With all of the recent conversations and articles about DMARC and Authentication I thought I would run a quick scan of the banking landscape in Canada. I took a quick look at the top 5 banks in Canada and the Bank of Canada, Canada’s central bank, added mainly because of a recent phishing warning message they posted this week. The test is only on the corporate domain for each brand as many of the banks have sub-domains sending emails, that may be separately authenticated via a service provider.
Canadian Banks:
| Bank | Domain | SPF | DKIM * | DMARC |
| Bank of Montreal | bmo.com | Yes | No | No |
| Bank of Nova Scotia | scotiabank.com | Yes | No | p=none |
| Canadian Imperial Bank of Commerce | cibc.com | Yes | No | No |
| Royal Bank of Canada | rbc.com | Yes | No | No |
| Toronto-Dominion Bank | td.com | No | No | No |
| Bank of Canada | bankofcanada.ca | No | No | No |
A quick review of the top 5 commercial banks in Canada and Canada’s central bank shows they could be doing a lot more to protect their brands and their consumers from Phishing and Fraud. In summary:
- Four of the six banks are employing SPF for authentication
- Only one of the banks is using DMARC and is currently in monitoring only mode
- No visible indication of DKIM on the corporate domains for any of the banks
Sadly the main banks in Canada are failing when it comes to protecting their customers and their employees from fraud and phishing.
