Banking & Finance Email Security Report
Email security posture analysis of major US banking and financial institutions.
The Banking & Finance Email Security Report shows above-average email security posture with an average score of 82.5 across 54 domains scanned. While most enterprises have deployed core authentication protocols, gaps in enforcement policies and advanced protocol adoption prevent many from achieving top-tier grades. The data reveals a clear divide between organizations that treat email security as a priority and those still relying on minimal configurations.
Grade Distribution
Distribution of email security grades across the 54 scanned Banking & Finance domains.
Protocol Adoption
Percentage of Banking & Finance domains with each email security protocol correctly configured.
Pillar Breakdown
Average scores across the three DoSPM pillars for all scanned Banking & Finance domains.
Top Performers
The 10 highest-scoring Banking & Finance domains by overall email security posture.
| # | Domain | Grade | Score | Identity | Shadow | Reputation |
|---|---|---|---|---|---|---|
| 1 | fidelity.com | A- | 92 | 86 | 92 | 99 |
| 2 | synchrony.com | A- | 92 | 78 | 99 | 100 |
| 3 | citigroup.com | A- | 91 | 82 | 91 | 100 |
| 4 | usbank.com | A- | 91 | 86 | 88 | 99 |
| 5 | pnc.com | A- | 90 | 78 | 92 | 99 |
| 6 | wellsfargo.com | A- | 90 | 78 | 92 | 99 |
| 7 | citizensbank.com | B+ | 89 | 85 | 84 | 99 |
| 8 | goldmansachs.com | B+ | 89 | 78 | 92 | 96 |
| 9 | truist.com | B+ | 89 | 77 | 92 | 99 |
| 10 | zionsbancorp.com | B+ | 89 | 78 | 92 | 96 |
Common Vulnerabilities
The 10 most frequent critical and high severity failures across the 54 scanned Banking & Finance domains.
| # | Failure | Severity | Domains | % Affected |
|---|---|---|---|---|
| 1 | No DKIM records found | high | 47 | 87.0% |
| 2 | Missing domain locks: clientDeleteProhibited | high | 9 | 16.7% |
| 3 | Subdomains have no DMARC enforcement | high | 9 | 16.7% |
| 4 | No NS records found | critical | 6 | 11.1% |
| 5 | Weak DNSSEC RSA key: 336 bits | high | 5 | 9.3% |
| 6 | No STARTTLS support on mx1.morganstanley.com:25 | high | 5 | 9.3% |
| 7 | Listed on singular.ttk.pte.hu | critical | 4 | 7.4% |
| 8 | Cannot check DNS consistency — no NS records | high | 4 | 7.4% |
| 9 | Non-routable IPv4 in public DNS: smtp.citizensbank.com → 10.1.20.65 | high | 3 | 5.6% |
| 10 | TLS certificate has expired | critical | 3 | 5.6% |
Key Findings
- 98% of Banking & Finance companies have published a DMARC record
  - While adoption is high, many policies remain at p=none, offering no enforcement protection.
- 4% of Banking & Finance domains score below a C grade
  - Most companies in this group maintain at least a baseline level of email security configuration.
- Identity is the weakest pillar with an average score of 64.6
  - A 29.7-point gap between Reputation and Identity reveals that enterprises prioritize visible protocols over infrastructure hardening.
- Advanced protocols (MTA-STS, DANE, BIMI) average only 10.5% adoption
  - Next-generation email security standards remain largely undeployed across Banking & Finance domains, representing a significant opportunity for improvement.
Methodology
Scanning Approach
This report analyzes the email security posture of 54 domains from the Banking & Finance constituent list, of which 54 were successfully scanned. Each domain undergoes automated DNS and protocol checks that examine published records, validate configurations, and verify protocol compliance without sending any email traffic or interacting with mail servers beyond standard DNS queries and TLS connection probes.
Three-Pillar Model (DoSPM)
Every domain is evaluated across three security pillars, each representing a distinct dimension of email security posture:
- Identity: Measures authentication and sender verification protocols including SPF, DKIM, DMARC, MTA-STS, DANE, and BIMI. These controls establish domain ownership and prevent unauthorized senders from impersonating the domain.
- Shadow: Evaluates DNS infrastructure security including DNSSEC validation and DNS configuration hygiene. These controls protect against DNS spoofing, cache poisoning, and unauthorized zone modifications.
- Reputation: Assesses transport security and domain standing including TLS configuration, certificate validity, and blacklist status. These controls ensure encrypted delivery and protect against interception and reputation damage.
Grading Scale
Each domain receives an overall score from 0 to 100, derived from weighted pillar scores. The score maps to a letter grade on a 13-point scale:
| Grade | Score Range |
|---|---|
| A+ | 97–100 |
| A | 93–96 |
| A- | 90–92 |
| B+ | 87–89 |
| B | 83–86 |
| B- | 80–82 |
| C+ | 77–79 |
| C | 73–76 |
| C- | 70–72 |
| D+ | 67–69 |
| D | 63–66 |
| D- | 60–62 |
| F | 0–59 |
Checks Per Domain
Each domain is evaluated against 57+ individual checks spanning all three pillars. Checks range from verifying the presence and syntax of DNS records to validating policy enforcement levels, cryptographic key strengths, certificate chains, and protocol interoperability. Results are classified by severity (pass, fail, warning, informational) and aggregated into pillar scores.
Data Coverage
Of the 54 domains in the Banking & Finance constituent list, 54 (100.0%) were successfully scanned and included in aggregate calculations. Domains without scan data or with scans older than 90 days are excluded from statistical analysis to ensure the report reflects current security posture.
Domain Lookup
All scanned Banking & Finance domains with their email security posture scores.
| Domain | Grade | Score | Identity | Shadow | Reputation |
|---|---|---|---|---|---|
| jpmorgan.com | B | 85 | 78 | 92 | 85 |
| bankofamerica.com | B | 85 | 81 | 76 | 98 |
| wellsfargo.com | A- | 90 | 78 | 92 | 99 |
| citigroup.com | A- | 91 | 82 | 91 | 100 |
| goldmansachs.com | B+ | 89 | 78 | 92 | 96 |
| morganstanley.com | B | 84 | 62 | 92 | 99 |
| usbank.com | A- | 91 | 86 | 88 | 99 |
| pnc.com | A- | 90 | 78 | 92 | 99 |
| truist.com | B+ | 89 | 77 | 92 | 99 |
| capitalone.com | B | 85 | 72 | 92 | 91 |
| tdbank.com | C | 75 | 34 | 92 | 98 |
| citizensbank.com | B+ | 89 | 85 | 84 | 99 |
| key.com | B- | 82 | 75 | 75 | 96 |
| regions.com | B | 85 | 75 | 84 | 96 |
| 53.com | B- | 80 | 61 | 95 | 83 |
| huntington.com | B+ | 88 | 77 | 92 | 96 |
| bmo.com | B+ | 87 | 75 | 92 | 95 |
| ally.com | B | 86 | 72 | 88 | 99 |
| synchrony.com | A- | 92 | 78 | 99 | 100 |
| discover.com | B | 84 | 68 | 99 | 84 |
| comerica.com | B | 84 | 66 | 92 | 95 |
| zionsbancorp.com | B+ | 89 | 78 | 92 | 96 |
| firsthorizon.com | C+ | 77 | 55 | 75 | 100 |
| synovus.com | C+ | 78 | 60 | 75 | 99 |
| websterbank.com | B | 84 | 59 | 92 | 100 |
| culberson.com | D+ | 68 | 51 | 95 | 58 |
| popular.com | B- | 81 | 56 | 92 | 96 |
| bokfinancial.com | B | 83 | 66 | 92 | 91 |
| eastwestbank.com | B | 83 | 61 | 88 | 99 |
| valleynationalbank.com | B | 84 | 78 | 83 | 91 |
| schwab.com | B- | 82 | 57 | 92 | 96 |
| fidelity.com | A- | 92 | 86 | 92 | 99 |
| vanguard.com | B+ | 87 | 70 | 92 | 98 |
| edwardjones.com | B | 85 | 64 | 92 | 100 |
| ameriprise.com | B- | 80 | 51 | 91 | 99 |
| raymondjames.com | B | 83 | 58 | 91 | 100 |
| stifel.com | C | 76 | 61 | 92 | 76 |
| lpl.com | B- | 82 | 70 | 84 | 92 |
| berkshirehathaway.com | C+ | 77 | 52 | 95 | 84 |
| metlife.com | B- | 81 | 52 | 92 | 99 |
| prudential.com | C- | 71 | 35 | 92 | 85 |
| aig.com | C+ | 78 | 43 | 92 | 99 |
| aflac.com | C+ | 79 | 62 | 91 | 83 |
| progressive.com | C+ | 77 | 56 | 92 | 84 |
| allstate.com | C | 75 | 43 | 88 | 95 |
| travelers.com | C | 75 | 42 | 88 | 96 |
| paypal.com | B+ | 87 | 78 | 91 | 92 |
| stripe.com | C | 76 | 37 | 92 | 100 |
| square.com | B | 84 | 60 | 92 | 100 |
| sofi.com | B | 85 | 63 | 92 | 99 |
| robinhood.com | B | 83 | 56 | 95 | 99 |
| coinbase.com | D- | 61 | 63 | 28 | 92 |
| plaid.com | C+ | 79 | 54 | 92 | 92 |
| marqeta.com | B- | 82 | 72 | 76 | 99 |