Back in February 2025, we reported on the RBI’s plans to introduce ‘.bank.in’ and ‘.fin.in’ domains as a strategic move to enhance email security and public trust in India’s financial sector.

Now, it’s official.

On April 22, 2025, the Reserve Bank of India (RBI) issued a formal directive mandating all commercial, cooperative, and district banks to migrate their domains to ‘.bank.in’ no later than October 31, 2025.

This marks a major shift in how banks must approach digital identity and cybersecurity.

A Quick Recap – What Was Proposed in February

In the February 7, 2025 policy announcement, RBI signalled its intent to roll out exclusive domains for the financial sector to:

• Combat increasing incidents of email-based fraud
• Strengthen the cybersecurity posture of Indian banks
• Foster greater trust in digital financial services

Our earlier blog urged financial institutions to start preparing, especially by implementing robust email authentication protocols like DMARC, SPF, and DKIM.

The April 2025 Circular

The April circular (RBI/2025-26/28) now makes it mandatory to:

• Register a ‘.bank.in’ domain via IDRBT, authorized by NIXI and MeitY.
• Commence and complete the domain migration by October 31, 2025.
• Engage with IDRBT at sahyog@idrbt.ac.in for support throughout the registration and application process.

This is no longer a recommendation—it’s a deadline.

Why Is This Important?

The migration to the ‘.bank.in’ domain is part of a broader initiative to:

• Enhance cybersecurity frameworks
• Strengthen public confidence in digital banking
• Combat rising instances of fraud in digital payments

Email Threats Don’t Disappear With Domain Changes

Simply migrating to a new domain doesn’t automatically secure your communications. Cybercriminals are quick to adapt. Without implementing the right email authentication protocols like DMARC, SPF, and DKIM, even a “.bank.in” domain can be spoofed.

Worse, your old domain (the one you’re moving from) becomes a goldmine for attackers. If not protected with a strong DMARC policy (preferably set to ‘reject’), fraudsters can continue impersonating your brand.

Key Challenges in Migration

• Ensuring all third-party email services are aligned with DMARC, SPF, and DKIM for the new domain “.bank.in”.
• Warming up the new domain to send bulk emails
• Gaining full visibility into email traffic from both the old and new domains.
• Meeting Microsoft, Google & Yahoo’s bulk email authentication requirements.
• Warming up the new domain gradually to maintain sender reputation and avoid spam filters—critical for bulk communications like OTPs, statements, and alerts. (Note: this must be done in consultation with your ESP (Email Service Provider) or vendor)
• Maintaining deliverability during transition without compromising security.
• Aligning with regulatory frameworks like RBI, IRDAI, and CERT-In advisories.

What Should Banks Do Now?

With the RBI’s mandate now in motion, here’s a proactive checklist for BFSI institutions to stay ahead:

• Start the registration process for the “.bank.in” domain by reaching out to IDRBT at sahyog@idrbt.ac.in
• Consult your ESPs to initiate the domain warm-up process for bulk email communications.
• Conduct a domain and subdomain audit to identify all active email sending sources (CRM tools, marketing platforms, ticketing systems, etc.)
• Implement DMARC, SPF, and DKIM on both the new and old domains to ensure end-to-end email authentication.
• Gradually shift email traffic to the new domain in a phased manner while monitoring delivery rates.
• Apply a strict DMARC policy (p=reject) on the old domain to prevent spoofing and phishing post-migration.
• Partner with an email security platform like ProDMARC to gain deep visibility, real-time insights, and actionable compliance reports.

How ProDMARC Makes This Transition Seamless

Our platform, ProDMARC, is built to help BFSI organizations:

• Gain full visibility into email traffic across old and new domains
• Identify and align all third-party senders with compliance protocols
• Achieve DMARC enforcement (reject policy) to prevent misuse
• Meet bulk sender authentication requirements from Microsoft, Gmail & Yahoo
• Generate actionable insights to fast-track compliance

Need Help with Migration?

At Progist, we’ve been working closely with banks to ensure their email infrastructure is not just compliant—but secure by design. Whether you need help with:

• SPF, DKIM, DMARC configuration
• Monitoring domain abuse
• Or implementing email authentication at scale

—we’re here to assist.

📩 Get in touch: info@progist.net
📞 Or call us at: +91-9820116312 | +91-9819256263

Let’s ensure your bank is ready—not just for compliance, but for true cyber resilience.

---

About Progist:
Progist is Asia’s leading provider of DMARC and email security solutions. With tools like ProDMARC, we provide banks with full visibility into their email ecosystem, block spoofing attacks, and help teams achieve regulatory compliance swiftly.