It is Q1 2026. The Digital Personal Data Protection (DPDP) Act is enforceable with rules notified in November 2025. The RBI’s mandate for .bank.in domain migration has passed its October 2025 deadline. Yet, a critical vulnerability persists in the bedrock of Indian banking communication.
New intelligence from February 2026 confirms a stark reality: 39% of Indian banks still fail to enforce strict DMARC protocols (p=reject). While 99% have adopted the protocol on paper, they remain stuck in “monitoring” or “quarantine” purgatory.
In 2023, this was a hygiene issue. In 2026, with the widespread availability of the Nupay/NACH leak data (273,000+ transaction records exposed in late 2025) and Generative AI capable of crafting indistinguishable spoof emails, this is not a gap; it is a kinetic kill chain for financial fraud.
The Data Narrative: The ‘Monitor’ Trap
The industry is patting itself on the back for “99% adoption.” This is a vanity metric. The only metric that matters in a Zero Trust environment is enforcement.
| DMARC Status (2026) | % of Indian Banks | The Strategic Implication |
|---|---|---|
| p=reject (Strict) | 61% | SECURE. The bank explicitly instructs receivers to block unauthorized mail. Exact-domain spoofing is rejected by every receiver that honours the policy. |
| p=quarantine | 28% | VULNERABLE. Suspicious emails go to spam folders, where users, conditioned to check spam, still click malicious links. |
| p=none (Monitor) | 10% | OPEN DOOR. The bank is merely watching. Attackers can spoof the domain with impunity. Zero blocking power. |
The 2026 Context: The 39% of banks in the ‘Quarantine/Monitor’ zones are effectively subsidizing the R&D of cybercrime syndicates. With the recent explosion of “Deepfake Voice” fraud targeting high-net-worth individuals (HNIs), an email that looks like it comes from the CEO, followed by a voice-cloned call, is a devastating combo. If the email domain isn’t locked down with p=reject, the entire social engineering attack surface remains wide open.
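To make the three tiers in the table concrete, here is an added Python example (not from the original article or from the Proofpoint research it cites) that parses a published DMARC TXT record, maps it to the tier used above, and flags the two tags that quietly weaken an apparently strict policy: pct below 100 and a weaker sp for subdomains. The domain names and records are constructed samples.

```python
# Classify DMARC TXT records into the enforcement tiers used in the table.
# Records and domain names below are constructed samples, not real banks.
SAMPLE_RECORDS = {
    "legacybank.example": "v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@legacybank.example",
    "legacybank-offers.example": "v=DMARC1; p=none",
    "examplebank.bank.in": "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@legacybank.example",
}

TIERS = {"reject": "SECURE", "quarantine": "VULNERABLE", "none": "OPEN DOOR"}


def parse_dmarc(txt: str) -> dict:
    """Split 'v=DMARC1; p=reject; rua=...' into a lower-cased tag dictionary."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def classify(txt: str) -> tuple:
    """Return (tier, warnings) for one DMARC record."""
    tags = parse_dmarc(txt)
    warnings = []
    if tags.get("v", "").upper() != "DMARC1":
        return ("NO DMARC", ["record missing or malformed"])
    policy = tags.get("p", "none").lower()
    # pct below 100 applies the policy to only a sample of failing mail
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        warnings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    # sp governs subdomains; absent it inherits p, but an explicit weaker sp
    # leaves parked and defensive subdomains open to spoofing
    sub_policy = tags.get("sp", policy).lower()
    if sub_policy != policy and sub_policy in ("none", "quarantine"):
        warnings.append(f"sp={sub_policy}: subdomains weaker than organisational policy")
    # without rua there are no aggregate reports, so third-party senders stay invisible
    if "rua" not in tags:
        warnings.append("no rua: aggregate reporting disabled")
    return (TIERS.get(policy, "UNKNOWN"), warnings)


def audit(records: dict) -> dict:
    """Classify every domain the bank owns, including parked and legacy names."""
    return {domain: classify(record) for domain, record in records.items()}


if __name__ == "__main__":
    for domain, (tier, warnings) in audit(SAMPLE_RECORDS).items():
        print(f"{domain:28} {tier:11} {'; '.join(warnings)}")
```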
Signal vs. Noise: The 2026 Security Landscape
The cybersecurity vendor ecosystem is noisy, pushing “AI-driven autonomous defense” while basic door locks remain unbolted.
| NOISE (Industry Hype) | SIGNAL (Execution Reality) | VERDICT |
|---|---|---|
| “AI-Powered Phishing Defense” will solve email fraud. | 39% of banks allow their own domains to be spoofed. No amount of inbound AI defense fixes outbound brand impersonation. | Fix the protocol first. AI is a layer, not a foundation. |
| “The .bank.in migration is complete.” | Migration created consumer confusion. The shift to .bank.in (RBI Oct ’25 deadline) has created a transition period where legacy domains remain vulnerable. | Migration implementation remains uneven across Tier-2 and cooperative banks. |
| “DPDP Act compliance is a legal issue.” | It is a solvency issue. Under DPDP Rules 2025, breaches facilitated by inadequate security safeguards carry penalties up to ₹250 crore. | DMARC p=reject is the cheapest insurance against regulatory exposure. |
| “Biometric authentication makes email irrelevant.” | Email is still the ‘Password Reset’ master key. Compromise the email, and you bypass the biometrics. | Email remains the single point of failure for digital identity. |
India Reality: The ‘Perfect’ Storm of 2026
The Indian banking sector operates in a unique pressure cooker in 2026. The convergence of three specific factors makes the DMARC gap existential.
1. The Nupay/NACH Aftermath
In late 2025, over 273,000 banking transaction documents were exposed via a cloud misconfiguration (the Nupay incident). This data is now in the wild.
- The Threat: Attackers possess valid account numbers, transaction values, and dates.
- The Vector: They send an email spoofing your bank’s domain: “Dear Customer, your NACH transaction of ₹15,400 dated 24th Jan failed. Click here to retry.”
- The Gap: If you are among the 39% without strict DMARC, this email lands in the Primary Inbox. It looks 100% legitimate, making these attacks highly effective.
2. The ‘Bank.in’ Migration Transition
The RBI mandated banks to migrate to the .bank.in domain by October 31, 2025, to create a verified trust anchor.
- The Reality: Implementation has been uneven. Many Tier-2 and Cooperative banks are running dual domains during the transition.
- The Exploit: Attackers are registering variations of legacy domains. Lookalike registrations are outside DMARC’s scope; what DMARC governs is the legacy domain itself, and if that domain lacks strict DMARC (because IT is focused on the new one), customers remain vulnerable to sophisticated phishing campaigns that spoof it exactly.
3. The Tier-2 / Cooperative Bank Vulnerability
While HDFC, ICICI, and SBI have largely fortified their perimeters, the 39% gap is heavily concentrated in Cooperative Banks and smaller private sector entities.
- The Risk: These banks are now part of the unified UPI ecosystem. A compromise here is not isolated; it is an entry point for mule account networks that launder money across the major banks. The RBI’s 2025 Guidelines for Co-operative Banks demanded tech modernization, but execution lags behind policy.
The Strategist’s Playbook: Closing the Gap
For the CXO, moving from p=none to p=reject is not a “tech ticket”; it is a governance mandate.
Phase 1: The Audit (Week 1)
- Directive: Do not ask “Do we have DMARC?” Ask “What is our enforcement policy on all parked and defensive domains?”
- Action: Identify every third-party sender (Salesforce, HubSpot, HR systems) sending as your domain. The fear of breaking these services is why 28% of banks are stuck at p=quarantine.
Phase 2: The ‘Scream Test’ Mitigation (Week 2-4)
- Directive: You cannot stay in p=quarantine forever.
- Action: Implement BIMI (Brand Indicators for Message Identification). In 2026, Gmail and Apple Mail display your bank’s logo only when you have p=quarantine or p=reject enforcement. Use this as the business case: “We are losing brand visibility and trust by not enforcing proper email authentication.”
Phase 3: The DPDP Shield (Ongoing)
- Directive: Map DMARC failure to DPDP liability.
- Action: Document the move to p=reject as a “Reasonable Security Safeguard” under Section 8 of the DPDP Act. If a breach occurs, this documentation is your primary defense against the Data Protection Board’s penalties.
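The Phase 1 step of finding every third-party sender, and the Phase 2 question of what will break when the policy tightens, both come down to reading DMARC aggregate (RUA) reports. This added Python example (not the article’s own tooling) parses a constructed RUA report in the RFC 7489 XML layout and lists the sources that would be blocked under p=reject; each is either a vendor to authorize via SPF/DKIM or a spoofer to leave blocked. The IPs, domains and counts are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a DMARC aggregate (RUA) report, trimmed to the fields the
# audit needs: the bank's own MTA, a CRM relay sending as the bank without
# alignment, and a low-volume spoofer. Addresses are documentation ranges.
SAMPLE_RUA = """<?xml version="1.0"?>
<feedback>
  <policy_published><domain>bank.example</domain><p>quarantine</p><pct>100</pct></policy_published>
  <record><row><source_ip>203.0.113.10</source_ip><count>1200</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>bank.example</header_from></identifiers></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>340</count>
    <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>bank.example</header_from></identifiers>
    <auth_results><spf><domain>crm-vendor.example</domain><result>pass</result></spf></auth_results></record>
  <record><row><source_ip>192.0.2.99</source_ip><count>25</count>
    <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>bank.example</header_from></identifiers></record>
</feedback>"""


def summarize_rua(xml_text: str) -> dict:
    """Per source IP: message count, whether DMARC aligned (DKIM or SPF pass in
    policy_evaluated), and any domain that passed raw SPF, which hints that a
    third party is sending on the bank's behalf under its own envelope domain."""
    root = ET.fromstring(xml_text)
    sources = {}
    for rec in root.findall("record"):
        ip = rec.findtext("row/source_ip")
        count = int(rec.findtext("row/count"))
        dkim = rec.findtext("row/policy_evaluated/dkim")
        spf = rec.findtext("row/policy_evaluated/spf")
        entry = sources.setdefault(ip, {
            "count": 0,
            "aligned": "pass" in (dkim, spf),
            "spf_domain": rec.findtext("auth_results/spf/domain"),
        })
        entry["count"] += count
    return sources


def unaligned_sources(xml_text: str) -> list:
    """Sources that p=reject would block, largest volume first, as
    (ip, count, raw_spf_domain_or_None). A named SPF domain usually means a
    vendor to authorize; None with low volume usually means a spoofer."""
    rows = [(ip, v["count"], v["spf_domain"])
            for ip, v in summarize_rua(xml_text).items() if not v["aligned"]]
    return sorted(rows, key=lambda r: -r[1])


if __name__ == "__main__":
    for ip, count, spf_domain in unaligned_sources(SAMPLE_RUA):
        print(f"{ip:15} {count:6}  raw SPF domain: {spf_domain or 'none (likely spoof)'}")
```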
Final Word
In 2026, an email from a bank is either a cryptographic guarantee of identity or a liability waiting to explode. There is no middle ground. The 39% of banks currently hoping that “monitoring” is enough are playing a high-stakes game with AI-generated phishing attacks that grow more sophisticated daily.
Close the door. Set p=reject.
FutureIsNow Editorial Intelligence Desk | Analysis based on Proofpoint research
