fTLD is suspending the DNSSEC and TLS requirements for out of zone CNAME DNS resource records; these are not residing in the .BANK/.INSURANCE zone and/or are vendor domains servicing your .BANK/.INSURANCE domain(s). For out of zone MX DNS resource records, fTLD will continue to test Ports 25 & 110 (i.e., common email ports) for TLS and if not present or substandard, fTLD will issue a warning (recommendation) vs. a failure for this result. With fTLD issuing a warning, the Registrant is encouraged to move towards meeting the recommendation when their mail provider eventually offers that functionality.
fTLD will continue to advocate for vendors to adopt DNSSEC and strong TLS/encryption practices, and we will continue to monitor the adoption of these important security features. We will continue to periodically review the Security Requirements to ensure they are responsive to changing needs in security and the banking and insurance communities.