Dr . Who Domain Posture lives at domainposture.com — audit-grade domain evidence.
additional context — IP and user-agent lookups that complement a dossier: useful when investigating a finding, but not part of the dossier engine itself.
cert valid for 90 days
Why it matters: A valid current TLS certificate is the baseline for data in transit. Expiry, weak chain, or hostname mismatch break HTTPS and fail PCI 4.2.1 / SOC 2 CC6.1.
subject cn: bankofamerica.com
issuer: DigiCert EV RSA CA G2 / DigiCert Inc
valid: Sep 16 00:00:00 2025 GMT → Sep 15 23:59:59 2026 GMT
authorized: yes
sha256: 02:C1:AD:CF:68:F4:6B:56:F1:04:B9:FE:00:A9:A3:ED:31:D3:1A:08:49:7B:E4:39:B0:C1:B1:54:80:83:8A:C8
fetched 2026-06-17T08:13:25.736Z
2 MX record(s) present
Why it matters: MX records direct inbound mail. Misconfiguration silently breaks email delivery and lets attackers stand up parallel MX hosts for spoofing campaigns (ISO 27001 A.8.21).
pri=10 mxa-0000ec05.gslb.pphosted.com.
pri=10 mxb-0000ec05.gslb.pphosted.com.
fetched 2026-06-17T08:13:25.779Z
~all softfail — receivers may still accept
Why it matters: SPF tells receiving servers which hosts may send mail for the domain. Without it, any sender can forge the envelope-from — the primary mechanism behind business-email-compromise (SOC 2 CC6.7).
Recommendations
Move to -all (hardfail) once your mail flow is confirmed — softfail gives no real protection
v=spf1 ip4:171.161.41.178 ip4:171.159.227.167 ip4:171.161.147.155 include:spf-0000ec15.pphosted.com ~all
fetched 2026-06-17T08:13:25.789Z
no CORS headers — cross-origin requests blocked by default
Why it matters: Overly permissive CORS (wildcard with credentials, or reflected origin) lets any origin read authenticated responses from this domain. OWASP A05 misconfiguration territory (NIST AC-4).
origin: https://domainposture.com · method: GET · preflight status: 301
access-control-* headers:
access-control-allow-origin —
access-control-allow-methods —
access-control-allow-headers —
access-control-allow-credentials —
access-control-max-age —
access-control-expose-headers —
no access-control-* headers returned — site does not advertise CORS to this origin
fetched 2026-06-17T08:13:25.798Z
no DKIM selectors found — likely not configured
Why it matters: DKIM signs outbound mail so receivers can detect tampering. Missing selectors or rotated-away keys break DMARC alignment and let receivers downgrade trust (ISO 27001 A.8.24).
Recommendations
Enable DKIM signing in your mail provider and publish the provided TXT record
Common selectors: google._domainkey, selector1._domainkey (Microsoft), mail._domainkey
no DKIM record on probed selectors (default, google, k1, selector1, selector2, mxvault)
p=reject — strict policy
Why it matters: DMARC binds SPF and DKIM into an enforceable policy (quarantine or reject) and surfaces spoofing attempts via aggregate reports. `p=none` or absent means spoofing succeeds silently (SOC 2 CC6.7).
fetched 2026-06-17T08:13:25.801Z
DNSSEC enabled — DS records present and chain validated (AD flag)
Why it matters: DNSSEC cryptographically signs DNS responses, blocking cache-poisoning attacks. US federal civilian agencies are required to enable it under OMB M-22-09 (NIST SC-20).
enabled yes
DS records:
2516 RSASHA256 2 bdb1607a1869fd5b4f0be0602360aedd836769989d649454277d5d9fe742e705
RRSIG over the DS RRset (signer com., key tag 27677): DS ECDSAP256SHA256 2 86400 1782184313 1781575313 27677 com. +5yGkBurOk5snluPCVFhX9vipreuIo4gb/7A4aJHDg7y0pKxACy5E8j2KZvmLqpaiRtjPmDlrHC41YA5qowpGg==
DNSKEY records: 4 key(s)
fetched 2026-06-17T08:13:25.811Z
not applicable: no _mta-sts TXT record
Why it matters: MTA-STS forces inbound SMTP to use TLS and refuse downgraded connections. Without it, an in-path attacker can strip TLS and read mail in plaintext (SOC 2 CC6.7).
A/AAAA records present
Why it matters: Without authoritative A or AAAA records on the apex, the domain is unreachable. Missing baseline DNS shows up in vendor reviews as evidence of unmanaged infrastructure (SOC 2 CC6.6).
A ttl=166 3.173.22.90
A ttl=166 3.173.21.90
A ttl=166 3.173.23.90
AAAA —
NS ttl=86400 a.ns-bac.com.
NS ttl=86400 b.ns-bac.org.
NS ttl=86400 c.ns-bac.net.
NS ttl=86400 d.ns-bac.info.
NS ttl=86400 e.ns-boa.biz.
NS ttl=86400 f.ns-boa.us.
NS ttl=86400 g.ns-bac.com.
SOA ttl=600 ns10.bac.com. domain\.administrator.bankofamerica.com. 2026062808 1800 900 604800 600
CAA (returned in RFC 3597 generic \# form; decoded here: flags 0, tag, value)
CAA ttl=600 0 issue "amazon.com"
CAA ttl=600 0 issue "digicert.com"
CAA ttl=600 0 issue "pki.goog"
CAA ttl=600 0 issue "sectigo.com"
CAA ttl=600 0 issue "ssl.com"
CAA ttl=600 0 issuevmc "digicert.com"
TXT ttl=3600 (domain-verification token records omitted; the SPF TXT record is listed under SPF above)
fetched 2026-06-17T08:13:25.793Z
TXT ttl=3600 "v=spf1 ip4:171.161.41.178 ip4:171.159.227.167 ip4:171.161.147.155 include:spf-0000ec15.pphosted.com ~all"
not applicable: no TLSRPT record
Why it matters: TLS-RPT publishes a reporting address for SMTP-TLS failures. Without it, downgrade attacks on inbound mail go unnoticed (SOC 2 CC7.2).
HTTPS served correctly
Why it matters: Bare HTTP requests must redirect to HTTPS without dropping the user mid-chain. Plain-text fallback or open redirects fail PCI 4.2.1 and feed phishing chains (SOC 2 CC6.6).
final status: 200 · 2 hops
[301] https://bankofamerica.com/
[200] https://www.bankofamerica.com/
fetched 2026-06-17T08:13:26.856Z
HTTPS surface reachable (robots ✓, sitemap ✗, title ✓)
Why it matters: Public files — robots.txt, sitemap.xml, head meta — are what attackers see first during reconnaissance. Misadvertised paths, stale sitemaps, and verbose generators leak more than intended (ISO 27001 A.8.9).
robots.txt
present
User-agent: * # applies to all robots
Disallow: /global # disallow indexing of restricted areas
Disallow: /cfdocs
Disallow: /thirdparty
Disallow: /directbenefits
Disallow: /groupbanking
Disallow: /incubator
Disallow: /signin
Disallow: /associatebanking
Disallow: /cgi-bin
Disallow: /deposits/*.pdf$
Disallow: /deposits/*.swf$
Disallow: /deposits/*.txt$
Disallow: /products/deposits/
Disallow: /banking-information/associatebanking/
Disallow: /banking-information/employeebanking/
Disallow: /products/employeebanking/
Disallow: /employeebanking
Disallow: /employeebankingandinvestments
Disallow: /*slider-module.go
Disallow: */hp-assets/
Disallow: /financial-wellness/
# Disallow URLs with tracking parameters
Disallow: /adtrack/
Disallow: /*adlink
Disallow: /*cm_mmc
Disallow: /weblinking/
Disallow: /mortgage_network/
Disallow: /*cm_sp
Disallow: /*reason=QKN
Disallow: /*msg=OnlineIdEmpty
Disallow: /*SOURCE_URL
# Disallow mobile content
Disallow: /promos/jump/package/iPhone/
Disallow: /promos/jump/package/mobile/
User-agent: gsa-crawler # Special rule just for Google Search Appliance
Disallow: /global
Disallow: /cfdocs
Disallow: /thirdparty
Disallow: /directbenefits
Disallow: /groupbanking
Disallow: /incubator
Disallow: /signin
Disallow: /cgi-bin
Disallow: /deposits/*.pdf$
Disallow: /deposits/*.swf$
Disallow: /deposits/*.txt$
Disallow: /products/deposits/
Disallow: /banking-information/associatebanking/
Disallow: /banking-information/employeebanking/
Disallow: /products/employeebanking/
Disallow: /employeebanking
Disallow: /employeebankingandinvestments
Disallow: /*slider-module.go
Disallow: */hp-assets/
Disallow: /financial-wellness/
# Disallow URLs with tracking parameters
Disallow: /adtrack/
Disallow: /*adlink
Disallow: /*cm_mmc
Disallow: /weblinking/
Disallow: /mortgage_network/
Disallow: /*cm_sp
Disallow: /*reason=QKN
Disallow: /*msg=OnlineIdEmpty
Disallow: /*SOURCE_URL
# Disallow mobile content
Disallow: /promos/jump/package/iPhone/
Disallow: /promos/jump/package/mobile/
User-agent: OmniExplorer_Bot
Disallow: /
# Allow mobile content for primary mobile bots
User-agent: Googlebot-Mobile
User-agent: msnbot-mobile
User-agent: YahooSeeker/M1A1-R2D2
Disallow: /global
Disallow: /cfdocs
Disallow: /thirdparty
Disallow: /directbenefits
Disallow: /groupbanking
Disallow: /incubator
Disallow: /signin
Disallow: /associatebanking
Disallow: /cgi-bin
Disallow: /deposits/*.pdf$
Disallow: /deposits/*.swf$
Disallow: /deposits/*.txt$
Disallow: /products/deposits/
Disallow: /banking-information/associatebanking/
Disallow: /banking-information/employeebanking/
Disallow: /products/employeebanking/
Disallow: /employeebanking
Disallow: /employeebankingandinvestments
Disallow: /*slider-module.go
Disallow: */hp-assets/
Disallow: /financial-wellness/
# Disallow URLs with tracking parameters
Disallow: /adtrack/
Disallow: /*adlink
Disallow: /*cm_mmc
Disallow: /weblinking/
Disallow: /mortgage_network/
Disallow: /*cm_sp
Disallow: /*reason=QKN
Disallow: /*msg=OnlineIdEmpty
Disallow: /*SOURCE_URL
sitemap: https://www.bankofamerica.com/content/sitemap_index.xml
#Deployed from SPARTA
#CAST ID for this deployment #78658
#www robots.txt
head
title Bank of America - Banking, Credit Cards, Loans and Merrill Investing
description What would you like the power to do? At Bank of America, our purpose is to help make financial lives better through the power of every connection.
social
og:title Bank of America - Banking, Credit Cards, Loans and Merrill Investing
og:description What would you like the power to do? At Bank of America, our purpose is to help make financial lives better through the power of every connection.
og:type website
og:site_name Bank of America
og:url https://www.bankofamerica.com/
og:image https://www.bankofamerica.com/content/images/ContextualSiteGraphics/Logos/en_US/logos/colored_flagscape-v2.png
og:image:alt Bank of America - Banking, Credit Cards, Loans and Merrill Investing
twitter:title Bank of America - Banking, Credit Cards, Loans and Merrill Investing
twitter:description What would you like the power to do? At Bank of America, our purpose is to help make financial lives better through the power of every connection.
twitter:card summary
twitter:site @BankofAmerica
twitter:url https://www.bankofamerica.com/
twitter:image https://www.bankofamerica.com/content/images/ContextualSiteGraphics/Logos/en_US/logos/colored_flagscape-v2.png
twitter:image:alt Bank of America - Banking, Credit Cards, Loans and Merrill Investing
fetched 2026-06-17T08:13:27.426Z
domain registered until 2026-12-28
Why it matters: Registrar and expiry tell auditors the domain is owned, current, and not about to lapse. An expired or about-to-expire domain fails business-continuity evidence (SOC 2 A1.2).
registrar CSC Corporate Domains, Inc.
created 1998-12-28T05:00:00Z
expires 2026-12-28T05:00:00Z
statuses:
clientTransferProhibited https://icann.org/epp#clientTransferProhibited
serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited
serverTransferProhibited https://icann.org/epp#serverTransferProhibited
serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited
fetched 2026-06-17T08:13:27.838Z
B
Mostly compliant · 2 items need attention
Aggregate grade across 15 checks. Auditors typically flag any High-severity finding.
Pass 13
Warn 2
Fail 0
What an auditor would flag first
medium · SPF: ~all softfail — receivers may still accept (SOC 2 CC6.7, ISO 27001 A.8.20)
low · DKIM: no DKIM selectors found — likely not configured (SOC 2 CC6.7)
Need this as an artifact your auditor can verify?
Your bankofamerica.com scan flagged 1 medium and 1 low finding. A signed pack covers the apex plus up to 100 CT-discovered subdomains, Ed25519-signed and ISO-timestamped, delivered in 10–30 minutes.
15-check summary
DNS records: A/AAAA records present
MX: 2 MX record(s) present
SPF: ~all softfail — receivers may still accept
DMARC: p=reject — strict policy
DKIM: no DKIM selectors found — likely not configured
TLS certificate: cert valid for 90 days
Redirect chain: HTTPS served correctly
Security headers: 3 security header(s) missing
CORS: no CORS headers — cross-origin requests blocked by default
Web surface: HTTPS surface reachable (robots ✓, sitemap ✗, title ✓)
MTA-STS: not applicable: no _mta-sts TXT record
TLS-RPT: not applicable: no TLSRPT record
DNSSEC: DNSSEC enabled — DS records present and chain validated (AD flag)
WHOIS: domain registered until 2026-12-28
Certificate Transparency: check failed: crt.sh: Error: crt.sh http 404; certspotter: TypeError: fetch failed
check failed: crt.sh: Error: crt.sh http 404; certspotter: Error: certspotter http 429
Why it matters: Every certificate issued for this domain is published in Certificate Transparency logs — including subdomains you may have forgotten. Unknown subdomains in CT are pre-disclosed attack surface (ISO 27001 A.8.16).
crt.sh: Error: crt.sh http 404; certspotter: Error: certspotter http 429