector solved a problem that technically sophisticated organizations in other industries haven't. Understanding why is useful for anyone trying to make the same case inside a slower-moving organization.
The numbers
We checked the top 25 US banks by assets in May 2026:
- 84% have a DMARC record (21/25)
- 76% are at
p=reject(19/25) - 2 banks have a record but aren't at full enforcement
- 4 banks timed out (inconclusive)
The two that aren't at full enforcement
Discover Financial (discover.com) is at p=quarantine. The record exists and is partially enforcing, but failing messages are quarantined rather than rejected. Presumably mid-migration.
Comerica (comerica.com) is at p=none. This is the more notable gap: a top-25 US bank in active monitoring mode, where spoofed email from comerica.com reaches inboxes. Comerica is a regional bank with a significant commercial banking presence, the kind of organization whose email communications carry high trust and would be valuable to impersonate.
The four DNS timeouts (KeyCorp, Regions Financial, American Express, Zions Bancorporation) are inconclusive; check the live research page for current results.
Why banks got ahead
The threat is directly measurable. Credential phishing from spoofed bank domains produces customer account takeovers that banks pay to remediate. When a customer's account is drained because they clicked a phishing email that appeared to come from their bank, the bank often absorbs the loss. That financial liability created a clear business case for email authentication that doesn't exist at universities or state agencies.
Regulatory pressure created compliance culture. OCC supervision, FFIEC guidance, and PCI DSS requirements for cardholder communications have made email security a documented control in financial institutions. When auditors ask about email authentication, banks have to have answers. The compliance infrastructure that exists for other financial controls extends naturally to email security.
Security investment is sustained. Banks spend more on IT security per employee than almost any other sector. DMARC enforcement is a straightforward project when security engineers have dedicated time and budget for it. Organizations that treat IT security as overhead stall at the places where real work is required.
Brand damage is quantified. A spoofed email from a bank's domain is directly correlated with phishing incidents, customer fraud, and reputational damage that financial institutions track and report. When "our domain is being impersonated" translates to a dollar figure, it gets fixed.
What other industries can learn
Banks don't have a technical advantage over universities or state governments. The DMARC standard is the same, the DNS configuration is the same, and the sending infrastructure challenges are similar. The difference is incentive structure.
The argument that worked for banks translates: "Spoofed email from our domain directly causes harm to people who trust our organization." For universities, that harm is financial aid scams targeting students. For health systems, it's patient credential theft. For state agencies, it's government impersonation enabling fraud against citizens.
The organizations that haven't gotten to enforcement usually have the technical knowledge. What they need is the business case that makes the sending-source audit worth completing.
The email authentication checker shows where your domain stands. The DMARC adoption research page shows how your sector is doing relative to financial services.
Full bank-by-bank results are at the DMARC adoption research page. The email authentication checker shows your institution's current authentication posture.
