June 19, 2018
fTLD’s Security Requirements Working Group recently recommended, and fTLD approved, a modification to dispense the requirement for MX records aliasing to out-of-zone domains (i.e., not .BANK or .INSURANCE) to be DNSSEC signed. Given the Email Authentication requirement for .BANK and .INSURANCE, the security associated with DMARC, SPF and DKIM provide an adequate set of controls.