banks · France

22% of France's banks are not protected against email spoofing

Public DMARC posture of 51 banks. Edition of June 2026.

Protected

Enforcing

Monitoring only

No DMARC

Where each one stands

Organization	DMARC status	Grade
AXA Banqueaxabanque.fr(corporate domain : axa.fr)	Protected (p=reject)	A
Banque BCPbanquebcp.fr	Protected (p=reject)	A
Banque de Savoiebanque-de-savoie.fr	Protected (p=reject)	A
Banque Delubac & Ciedelubac.com	Protected (p=reject)	A
Banque Palatinepalatine.fr	Protected (p=reject)	A
Banque Populairebanquepopulaire.fr	Protected (p=reject)	A
BforBankbforbank.com	Protected (p=reject)	A
BNP Paribasbnpparibas.fr(corporate domain : bnpparibas.com)	Protected (p=reject)	A
BRED Banque Populairebred.fr	Protected (p=reject)	A
BTP Banquebtp-banque.fr	Protected (p=reject)	A
Caisse d'Épargnecaisse-epargne.fr	Protected (p=reject)	A
CASDEN Banque Populairecasden.fr	Protected (p=reject)	A
CCFccf.fr	Protected (p=reject)	A
Crédit Agricolecredit-agricole.fr(corporate domain : credit-agricole.com)	Protected (p=reject)	A
Crédit Agricole d'Île-de-Franceca-paris.com(corporate domain : credit-agricole.fr)	Protected (p=reject)	A
Crédit Coopératifcredit-cooperatif.coop	Protected (p=reject)	A
Crédit Maritimecreditmaritime.fr	Protected (p=reject)	A
Crédit Mutuel de Bretagnecmb.fr	Protected (p=reject)	A
Fortuneofortuneo.fr	Protected (p=reject)	A
Hello bank!hellobank.fr	Protected (p=reject)	A
HSBC Continental Europehsbc.fr	Protected (p=reject)	A
Indosuez Wealth Managementca-indosuez.com	Protected (p=reject)	A
Neuflize OBCneuflizeobc.fr	Protected (p=reject)	A
Nickelnickel.eu	Protected (p=reject)	A
Oneyoney.fr	Protected (p=reject)	A
Qontoqonto.com	Protected (p=reject)	A
Rothschild & Corothschildandco.com	Protected (p=reject)	A
Société Généralesg.fr(corporate domain : societegenerale.com)	Protected (p=reject)	A
Banque Hottinguerbanque-hottinguer.com	Enforcing (p=quarantine)	B
Banque Transatlantiquebanquetransatlantique.com	Enforcing (p=quarantine)	B
BoursoBankboursobank.com	Enforcing (p=quarantine)	B
CICcic.fr	Enforcing (p=quarantine)	B
Crédit Mutuelcreditmutuel.fr	Enforcing (p=quarantine)	C
Floafloabank.fr	Enforcing (p=quarantine)	C
Manager.onemanager.one	Enforcing (p=quarantine)	B
Milleis Banquemilleis.fr	Enforcing (p=quarantine)	B
Monabanqmonabanq.com	Enforcing (p=quarantine)	B
Propulse by CApropulsebyca.fr	Enforcing (p=quarantine)	C
Shineshine.fr	Enforcing (p=quarantine)	B
Sumeriasumeria.eu(corporate domain : sumeria.fr)	Enforcing (p=quarantine)	B
Banque Richelieu Francebanquerichelieu.com	Monitoring only (p=none)	F
Banque Wormser Frèresbanquewormser.com	Monitoring only (p=none)	D
Blankblank.app	Monitoring only (p=none)	D
Bpifrancebpifrance.fr	Monitoring only (p=none)	D
Chaabi Bankchaabibank.fr	Monitoring only (p=none)	D
Green-Gotgreen-got.com	Monitoring only (p=none)	D
Helioshelios.do	Monitoring only (p=none)	D
La Banque Postalelabanquepostale.fr	Monitoring only (p=none)	D
LCLlcl.fr	Monitoring only (p=none)	D
Pixpaypixpay.fr	Monitoring only (p=none)	D
Edmond de Rothschildedmond-de-rothschild.com	No DMARC	F

Previous editions

June 202622%

Methodology

We read each organization’s public DNS — the DMARC record on its consumer-facing domain — and classify the published policy (none / quarantine / reject). “Protected” means an enforced p=reject policy. Only public data is used; figures reflect the edition date and can change as records are updated.