Australian banks lag on strict DMARC email protection

Wed, 1st Jul 2026
Mark Tarre, News Chief

Most Australian banks have not adopted the strictest level of DMARC email authentication, according to Proofpoint, which analysed 78 authorised deposit-taking institutions.

The study found 59% do not use a DMARC reject policy, the setting designed to block fraudulent emails from reaching inboxes. Only 41% of the institutions assessed had adopted that policy, while 18% used quarantine settings, 23% were set to monitor only, and 18% had no DMARC record.

DMARC, or Domain-based Message Authentication, Reporting and Conformance, is used to verify whether an email sender is authorised to use a domain. A reject policy is the most restrictive option because it instructs receiving systems to block messages that fail authentication checks.

The findings come as regulators sharpen their focus on artificial intelligence and operational risk in financial services. The Australian Prudential Regulation Authority has warned institutions about the cyber risks linked to frontier AI tools, including the potential for faster, more convincing social engineering attacks.

Proofpoint said this leaves a gap between attention on advanced AI threats and the basic controls that can prevent common fraud attempts. Weak email authentication can make it easier for attackers to impersonate trusted banking brands in phishing campaigns targeting customers, staff, and business partners.

According to the Australian Signals Directorate's annual cyber threat report for 2024-25, online banking fraud is among the three most commonly self-reported cybercrimes affecting individuals. Proofpoint's own 2026 research found email remained the main entry point for cyber threats in Australia, with 53% of organisations identifying it as their most common threat vector.

Authentication gap

The data suggests the sector has improved since Proofpoint's earlier review of Australian banks. In 2023, the company found 22% of institutions had implemented a reject policy, compared with 41% in the latest analysis.

That increase still leaves a majority without what Proofpoint described as the recommended setting. For banks with no DMARC record, the exposure is more basic: cyber criminals may be able to spoof their domains without any published authentication policy.

Steve Moros, Senior Director, Advanced Technology Group, Asia Pacific and Japan, at Proofpoint, said the issue should be understood as both a technical and human risk.

"Banks must remember that even the most advanced AI-driven attack often relies on a single person making a mistake," Moros said.

"While AI can accelerate the attacker's playbook, these threats are still ultimately designed to manipulate people. For hard-working Australians who trust their financial institutions to protect their savings and personal data, especially with today's cost-of-living pressures, getting this right is essential. To stay ahead of the evolving threat landscape, Australian banks must adopt stronger protections for their customers, such as enforcing the strictest recommended reject level of DMARC and ensuring they adopt a human-centric approach to cybersecurity. This will help reduce the risk of customers falling victim to scams resulting from domain impersonation."

AI pressure

The warning reflects a broader shift in cybersecurity, where AI tools can help attackers draft convincing emails, imitate writing styles, and automate campaigns at scale. That does not replace established attack methods, but it can shorten the time needed to launch them and increase the volume of messages sent.

For banks, this matters because trust in brand identity is central to routine customer communication. Emails about account activity, payment verification, service updates, and security alerts can all become more effective lures when criminals make messages appear to come from a legitimate banking domain.

DMARC is one of several long-established controls intended to reduce that risk. The protocol works with other email authentication standards to tell receiving mail servers whether messages that fail checks should be monitored, quarantined, or rejected.

Institutions that remain on monitor settings may be collecting data on suspicious messages without preventing delivery. Quarantine settings provide a higher degree of protection, but they still stop short of the outright blocking that reject policies are designed to enforce.

The analysis used data from APRA's register of authorised deposit-taking institutions. It covered 78 organisations and measured their public DMARC settings in May 2026.
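As an added illustration of the classification the survey performs (example code, not Proofpoint's tooling or the article's), the script below parses a domain's public DMARC TXT record and sorts it into the same four buckets: reject, quarantine, monitor only, or no record. It goes one step beyond the article by treating a record with `pct=0` as monitor-only, since that tag disables enforcement; the `.example` domains and their records are constructed samples standing in for a DNS lookup of `_dmarc.<domain>`.

```python
from collections import Counter
from typing import Optional

POLICIES = ("none", "quarantine", "reject")

def parse_dmarc(txt: Optional[str]) -> Optional[dict]:
    """Split a DMARC TXT record into tags; None if absent or not valid DMARC."""
    if txt is None:
        return None
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip().lower()] = val.strip()
    # RFC 7489: a record must carry v=DMARC1 and a p= tag with a known value
    if tags.get("v", "").upper() != "DMARC1" or tags.get("p", "").lower() not in POLICIES:
        return None
    return tags

def effective_policy(txt: Optional[str]) -> str:
    """Return 'reject', 'quarantine', 'monitor' or 'no record'."""
    tags = parse_dmarc(txt)
    if tags is None:
        return "no record"
    # Caveat the article does not mention: pct=0 applies the policy to no
    # failing mail, so p=reject with pct=0 is monitor-only in effect.
    pct = tags.get("pct", "100")
    if (pct.isdigit() and int(pct) == 0) or tags["p"].lower() == "none":
        return "monitor"
    return tags["p"].lower()

def survey(records: dict) -> dict:
    """Whole-percentage share of domains per bucket, as the article reports."""
    counts = Counter(effective_policy(r) for r in records.values())
    return {k: round(100 * counts[k] / len(records))
            for k in ("reject", "quarantine", "monitor", "no record")}

# Constructed sample set; .example names stand in for real institutions
SAMPLE = {
    "bank-a.example": "v=DMARC1; p=reject; rua=mailto:dmarc@bank-a.example",
    "bank-b.example": "v=DMARC1; p=quarantine; pct=100",
    "bank-c.example": "v=DMARC1; p=none; rua=mailto:reports@bank-c.example",
    "bank-d.example": None,  # nothing published at _dmarc.bank-d.example
    "bank-e.example": "v=DMARC1; p=reject; pct=0",  # reads strict, enforces nothing
}

if __name__ == "__main__":
    for domain, record in SAMPLE.items():
        print(f"{domain:16} {effective_policy(record)}")
    print(survey(SAMPLE))  # {'reject': 20, 'quarantine': 20, 'monitor': 40, 'no record': 20}
```

To run this against real domains, replace the `SAMPLE` values with the TXT record returned for `_dmarc.<domain>` (or `None` when the lookup returns nothing).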

The results suggest reducing exposure to domain impersonation remains an unfinished task in Australian banking, despite wider awareness of phishing risks and increased regulatory scrutiny of cyber governance. The latest figures indicate nearly one in five banks still has no DMARC record.