23 years from Stockholm
Solutions · Banks and fintech

Email infrastructure for banks and fintech operating under DORA, PSD3, and the brand-impersonation problem

Banks send transactional email — statements, alerts, password resets, payment confirmations — to customers who are the single most lucrative phishing target in the digital economy. The infrastructure underneath that mail is now a regulated component: DORA applied since January 2025, the PSD3/PSR text was agreed in November 2025 with full enforcement expected by late 2027, and the 2024 Gmail/Yahoo bulk-sender mandate added technical compliance on top. We ship financial-grade sending: DMARC enforcement, BIMI/VMC deployment, EU-only routing in Stockholm and Frankfurt, ICT incident reporting workflows that DORA's Article 19 actually accepts, and zero US ownership in the data path.

The 2026 regulatory landscape for financial email

DORA is live. PSD3/PSR is agreed. The bulk-sender mandate has been enforcing for two years. Email is now a regulated workload.

For most of the last twenty years, email was treated by financial institutions as a low-stakes communication channel: useful, occasionally embarrassing when something leaked, but not regulated as critical infrastructure. That ended on January 17, 2025, when the Digital Operational Resilience Act (DORA) applied. DORA brings every electronic communication system that supports a financial service — including transactional mail, customer notifications, statement delivery, password resets, and 2FA confirmation emails — into the ICT risk management framework. The 2026 enforcement era has begun. The European Supervisory Authorities (EBA, ESMA, EIOPA) issued their first batch of designated critical third-party providers in November 2025 and started the annual oversight plan cycle in Q1 2026.

PSD3 and PSR were politically agreed by EU Parliament and Council negotiators on November 27, 2025. Entry into force is expected between Q1 and Q2 2026, with a 21-month transition period — meaning national transposition through 2027 and full operational compliance by 2028. PSD3/PSR mandates a framework with mitigation and control mechanisms to manage security and operational risks, explicitly aligning with DORA's ICT risk management provisions. Payment service providers must submit an annual assessment of operational and security risks related to their services. Email sits squarely in that scope when it carries SCA confirmation codes, transaction notifications, or any communication that touches the customer's payment authentication path.

Layered on top: the Gmail/Yahoo bulk-sender enforcement that went live in February 2024 and tightened through 2025-2026, the Microsoft Outlook authentication mandate effective May 5, 2025, the La Poste enforcement that started September 2025, and Gmail Postmaster Tools v2's binary Pass/Fail Compliance Status launched October 2025. For a bank sending more than 5,000 transactional messages per day to Gmail addresses, DMARC must be valid and aligned, SPF and DKIM must authenticate every stream, one-click unsubscribe must work for any communication that isn't purely transactional, and the spam complaint rate has to stay below 0.30% (with 0.10% as the working ceiling).

The intersection of these regimes makes financial email harder than any other vertical's email. The brand-impersonation problem is the worst in the economy — Spamhaus, APWG, and Anti-Phishing Working Group consistently report that banking and payments are the top phishing target sectors. The customer impact of a phishing wave that gets through is direct financial loss for real people, which DORA classifies as an ICT-related incident with the highest reporting priority and the tightest 72-hour clock for initial notification to the competent authority. Email infrastructure that was acceptable for a SaaS company is not acceptable for a bank.

What we ship is built for this regime specifically. The DMARC enforcement progression isn't optional advice; it's the only path that gets you to BIMI/VMC display and reduces the brand-impersonation surface. EU-only routing in our Stockholm primary / Frankfurt secondary infrastructure avoids Schrems II complications and the EU-US Data Privacy Framework risk that US-owned ESPs propagate through their chain. Stockholm on-call rotation gives DORA Article 19 ICT-incident reporting a real human to call within EU business hours. And the per-domain reputation isolation that lets a corporate banking client and a retail banking client coexist without cross-contamination is the foundation of a multi-brand financial group's email architecture.

Brand-impersonation exposure

What your bank loses every year to phishing that successfully impersonates your domain

Move the sliders to model your situation. The math approximates documented phishing-loss exposure for banks of different sizes, with the assumption that authentication posture (no DMARC vs DMARC enforcement vs BIMI/VMC) determines the impersonation surface and the customer recovery cost.

10K5M
€500 (small)€25K (high-net-worth)
1 (small bank)500 (tier-1 bank)
p=nonequarantinerejectBIMI/VMC

Math: success rate of a phishing campaign × campaigns/yr × customer base reached × avg loss = annual exposure. Reduction factors per posture: p=none = full exposure (1.0×); p=quarantine = 0.45× (spoofed mail filtered to spam, but still reaches some inboxes); p=reject = 0.10× (spoofed mail bounces, only lookalike-domain phishing succeeds); BIMI/VMC = 0.04× (customers trained to look for the logo, unmarked mail flagged as suspicious). Reduction factors derived from Anti-Phishing Working Group 2025 trend data and documented case studies from EU financial institutions post-VMC deployment.

Annual exposure
€2.6M
Without DMARC enforcement
Phishing campaigns/yr 24
Customers reached per campaign ~25,000
Victim conversion rate ~1.25%
Successful victims/yr ~750

Move to p=reject + BIMI/VMC and the same parameters drop annual exposure by roughly 96%. The certificate cost (~€780-€1,668/year per VMC) and the operational work to reach p=reject typically pay for themselves in the first month at this scale.

The compliance stack for financial email

Four overlapping regimes, all currently active or imminent

Each of these regimes has its own scope, its own enforcement clock, and its own technical requirements. Email infrastructure for a bank in 2026 has to satisfy all of them simultaneously. Here's the practical breakdown.

DORA · Live since 17 January 2025

Digital Operational Resilience Act

EU regulation that brings every ICT system supporting a financial service into a unified risk-management framework. ICT incident reporting with a 72-hour initial-notification clock for major incidents. Third-party oversight: if your email provider is a designated critical third-party (CTPP), they're under direct ESA supervision.

Email touchpoints
ICT risk management, incident reporting, third-party register
2026 status
First wave of CTPP designations issued Nov 2025
PSD3 + PSR · Agreed November 2025

Payment Services Directive 3 + Regulation

Political agreement reached 27 Nov 2025. Replaces PSD2 and the Electronic Money Directive. Strengthens Strong Customer Authentication (SCA), tightens transaction-risk analysis, introduces verification-of-payee schemes, and mandates direct alignment with DORA for operational resilience.

Email touchpoints
SCA confirmation, payment notifications, customer comms
Timeline
Force expected Q1-Q2 2026, full compliance ~2028
Bulk-sender mandate · Active since Feb 2024

Gmail / Yahoo / Microsoft / La Poste

Originally Gmail/Yahoo Feb 2024, then Microsoft Outlook May 5 2025 (rejects with 550 5.7.515), then La Poste September 2025. Postmaster Tools v2 launched October 2025 with binary Pass/Fail Compliance Status. Banks routinely cross the 5,000 messages/day threshold for transactional mail.

Email touchpoints
DMARC alignment, SPF/DKIM, one-click unsubscribe
2026 enforcement
Gmail permanent 550 rejection since Nov 2025
GDPR + national supervisors · Continuous

GDPR, BaFin, CNMV, FCA, AMF

National banking supervisors layer their own rules on top: BaFin's MaRisk for German institutions, the Bank of Spain's circular for ICT outsourcing, the FCA SYSC handbook in the UK, the ACPR/AMF for French institutions. Email touchpoints: data residency, outsourcing notifications, customer data confidentiality.

Email touchpoints
Data residency, Art. 28 DPA, breach notification
Friction point
US-owned ESPs trigger Schrems II questions
The BIMI/VMC layer

Your verified logo in the inbox is now the strongest signal customers have that an email is really from you

BIMI (Brand Indicators for Message Identification) displays your verified brand logo next to authenticated emails in Gmail, Yahoo Mail, Apple Mail, Fastmail, and AOL. For a bank, the logo serves a security function as much as a branding one: customers who become trained to look for the logo on a message from "your bank" will flag a logo-less message as suspicious, which is exactly what you want them to do when a phishing impersonation reaches their inbox.

The technical floor is non-negotiable. BIMI requires DMARC at p=quarantine or p=reject for at least 30 consecutive days before mailbox providers will pull and display the logo. Most banks reach BIMI roughly six to twelve months after starting the DMARC enforcement progression — the time required to find every legitimate sending source (Salesforce Marketing Cloud for marketing mail, the transactional ESP for statements, the CRM for service comms, the office mail server for staff replies), get all of them DKIM-aligned, and then ratchet the policy from monitoring to quarantine to reject without breaking legitimate mail.

The Verified Mark Certificate adds a legal layer on top: a digital certificate issued by a Certificate Authority (DigiCert and Entrust are the dominant CAs) that confirms the logo is a registered trademark and that the entity displaying it owns the trademark. VMC pricing in 2026 ranges from $780/year to $1,668/year depending on the CA, the term length, and reseller discounts; the certificate is what unlocks the Gmail blue checkmark and the full logo display in Apple Mail. For banks without a registered trademark on the specific logo variant (the colored version vs. the monochrome version, for instance), the Common Mark Certificate at roughly $650/year is an alternative on Gmail and Apple Mail but doesn't grant the verified checkmark.

The case for banks is straightforward. A documented EU financial institution case study from late 2025 reported a significant drop in customer-submitted phishing reports six months after VMC deployment, with the more interesting outcome being a behavior change: customers began reporting messages without the logo as suspicious. That's the real value. The phishing volume targeting the bank didn't decrease; the customer base's ability to tell the difference between real and fake increased. The SOC team's response time decreased because the reports they did receive were higher quality.

What we ship on the BIMI/VMC layer: DMARC reporting and analysis at p=none for the first 30-60 days to identify every legitimate sending stream, alignment fixes for the streams that need them, the progression to p=quarantine for another 30 days with continuous monitoring, the final move to p=reject, the SVG Tiny PS file generation from your existing trademark logo (under 32 KB, 1:1 ratio, no scripts, no external references), the VMC application liaison with DigiCert or Entrust, the DNS TXT record publication, and the per-subdomain BIMI verification (BIMI checks the subdomain policy explicitly via sp=, so it's not inherited automatically).

What we ship for a financial services engagement

The pieces of the platform that satisfy DORA, PSD3, and the bulk-sender mandate together

What we provide is the regulated sending layer: a managed PowerMTA infrastructure hosted in our Stockholm primary and Frankfurt secondary data centers, with the operational disciplines and reporting workflows that the financial regimes require. We don't replace your core banking platform, your CRM, or your marketing automation; what we replace is the SMTP relay underneath those systems, plus the deliverability and authentication tooling around it.

  • DMARC enforcement progression to p=reject 30 days at p=none with full DMARC aggregate report parsing to identify every legitimate sending source. 30 days at p=quarantine. Final move to p=reject. This is the foundation for BIMI/VMC and the only state in 2026 that's safe long-term. Only 35% of Fortune 500 DMARC records reach p=reject, and that 35% is the cohort with reliable Gmail inbox placement.
  • BIMI / VMC deployment SVG Tiny PS logo preparation from your existing trademark (under 32 KB, 1:1 ratio), VMC application with DigiCert or Entrust, DNS TXT record publication, per-subdomain verification, monthly verification that the logo continues to display in Gmail, Yahoo Mail, Apple Mail, Fastmail, and AOL. Annual VMC renewal handled.
  • DORA Article 19 incident reporting workflow Pre-defined ICT-incident escalation paths. Initial notification template within 72 hours, intermediate report within 30 days, final report within 90 days — the cadence DORA Article 19 actually requires. Stockholm on-call rotation provides the human who picks up when something goes wrong, with bank-side liaison coordinated through your designated point-of-contact.
  • EU-only routing in Stockholm and Frankfurt Primary infrastructure in Stockholm, secondary in Frankfurt. Both are EU-jurisdictions. No US ownership in the data path. The Schrems II transfer-impact-assessment that complicates US-routed mail doesn't apply when the routing stays in the EU. For Swiss banks, the equivalent treatment under the revised FADP works without additional contractual layers.
  • Per-brand reputation isolation for multi-entity groups A typical financial group has 5-15 brands (retail bank, corporate bank, asset management, insurance, payment processor) each with its own customer base and its own deliverability profile. We isolate each brand on its own sending domain with its own DKIM keys, its own IP pool (or pools), and its own DMARC policy. A spam incident on the marketing list of one entity doesn't degrade the transactional reputation of another.
  • Bounce-handling and FBL ingestion per regulatory category Transactional mail (statements, alerts, password resets) is treated differently from promotional mail in our bounce-handling logic, because the regulatory consequence is different — a bounced password reset triggers an authentication-failure workflow, a bounced promotional message triggers a list-hygiene workflow. FBL data from Yahoo, Hotmail, Microsoft 365, La Poste, and Comcast is ingested per allocated IP and attributed back to the originating sending stream.
  • DPA framework for the Art. 28 GDPR + DORA Art. 30 sub-processor chain Our DPA is structured for the typical financial-services chain: the bank is the controller, we are the processor (under DORA Art. 30, the ICT third-party services contract), with explicit data-residency commitments, audit rights, exit assistance, and subcontracting restrictions. Banks in Germany sign under DSGVO + BDSG-neu + Art. 28 AVV. Banks in Spain under RGPD + LOPD-GDD. Banks in the UK under UK-GDPR + DPA 2018.
Pricing scenarios

How banking engagements typically size

Regional bank / mid-tier fintech

PowerMTA Pro + Managed Deliverability · €2,699/mo

PowerMTA Pro (€1,499) + Managed Deliverability retainer (€1,200). 20 dedicated IPs, 150K msg/hr, named deliverability engineer, DMARC progression to p=reject and BIMI/VMC deployment included over the first 90 days. The configuration where most regional banks settle.

See Managed PowerMTA
Tier-2 bank / large fintech · Most common

PowerMTA Enterprise + Managed Deliverability · €3,999/mo

PowerMTA Enterprise (€2,799) + Managed Deliverability (€1,200). 30 dedicated IPs, 500K msg/hr, per-brand isolation across the financial group's entities, BIMI/VMC for each brand. The tier where mid-size European banks and significant fintechs settle.

See Managed Deliverability
Tier-1 bank / DORA-designated CTPP

Custom · from €7,500/mo

Multi-server architecture with active-active across Stockholm and Frankfurt, dedicated /24 IP space, named SLA with sub-15-minute response, quarterly TLPT (threat-led penetration testing) participation, audit support for DORA Art. 19 reviews. Banks at this scale typically also negotiate a custom DPA.

Open the conversation
Common questions from financial services procurement

What banks ask before signing

Are you a DORA-designated critical third-party provider?

+

Not currently. The first batch of CTPP designations was issued by the ESAs in November 2025 and consisted of the very largest cloud and IT services providers (the typical names in that list are public). Our size and customer concentration don't meet the CTPP threshold. What this means practically: under DORA Art. 28, your bank is responsible for the third-party register and the ICT risk management around using us; under Art. 30, the contract has to include the specific clauses DORA requires; under Art. 19, your bank is the reporter to the competent authority if an ICT-related incident on our infrastructure affects you. We supply the technical incident data within an hour; you supply the supervisory-side report.

Banks that need a CTPP-designated provider on grounds of internal procurement policy can use one of the designated names; we work as a complement rather than a replacement when that's the case. We've found that this is rare — most banks decide that for email infrastructure specifically, an EU-jurisdiction operator with no US ownership matters more than CTPP designation.

What about Schrems II and US-owned providers in the chain?

+

Authorize Hosting is a Swedish-incorporated entity (Stockholm, established 2003) with no US ownership in the corporate chain. Primary infrastructure is in Stockholm, secondary in Frankfurt. Both are EU-jurisdictions and the data stays in the EU by default. There is no transfer to the US in any normal mail flow, and the EU-US Data Privacy Framework's instability — which the Schrems II case made clear — doesn't apply to our chain.

For banks whose customers explicitly do not want their data touching US-owned infrastructure (typically public sector clients, healthcare-banking-adjacent products, or institutions with EU sovereignty mandates), this is the structural answer. The DPA explicitly precludes US sub-processors. For comparison: any of the dominant US-owned email infrastructure providers (the major US-headquartered ESPs and cloud sending services) requires a transfer-impact assessment for an EU customer, and most banks find that assessment progressively harder to defend through 2025 and 2026.

How does the DMARC progression actually work for a bank with 50+ sending streams?

+

Banks typically have more sending streams than they realize: the core banking platform's transactional mail, the CRM's service notifications, the marketing automation for the retail offer letters, the wealth management division's reporting, the corporate banking division's separate stream, the HR system's internal mail, the various office Microsoft 365 / Google Workspace tenants, the contracted call center's email-out, the document signing platform, the customer surveys, the security team's automated alerts, and so on. A 50-stream inventory is common for a tier-2 bank.

The progression: first 30 days at p=none with DMARC reporting going to our dashboard, where we parse the aggregate reports and produce a stream-by-stream readiness assessment. Most banks discover 5-10 streams that aren't authenticating cleanly (typically older or less-maintained systems, or third-party vendors whose authentication setup was never completed). We work with the bank's internal teams to fix each, then move to p=quarantine for another 30 days to confirm no legitimate stream is being filtered. Final move to p=reject. Total elapsed time for a bank-sized environment: typically 90-120 days. For very large estates: 6 months.

How fast can you support DORA Article 19 incident notification?

+

The DORA Art. 19 clock for major ICT-related incidents is: initial notification within 24 hours of becoming aware, intermediate report within 72 hours, final report within 30 days (extendable to 90). Banks at our pricing tier get a Stockholm on-call rotation with named engineers and a documented escalation tree. Critical incidents (multi-customer affecting, regulator-visible) trigger response within an hour during EU business hours; off-hours response is 2-3 hours. The technical incident data we provide — affected sending streams, time windows, root cause analysis, remediation steps — is structured for direct inclusion in the bank's notification to the competent authority.

What we don't do is file the notification with the competent authority on your behalf. That's the bank's regulatory responsibility, and trying to delegate it to us would create more compliance risk than it would solve. Our job is to make sure the data you submit is accurate, complete, and on time.

How does BIMI/VMC actually reduce phishing? Customers aren't trained to look for it yet.

+

Two effects, working over different time horizons. Immediate effect: BIMI requires DMARC at p=reject as a prerequisite. Getting to p=reject stops direct domain spoofing (mail sent from your bank's domain). The phishing that gets through after BIMI deployment is lookalike-domain phishing (sent from your-bank-securely.com or similar), which is harder to set up and easier for customers to spot.

Long-horizon effect: customers do learn to look for the logo, but it takes 6-18 months of consistent visual presence in their inbox. The documented EU financial institution case study from 2025 showed customer behavior change at the six-month mark — customers started reporting messages without the logo as suspicious. This is the actual goal: not "the customer sees the logo and trusts the email," but "the customer notices when the logo is missing and gets suspicious." That second behavior is what reduces phishing victim conversion rates.

How does this integrate with our existing ESP (Salesforce Marketing Cloud / Adobe Campaign / Selligent)?

+

Two patterns. SMTP relay pattern: your ESP (SFMC, Adobe, Selligent, Acoustic, or anything else) keeps its UI, its campaign builder, its segmentation, its analytics. What changes is where the mail leaves on. Instead of the ESP's shared infrastructure, the ESP authenticates to our SMTP relay and the mail leaves on our dedicated IPs under your domain. Most banks set this up for the high-deliverability streams (transactional mail, password resets, statement notifications) and keep promotional mail on the ESP's native infrastructure where the engagement signals don't carry regulatory weight.

Direct API pattern: for transactional mail specifically — statement delivery, payment confirmations, 2FA codes — banks often build directly against our HTTP API or SMTP relay from the core banking platform, bypassing the marketing-focused ESP entirely. This is faster (no campaign-builder overhead), more reliable (fewer intermediate systems), and easier to audit (one less vendor in the chain).

What about TLPT (threat-led penetration testing) and DORA's testing requirements?

+

DORA Art. 26 requires TLPT for significant financial entities at least every three years. The TLPT scope can include ICT third parties whose disruption would meaningfully affect the bank — which can include the email infrastructure when the bank's transactional mail volume is significant or when the email infrastructure is in the bank's critical-or-important-functions register.

For banks at the Tier-1 pricing tier, we participate in TLPT engagements as a third-party in scope. We provide controlled test environments, documentation of our perimeter, and the technical liaison for the red team during the test window. We don't participate as a third-party in TLPT for banks below that tier because the operational disruption isn't worth it for both sides — but the underlying infrastructure is the same, and the bank can test it indirectly through the red team's customer-side perspective.

Procurement-ready conversation

Tell us about your institution: regulatory perimeter (DORA scope, payment-services authorization, jurisdictions), current sending estate, DMARC posture, and what specifically pushed you to look at the email infrastructure. We'll come back with a sized proposal, a DPA, and the security questionnaire pre-filled.