With all of the recent conversations and articles about DMARC and authentication, I thought I would run a quick scan of the banking landscape in Canada. I took a quick look at the top 5 banks in Canada, plus the Bank of Canada, Canada's central bank, which I added mainly because of a phishing warning message they posted this week. The test covers only the corporate domain for each brand; many of the banks send email from sub-domains, which may be separately authenticated via a service provider.

Canadian Banks:

| Bank | Domain | SPF | DKIM * | DMARC |
|---|---|---|---|---|
| Bank of Montreal | bmo.com | Yes | No | No |
| Bank of Nova Scotia | scotiabank.com | Yes | No | p=none |
| Canadian Imperial Bank of Commerce | cibc.com | Yes | No | No |
| Royal Bank of Canada | rbc.com | Yes | No | No |
| Toronto-Dominion Bank | td.com | No | No | No |
| Bank of Canada | bankofcanada.ca | No | No | No |

A quick review of the top 5 commercial banks in Canada and Canada's central bank shows they could be doing a lot more to protect their brands and their consumers from phishing and fraud. In summary:

  • Four of the six banks are employing SPF for authentication
  • Only one of the banks is using DMARC, and it is currently in monitoring-only mode (p=none)
  • There is no visible indication of DKIM on the corporate domains for any of the banks

Sadly, the main banks in Canada are failing when it comes to protecting their customers and their employees from fraud and phishing.

* The DKIM test only checks whether the service may be in use. Without sample messages and the domains' selectors, it is not possible to tell whether the domains properly DKIM-sign their emails.
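The SPF and DMARC columns above can be derived from a domain's TXT records. The following is an added example, not the tooling used for this scan: it classifies TXT records that have already been fetched, and the domains and records in `SAMPLES` are constructed. DKIM is left out for the reason given in the footnote, since keys are published under `<selector>._domainkey.<domain>` and cannot be looked up without the selector.

```python
# Added example. TXT records below are constructed samples, not live DNS answers.
# SPF is published at the domain apex; DMARC at _dmarc.<domain>.

def parse_tags(record):
    """Split a 'tag=value; tag=value' DMARC record into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def spf_status(apex_txt):
    """'Yes' for exactly one v=spf1 record, 'No' for none."""
    spf = [r for r in apex_txt if r.strip().lower().split(" ")[0] == "v=spf1"]
    if len(spf) > 1:
        return "Invalid"  # more than one SPF record is a permanent error
    return "Yes" if spf else "No"

def dmarc_status(dmarc_txt):
    """Return 'No', 'Invalid', or the published policy such as 'p=none'."""
    recs = [r for r in dmarc_txt if r.strip().startswith("v=DMARC1")]
    if len(recs) != 1:
        return "No"  # none or several records: receivers apply no policy
    policy = parse_tags(recs[0]).get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return "Invalid"  # simplification: missing or unknown p= value
    return "p=" + policy

def assess(apex_txt, dmarc_txt):
    """Summarise one domain; 'enforcing' is False for monitoring-only p=none."""
    dmarc = dmarc_status(dmarc_txt)
    return {"spf": spf_status(apex_txt), "dmarc": dmarc,
            "enforcing": dmarc in ("p=quarantine", "p=reject")}

# Constructed (apex TXT, _dmarc TXT) pairs for hypothetical domains.
SAMPLES = {
    "monitor.example": (["site-verification=abc123",
                         "v=spf1 include:_spf.mail.example -all"],
                        ["v=DMARC1; p=none; rua=mailto:reports@monitor.example"]),
    "spf-only.example": (["v=spf1 ip4:192.0.2.10 ~all"], []),
    "bare.example": (["site-verification=abc123"], []),
    "enforced.example": (["v=spf1 -all"], ["v=DMARC1; p=reject"]),
}

if __name__ == "__main__":
    for domain, (apex, dmarc) in SAMPLES.items():
        print(domain, assess(apex, dmarc))
```

A domain that reports `p=none` receives DMARC reports but does not ask receivers to quarantine or reject failing mail, which is why `enforcing` stays false for it.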