banks · United States
10% of United States's banks are not protected against email spoofing
Public DMARC posture of 50 banks. Edition of June 2026.
40
Protected
5
Enforcing
4
Monitoring only
1
No DMARC
Where each one stands
| Organization | DMARC status | Grade |
|---|---|---|
| Allyally.com | Protected (p=reject) | A |
| American Expressamericanexpress.com | Protected (p=reject) | A |
| Associated Bankassociatedbank.com | Protected (p=reject) | A |
| Bank of Americabankofamerica.com | Protected (p=reject) | A |
| Bank OZKozk.com | Protected (p=reject) | A |
| Barclays USbarclaysus.com | Protected (p=reject) | A |
| BMObmo.com | Protected (p=reject) | A |
| Capital Onecapitalone.com | Protected (p=reject) | A |
| Cash Appcash.app | Protected (p=reject) | A |
| Charles Schwabschwab.com(corporate domain : schwabbank.com) | Protected (p=reject) | A |
| Chasechase.com(corporate domain : jpmorganchase.com) | Protected (p=reject) | A |
| Chimechime.com | Protected (p=reject) | A |
| Citibankciti.com(corporate domain : citigroup.com) | Protected (p=reject) | A |
| Citizens Bankcitizensbank.com | Protected (p=reject) | A |
| Fifth Third Bank53.com | Protected (p=reject) | A |
| First Citizens Bankfirstcitizens.com | Protected (p=reject) | A |
| First Horizonfirsthorizon.com | Protected (p=reject) | A |
| First National Bankfnb-online.com | Protected (p=reject) | A |
| Flagstar Bankflagstar.com | Protected (p=reject) | A |
| Huntingtonhuntington.com | Protected (p=reject) | A |
| KeyBankkey.com | Protected (p=reject) | A |
| M&T Bankmtb.com | Protected (p=reject) | A |
| Marcusmarcus.com(corporate domain : goldmansachs.com) | Protected (p=reject) | A |
| Navy Federalnavyfederal.org | Protected (p=reject) | A |
| Pinnacle Financialpnfp.com | Protected (p=reject) | A |
| PNC Bankpnc.com | Protected (p=reject) | A |
| Regions Bankregions.com | Protected (p=reject) | A |
| SoFisofi.com | Protected (p=reject) | A |
| South State Banksouthstatebank.com | Protected (p=reject) | A |
| Synchrony Banksynchrony.com | Protected (p=reject) | A |
| Synovussynovus.com | Protected (p=reject) | A |
| TD Banktd.com(corporate domain : tdbank.com) | Protected (p=reject) | B |
| Truisttruist.com | Protected (p=reject) | A |
| U.S. Bankusbank.com | Protected (p=reject) | A |
| Umpqua Bankumpquabank.com | Protected (p=reject) | A |
| USAAusaa.com | Protected (p=reject) | A |
| Webster Bankwebsterbank.com | Protected (p=reject) | A |
| Wells Fargowellsfargo.com | Protected (p=reject) | A |
| Wintrustwintrust.com | Protected (p=reject) | A |
| Zions Bankzionsbank.com | Protected (p=reject) | A |
| Currentcurrent.com | Enforcing (p=quarantine) | B |
| Discoverdiscover.com(corporate domain : capitalone.com) | Enforcing (p=quarantine) | B |
| East West Bankeastwestbank.com | Enforcing (p=quarantine) | B |
| Valley Bankvalley.com | Enforcing (p=quarantine) | B |
| Varo Bankvaromoney.com(corporate domain : varo.com) | Enforcing (p=quarantine) | B |
| Comericacomerica.com | Monitoring only (p=none) | D |
| Frost Bankfrostbank.com | Monitoring only (p=none) | D |
| Old National Bankoldnational.com | Monitoring only (p=none) | D |
| Western Alliancewesternalliancebank.com | Monitoring only (p=none) | D |
| HSBC Bank USAus.hsbc.com(corporate domain : hsbc.com) | No DMARC | F |
Previous editions
Methodology
We read each organization’s public DNS — the DMARC record on its consumer-facing domain — and classify the published policy (none / quarantine / reject). “Protected” means an enforced p=reject policy. Only public data is used; figures reflect the edition date and can change as records are updated.