Banks send the most consequential operational emails of any industry. A login from a new device. A transfer over the threshold. A card decline abroad. A statement. A scheduled payment failure. Every one of these is the kind of message a customer must see — and yet bank emails are systematically over-filtered by the major mailbox providers, often more aggressively than fintech challengers, because banks are the most-impersonated brands in phishing.
Bank notifications hit junk because filters over-correct against phishing of bank brands. The compliance angle is real: PSD2 SCA notifications, OCC consumer-protection rules, and FCA conduct standards all assume the customer receives the message. BIMI, DMARC at reject, dedicated authentication subdomain, and a documented cross-channel fallback are no longer optional.
Why banks suffer more than fintech challengers
It seems counterintuitive — banks have larger compliance teams, bigger IT budgets, decades-old domains with strong reputation. But the very recognizability of the brand is the problem. Chase, Wells Fargo, Barclays, HSBC, BNP Paribas — every one of these is among the top targets in any week's phishing report.
Mailbox providers respond defensively. A message that purports to come from Chase is held to a higher authentication bar than one from a no-name SaaS. If anything is even slightly off — a misaligned DKIM, a soft-fail SPF, a body that doesn't match the expected template — Gmail will quarantine first and ask questions later.
The challenger fintechs (Revolut, Wise, N26, Monzo) face a different problem: brand newness rather than over-defensiveness. Established banks pay an over-correction tax that newer brands avoid.
PSD2, OCC, FCA: the regulatory layer
PSD2's strong customer authentication rules in the EU, the OCC's consumer-protection guidance in the US, and the FCA's conduct standards in the UK all share an implicit assumption: the customer receives the notifications the bank is required to send. When a notification lands in junk and the customer fails to act on a fraud signal, the regulator's view is unforgiving.
The 2024 PSD3 draft, in particular, started requiring banks to demonstrate that fraud-prevention notifications were "actually received" — language that places the burden on the bank, not the customer's mail provider. Inbox-rate testing is moving from nice-to-have to compliance evidence.
US banks face an equivalent dynamic under the OCC's consumer compliance framework. A pattern of notifications that don't reach customers can be cited as a control deficiency in an exam.
BIMI is no longer optional for banks
BIMI displays the bank's verified logo next to messages in Gmail, Yahoo, Apple Mail, and Fastmail. For a customer who sees a notification with the verified blue checkmark logo, the message is immediately distinguishable from phishing. For a bank, that means higher engagement, lower complaint rate, and — over time — better placement.
The setup cost is around $1,500 a year for the Verified Mark Certificate plus DMARC enforcement at quarantine or reject. For a bank of any size this is an operational rounding error and the most cost-effective deliverability investment available.
DMARC at p=reject, no exceptions
Many banks still operate DMARC at p=none or p=quarantine because of legacy systems sending mail without proper authentication — third-party loyalty platforms, legacy statement vendors, internal HR systems that share the corporate domain. Every one of these is a reason DMARC is not at reject, and every one is a phishing surface.
The transition to p=reject requires inventory work: identify every sender that uses the bank's domain, ensure each has SPF and DKIM aligned, then move policy. Painful but mandatory. A bank at p=quarantine in 2026 is publicly behind on email security.
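The inventory step is where most of the work sits, and the raw material for it is the DMARC aggregate (RUA) reports mailbox providers already send. The parser below is an added example, not the page's or any vendor's code; it reads a constructed RFC 7489 aggregate report for a hypothetical bankdomain.example, groups senders by IP, and shows which sources would be dropped at p=reject and why.

```python
import xml.etree.ElementTree as ET

# Constructed DMARC aggregate (RUA) report in the RFC 7489 XML shape for a
# hypothetical bankdomain.example. Three sources: the bank's own MTA (aligned
# DKIM and SPF), a legacy statement vendor whose SPF passes only for its own
# domain (so nothing aligns), and an unknown sender with no authentication.
SAMPLE_RUA = """<feedback>
 <policy_published><domain>bankdomain.example</domain><p>quarantine</p></policy_published>
 <record><row><source_ip>192.0.2.10</source_ip><count>1200</count>
   <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  <identifiers><header_from>bankdomain.example</header_from></identifiers>
  <auth_results><dkim><domain>bankdomain.example</domain><result>pass</result></dkim>
   <spf><domain>bankdomain.example</domain><result>pass</result></spf></auth_results></record>
 <record><row><source_ip>198.51.100.7</source_ip><count>300</count>
   <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>bankdomain.example</header_from></identifiers>
  <auth_results><spf><domain>vendor-mail.example</domain><result>pass</result></spf></auth_results></record>
 <record><row><source_ip>203.0.113.99</source_ip><count>45</count>
   <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>bankdomain.example</header_from></identifiers>
  <auth_results/></record>
</feedback>"""

def inventory_sources(rua_xml: str) -> dict:
    """Group the report by sending IP. 'aligned' is True if any message from
    that IP passed DMARC via an aligned DKIM or SPF result (policy_evaluated);
    'raw_auth' keeps the underlying results so you can see why a source fails
    (e.g. a vendor signing with its own domain that needs a key on yours)."""
    inv = {}
    for rec in ET.fromstring(rua_xml).iter("record"):
        ip = rec.findtext("row/source_ip")
        pe = rec.find("row/policy_evaluated")
        aligned = "pass" in (pe.findtext("dkim"), pe.findtext("spf"))
        auth = rec.find("auth_results")
        raw = {f"{a.tag}:{a.findtext('domain')}={a.findtext('result')}"
               for a in (list(auth) if auth is not None else [])}
        e = inv.setdefault(ip, {"count": 0, "aligned": False, "raw_auth": set()})
        e["count"] += int(rec.findtext("row/count"))
        e["aligned"] = e["aligned"] or aligned
        e["raw_auth"] |= raw
    return inv

def reject_readiness(rua_xml: str) -> tuple:
    """Sources that would be dropped at p=reject, and their share of volume (%)."""
    inv = inventory_sources(rua_xml)
    total = sum(e["count"] for e in inv.values())
    unaligned = sorted(ip for ip, e in inv.items() if not e["aligned"])
    lost = sum(inv[ip]["count"] for ip in unaligned)
    return unaligned, round(100 * lost / total) if total else 0
```

Run over a month of real reports, the unaligned list is the vendor inventory to fix (or cut off) before the policy moves; a source with an empty raw_auth set and your domain in the From header is the phishing surface the section describes.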
Dedicated authentication subdomain
Bank email traffic should be split by purpose into separate subdomains, each with its own reputation:
- auth.bankdomain.com — login alerts, OTPs, password changes. Highest trust requirement, lowest volume.
- tx.bankdomain.com — transaction confirmations, transfer notices. Medium volume, time-sensitive.
- statements.bankdomain.com — periodic statements, tax documents. Predictable cadence.
- news.bankdomain.com — marketing, product updates, opt-in newsletters. Highest volume, lowest stakes.
Each subdomain develops its own engagement profile. The auth subdomain's near-perfect open rate insulates it from any marketing-side reputation drift. This separation is more important for banks than for any other category.
Maintain monthly placement-test evidence per subdomain. If a regulator asks whether your fraud notifications are reaching customers, you want a 24-month time-series, not a verbal assurance.
Cross-channel redundancy
Email is necessary but never sufficient for bank notifications. Critical alerts — fraud, large transactions, login from new device — should fan out across channels in parallel: email, SMS, push to the bank's app, and increasingly an in-app inbox the customer can check independently of any push.
The orchestration logic should treat email as one of N channels, not the primary. If the customer reads the alert in the app, the email is informational. If the customer responds to the SMS, the email is a backup record. Email's job in this model is durability — being there when the customer eventually checks — not immediacy.
For high-stakes events, require explicit acknowledgement on at least one channel. If no channel acknowledges within 5 minutes, escalate to a phone call from the fraud team.
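The fan-out, acknowledgement and five-minute escalation rule above, as an added example (not code from the page or any bank's platform). Channel names, the Alert fields and the in-memory outbox are assumptions; time is passed in explicitly so the logic is deterministic, where a real deployment would use a clock and a scheduler.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

ACK_WINDOW = timedelta(minutes=5)              # page's rule: escalate after 5 minutes
CHANNELS = ("email", "sms", "push", "in_app")  # email is one of N, not the primary

@dataclass
class Alert:
    alert_id: str
    customer: str
    sent_at: datetime
    high_stakes: bool = True
    acks: dict = field(default_factory=dict)   # channel -> time the customer acked
    escalated: bool = False

class AlertOrchestrator:
    """Fan a critical alert out to every channel in parallel, record acks, and
    hand unacknowledged high-stakes alerts to the fraud team after ACK_WINDOW."""

    def __init__(self):
        self.alerts: dict = {}
        self.outbox: list = []   # (channel, customer, alert_id) handed to the senders

    def dispatch(self, alert: Alert) -> list:
        self.alerts[alert.alert_id] = alert
        self.outbox += [(ch, alert.customer, alert.alert_id) for ch in CHANNELS]
        return list(CHANNELS)

    def acknowledge(self, alert_id: str, channel: str, at: datetime) -> bool:
        """Record an ack; True if it arrived inside the window (first ack wins)."""
        a = self.alerts[alert_id]
        a.acks.setdefault(channel, at)
        return at - a.sent_at <= ACK_WINDOW

    def due_for_escalation(self, now: datetime) -> list:
        """High-stakes alerts with no ack on any channel once the window has passed.
        Each id is returned once; the caller triggers the fraud-team phone call."""
        due = []
        for a in self.alerts.values():
            if (a.high_stakes and not a.acks and not a.escalated
                    and now - a.sent_at >= ACK_WINDOW):
                a.escalated = True
                due.append(a.alert_id)
        return due

    def email_role(self, alert_id: str) -> str:
        # Email is the durable record; its role depends on which channel was read.
        acks = self.alerts[alert_id].acks
        if "in_app" in acks or "push" in acks:
            return "informational"
        return "backup record" if "sms" in acks else "awaiting read"
```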
Continuous deliverability testing for banks
A bank should run automated placement tests at least daily across the major providers. The cost is negligible compared with the cost of a single missed fraud notification. The discipline produces a time-series that becomes evidence in any regulatory or audit context, and a leading indicator of deliverability degradation before customers start complaining.
Specifically test from each subdomain to seed inboxes at Gmail, Outlook 365, Yahoo, Apple iCloud, and the regional providers relevant to the bank's customer base. Track inbox vs spam vs promotions placement separately.
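The per-subdomain time-series and the "leading indicator" it provides, as an added example (not the page's code or any testing vendor's API). The seed counts, subdomain and provider names, and the three-run baseline with a 15-point drop threshold are constructed assumptions; it tracks inbox, spam and promotions separately and flags a subdomain whose inbox rate falls away from its own recent history.

```python
from statistics import mean

# Constructed seed-test results (not real data): for each daily run, how many
# seed mailboxes at a provider landed in inbox, spam or promotions. Subdomains
# follow the split above; "auth" at Gmail degrades on the last day while the
# marketing subdomain's normal promotions-tab noise stays separate from it.
RUNS = {
    ("2026-03-01", "auth", "gmail"):   {"inbox": 10, "spam": 0, "promotions": 0},
    ("2026-03-02", "auth", "gmail"):   {"inbox": 10, "spam": 0, "promotions": 0},
    ("2026-03-03", "auth", "gmail"):   {"inbox": 9,  "spam": 1, "promotions": 0},
    ("2026-03-04", "auth", "gmail"):   {"inbox": 6,  "spam": 4, "promotions": 0},
    ("2026-03-01", "auth", "outlook"): {"inbox": 10, "spam": 0, "promotions": 0},
    ("2026-03-02", "auth", "outlook"): {"inbox": 10, "spam": 0, "promotions": 0},
    ("2026-03-03", "auth", "outlook"): {"inbox": 10, "spam": 0, "promotions": 0},
    ("2026-03-04", "auth", "outlook"): {"inbox": 10, "spam": 0, "promotions": 0},
    ("2026-03-01", "news", "gmail"):   {"inbox": 3, "spam": 0, "promotions": 7},
    ("2026-03-02", "news", "gmail"):   {"inbox": 2, "spam": 1, "promotions": 7},
    ("2026-03-03", "news", "gmail"):   {"inbox": 3, "spam": 0, "promotions": 7},
    ("2026-03-04", "news", "gmail"):   {"inbox": 2, "spam": 1, "promotions": 7},
}

def placement_series(runs: dict, subdomain: str, provider: str) -> list:
    """Per-run placement shares for one subdomain at one provider, oldest first:
    (day, inbox_rate, spam_rate, promotions_rate), each rounded to 3 places."""
    pts = []
    for (day, sd, pv), c in runs.items():
        if (sd, pv) == (subdomain, provider):
            total = sum(c.values())
            pts.append((day,) + tuple(round(c[k] / total, 3)
                                      for k in ("inbox", "spam", "promotions")))
    return sorted(pts)

def degradation_alerts(runs: dict, baseline_days: int = 3, max_drop: float = 0.15) -> list:
    """Flag (subdomain, provider) pairs whose latest inbox rate sits more than
    max_drop below the mean of the preceding baseline_days runs. This is the
    leading indicator: it fires before customers complain, and the per-subdomain
    split keeps marketing noise from masking an auth-stream problem."""
    alerts = []
    for sd, pv in sorted({(sd, pv) for (_, sd, pv) in runs}):
        series = placement_series(runs, sd, pv)
        if len(series) <= baseline_days:
            continue                       # not enough history to judge yet
        baseline = mean(p[1] for p in series[-baseline_days - 1:-1])
        day, latest = series[-1][0], series[-1][1]
        if baseline - latest > max_drop:
            alerts.append((sd, pv, day, round(baseline, 3), latest))
    return alerts
```

The same series, persisted per subdomain and provider, is the 24-month evidence the regulatory section asks for.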