fTLD periodically reviews our Security Requirements to ensure they are in line with best practices for the financial services sector and continue to protect against evolving security threats.
This year the majority of changes to the Requirements are clarifications and do not materially alter them. The two exceptions are Requirement #2 (DNSSEC), which now specifies that DNSSEC must be implemented with strong cryptographic algorithms, and Requirement #5 (Email Authentication), as described below.
For Requirement #4 (Encryption), fTLD has published additional information at https://go.ftld.com/tls-implementation that specifies the ports for web services we have always tested; this testing will continue for the encryption settings as required.
For Requirement #5 (Email Authentication), fTLD is clarifying that while publishing a DomainKeys Identified Mail (DKIM) record is not required, publishing both SPF (Sender Policy Framework) and DKIM provides additional security for your email channel.
Who is impacted by this change?
Registrants who have published DMARC and only DKIM, but not SPF, will need to add an SPF policy for their .BANK/.INSURANCE domain(s). Registrants who have implemented DNSSEC for their .BANK/.INSURANCE domain(s) should ensure they use strong cryptographic algorithms.
How will I know if I need to take action?
fTLD will automatically notify Registrants (and their Registrar) impacted by these changes.
If applicable, by when do I need to make changes to address the modifications to Requirement #2 (DNSSEC) and Requirement #5 (Email Authentication)?
Registrants must make any necessary modifications to comply with the Requirements no later than February 12, 2021.